1 /* $OpenBSD: ieee80211_input.c,v 1.126 2014/07/12 18:44:22 tedu Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/proc.h> 44 #include <sys/sysctl.h> 45 #include <sys/task.h> 46 47 #include <net/if.h> 48 #include <net/if_dl.h> 49 #include <net/if_media.h> 50 #include <net/if_arp.h> 51 #include <net/if_llc.h> 52 53 #if NBPFILTER > 0 54 #include <net/bpf.h> 55 #endif 56 57 #ifdef INET 58 #include <netinet/in.h> 59 #include <netinet/if_ether.h> 60 #endif 61 62 #include <net80211/ieee80211_var.h> 63 #include <net80211/ieee80211_priv.h> 64 65 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 66 void ieee80211_defrag_timeout(void *); 67 #ifndef IEEE80211_NO_HT 68 void ieee80211_input_ba(struct ifnet *, struct mbuf *, 69 struct ieee80211_node *, int, struct ieee80211_rxinfo *); 70 void ieee80211_ba_move_window(struct ieee80211com *, 71 struct ieee80211_node *, u_int8_t, u_int16_t); 72 #endif 73 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 74 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 75 struct ieee80211_node *, int); 76 #ifndef IEEE80211_NO_HT 77 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 78 struct ieee80211_node *, int); 79 #endif 80 void ieee80211_deliver_data(struct ieee80211com *, struct mbuf *, 81 struct ieee80211_node *); 82 int ieee80211_parse_edca_params_body(struct ieee80211com *, 83 const u_int8_t *); 84 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 85 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 86 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 87 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 88 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 89 u_int, struct ieee80211_rsnparams *); 90 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 91 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 92 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 93 #ifndef IEEE80211_STA_ONLY 94 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 95 struct ieee80211_node *, struct ieee80211_rxinfo *); 96 #endif 97 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 98 struct ieee80211_node *, struct ieee80211_rxinfo *); 99 #ifndef IEEE80211_STA_ONLY 100 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 101 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 102 #endif 103 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 104 struct ieee80211_node *, int); 105 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 106 struct ieee80211_node *); 107 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 108 struct ieee80211_node *); 109 #ifndef IEEE80211_NO_HT 110 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 111 struct ieee80211_node *); 112 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 113 struct ieee80211_node *); 114 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 115 struct ieee80211_node *); 116 #endif 117 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 118 struct ieee80211_node *); 119 #ifndef IEEE80211_STA_ONLY 120 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 121 struct ieee80211_node *); 122 #endif 123 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 124 struct ieee80211_node *); 125 #ifndef IEEE80211_STA_ONLY 126 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 127 struct ieee80211_node *); 128 #endif 129 #ifndef IEEE80211_NO_HT 130 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 131 struct ieee80211_node *); 132 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 133 u_int8_t, u_int16_t); 134 #endif 135 void ieee80211_input_print(struct ieee80211com *, struct ifnet *, 136 struct ieee80211_frame *, struct ieee80211_rxinfo *); 137 void ieee80211_input_print_task(void *, void *); 138 139 struct ieee80211printmsg { 140 struct task task; 141 char text[512]; 142 }; 143 144 /* 145 * Retrieve the length in bytes of an 802.11 header. 146 */ 147 u_int 148 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 149 { 150 u_int size = sizeof(*wh); 151 152 /* NB: does not work with control frames */ 153 KASSERT(ieee80211_has_seq(wh)); 154 155 if (ieee80211_has_addr4(wh)) 156 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 157 if (ieee80211_has_qos(wh)) 158 size += sizeof(u_int16_t); /* i_qos */ 159 if (ieee80211_has_htc(wh)) 160 size += sizeof(u_int32_t); /* i_ht */ 161 return size; 162 } 163 164 /* 165 * Work queue task that prints a received frame. Avoids printf() from 166 * interrupt context at IPL_NET making slow machines unusable when many 167 * frames are received and the interface is put in debug mode. 168 */ 169 void 170 ieee80211_input_print_task(void *arg1, void *arg2) 171 { 172 struct ieee80211printmsg *msg = arg1; 173 174 printf("%s", msg->text); 175 free(msg, M_DEVBUF, 0); 176 } 177 178 void 179 ieee80211_input_print(struct ieee80211com *ic, struct ifnet *ifp, 180 struct ieee80211_frame *wh, struct ieee80211_rxinfo *rxi) 181 { 182 int doprint; 183 struct ieee80211printmsg *msg; 184 u_int8_t subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 185 186 /* avoid printing too many frames */ 187 doprint = 0; 188 switch (subtype) { 189 case IEEE80211_FC0_SUBTYPE_BEACON: 190 if (ic->ic_state == IEEE80211_S_SCAN) 191 doprint = 1; 192 break; 193 #ifndef IEEE80211_STA_ONLY 194 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 195 if (ic->ic_opmode == IEEE80211_M_IBSS) 196 doprint = 1; 197 break; 198 #endif 199 default: 200 doprint = 1; 201 break; 202 } 203 #ifdef IEEE80211_DEBUG 204 doprint += ieee80211_debug; 205 #endif 206 if (!doprint) 207 return; 208 209 msg = malloc(sizeof(*msg), M_DEVBUF, M_NOWAIT); 210 if (msg == NULL) 211 return; 212 213 snprintf(msg->text, sizeof(msg->text), 214 "%s: received %s from %s rssi %d mode %s\n", ifp->if_xname, 215 ieee80211_mgt_subtype_name[subtype >> IEEE80211_FC0_SUBTYPE_SHIFT], 216 ether_sprintf(wh->i_addr2), rxi->rxi_rssi, 217 ieee80211_phymode_name[ieee80211_chan2mode( 218 ic, ic->ic_bss->ni_chan)]); 219 220 task_set(&msg->task, ieee80211_input_print_task, msg, NULL); 221 task_add(systq, &msg->task); 222 } 223 224 /* 225 * Process a received frame. The node associated with the sender 226 * should be supplied. If nothing was found in the node table then 227 * the caller is assumed to supply a reference to ic_bss instead. 228 * The RSSI and a timestamp are also supplied. The RSSI data is used 229 * during AP scanning to select a AP to associate with; it can have 230 * any units so long as values have consistent units and higher values 231 * mean ``better signal''. The receive timestamp is currently not used 232 * by the 802.11 layer. 233 */ 234 void 235 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 236 struct ieee80211_rxinfo *rxi) 237 { 238 struct ieee80211com *ic = (void *)ifp; 239 struct ieee80211_frame *wh; 240 u_int16_t *orxseq, nrxseq, qos; 241 u_int8_t dir, type, subtype, tid; 242 int hdrlen, hasqos; 243 244 KASSERT(ni != NULL); 245 246 /* in monitor mode, send everything directly to bpf */ 247 if (ic->ic_opmode == IEEE80211_M_MONITOR) 248 goto out; 249 250 /* 251 * Do not process frames without an Address 2 field any further. 252 * Only CTS and ACK control frames do not have this field. 253 */ 254 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 255 DPRINTF(("frame too short, len %u\n", m->m_len)); 256 ic->ic_stats.is_rx_tooshort++; 257 goto out; 258 } 259 260 wh = mtod(m, struct ieee80211_frame *); 261 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 262 IEEE80211_FC0_VERSION_0) { 263 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 264 ic->ic_stats.is_rx_badversion++; 265 goto err; 266 } 267 268 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 269 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 270 271 if (type != IEEE80211_FC0_TYPE_CTL) { 272 hdrlen = ieee80211_get_hdrlen(wh); 273 if (m->m_len < hdrlen) { 274 DPRINTF(("frame too short, len %u\n", m->m_len)); 275 ic->ic_stats.is_rx_tooshort++; 276 goto err; 277 } 278 } 279 if ((hasqos = ieee80211_has_qos(wh))) { 280 qos = ieee80211_get_qos(wh); 281 tid = qos & IEEE80211_QOS_TID; 282 } else { 283 qos = 0; 284 tid = 0; 285 } 286 287 /* duplicate detection (see 9.2.9) */ 288 if (ieee80211_has_seq(wh) && 289 ic->ic_state != IEEE80211_S_SCAN) { 290 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 291 IEEE80211_SEQ_SEQ_SHIFT; 292 if (hasqos) 293 orxseq = &ni->ni_qos_rxseqs[tid]; 294 else 295 orxseq = &ni->ni_rxseq; 296 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 297 nrxseq == *orxseq) { 298 /* duplicate, silently discarded */ 299 ic->ic_stats.is_rx_dup++; 300 goto out; 301 } 302 *orxseq = nrxseq; 303 } 304 if (ic->ic_state != IEEE80211_S_SCAN) { 305 ni->ni_rssi = rxi->rxi_rssi; 306 ni->ni_rstamp = rxi->rxi_tstamp; 307 ni->ni_inact = 0; 308 } 309 310 #ifndef IEEE80211_STA_ONLY 311 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 312 (ic->ic_caps & IEEE80211_C_APPMGT) && 313 ni->ni_state == IEEE80211_STA_ASSOC) { 314 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 315 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 316 /* turn on PS mode */ 317 ni->ni_pwrsave = IEEE80211_PS_DOZE; 318 ic->ic_pssta++; 319 DPRINTF(("PS mode on for %s, count %d\n", 320 ether_sprintf(wh->i_addr2), ic->ic_pssta)); 321 } 322 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 323 /* turn off PS mode */ 324 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 325 ic->ic_pssta--; 326 DPRINTF(("PS mode off for %s, count %d\n", 327 ether_sprintf(wh->i_addr2), ic->ic_pssta)); 328 329 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 330 331 /* dequeue buffered unicast frames */ 332 while (!IF_IS_EMPTY(&ni->ni_savedq)) { 333 struct mbuf *m; 334 IF_DEQUEUE(&ni->ni_savedq, m); 335 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 336 (*ifp->if_start)(ifp); 337 } 338 } 339 } 340 #endif 341 switch (type) { 342 case IEEE80211_FC0_TYPE_DATA: 343 switch (ic->ic_opmode) { 344 case IEEE80211_M_STA: 345 if (dir != IEEE80211_FC1_DIR_FROMDS) { 346 ic->ic_stats.is_rx_wrongdir++; 347 goto out; 348 } 349 if (ic->ic_state != IEEE80211_S_SCAN && 350 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 351 /* Source address is not our BSS. */ 352 DPRINTF(("discard frame from SA %s\n", 353 ether_sprintf(wh->i_addr2))); 354 ic->ic_stats.is_rx_wrongbss++; 355 goto out; 356 } 357 if ((ifp->if_flags & IFF_SIMPLEX) && 358 IEEE80211_IS_MULTICAST(wh->i_addr1) && 359 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 360 /* 361 * In IEEE802.11 network, multicast frame 362 * sent from me is broadcasted from AP. 363 * It should be silently discarded for 364 * SIMPLEX interface. 365 */ 366 ic->ic_stats.is_rx_mcastecho++; 367 goto out; 368 } 369 break; 370 #ifndef IEEE80211_STA_ONLY 371 case IEEE80211_M_IBSS: 372 case IEEE80211_M_AHDEMO: 373 if (dir != IEEE80211_FC1_DIR_NODS) { 374 ic->ic_stats.is_rx_wrongdir++; 375 goto out; 376 } 377 if (ic->ic_state != IEEE80211_S_SCAN && 378 !IEEE80211_ADDR_EQ(wh->i_addr3, 379 ic->ic_bss->ni_bssid) && 380 !IEEE80211_ADDR_EQ(wh->i_addr3, 381 etherbroadcastaddr)) { 382 /* Destination is not our BSS or broadcast. */ 383 DPRINTF(("discard data frame to DA %s\n", 384 ether_sprintf(wh->i_addr3))); 385 ic->ic_stats.is_rx_wrongbss++; 386 goto out; 387 } 388 break; 389 case IEEE80211_M_HOSTAP: 390 if (dir != IEEE80211_FC1_DIR_TODS) { 391 ic->ic_stats.is_rx_wrongdir++; 392 goto out; 393 } 394 if (ic->ic_state != IEEE80211_S_SCAN && 395 !IEEE80211_ADDR_EQ(wh->i_addr1, 396 ic->ic_bss->ni_bssid) && 397 !IEEE80211_ADDR_EQ(wh->i_addr1, 398 etherbroadcastaddr)) { 399 /* BSS is not us or broadcast. */ 400 DPRINTF(("discard data frame to BSS %s\n", 401 ether_sprintf(wh->i_addr1))); 402 ic->ic_stats.is_rx_wrongbss++; 403 goto out; 404 } 405 /* check if source STA is associated */ 406 if (ni == ic->ic_bss) { 407 DPRINTF(("data from unknown src %s\n", 408 ether_sprintf(wh->i_addr2))); 409 /* NB: caller deals with reference */ 410 ni = ieee80211_find_node(ic, wh->i_addr2); 411 if (ni == NULL) 412 ni = ieee80211_dup_bss(ic, wh->i_addr2); 413 if (ni != NULL) { 414 IEEE80211_SEND_MGMT(ic, ni, 415 IEEE80211_FC0_SUBTYPE_DEAUTH, 416 IEEE80211_REASON_NOT_AUTHED); 417 } 418 ic->ic_stats.is_rx_notassoc++; 419 goto err; 420 } 421 if (ni->ni_associd == 0) { 422 DPRINTF(("data from unassoc src %s\n", 423 ether_sprintf(wh->i_addr2))); 424 IEEE80211_SEND_MGMT(ic, ni, 425 IEEE80211_FC0_SUBTYPE_DISASSOC, 426 IEEE80211_REASON_NOT_ASSOCED); 427 ic->ic_stats.is_rx_notassoc++; 428 goto err; 429 } 430 break; 431 #endif /* IEEE80211_STA_ONLY */ 432 default: 433 /* can't get there */ 434 goto out; 435 } 436 437 #ifndef IEEE80211_NO_HT 438 if (!(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE) && 439 hasqos && (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 440 IEEE80211_QOS_ACK_POLICY_BA) { 441 /* check if we have a BA agreement for this RA/TID */ 442 if (ni->ni_rx_ba[tid].ba_state != 443 IEEE80211_BA_AGREED) { 444 DPRINTF(("no BA agreement for %s, TID %d\n", 445 ether_sprintf(ni->ni_macaddr), tid)); 446 /* send a DELBA with reason code UNKNOWN-BA */ 447 IEEE80211_SEND_ACTION(ic, ni, 448 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 449 IEEE80211_REASON_SETUP_REQUIRED << 16 | 450 tid); 451 goto err; 452 } 453 /* go through A-MPDU reordering */ 454 ieee80211_input_ba(ifp, m, ni, tid, rxi); 455 return; /* don't free m! */ 456 } 457 #endif 458 if ((ic->ic_flags & IEEE80211_F_WEPON) || 459 ((ic->ic_flags & IEEE80211_F_RSNON) && 460 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 461 /* protection is on for Rx */ 462 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 463 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 464 /* drop unencrypted */ 465 ic->ic_stats.is_rx_unencrypted++; 466 goto err; 467 } 468 /* do software decryption */ 469 m = ieee80211_decrypt(ic, m, ni); 470 if (m == NULL) { 471 ic->ic_stats.is_rx_wepfail++; 472 goto err; 473 } 474 wh = mtod(m, struct ieee80211_frame *); 475 } 476 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 477 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 478 /* frame encrypted but protection off for Rx */ 479 ic->ic_stats.is_rx_nowep++; 480 goto out; 481 } 482 483 #if NBPFILTER > 0 484 /* copy to listener after decrypt */ 485 if (ic->ic_rawbpf) 486 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 487 #endif 488 489 #ifndef IEEE80211_NO_HT 490 if ((ni->ni_flags & IEEE80211_NODE_HT) && 491 hasqos && (qos & IEEE80211_QOS_AMSDU)) 492 ieee80211_amsdu_decap(ic, m, ni, hdrlen); 493 else 494 #endif 495 ieee80211_decap(ic, m, ni, hdrlen); 496 return; 497 498 case IEEE80211_FC0_TYPE_MGT: 499 if (dir != IEEE80211_FC1_DIR_NODS) { 500 ic->ic_stats.is_rx_wrongdir++; 501 goto err; 502 } 503 #ifndef IEEE80211_STA_ONLY 504 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 505 ic->ic_stats.is_rx_ahdemo_mgt++; 506 goto out; 507 } 508 #endif 509 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 510 511 /* drop frames without interest */ 512 if (ic->ic_state == IEEE80211_S_SCAN) { 513 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 514 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 515 ic->ic_stats.is_rx_mgtdiscard++; 516 goto out; 517 } 518 } 519 520 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 521 /* MMPDU protection is on for Rx */ 522 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 523 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 524 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 525 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 526 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 527 /* unicast mgmt not encrypted */ 528 goto out; 529 } 530 /* do software decryption */ 531 m = ieee80211_decrypt(ic, m, ni); 532 if (m == NULL) { 533 /* XXX stats */ 534 goto out; 535 } 536 wh = mtod(m, struct ieee80211_frame *); 537 } 538 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 539 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 540 /* encrypted but MMPDU Rx protection off for TA */ 541 goto out; 542 } 543 544 if (ifp->if_flags & IFF_DEBUG) 545 ieee80211_input_print(ic, ifp, wh, rxi); 546 #if NBPFILTER > 0 547 if (ic->ic_rawbpf) 548 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 549 /* 550 * Drop mbuf if it was filtered by bpf. Normally, this is 551 * done in ether_input() but IEEE 802.11 management frames 552 * are a special case. 553 */ 554 if (m->m_flags & M_FILDROP) { 555 m_freem(m); 556 return; 557 } 558 #endif 559 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 560 m_freem(m); 561 return; 562 563 case IEEE80211_FC0_TYPE_CTL: 564 ic->ic_stats.is_rx_ctl++; 565 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 566 switch (subtype) { 567 #ifndef IEEE80211_STA_ONLY 568 case IEEE80211_FC0_SUBTYPE_PS_POLL: 569 ieee80211_recv_pspoll(ic, m, ni); 570 break; 571 #endif 572 #ifndef IEEE80211_NO_HT 573 case IEEE80211_FC0_SUBTYPE_BAR: 574 ieee80211_recv_bar(ic, m, ni); 575 break; 576 #endif 577 default: 578 break; 579 } 580 goto out; 581 582 default: 583 DPRINTF(("bad frame type %x\n", type)); 584 /* should not come here */ 585 break; 586 } 587 err: 588 ifp->if_ierrors++; 589 out: 590 if (m != NULL) { 591 #if NBPFILTER > 0 592 if (ic->ic_rawbpf) 593 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 594 #endif 595 m_freem(m); 596 } 597 } 598 599 /* 600 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 601 * reception of fragments of three fragmented MSDUs or MMPDUs. 602 */ 603 struct mbuf * 604 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 605 { 606 const struct ieee80211_frame *owh, *wh; 607 struct ieee80211_defrag *df; 608 u_int16_t rxseq, seq; 609 u_int8_t frag; 610 int i; 611 612 wh = mtod(m, struct ieee80211_frame *); 613 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 614 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 615 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 616 617 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 618 return m; /* not fragmented */ 619 620 if (frag == 0) { 621 /* first fragment, setup entry in the fragment cache */ 622 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 623 ic->ic_defrag_cur = 0; 624 df = &ic->ic_defrag[ic->ic_defrag_cur]; 625 if (df->df_m != NULL) 626 m_freem(df->df_m); /* discard old entry */ 627 df->df_seq = seq; 628 df->df_frag = 0; 629 df->df_m = m; 630 /* start receive MSDU timer of aMaxReceiveLifetime */ 631 timeout_add_sec(&df->df_to, 1); 632 return NULL; /* MSDU or MMPDU not yet complete */ 633 } 634 635 /* find matching entry in the fragment cache */ 636 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 637 df = &ic->ic_defrag[i]; 638 if (df->df_m == NULL) 639 continue; 640 if (df->df_seq != seq || df->df_frag + 1 != frag) 641 continue; 642 owh = mtod(df->df_m, struct ieee80211_frame *); 643 /* frame type, source and destination must match */ 644 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 645 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 646 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 647 continue; 648 /* matching entry found */ 649 break; 650 } 651 if (i == IEEE80211_DEFRAG_SIZE) { 652 /* no matching entry found, discard fragment */ 653 ic->ic_if.if_ierrors++; 654 m_freem(m); 655 return NULL; 656 } 657 658 df->df_frag = frag; 659 /* strip 802.11 header and concatenate fragment */ 660 m_adj(m, hdrlen); 661 m_cat(df->df_m, m); 662 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 663 664 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 665 return NULL; /* MSDU or MMPDU not yet complete */ 666 667 /* MSDU or MMPDU complete */ 668 timeout_del(&df->df_to); 669 m = df->df_m; 670 df->df_m = NULL; 671 return m; 672 } 673 674 /* 675 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 676 */ 677 void 678 ieee80211_defrag_timeout(void *arg) 679 { 680 struct ieee80211_defrag *df = arg; 681 int s = splnet(); 682 683 /* discard all received fragments */ 684 m_freem(df->df_m); 685 df->df_m = NULL; 686 687 splx(s); 688 } 689 690 #ifndef IEEE80211_NO_HT 691 /* 692 * Process a received data MPDU related to a specific HT-immediate Block Ack 693 * agreement (see 9.10.7.6). 694 */ 695 void 696 ieee80211_input_ba(struct ifnet *ifp, struct mbuf *m, 697 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi) 698 { 699 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 700 struct ieee80211_frame *wh; 701 int idx, count; 702 u_int16_t sn; 703 704 wh = mtod(m, struct ieee80211_frame *); 705 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 706 707 /* reset Block Ack inactivity timer */ 708 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 709 710 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 711 ifp->if_ierrors++; 712 m_freem(m); /* discard the MPDU */ 713 return; 714 } 715 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 716 count = (sn - ba->ba_winend) & 0xfff; 717 if (count > ba->ba_winsize) /* no overlap */ 718 count = ba->ba_winsize; 719 while (count-- > 0) { 720 /* gaps may exist */ 721 if (ba->ba_buf[ba->ba_head].m != NULL) { 722 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, 723 ni, &ba->ba_buf[ba->ba_head].rxi); 724 ba->ba_buf[ba->ba_head].m = NULL; 725 } 726 ba->ba_head = (ba->ba_head + 1) % 727 IEEE80211_BA_MAX_WINSZ; 728 } 729 /* move window forward */ 730 ba->ba_winend = sn; 731 ba->ba_winstart = (sn - ba->ba_winsize + 1) & 0xfff; 732 } 733 /* WinStartB <= SN <= WinEndB */ 734 735 idx = (sn - ba->ba_winstart) & 0xfff; 736 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 737 /* store the received MPDU in the buffer */ 738 if (ba->ba_buf[idx].m != NULL) { 739 ifp->if_ierrors++; 740 m_freem(m); 741 return; 742 } 743 ba->ba_buf[idx].m = m; 744 /* store Rx meta-data too */ 745 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 746 ba->ba_buf[idx].rxi = *rxi; 747 748 /* pass reordered MPDUs up to the next MAC process */ 749 while (ba->ba_buf[ba->ba_head].m != NULL) { 750 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 751 &ba->ba_buf[ba->ba_head].rxi); 752 ba->ba_buf[ba->ba_head].m = NULL; 753 754 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 755 /* move window forward */ 756 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 757 } 758 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 759 } 760 761 /* 762 * Change the value of WinStartB (move window forward) upon reception of a 763 * BlockAckReq frame or an ADDBA Request (PBAC). 764 */ 765 void 766 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 767 u_int8_t tid, u_int16_t ssn) 768 { 769 struct ifnet *ifp = &ic->ic_if; 770 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 771 int count; 772 773 /* assert(WinStartB <= SSN) */ 774 775 count = (ssn - ba->ba_winstart) & 0xfff; 776 if (count > ba->ba_winsize) /* no overlap */ 777 count = ba->ba_winsize; 778 while (count-- > 0) { 779 /* gaps may exist */ 780 if (ba->ba_buf[ba->ba_head].m != NULL) { 781 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 782 &ba->ba_buf[ba->ba_head].rxi); 783 ba->ba_buf[ba->ba_head].m = NULL; 784 } 785 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 786 } 787 /* move window forward */ 788 ba->ba_winstart = ssn; 789 790 /* pass reordered MPDUs up to the next MAC process */ 791 while (ba->ba_buf[ba->ba_head].m != NULL) { 792 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 793 &ba->ba_buf[ba->ba_head].rxi); 794 ba->ba_buf[ba->ba_head].m = NULL; 795 796 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 797 /* move window forward */ 798 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 799 } 800 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 801 } 802 #endif /* !IEEE80211_NO_HT */ 803 804 void 805 ieee80211_deliver_data(struct ieee80211com *ic, struct mbuf *m, 806 struct ieee80211_node *ni) 807 { 808 struct ifnet *ifp = &ic->ic_if; 809 struct ether_header *eh; 810 struct mbuf *m1; 811 812 eh = mtod(m, struct ether_header *); 813 814 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 815 eh->ether_type != htons(ETHERTYPE_PAE)) { 816 DPRINTF(("port not valid: %s\n", 817 ether_sprintf(eh->ether_dhost))); 818 ic->ic_stats.is_rx_unauth++; 819 m_freem(m); 820 return; 821 } 822 ifp->if_ipackets++; 823 824 /* 825 * Perform as a bridge within the AP. Notice that we do not 826 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 827 */ 828 m1 = NULL; 829 #ifndef IEEE80211_STA_ONLY 830 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 831 !(ic->ic_flags & IEEE80211_F_NOBRIDGE) && 832 eh->ether_type != htons(ETHERTYPE_PAE)) { 833 struct ieee80211_node *ni1; 834 int error, len; 835 836 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 837 m1 = m_copym2(m, 0, M_COPYALL, M_DONTWAIT); 838 if (m1 == NULL) 839 ifp->if_oerrors++; 840 else 841 m1->m_flags |= M_MCAST; 842 } else { 843 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 844 if (ni1 != NULL && 845 ni1->ni_state == IEEE80211_STA_ASSOC) { 846 m1 = m; 847 m = NULL; 848 } 849 } 850 if (m1 != NULL) { 851 len = m1->m_pkthdr.len; 852 IFQ_ENQUEUE(&ifp->if_snd, m1, NULL, error); 853 if (error) 854 ifp->if_oerrors++; 855 else { 856 if (m != NULL) 857 ifp->if_omcasts++; 858 ifp->if_obytes += len; 859 if_start(ifp); 860 } 861 } 862 } 863 #endif 864 if (m != NULL) { 865 #if NBPFILTER > 0 866 /* 867 * If we forward frame into transmitter of the AP, 868 * we don't need to duplicate for DLT_EN10MB. 869 */ 870 if (ifp->if_bpf && m1 == NULL) 871 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 872 #endif 873 if ((ic->ic_flags & IEEE80211_F_RSNON) && 874 eh->ether_type == htons(ETHERTYPE_PAE)) 875 ieee80211_eapol_key_input(ic, m, ni); 876 else 877 ether_input_mbuf(ifp, m); 878 } 879 } 880 881 #ifdef __STRICT_ALIGNMENT 882 /* 883 * Make sure protocol header (e.g. IP) is aligned on a 32-bit boundary. 884 * This is achieved by copying mbufs so drivers should try to map their 885 * buffers such that this copying is not necessary. It is however not 886 * always possible because 802.11 header length may vary (non-QoS+LLC 887 * is 32 bytes while QoS+LLC is 34 bytes). Some devices are smart and 888 * add 2 padding bytes after the 802.11 header in the QoS case so this 889 * function is there for stupid drivers/devices only. 890 * 891 * XXX -- this is horrible 892 */ 893 struct mbuf * 894 ieee80211_align_mbuf(struct mbuf *m) 895 { 896 struct mbuf *n, *n0, **np; 897 caddr_t newdata; 898 int off, pktlen; 899 900 n0 = NULL; 901 np = &n0; 902 off = 0; 903 pktlen = m->m_pkthdr.len; 904 while (pktlen > off) { 905 if (n0 == NULL) { 906 MGETHDR(n, M_DONTWAIT, MT_DATA); 907 if (n == NULL) { 908 m_freem(m); 909 return NULL; 910 } 911 if (m_dup_pkthdr(n, m, M_DONTWAIT)) { 912 m_free(n); 913 m_freem(m); 914 return (NULL); 915 } 916 n->m_len = MHLEN; 917 } else { 918 MGET(n, M_DONTWAIT, MT_DATA); 919 if (n == NULL) { 920 m_freem(m); 921 m_freem(n0); 922 return NULL; 923 } 924 n->m_len = MLEN; 925 } 926 if (pktlen - off >= MINCLSIZE) { 927 MCLGET(n, M_DONTWAIT); 928 if (n->m_flags & M_EXT) 929 n->m_len = n->m_ext.ext_size; 930 } 931 if (n0 == NULL) { 932 newdata = (caddr_t)ALIGN(n->m_data + ETHER_HDR_LEN) - 933 ETHER_HDR_LEN; 934 n->m_len -= newdata - n->m_data; 935 n->m_data = newdata; 936 } 937 if (n->m_len > pktlen - off) 938 n->m_len = pktlen - off; 939 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 940 off += n->m_len; 941 *np = n; 942 np = &n->m_next; 943 } 944 m_freem(m); 945 return n0; 946 } 947 #endif /* __STRICT_ALIGNMENT */ 948 949 void 950 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 951 struct ieee80211_node *ni, int hdrlen) 952 { 953 struct ether_header eh; 954 struct ieee80211_frame *wh; 955 struct llc *llc; 956 957 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 958 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 959 ic->ic_stats.is_rx_decap++; 960 return; 961 } 962 wh = mtod(m, struct ieee80211_frame *); 963 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 964 case IEEE80211_FC1_DIR_NODS: 965 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 966 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 967 break; 968 case IEEE80211_FC1_DIR_TODS: 969 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 970 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 971 break; 972 case IEEE80211_FC1_DIR_FROMDS: 973 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 974 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 975 break; 976 case IEEE80211_FC1_DIR_DSTODS: 977 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 978 IEEE80211_ADDR_COPY(eh.ether_shost, 979 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 980 break; 981 } 982 llc = (struct llc *)((caddr_t)wh + hdrlen); 983 if (llc->llc_dsap == LLC_SNAP_LSAP && 984 llc->llc_ssap == LLC_SNAP_LSAP && 985 llc->llc_control == LLC_UI && 986 llc->llc_snap.org_code[0] == 0 && 987 llc->llc_snap.org_code[1] == 0 && 988 llc->llc_snap.org_code[2] == 0) { 989 eh.ether_type = llc->llc_snap.ether_type; 990 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 991 } else { 992 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 993 m_adj(m, hdrlen - ETHER_HDR_LEN); 994 } 995 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 996 #ifdef __STRICT_ALIGNMENT 997 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 998 if ((m = ieee80211_align_mbuf(m)) == NULL) { 999 ic->ic_stats.is_rx_decap++; 1000 return; 1001 } 1002 } 1003 #endif 1004 ieee80211_deliver_data(ic, m, ni); 1005 } 1006 1007 #ifndef IEEE80211_NO_HT 1008 /* 1009 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 1010 */ 1011 void 1012 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 1013 struct ieee80211_node *ni, int hdrlen) 1014 { 1015 struct mbuf *n; 1016 struct ether_header *eh; 1017 struct llc *llc; 1018 int len, pad; 1019 1020 /* strip 802.11 header */ 1021 m_adj(m, hdrlen); 1022 1023 for (;;) { 1024 /* process an A-MSDU subframe */ 1025 if (m->m_len < ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 1026 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 1027 if (m == NULL) { 1028 ic->ic_stats.is_rx_decap++; 1029 break; 1030 } 1031 } 1032 eh = mtod(m, struct ether_header *); 1033 /* examine 802.3 header */ 1034 len = ntohs(eh->ether_type); 1035 if (len < LLC_SNAPFRAMELEN) { 1036 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 1037 /* stop processing A-MSDU subframes */ 1038 ic->ic_stats.is_rx_decap++; 1039 m_freem(m); 1040 break; 1041 } 1042 llc = (struct llc *)&eh[1]; 1043 /* examine 802.2 LLC header */ 1044 if (llc->llc_dsap == LLC_SNAP_LSAP && 1045 llc->llc_ssap == LLC_SNAP_LSAP && 1046 llc->llc_control == LLC_UI && 1047 llc->llc_snap.org_code[0] == 0 && 1048 llc->llc_snap.org_code[1] == 0 && 1049 llc->llc_snap.org_code[2] == 0) { 1050 /* convert to Ethernet II header */ 1051 eh->ether_type = llc->llc_snap.ether_type; 1052 /* strip LLC+SNAP headers */ 1053 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh, 1054 ETHER_HDR_LEN); 1055 m_adj(m, LLC_SNAPFRAMELEN); 1056 len -= LLC_SNAPFRAMELEN; 1057 } 1058 len += ETHER_HDR_LEN; 1059 1060 /* "detach" our A-MSDU subframe from the others */ 1061 n = m_split(m, len, M_NOWAIT); 1062 if (n == NULL) { 1063 /* stop processing A-MSDU subframes */ 1064 ic->ic_stats.is_rx_decap++; 1065 m_freem(m); 1066 break; 1067 } 1068 ieee80211_deliver_data(ic, m, ni); 1069 1070 m = n; 1071 /* remove padding */ 1072 pad = ((len + 3) & ~3) - len; 1073 m_adj(m, pad); 1074 } 1075 } 1076 #endif /* !IEEE80211_NO_HT */ 1077 1078 /* 1079 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1080 */ 1081 int 1082 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1083 { 1084 u_int updtcount; 1085 int aci; 1086 1087 /* 1088 * Check if EDCA parameters have changed XXX if we miss more than 1089 * 15 consecutive beacons, we might not detect changes to EDCA 1090 * parameters due to wraparound of the 4-bit Update Count field. 1091 */ 1092 updtcount = frm[0] & 0xf; 1093 if (updtcount == ic->ic_edca_updtcount) 1094 return 0; /* no changes to EDCA parameters, ignore */ 1095 ic->ic_edca_updtcount = updtcount; 1096 1097 frm += 2; /* skip QoS Info & Reserved fields */ 1098 1099 /* parse AC Parameter Records */ 1100 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1101 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1102 1103 ac->ac_acm = (frm[0] >> 4) & 0x1; 1104 ac->ac_aifsn = frm[0] & 0xf; 1105 ac->ac_ecwmin = frm[1] & 0xf; 1106 ac->ac_ecwmax = frm[1] >> 4; 1107 ac->ac_txoplimit = LE_READ_2(frm + 2); 1108 frm += 4; 1109 } 1110 /* give drivers a chance to update their settings */ 1111 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1112 (*ic->ic_updateedca)(ic); 1113 1114 return 0; 1115 } 1116 1117 int 1118 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1119 { 1120 if (frm[1] < 18) { 1121 ic->ic_stats.is_rx_elem_toosmall++; 1122 return IEEE80211_REASON_IE_INVALID; 1123 } 1124 return ieee80211_parse_edca_params_body(ic, frm + 2); 1125 } 1126 1127 int 1128 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1129 { 1130 if (frm[1] < 24) { 1131 ic->ic_stats.is_rx_elem_toosmall++; 1132 return IEEE80211_REASON_IE_INVALID; 1133 } 1134 return ieee80211_parse_edca_params_body(ic, frm + 8); 1135 } 1136 1137 enum ieee80211_cipher 1138 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1139 { 1140 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1141 switch (selector[3]) { 1142 case 0: /* use group data cipher suite */ 1143 return IEEE80211_CIPHER_USEGROUP; 1144 case 1: /* WEP-40 */ 1145 return IEEE80211_CIPHER_WEP40; 1146 case 2: /* TKIP */ 1147 return IEEE80211_CIPHER_TKIP; 1148 case 4: /* CCMP (RSNA default) */ 1149 return IEEE80211_CIPHER_CCMP; 1150 case 5: /* WEP-104 */ 1151 return IEEE80211_CIPHER_WEP104; 1152 } 1153 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1154 /* from IEEE Std 802.11 - Table 20da */ 1155 switch (selector[3]) { 1156 case 0: /* use group data cipher suite */ 1157 return IEEE80211_CIPHER_USEGROUP; 1158 case 1: /* WEP-40 */ 1159 return IEEE80211_CIPHER_WEP40; 1160 case 2: /* TKIP */ 1161 return IEEE80211_CIPHER_TKIP; 1162 case 4: /* CCMP (RSNA default) */ 1163 return IEEE80211_CIPHER_CCMP; 1164 case 5: /* WEP-104 */ 1165 return IEEE80211_CIPHER_WEP104; 1166 case 6: /* BIP */ 1167 return IEEE80211_CIPHER_BIP; 1168 } 1169 } 1170 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1171 } 1172 1173 enum ieee80211_akm 1174 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1175 { 1176 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1177 switch (selector[3]) { 1178 case 1: /* IEEE 802.1X (RSNA default) */ 1179 return IEEE80211_AKM_8021X; 1180 case 2: /* PSK */ 1181 return IEEE80211_AKM_PSK; 1182 } 1183 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1184 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1185 switch (selector[3]) { 1186 case 1: /* IEEE 802.1X (RSNA default) */ 1187 return IEEE80211_AKM_8021X; 1188 case 2: /* PSK */ 1189 return IEEE80211_AKM_PSK; 1190 case 5: /* IEEE 802.1X with SHA256 KDF */ 1191 return IEEE80211_AKM_SHA256_8021X; 1192 case 6: /* PSK with SHA256 KDF */ 1193 return IEEE80211_AKM_SHA256_PSK; 1194 } 1195 } 1196 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1197 } 1198 1199 /* 1200 * Parse an RSN element (see 7.3.2.25). 1201 */ 1202 int 1203 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1204 u_int len, struct ieee80211_rsnparams *rsn) 1205 { 1206 const u_int8_t *efrm; 1207 u_int16_t m, n, s; 1208 1209 efrm = frm + len; 1210 1211 /* check Version field */ 1212 if (LE_READ_2(frm) != 1) 1213 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1214 frm += 2; 1215 1216 /* all fields after the Version field are optional */ 1217 1218 /* if Cipher Suite missing, default to CCMP */ 1219 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1220 rsn->rsn_nciphers = 1; 1221 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1222 /* if Group Management Cipher Suite missing, defaut to BIP */ 1223 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1224 /* if AKM Suite missing, default to 802.1X */ 1225 rsn->rsn_nakms = 1; 1226 rsn->rsn_akms = IEEE80211_AKM_8021X; 1227 /* if RSN capabilities missing, default to 0 */ 1228 rsn->rsn_caps = 0; 1229 rsn->rsn_npmkids = 0; 1230 1231 /* read Group Data Cipher Suite field */ 1232 if (frm + 4 > efrm) 1233 return 0; 1234 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1235 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP) 1236 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1237 frm += 4; 1238 1239 /* read Pairwise Cipher Suite Count field */ 1240 if (frm + 2 > efrm) 1241 return 0; 1242 m = rsn->rsn_nciphers = LE_READ_2(frm); 1243 frm += 2; 1244 1245 /* read Pairwise Cipher Suite List */ 1246 if (frm + m * 4 > efrm) 1247 return IEEE80211_STATUS_IE_INVALID; 1248 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1249 while (m-- > 0) { 1250 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1251 frm += 4; 1252 } 1253 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1254 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1255 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1256 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1257 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1258 } 1259 1260 /* read AKM Suite List Count field */ 1261 if (frm + 2 > efrm) 1262 return 0; 1263 n = rsn->rsn_nakms = LE_READ_2(frm); 1264 frm += 2; 1265 1266 /* read AKM Suite List */ 1267 if (frm + n * 4 > efrm) 1268 return IEEE80211_STATUS_IE_INVALID; 1269 rsn->rsn_akms = IEEE80211_AKM_NONE; 1270 while (n-- > 0) { 1271 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1272 frm += 4; 1273 } 1274 1275 /* read RSN Capabilities field */ 1276 if (frm + 2 > efrm) 1277 return 0; 1278 rsn->rsn_caps = LE_READ_2(frm); 1279 frm += 2; 1280 1281 /* read PMKID Count field */ 1282 if (frm + 2 > efrm) 1283 return 0; 1284 s = rsn->rsn_npmkids = LE_READ_2(frm); 1285 frm += 2; 1286 1287 /* read PMKID List */ 1288 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1289 return IEEE80211_STATUS_IE_INVALID; 1290 if (s != 0) { 1291 rsn->rsn_pmkids = frm; 1292 frm += s * IEEE80211_PMKID_LEN; 1293 } 1294 1295 /* read Group Management Cipher Suite field */ 1296 if (frm + 4 > efrm) 1297 return 0; 1298 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1299 1300 return IEEE80211_STATUS_SUCCESS; 1301 } 1302 1303 int 1304 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1305 struct ieee80211_rsnparams *rsn) 1306 { 1307 if (frm[1] < 2) { 1308 ic->ic_stats.is_rx_elem_toosmall++; 1309 return IEEE80211_STATUS_IE_INVALID; 1310 } 1311 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1312 } 1313 1314 int 1315 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1316 struct ieee80211_rsnparams *rsn) 1317 { 1318 if (frm[1] < 6) { 1319 ic->ic_stats.is_rx_elem_toosmall++; 1320 return IEEE80211_STATUS_IE_INVALID; 1321 } 1322 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1323 } 1324 1325 /* 1326 * Create (or update) a copy of an information element. 1327 */ 1328 int 1329 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1330 { 1331 if (*ie == NULL || (*ie)[1] != frm[1]) { 1332 if (*ie != NULL) 1333 free(*ie, M_DEVBUF, 0); 1334 *ie = malloc(2 + frm[1], M_DEVBUF, M_NOWAIT); 1335 if (*ie == NULL) 1336 return ENOMEM; 1337 } 1338 memcpy(*ie, frm, 2 + frm[1]); 1339 return 0; 1340 } 1341 1342 /*- 1343 * Beacon/Probe response frame format: 1344 * [8] Timestamp 1345 * [2] Beacon interval 1346 * [2] Capability 1347 * [tlv] Service Set Identifier (SSID) 1348 * [tlv] Supported rates 1349 * [tlv] DS Parameter Set (802.11g) 1350 * [tlv] ERP Information (802.11g) 1351 * [tlv] Extended Supported Rates (802.11g) 1352 * [tlv] RSN (802.11i) 1353 * [tlv] EDCA Parameter Set (802.11e) 1354 * [tlv] QoS Capability (Beacon only, 802.11e) 1355 * [tlv] HT Capabilities (802.11n) 1356 * [tlv] HT Operation (802.11n) 1357 */ 1358 void 1359 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1360 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int isprobe) 1361 { 1362 const struct ieee80211_frame *wh; 1363 const u_int8_t *frm, *efrm; 1364 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1365 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1366 u_int16_t capinfo, bintval; 1367 u_int8_t chan, bchan, erp; 1368 int is_new; 1369 1370 /* 1371 * We process beacon/probe response frames for: 1372 * o station mode: to collect state 1373 * updates such as 802.11g slot time and for passive 1374 * scanning of APs 1375 * o adhoc mode: to discover neighbors 1376 * o hostap mode: for passive scanning of neighbor APs 1377 * o when scanning 1378 * In other words, in all modes other than monitor (which 1379 * does not process incoming frames) and adhoc-demo (which 1380 * does not use management frames at all). 1381 */ 1382 #ifdef DIAGNOSTIC 1383 if (ic->ic_opmode != IEEE80211_M_STA && 1384 #ifndef IEEE80211_STA_ONLY 1385 ic->ic_opmode != IEEE80211_M_IBSS && 1386 ic->ic_opmode != IEEE80211_M_HOSTAP && 1387 #endif 1388 ic->ic_state != IEEE80211_S_SCAN) { 1389 panic("%s: impossible operating mode", __func__); 1390 } 1391 #endif 1392 /* make sure all mandatory fixed fields are present */ 1393 if (m->m_len < sizeof(*wh) + 12) { 1394 DPRINTF(("frame too short\n")); 1395 return; 1396 } 1397 wh = mtod(m, struct ieee80211_frame *); 1398 frm = (const u_int8_t *)&wh[1]; 1399 efrm = mtod(m, u_int8_t *) + m->m_len; 1400 1401 tstamp = frm; frm += 8; 1402 bintval = LE_READ_2(frm); frm += 2; 1403 capinfo = LE_READ_2(frm); frm += 2; 1404 1405 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1406 htcaps = htop = NULL; 1407 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1408 chan = bchan; 1409 erp = 0; 1410 while (frm + 2 <= efrm) { 1411 if (frm + 2 + frm[1] > efrm) { 1412 ic->ic_stats.is_rx_elem_toosmall++; 1413 break; 1414 } 1415 switch (frm[0]) { 1416 case IEEE80211_ELEMID_SSID: 1417 ssid = frm; 1418 break; 1419 case IEEE80211_ELEMID_RATES: 1420 rates = frm; 1421 break; 1422 case IEEE80211_ELEMID_DSPARMS: 1423 if (frm[1] < 1) { 1424 ic->ic_stats.is_rx_elem_toosmall++; 1425 break; 1426 } 1427 chan = frm[2]; 1428 break; 1429 case IEEE80211_ELEMID_XRATES: 1430 xrates = frm; 1431 break; 1432 case IEEE80211_ELEMID_ERP: 1433 if (frm[1] < 1) { 1434 ic->ic_stats.is_rx_elem_toosmall++; 1435 break; 1436 } 1437 erp = frm[2]; 1438 break; 1439 case IEEE80211_ELEMID_RSN: 1440 rsnie = frm; 1441 break; 1442 case IEEE80211_ELEMID_EDCAPARMS: 1443 edcaie = frm; 1444 break; 1445 #ifndef IEEE80211_NO_HT 1446 case IEEE80211_ELEMID_HTCAPS: 1447 htcaps = frm; 1448 break; 1449 case IEEE80211_ELEMID_HTOP: 1450 htop = frm; 1451 break; 1452 #endif 1453 case IEEE80211_ELEMID_VENDOR: 1454 if (frm[1] < 4) { 1455 ic->ic_stats.is_rx_elem_toosmall++; 1456 break; 1457 } 1458 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1459 if (frm[5] == 1) 1460 wpaie = frm; 1461 else if (frm[1] >= 5 && 1462 frm[5] == 2 && frm[6] == 1) 1463 wmmie = frm; 1464 } 1465 break; 1466 } 1467 frm += 2 + frm[1]; 1468 } 1469 /* supported rates element is mandatory */ 1470 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1471 DPRINTF(("invalid supported rates element\n")); 1472 return; 1473 } 1474 /* SSID element is mandatory */ 1475 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1476 DPRINTF(("invalid SSID element\n")); 1477 return; 1478 } 1479 1480 if ( 1481 #if IEEE80211_CHAN_MAX < 255 1482 chan > IEEE80211_CHAN_MAX || 1483 #endif 1484 isclr(ic->ic_chan_active, chan)) { 1485 DPRINTF(("ignore %s with invalid channel %u\n", 1486 isprobe ? "probe response" : "beacon", chan)); 1487 ic->ic_stats.is_rx_badchan++; 1488 return; 1489 } 1490 if ((ic->ic_state != IEEE80211_S_SCAN || 1491 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1492 chan != bchan) { 1493 /* 1494 * Frame was received on a channel different from the 1495 * one indicated in the DS params element id; 1496 * silently discard it. 1497 * 1498 * NB: this can happen due to signal leakage. 1499 */ 1500 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1501 isprobe ? "probe response" : "beacon", bchan, chan)); 1502 ic->ic_stats.is_rx_chanmismatch++; 1503 return; 1504 } 1505 /* 1506 * Use mac, channel and rssi so we collect only the 1507 * best potential AP with the equal bssid while scanning. 1508 * Collecting all potential APs may result in bloat of 1509 * the node tree. This call will return NULL if the node 1510 * for this APs does not exist or if the new node is the 1511 * potential better one. 1512 */ 1513 if ((ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1514 &ic->ic_channels[chan], ssid, rxi->rxi_rssi)) != NULL) 1515 return; 1516 1517 #ifdef IEEE80211_DEBUG 1518 if (ieee80211_debug && 1519 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN)) { 1520 printf("%s: %s%s on chan %u (bss chan %u) ", 1521 __func__, (ni == NULL ? "new " : ""), 1522 isprobe ? "probe response" : "beacon", 1523 chan, bchan); 1524 ieee80211_print_essid(ssid + 2, ssid[1]); 1525 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1526 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1527 __func__, capinfo, bintval, erp); 1528 } 1529 #endif 1530 1531 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1532 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1533 if (ni == NULL) 1534 return; 1535 is_new = 1; 1536 } else 1537 is_new = 0; 1538 1539 /* 1540 * When operating in station mode, check for state updates 1541 * while we're associated. We consider only 11g stuff right 1542 * now. 1543 */ 1544 if (ic->ic_opmode == IEEE80211_M_STA && 1545 ic->ic_state == IEEE80211_S_RUN && 1546 ni->ni_state == IEEE80211_STA_BSS) { 1547 /* 1548 * Check if protection mode has changed since last beacon. 1549 */ 1550 if (ni->ni_erp != erp) { 1551 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1552 ether_sprintf((u_int8_t *)wh->i_addr2), 1553 ni->ni_erp, erp)); 1554 if (ic->ic_curmode == IEEE80211_MODE_11G && 1555 (erp & IEEE80211_ERP_USE_PROTECTION)) 1556 ic->ic_flags |= IEEE80211_F_USEPROT; 1557 else 1558 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1559 ic->ic_bss->ni_erp = erp; 1560 } 1561 /* 1562 * Check if AP short slot time setting has changed 1563 * since last beacon and give the driver a chance to 1564 * update the hardware. 1565 */ 1566 if ((ni->ni_capinfo ^ capinfo) & 1567 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1568 ieee80211_set_shortslottime(ic, 1569 ic->ic_curmode == IEEE80211_MODE_11A || 1570 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1571 } 1572 } 1573 /* 1574 * We do not try to update EDCA parameters if QoS was not negotiated 1575 * with the AP at association time. 1576 */ 1577 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1578 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1579 if (edcaie != NULL) 1580 ieee80211_parse_edca_params(ic, edcaie); 1581 else if (wmmie != NULL) 1582 ieee80211_parse_wmm_params(ic, wmmie); 1583 } 1584 1585 if (ic->ic_state == IEEE80211_S_SCAN 1586 #ifndef IEEE80211_STA_ONLY 1587 && ic->ic_opmode != IEEE80211_M_HOSTAP 1588 #endif 1589 ) { 1590 struct ieee80211_rsnparams rsn; 1591 const u_int8_t *saveie = NULL; 1592 /* 1593 * If the AP advertises both RSN and WPA IEs (WPA1+WPA2), 1594 * we only store the parameters of the highest protocol 1595 * version we support. 1596 */ 1597 if (rsnie != NULL && 1598 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1599 if (ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1600 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1601 saveie = rsnie; 1602 } 1603 } else if (wpaie != NULL && 1604 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1605 if (ieee80211_parse_wpa(ic, wpaie, &rsn) == 0) { 1606 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1607 saveie = wpaie; 1608 } 1609 } 1610 if (saveie != NULL && 1611 ieee80211_save_ie(saveie, &ni->ni_rsnie) == 0) { 1612 ni->ni_rsnakms = rsn.rsn_akms; 1613 ni->ni_rsnciphers = rsn.rsn_ciphers; 1614 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1615 ni->ni_rsngroupmgmtcipher = rsn.rsn_groupmgmtcipher; 1616 ni->ni_rsncaps = rsn.rsn_caps; 1617 } else 1618 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1619 } 1620 1621 if (ssid[1] != 0 && ni->ni_esslen == 0) { 1622 ni->ni_esslen = ssid[1]; 1623 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1624 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1625 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1626 } 1627 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1628 ni->ni_rssi = rxi->rxi_rssi; 1629 ni->ni_rstamp = rxi->rxi_tstamp; 1630 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1631 ni->ni_intval = bintval; 1632 ni->ni_capinfo = capinfo; 1633 /* XXX validate channel # */ 1634 ni->ni_chan = &ic->ic_channels[chan]; 1635 ni->ni_erp = erp; 1636 /* NB: must be after ni_chan is setup */ 1637 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1638 1639 /* 1640 * When scanning we record results (nodes) with a zero 1641 * refcnt. Otherwise we want to hold the reference for 1642 * ibss neighbors so the nodes don't get released prematurely. 1643 * Anything else can be discarded (XXX and should be handled 1644 * above so we don't do so much work). 1645 */ 1646 if ( 1647 #ifndef IEEE80211_STA_ONLY 1648 ic->ic_opmode == IEEE80211_M_IBSS || 1649 #endif 1650 (is_new && isprobe)) { 1651 /* 1652 * Fake an association so the driver can setup it's 1653 * private state. The rate set has been setup above; 1654 * there is no handshake as in ap/station operation. 1655 */ 1656 if (ic->ic_newassoc) 1657 (*ic->ic_newassoc)(ic, ni, 1); 1658 } 1659 } 1660 1661 #ifndef IEEE80211_STA_ONLY 1662 /*- 1663 * Probe request frame format: 1664 * [tlv] SSID 1665 * [tlv] Supported rates 1666 * [tlv] Extended Supported Rates (802.11g) 1667 * [tlv] HT Capabilities (802.11n) 1668 */ 1669 void 1670 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 1671 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1672 { 1673 const struct ieee80211_frame *wh; 1674 const u_int8_t *frm, *efrm; 1675 const u_int8_t *ssid, *rates, *xrates, *htcaps; 1676 u_int8_t rate; 1677 1678 if (ic->ic_opmode == IEEE80211_M_STA || 1679 ic->ic_state != IEEE80211_S_RUN) 1680 return; 1681 1682 wh = mtod(m, struct ieee80211_frame *); 1683 frm = (const u_int8_t *)&wh[1]; 1684 efrm = mtod(m, u_int8_t *) + m->m_len; 1685 1686 ssid = rates = xrates = htcaps = NULL; 1687 while (frm + 2 <= efrm) { 1688 if (frm + 2 + frm[1] > efrm) { 1689 ic->ic_stats.is_rx_elem_toosmall++; 1690 break; 1691 } 1692 switch (frm[0]) { 1693 case IEEE80211_ELEMID_SSID: 1694 ssid = frm; 1695 break; 1696 case IEEE80211_ELEMID_RATES: 1697 rates = frm; 1698 break; 1699 case IEEE80211_ELEMID_XRATES: 1700 xrates = frm; 1701 break; 1702 #ifndef IEEE80211_NO_HT 1703 case IEEE80211_ELEMID_HTCAPS: 1704 htcaps = frm; 1705 break; 1706 #endif 1707 } 1708 frm += 2 + frm[1]; 1709 } 1710 /* supported rates element is mandatory */ 1711 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1712 DPRINTF(("invalid supported rates element\n")); 1713 return; 1714 } 1715 /* SSID element is mandatory */ 1716 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1717 DPRINTF(("invalid SSID element\n")); 1718 return; 1719 } 1720 /* check that the specified SSID (if not wildcard) matches ours */ 1721 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 1722 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 1723 DPRINTF(("SSID mismatch\n")); 1724 ic->ic_stats.is_rx_ssidmismatch++; 1725 return; 1726 } 1727 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 1728 if (ssid[1] == 0 && (ic->ic_flags & IEEE80211_F_HIDENWID)) { 1729 DPRINTF(("wildcard SSID rejected")); 1730 ic->ic_stats.is_rx_ssidmismatch++; 1731 return; 1732 } 1733 1734 if (ni == ic->ic_bss) { 1735 ni = ieee80211_find_node(ic, wh->i_addr2); 1736 if (ni == NULL) 1737 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1738 if (ni == NULL) 1739 return; 1740 DPRINTF(("new probe req from %s\n", 1741 ether_sprintf((u_int8_t *)wh->i_addr2))); 1742 } 1743 ni->ni_rssi = rxi->rxi_rssi; 1744 ni->ni_rstamp = rxi->rxi_tstamp; 1745 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1746 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1747 IEEE80211_F_DODEL); 1748 if (rate & IEEE80211_RATE_BASIC) { 1749 DPRINTF(("rate mismatch for %s\n", 1750 ether_sprintf((u_int8_t *)wh->i_addr2))); 1751 return; 1752 } 1753 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1754 } 1755 #endif /* IEEE80211_STA_ONLY */ 1756 1757 /*- 1758 * Authentication frame format: 1759 * [2] Authentication algorithm number 1760 * [2] Authentication transaction sequence number 1761 * [2] Status code 1762 */ 1763 void 1764 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 1765 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1766 { 1767 const struct ieee80211_frame *wh; 1768 const u_int8_t *frm; 1769 u_int16_t algo, seq, status; 1770 1771 /* make sure all mandatory fixed fields are present */ 1772 if (m->m_len < sizeof(*wh) + 6) { 1773 DPRINTF(("frame too short\n")); 1774 return; 1775 } 1776 wh = mtod(m, struct ieee80211_frame *); 1777 frm = (const u_int8_t *)&wh[1]; 1778 1779 algo = LE_READ_2(frm); frm += 2; 1780 seq = LE_READ_2(frm); frm += 2; 1781 status = LE_READ_2(frm); frm += 2; 1782 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 1783 ether_sprintf((u_int8_t *)wh->i_addr2))); 1784 1785 /* only "open" auth mode is supported */ 1786 if (algo != IEEE80211_AUTH_ALG_OPEN) { 1787 DPRINTF(("unsupported auth algorithm %d from %s\n", 1788 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 1789 ic->ic_stats.is_rx_auth_unsupported++; 1790 #ifndef IEEE80211_STA_ONLY 1791 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1792 /* XXX hack to workaround calling convention */ 1793 IEEE80211_SEND_MGMT(ic, ni, 1794 IEEE80211_FC0_SUBTYPE_AUTH, 1795 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xffff)); 1796 } 1797 #endif 1798 return; 1799 } 1800 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 1801 } 1802 1803 #ifndef IEEE80211_STA_ONLY 1804 /*- 1805 * (Re)Association request frame format: 1806 * [2] Capability information 1807 * [2] Listen interval 1808 * [6*] Current AP address (Reassociation only) 1809 * [tlv] SSID 1810 * [tlv] Supported rates 1811 * [tlv] Extended Supported Rates (802.11g) 1812 * [tlv] RSN (802.11i) 1813 * [tlv] QoS Capability (802.11e) 1814 * [tlv] HT Capabilities (802.11n) 1815 */ 1816 void 1817 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 1818 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 1819 { 1820 const struct ieee80211_frame *wh; 1821 const u_int8_t *frm, *efrm; 1822 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *htcaps; 1823 u_int16_t capinfo, bintval; 1824 int resp, status = 0; 1825 struct ieee80211_rsnparams rsn; 1826 u_int8_t rate; 1827 1828 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1829 ic->ic_state != IEEE80211_S_RUN) 1830 return; 1831 1832 /* make sure all mandatory fixed fields are present */ 1833 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 1834 DPRINTF(("frame too short\n")); 1835 return; 1836 } 1837 wh = mtod(m, struct ieee80211_frame *); 1838 frm = (const u_int8_t *)&wh[1]; 1839 efrm = mtod(m, u_int8_t *) + m->m_len; 1840 1841 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1842 DPRINTF(("ignore other bss from %s\n", 1843 ether_sprintf((u_int8_t *)wh->i_addr2))); 1844 ic->ic_stats.is_rx_assoc_bss++; 1845 return; 1846 } 1847 capinfo = LE_READ_2(frm); frm += 2; 1848 bintval = LE_READ_2(frm); frm += 2; 1849 if (reassoc) { 1850 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 1851 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1852 } else 1853 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1854 1855 ssid = rates = xrates = rsnie = wpaie = htcaps = NULL; 1856 while (frm + 2 <= efrm) { 1857 if (frm + 2 + frm[1] > efrm) { 1858 ic->ic_stats.is_rx_elem_toosmall++; 1859 break; 1860 } 1861 switch (frm[0]) { 1862 case IEEE80211_ELEMID_SSID: 1863 ssid = frm; 1864 break; 1865 case IEEE80211_ELEMID_RATES: 1866 rates = frm; 1867 break; 1868 case IEEE80211_ELEMID_XRATES: 1869 xrates = frm; 1870 break; 1871 case IEEE80211_ELEMID_RSN: 1872 rsnie = frm; 1873 break; 1874 case IEEE80211_ELEMID_QOS_CAP: 1875 break; 1876 #ifndef IEEE80211_NO_HT 1877 case IEEE80211_ELEMID_HTCAPS: 1878 htcaps = frm; 1879 break; 1880 #endif 1881 case IEEE80211_ELEMID_VENDOR: 1882 if (frm[1] < 4) { 1883 ic->ic_stats.is_rx_elem_toosmall++; 1884 break; 1885 } 1886 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1887 if (frm[5] == 1) 1888 wpaie = frm; 1889 } 1890 break; 1891 } 1892 frm += 2 + frm[1]; 1893 } 1894 /* supported rates element is mandatory */ 1895 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1896 DPRINTF(("invalid supported rates element\n")); 1897 return; 1898 } 1899 /* SSID element is mandatory */ 1900 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1901 DPRINTF(("invalid SSID element\n")); 1902 return; 1903 } 1904 /* check that the specified SSID matches ours */ 1905 if (ssid[1] != ic->ic_bss->ni_esslen || 1906 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 1907 DPRINTF(("SSID mismatch\n")); 1908 ic->ic_stats.is_rx_ssidmismatch++; 1909 return; 1910 } 1911 1912 if (ni->ni_state != IEEE80211_STA_AUTH && 1913 ni->ni_state != IEEE80211_STA_ASSOC) { 1914 DPRINTF(("deny %sassoc from %s, not authenticated\n", 1915 reassoc ? "re" : "", 1916 ether_sprintf((u_int8_t *)wh->i_addr2))); 1917 ni = ieee80211_find_node(ic, wh->i_addr2); 1918 if (ni == NULL) 1919 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1920 if (ni != NULL) { 1921 IEEE80211_SEND_MGMT(ic, ni, 1922 IEEE80211_FC0_SUBTYPE_DEAUTH, 1923 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1924 } 1925 ic->ic_stats.is_rx_assoc_notauth++; 1926 return; 1927 } 1928 1929 if (ni->ni_state == IEEE80211_STA_ASSOC && 1930 (ni->ni_flags & IEEE80211_NODE_MFP)) { 1931 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 1932 /* send a protected Disassociate frame */ 1933 IEEE80211_SEND_MGMT(ic, ni, 1934 IEEE80211_FC0_SUBTYPE_DISASSOC, 1935 IEEE80211_REASON_AUTH_EXPIRE); 1936 /* terminate the old SA */ 1937 ieee80211_node_leave(ic, ni); 1938 } else { 1939 /* reject the (Re)Association Request temporarily */ 1940 IEEE80211_SEND_MGMT(ic, ni, resp, 1941 IEEE80211_STATUS_TRY_AGAIN_LATER); 1942 /* start SA Query procedure if not already engaged */ 1943 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 1944 ieee80211_sa_query_request(ic, ni); 1945 /* do not modify association state */ 1946 } 1947 return; 1948 } 1949 1950 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 1951 ic->ic_stats.is_rx_assoc_capmismatch++; 1952 status = IEEE80211_STATUS_CAPINFO; 1953 goto end; 1954 } 1955 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1956 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1957 IEEE80211_F_DODEL); 1958 if (rate & IEEE80211_RATE_BASIC) { 1959 ic->ic_stats.is_rx_assoc_norate++; 1960 status = IEEE80211_STATUS_BASIC_RATE; 1961 goto end; 1962 } 1963 1964 if (ic->ic_flags & IEEE80211_F_RSNON) { 1965 const u_int8_t *saveie; 1966 /* 1967 * A station should never include both a WPA and an RSN IE 1968 * in its (Re)Association Requests, but if it does, we only 1969 * consider the IE of the highest version of the protocol 1970 * that is allowed (ie RSN over WPA). 1971 */ 1972 if (rsnie != NULL && 1973 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1974 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 1975 if (status != 0) 1976 goto end; 1977 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1978 saveie = rsnie; 1979 } else if (wpaie != NULL && 1980 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1981 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 1982 if (status != 0) 1983 goto end; 1984 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1985 saveie = wpaie; 1986 } else { 1987 /* 1988 * In an RSN, an AP shall not associate with STAs 1989 * that fail to include the RSN IE in the 1990 * (Re)Association Request. 1991 */ 1992 status = IEEE80211_STATUS_IE_INVALID; 1993 goto end; 1994 } 1995 /* 1996 * The initiating STA's RSN IE shall include one authentication 1997 * and pairwise cipher suite among those advertised by the 1998 * targeted AP. It shall also specify the group cipher suite 1999 * specified by the targeted AP. 2000 */ 2001 if (rsn.rsn_nakms != 1 || 2002 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2003 status = IEEE80211_STATUS_BAD_AKMP; 2004 goto end; 2005 } 2006 if (rsn.rsn_nciphers != 1 || 2007 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2008 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2009 goto end; 2010 } 2011 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2012 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2013 goto end; 2014 } 2015 2016 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2017 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2018 status = IEEE80211_STATUS_MFP_POLICY; 2019 goto end; 2020 } 2021 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2022 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2023 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2024 /* STA advertises an invalid setting */ 2025 status = IEEE80211_STATUS_MFP_POLICY; 2026 goto end; 2027 } 2028 /* 2029 * A STA that has associated with Management Frame Protection 2030 * enabled shall not use cipher suite pairwise selector WEP40, 2031 * WEP104, TKIP, or "Use Group cipher suite". 2032 */ 2033 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2034 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2035 rsn.rsn_groupmgmtcipher != 2036 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2037 status = IEEE80211_STATUS_MFP_POLICY; 2038 goto end; 2039 } 2040 2041 /* 2042 * Disallow new associations using TKIP if countermeasures 2043 * are active. 2044 */ 2045 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2046 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2047 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2048 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2049 goto end; 2050 } 2051 2052 /* everything looks fine, save IE and parameters */ 2053 if (ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2054 status = IEEE80211_STATUS_TOOMANY; 2055 goto end; 2056 } 2057 ni->ni_rsnakms = rsn.rsn_akms; 2058 ni->ni_rsnciphers = rsn.rsn_ciphers; 2059 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2060 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2061 ni->ni_rsncaps = rsn.rsn_caps; 2062 2063 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2064 struct ieee80211_pmk *pmk = NULL; 2065 const u_int8_t *pmkid = rsn.rsn_pmkids; 2066 /* 2067 * Check if we have a cached PMK entry matching one 2068 * of the PMKIDs specified in the RSN IE. 2069 */ 2070 while (rsn.rsn_npmkids-- > 0) { 2071 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2072 if (pmk != NULL) 2073 break; 2074 pmkid += IEEE80211_PMKID_LEN; 2075 } 2076 if (pmk != NULL) { 2077 memcpy(ni->ni_pmk, pmk->pmk_key, 2078 IEEE80211_PMK_LEN); 2079 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2080 IEEE80211_PMKID_LEN); 2081 ni->ni_flags |= IEEE80211_NODE_PMK; 2082 } 2083 } 2084 } else 2085 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2086 2087 ni->ni_rssi = rxi->rxi_rssi; 2088 ni->ni_rstamp = rxi->rxi_tstamp; 2089 ni->ni_intval = bintval; 2090 ni->ni_capinfo = capinfo; 2091 ni->ni_chan = ic->ic_bss->ni_chan; 2092 end: 2093 if (status != 0) { 2094 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2095 ieee80211_node_leave(ic, ni); 2096 } else 2097 ieee80211_node_join(ic, ni, resp); 2098 } 2099 #endif /* IEEE80211_STA_ONLY */ 2100 2101 /*- 2102 * (Re)Association response frame format: 2103 * [2] Capability information 2104 * [2] Status code 2105 * [2] Association ID (AID) 2106 * [tlv] Supported rates 2107 * [tlv] Extended Supported Rates (802.11g) 2108 * [tlv] EDCA Parameter Set (802.11e) 2109 * [tlv] HT Capabilities (802.11n) 2110 * [tlv] HT Operation (802.11n) 2111 */ 2112 void 2113 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2114 struct ieee80211_node *ni, int reassoc) 2115 { 2116 struct ifnet *ifp = &ic->ic_if; 2117 const struct ieee80211_frame *wh; 2118 const u_int8_t *frm, *efrm; 2119 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2120 u_int16_t capinfo, status, associd; 2121 u_int8_t rate; 2122 2123 if (ic->ic_opmode != IEEE80211_M_STA || 2124 ic->ic_state != IEEE80211_S_ASSOC) { 2125 ic->ic_stats.is_rx_mgtdiscard++; 2126 return; 2127 } 2128 2129 /* make sure all mandatory fixed fields are present */ 2130 if (m->m_len < sizeof(*wh) + 6) { 2131 DPRINTF(("frame too short\n")); 2132 return; 2133 } 2134 wh = mtod(m, struct ieee80211_frame *); 2135 frm = (const u_int8_t *)&wh[1]; 2136 efrm = mtod(m, u_int8_t *) + m->m_len; 2137 2138 capinfo = LE_READ_2(frm); frm += 2; 2139 status = LE_READ_2(frm); frm += 2; 2140 if (status != IEEE80211_STATUS_SUCCESS) { 2141 if (ifp->if_flags & IFF_DEBUG) 2142 printf("%s: %sassociation failed (status %d)" 2143 " for %s\n", ifp->if_xname, 2144 reassoc ? "re" : "", 2145 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2146 if (ni != ic->ic_bss) 2147 ni->ni_fails++; 2148 ic->ic_stats.is_rx_auth_fail++; 2149 return; 2150 } 2151 associd = LE_READ_2(frm); frm += 2; 2152 2153 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2154 while (frm + 2 <= efrm) { 2155 if (frm + 2 + frm[1] > efrm) { 2156 ic->ic_stats.is_rx_elem_toosmall++; 2157 break; 2158 } 2159 switch (frm[0]) { 2160 case IEEE80211_ELEMID_RATES: 2161 rates = frm; 2162 break; 2163 case IEEE80211_ELEMID_XRATES: 2164 xrates = frm; 2165 break; 2166 case IEEE80211_ELEMID_EDCAPARMS: 2167 edcaie = frm; 2168 break; 2169 #ifndef IEEE80211_NO_HT 2170 case IEEE80211_ELEMID_HTCAPS: 2171 htcaps = frm; 2172 break; 2173 case IEEE80211_ELEMID_HTOP: 2174 htop = frm; 2175 break; 2176 #endif 2177 case IEEE80211_ELEMID_VENDOR: 2178 if (frm[1] < 4) { 2179 ic->ic_stats.is_rx_elem_toosmall++; 2180 break; 2181 } 2182 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2183 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2184 wmmie = frm; 2185 } 2186 break; 2187 } 2188 frm += 2 + frm[1]; 2189 } 2190 /* supported rates element is mandatory */ 2191 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2192 DPRINTF(("invalid supported rates element\n")); 2193 return; 2194 } 2195 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2196 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2197 IEEE80211_F_DODEL); 2198 if (rate & IEEE80211_RATE_BASIC) { 2199 DPRINTF(("rate mismatch for %s\n", 2200 ether_sprintf((u_int8_t *)wh->i_addr2))); 2201 ic->ic_stats.is_rx_assoc_norate++; 2202 return; 2203 } 2204 ni->ni_capinfo = capinfo; 2205 ni->ni_associd = associd; 2206 if (edcaie != NULL || wmmie != NULL) { 2207 /* force update of EDCA parameters */ 2208 ic->ic_edca_updtcount = -1; 2209 2210 if ((edcaie != NULL && 2211 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2212 (wmmie != NULL && 2213 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2214 ni->ni_flags |= IEEE80211_NODE_QOS; 2215 else /* for Reassociation */ 2216 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2217 } 2218 /* 2219 * Configure state now that we are associated. 2220 */ 2221 if (ic->ic_curmode == IEEE80211_MODE_11A || 2222 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2223 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2224 else 2225 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2226 2227 ieee80211_set_shortslottime(ic, 2228 ic->ic_curmode == IEEE80211_MODE_11A || 2229 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2230 /* 2231 * Honor ERP protection. 2232 */ 2233 if (ic->ic_curmode == IEEE80211_MODE_11G && 2234 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2235 ic->ic_flags |= IEEE80211_F_USEPROT; 2236 else 2237 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2238 /* 2239 * If not an RSNA, mark the port as valid, otherwise wait for 2240 * 802.1X authentication and 4-way handshake to complete.. 2241 */ 2242 if (ic->ic_flags & IEEE80211_F_RSNON) { 2243 /* XXX ic->ic_mgt_timer = 5; */ 2244 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2245 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2246 2247 ieee80211_new_state(ic, IEEE80211_S_RUN, 2248 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2249 } 2250 2251 /*- 2252 * Deauthentication frame format: 2253 * [2] Reason code 2254 */ 2255 void 2256 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2257 struct ieee80211_node *ni) 2258 { 2259 const struct ieee80211_frame *wh; 2260 const u_int8_t *frm; 2261 u_int16_t reason; 2262 2263 /* make sure all mandatory fixed fields are present */ 2264 if (m->m_len < sizeof(*wh) + 2) { 2265 DPRINTF(("frame too short\n")); 2266 return; 2267 } 2268 wh = mtod(m, struct ieee80211_frame *); 2269 frm = (const u_int8_t *)&wh[1]; 2270 2271 reason = LE_READ_2(frm); 2272 2273 ic->ic_stats.is_rx_deauth++; 2274 switch (ic->ic_opmode) { 2275 case IEEE80211_M_STA: 2276 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2277 IEEE80211_FC0_SUBTYPE_DEAUTH); 2278 break; 2279 #ifndef IEEE80211_STA_ONLY 2280 case IEEE80211_M_HOSTAP: 2281 if (ni != ic->ic_bss) { 2282 if (ic->ic_if.if_flags & IFF_DEBUG) 2283 printf("%s: station %s deauthenticated " 2284 "by peer (reason %d)\n", 2285 ic->ic_if.if_xname, 2286 ether_sprintf(ni->ni_macaddr), 2287 reason); 2288 ieee80211_node_leave(ic, ni); 2289 } 2290 break; 2291 #endif 2292 default: 2293 break; 2294 } 2295 } 2296 2297 /*- 2298 * Disassociation frame format: 2299 * [2] Reason code 2300 */ 2301 void 2302 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2303 struct ieee80211_node *ni) 2304 { 2305 const struct ieee80211_frame *wh; 2306 const u_int8_t *frm; 2307 u_int16_t reason; 2308 2309 /* make sure all mandatory fixed fields are present */ 2310 if (m->m_len < sizeof(*wh) + 2) { 2311 DPRINTF(("frame too short\n")); 2312 return; 2313 } 2314 wh = mtod(m, struct ieee80211_frame *); 2315 frm = (const u_int8_t *)&wh[1]; 2316 2317 reason = LE_READ_2(frm); 2318 2319 ic->ic_stats.is_rx_disassoc++; 2320 switch (ic->ic_opmode) { 2321 case IEEE80211_M_STA: 2322 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2323 IEEE80211_FC0_SUBTYPE_DISASSOC); 2324 break; 2325 #ifndef IEEE80211_STA_ONLY 2326 case IEEE80211_M_HOSTAP: 2327 if (ni != ic->ic_bss) { 2328 if (ic->ic_if.if_flags & IFF_DEBUG) 2329 printf("%s: station %s disassociated " 2330 "by peer (reason %d)\n", 2331 ic->ic_if.if_xname, 2332 ether_sprintf(ni->ni_macaddr), 2333 reason); 2334 ieee80211_node_leave(ic, ni); 2335 } 2336 break; 2337 #endif 2338 default: 2339 break; 2340 } 2341 } 2342 2343 #ifndef IEEE80211_NO_HT 2344 /*- 2345 * ADDBA Request frame format: 2346 * [1] Category 2347 * [1] Action 2348 * [1] Dialog Token 2349 * [2] Block Ack Parameter Set 2350 * [2] Block Ack Timeout Value 2351 * [2] Block Ack Starting Sequence Control 2352 */ 2353 void 2354 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2355 struct ieee80211_node *ni) 2356 { 2357 const struct ieee80211_frame *wh; 2358 const u_int8_t *frm; 2359 struct ieee80211_rx_ba *ba; 2360 u_int16_t params, ssn, bufsz, timeout, status; 2361 u_int8_t token, tid; 2362 2363 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2364 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2365 ether_sprintf(ni->ni_macaddr))); 2366 return; 2367 } 2368 if (m->m_len < sizeof(*wh) + 9) { 2369 DPRINTF(("frame too short\n")); 2370 return; 2371 } 2372 /* MLME-ADDBA.indication */ 2373 wh = mtod(m, struct ieee80211_frame *); 2374 frm = (const u_int8_t *)&wh[1]; 2375 2376 token = frm[2]; 2377 params = LE_READ_2(&frm[3]); 2378 tid = (params >> 2) & 0xf; 2379 bufsz = (params >> 6) & 0x3ff; 2380 timeout = LE_READ_2(&frm[5]); 2381 ssn = LE_READ_2(&frm[7]) >> 4; 2382 2383 ba = &ni->ni_rx_ba[tid]; 2384 /* check if we already have a Block Ack agreement for this RA/TID */ 2385 if (ba->ba_state == IEEE80211_BA_AGREED) { 2386 /* XXX should we update the timeout value? */ 2387 /* reset Block Ack inactivity timer */ 2388 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2389 2390 /* check if it's a Protected Block Ack agreement */ 2391 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2392 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2393 return; /* not a PBAC, ignore */ 2394 2395 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2396 if (SEQ_LT(ba->ba_winstart, ssn)) 2397 ieee80211_ba_move_window(ic, ni, tid, ssn); 2398 return; 2399 } 2400 /* if PBAC required but RA does not support it, refuse request */ 2401 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2402 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2403 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) { 2404 status = IEEE80211_STATUS_REFUSED; 2405 goto resp; 2406 } 2407 /* 2408 * If the TID for which the Block Ack agreement is requested is 2409 * configured with a no-ACK policy, refuse the agreement. 2410 */ 2411 if (ic->ic_tid_noack & (1 << tid)) { 2412 status = IEEE80211_STATUS_REFUSED; 2413 goto resp; 2414 } 2415 /* check that we support the requested Block Ack Policy */ 2416 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2417 !(params & IEEE80211_BA_ACK_POLICY)) { 2418 status = IEEE80211_STATUS_INVALID_PARAM; 2419 goto resp; 2420 } 2421 2422 /* setup Block Ack agreement */ 2423 ba->ba_state = IEEE80211_BA_INIT; 2424 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2425 if (ba->ba_timeout_val < IEEE80211_BA_MIN_TIMEOUT) 2426 ba->ba_timeout_val = IEEE80211_BA_MIN_TIMEOUT; 2427 else if (ba->ba_timeout_val > IEEE80211_BA_MAX_TIMEOUT) 2428 ba->ba_timeout_val = IEEE80211_BA_MAX_TIMEOUT; 2429 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2430 ba->ba_winsize = bufsz; 2431 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2432 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2433 ba->ba_winstart = ssn; 2434 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2435 /* allocate and setup our reordering buffer */ 2436 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2437 M_DEVBUF, M_NOWAIT | M_ZERO); 2438 if (ba->ba_buf == NULL) { 2439 status = IEEE80211_STATUS_REFUSED; 2440 goto resp; 2441 } 2442 ba->ba_head = 0; 2443 2444 /* notify drivers of this new Block Ack agreement */ 2445 if (ic->ic_ampdu_rx_start != NULL && 2446 ic->ic_ampdu_rx_start(ic, ni, tid) != 0) { 2447 /* driver failed to setup, rollback */ 2448 free(ba->ba_buf, M_DEVBUF, 0); 2449 ba->ba_buf = NULL; 2450 status = IEEE80211_STATUS_REFUSED; 2451 goto resp; 2452 } 2453 ba->ba_state = IEEE80211_BA_AGREED; 2454 /* start Block Ack inactivity timer */ 2455 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2456 status = IEEE80211_STATUS_SUCCESS; 2457 resp: 2458 /* MLME-ADDBA.response */ 2459 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2460 IEEE80211_ACTION_ADDBA_RESP, status << 16 | token << 8 | tid); 2461 } 2462 2463 /*- 2464 * ADDBA Response frame format: 2465 * [1] Category 2466 * [1] Action 2467 * [1] Dialog Token 2468 * [2] Status Code 2469 * [2] Block Ack Parameter Set 2470 * [2] Block Ack Timeout Value 2471 */ 2472 void 2473 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2474 struct ieee80211_node *ni) 2475 { 2476 const struct ieee80211_frame *wh; 2477 const u_int8_t *frm; 2478 struct ieee80211_tx_ba *ba; 2479 u_int16_t status, params, bufsz, timeout; 2480 u_int8_t token, tid; 2481 2482 if (m->m_len < sizeof(*wh) + 9) { 2483 DPRINTF(("frame too short\n")); 2484 return; 2485 } 2486 wh = mtod(m, struct ieee80211_frame *); 2487 frm = (const u_int8_t *)&wh[1]; 2488 2489 token = frm[2]; 2490 status = LE_READ_2(&frm[3]); 2491 params = LE_READ_2(&frm[5]); 2492 tid = (params >> 2) & 0xf; 2493 bufsz = (params >> 6) & 0x3ff; 2494 timeout = LE_READ_2(&frm[7]); 2495 2496 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2497 ether_sprintf(ni->ni_macaddr), tid, status)); 2498 2499 /* 2500 * Ignore if no ADDBA request has been sent for this RA/TID or 2501 * if we already have a Block Ack agreement. 2502 */ 2503 ba = &ni->ni_tx_ba[tid]; 2504 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2505 DPRINTF(("no matching ADDBA req found\n")); 2506 return; 2507 } 2508 if (token != ba->ba_token) { 2509 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2510 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2511 return; 2512 } 2513 /* we got an ADDBA Response matching our request, stop timeout */ 2514 timeout_del(&ba->ba_to); 2515 2516 if (status != IEEE80211_STATUS_SUCCESS) { 2517 /* MLME-ADDBA.confirm(Failure) */ 2518 ba->ba_state = IEEE80211_BA_INIT; 2519 return; 2520 } 2521 /* MLME-ADDBA.confirm(Success) */ 2522 ba->ba_state = IEEE80211_BA_AGREED; 2523 2524 /* notify drivers of this new Block Ack agreement */ 2525 if (ic->ic_ampdu_tx_start != NULL) 2526 (void)ic->ic_ampdu_tx_start(ic, ni, tid); 2527 2528 /* start Block Ack inactivity timeout */ 2529 if (ba->ba_timeout_val != 0) 2530 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2531 } 2532 2533 /*- 2534 * DELBA frame format: 2535 * [1] Category 2536 * [1] Action 2537 * [2] DELBA Parameter Set 2538 * [2] Reason Code 2539 */ 2540 void 2541 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 2542 struct ieee80211_node *ni) 2543 { 2544 const struct ieee80211_frame *wh; 2545 const u_int8_t *frm; 2546 u_int16_t params, reason; 2547 u_int8_t tid; 2548 int i; 2549 2550 if (m->m_len < sizeof(*wh) + 6) { 2551 DPRINTF(("frame too short\n")); 2552 return; 2553 } 2554 wh = mtod(m, struct ieee80211_frame *); 2555 frm = (const u_int8_t *)&wh[1]; 2556 2557 params = LE_READ_2(&frm[2]); 2558 reason = LE_READ_2(&frm[4]); 2559 tid = params >> 12; 2560 2561 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 2562 ether_sprintf(ni->ni_macaddr), tid, reason)); 2563 2564 if (params & IEEE80211_DELBA_INITIATOR) { 2565 /* MLME-DELBA.indication(Originator) */ 2566 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2567 2568 if (ba->ba_state != IEEE80211_BA_AGREED) { 2569 DPRINTF(("no matching Block Ack agreement\n")); 2570 return; 2571 } 2572 /* notify drivers of the end of the Block Ack agreement */ 2573 if (ic->ic_ampdu_rx_stop != NULL) 2574 ic->ic_ampdu_rx_stop(ic, ni, tid); 2575 2576 ba->ba_state = IEEE80211_BA_INIT; 2577 /* stop Block Ack inactivity timer */ 2578 timeout_del(&ba->ba_to); 2579 2580 if (ba->ba_buf != NULL) { 2581 /* free all MSDUs stored in reordering buffer */ 2582 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 2583 if (ba->ba_buf[i].m != NULL) 2584 m_freem(ba->ba_buf[i].m); 2585 /* free reordering buffer */ 2586 free(ba->ba_buf, M_DEVBUF, 0); 2587 ba->ba_buf = NULL; 2588 } 2589 } else { 2590 /* MLME-DELBA.indication(Recipient) */ 2591 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2592 2593 if (ba->ba_state != IEEE80211_BA_AGREED) { 2594 DPRINTF(("no matching Block Ack agreement\n")); 2595 return; 2596 } 2597 /* notify drivers of the end of the Block Ack agreement */ 2598 if (ic->ic_ampdu_tx_stop != NULL) 2599 ic->ic_ampdu_tx_stop(ic, ni, tid); 2600 2601 ba->ba_state = IEEE80211_BA_INIT; 2602 /* stop Block Ack inactivity timer */ 2603 timeout_del(&ba->ba_to); 2604 } 2605 } 2606 #endif /* !IEEE80211_NO_HT */ 2607 2608 /*- 2609 * SA Query Request frame format: 2610 * [1] Category 2611 * [1] Action 2612 * [2] Transaction Identifier 2613 */ 2614 void 2615 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 2616 struct ieee80211_node *ni) 2617 { 2618 const struct ieee80211_frame *wh; 2619 const u_int8_t *frm; 2620 2621 if (ic->ic_opmode != IEEE80211_M_STA || 2622 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 2623 DPRINTF(("unexpected SA Query req from %s\n", 2624 ether_sprintf(ni->ni_macaddr))); 2625 return; 2626 } 2627 if (m->m_len < sizeof(*wh) + 4) { 2628 DPRINTF(("frame too short\n")); 2629 return; 2630 } 2631 wh = mtod(m, struct ieee80211_frame *); 2632 frm = (const u_int8_t *)&wh[1]; 2633 2634 /* MLME-SAQuery.indication */ 2635 2636 /* save Transaction Identifier for SA Query Response */ 2637 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 2638 2639 /* MLME-SAQuery.response */ 2640 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 2641 IEEE80211_ACTION_SA_QUERY_RESP, 0); 2642 } 2643 2644 #ifndef IEEE80211_STA_ONLY 2645 /*- 2646 * SA Query Response frame format: 2647 * [1] Category 2648 * [1] Action 2649 * [2] Transaction Identifier 2650 */ 2651 void 2652 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 2653 struct ieee80211_node *ni) 2654 { 2655 const struct ieee80211_frame *wh; 2656 const u_int8_t *frm; 2657 2658 /* ignore if we're not engaged in an SA Query with that STA */ 2659 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 2660 DPRINTF(("unexpected SA Query resp from %s\n", 2661 ether_sprintf(ni->ni_macaddr))); 2662 return; 2663 } 2664 if (m->m_len < sizeof(*wh) + 4) { 2665 DPRINTF(("frame too short\n")); 2666 return; 2667 } 2668 wh = mtod(m, struct ieee80211_frame *); 2669 frm = (const u_int8_t *)&wh[1]; 2670 2671 /* check that Transaction Identifier matches */ 2672 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 2673 DPRINTF(("transaction identifier does not match\n")); 2674 return; 2675 } 2676 /* MLME-SAQuery.confirm */ 2677 timeout_del(&ni->ni_sa_query_to); 2678 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 2679 } 2680 #endif 2681 2682 /*- 2683 * Action frame format: 2684 * [1] Category 2685 * [1] Action 2686 */ 2687 void 2688 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 2689 struct ieee80211_node *ni) 2690 { 2691 const struct ieee80211_frame *wh; 2692 const u_int8_t *frm; 2693 2694 if (m->m_len < sizeof(*wh) + 2) { 2695 DPRINTF(("frame too short\n")); 2696 return; 2697 } 2698 wh = mtod(m, struct ieee80211_frame *); 2699 frm = (const u_int8_t *)&wh[1]; 2700 2701 switch (frm[0]) { 2702 #ifndef IEEE80211_NO_HT 2703 case IEEE80211_CATEG_BA: 2704 switch (frm[1]) { 2705 case IEEE80211_ACTION_ADDBA_REQ: 2706 ieee80211_recv_addba_req(ic, m, ni); 2707 break; 2708 case IEEE80211_ACTION_ADDBA_RESP: 2709 ieee80211_recv_addba_resp(ic, m, ni); 2710 break; 2711 case IEEE80211_ACTION_DELBA: 2712 ieee80211_recv_delba(ic, m, ni); 2713 break; 2714 } 2715 break; 2716 #endif 2717 case IEEE80211_CATEG_SA_QUERY: 2718 switch (frm[1]) { 2719 case IEEE80211_ACTION_SA_QUERY_REQ: 2720 ieee80211_recv_sa_query_req(ic, m, ni); 2721 break; 2722 #ifndef IEEE80211_STA_ONLY 2723 case IEEE80211_ACTION_SA_QUERY_RESP: 2724 ieee80211_recv_sa_query_resp(ic, m, ni); 2725 break; 2726 #endif 2727 } 2728 break; 2729 default: 2730 DPRINTF(("action frame category %d not handled\n", frm[0])); 2731 break; 2732 } 2733 } 2734 2735 void 2736 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 2737 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 2738 { 2739 switch (subtype) { 2740 case IEEE80211_FC0_SUBTYPE_BEACON: 2741 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 2742 break; 2743 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 2744 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 2745 break; 2746 #ifndef IEEE80211_STA_ONLY 2747 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2748 ieee80211_recv_probe_req(ic, m, ni, rxi); 2749 break; 2750 #endif 2751 case IEEE80211_FC0_SUBTYPE_AUTH: 2752 ieee80211_recv_auth(ic, m, ni, rxi); 2753 break; 2754 #ifndef IEEE80211_STA_ONLY 2755 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2756 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 2757 break; 2758 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 2759 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 2760 break; 2761 #endif 2762 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2763 ieee80211_recv_assoc_resp(ic, m, ni, 0); 2764 break; 2765 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2766 ieee80211_recv_assoc_resp(ic, m, ni, 1); 2767 break; 2768 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2769 ieee80211_recv_deauth(ic, m, ni); 2770 break; 2771 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2772 ieee80211_recv_disassoc(ic, m, ni); 2773 break; 2774 case IEEE80211_FC0_SUBTYPE_ACTION: 2775 ieee80211_recv_action(ic, m, ni); 2776 break; 2777 default: 2778 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 2779 subtype)); 2780 ic->ic_stats.is_rx_badsubtype++; 2781 break; 2782 } 2783 } 2784 2785 #ifndef IEEE80211_STA_ONLY 2786 /* 2787 * Process an incoming PS-Poll control frame (see 11.2). 2788 */ 2789 void 2790 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 2791 struct ieee80211_node *ni) 2792 { 2793 struct ifnet *ifp = &ic->ic_if; 2794 struct ieee80211_frame_pspoll *psp; 2795 struct ieee80211_frame *wh; 2796 u_int16_t aid; 2797 2798 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2799 !(ic->ic_caps & IEEE80211_C_APPMGT) || 2800 ni->ni_state != IEEE80211_STA_ASSOC) 2801 return; 2802 2803 if (m->m_len < sizeof(*psp)) { 2804 DPRINTF(("frame too short, len %u\n", m->m_len)); 2805 ic->ic_stats.is_rx_tooshort++; 2806 return; 2807 } 2808 psp = mtod(m, struct ieee80211_frame_pspoll *); 2809 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 2810 DPRINTF(("discard pspoll frame to BSS %s\n", 2811 ether_sprintf(psp->i_bssid))); 2812 ic->ic_stats.is_rx_wrongbss++; 2813 return; 2814 } 2815 aid = letoh16(*(u_int16_t *)psp->i_aid); 2816 if (aid != ni->ni_associd) { 2817 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 2818 ether_sprintf(psp->i_ta))); 2819 return; 2820 } 2821 2822 /* take the first queued frame and put it out.. */ 2823 IF_DEQUEUE(&ni->ni_savedq, m); 2824 if (m == NULL) 2825 return; 2826 if (IF_IS_EMPTY(&ni->ni_savedq)) { 2827 /* last queued frame, turn off the TIM bit */ 2828 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 2829 } else { 2830 /* more queued frames, set the more data bit */ 2831 wh = mtod(m, struct ieee80211_frame *); 2832 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 2833 } 2834 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 2835 (*ifp->if_start)(ifp); 2836 } 2837 #endif /* IEEE80211_STA_ONLY */ 2838 2839 #ifndef IEEE80211_NO_HT 2840 /* 2841 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 2842 */ 2843 void 2844 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 2845 struct ieee80211_node *ni) 2846 { 2847 const struct ieee80211_frame_min *wh; 2848 const u_int8_t *frm; 2849 u_int16_t ctl, ssn; 2850 u_int8_t tid, ntids; 2851 2852 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2853 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 2854 ether_sprintf(ni->ni_macaddr))); 2855 return; 2856 } 2857 if (m->m_len < sizeof(*wh) + 4) { 2858 DPRINTF(("frame too short\n")); 2859 return; 2860 } 2861 wh = mtod(m, struct ieee80211_frame_min *); 2862 frm = (const u_int8_t *)&wh[1]; 2863 2864 /* read BlockAckReq Control field */ 2865 ctl = LE_READ_2(&frm[0]); 2866 tid = ctl >> 12; 2867 2868 /* determine BlockAckReq frame variant */ 2869 if (ctl & IEEE80211_BA_MULTI_TID) { 2870 /* Multi-TID BlockAckReq variant (PSMP only) */ 2871 ntids = tid + 1; 2872 2873 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 2874 DPRINTF(("MTBAR frame too short\n")); 2875 return; 2876 } 2877 frm += 2; /* skip BlockAckReq Control field */ 2878 while (ntids-- > 0) { 2879 /* read MTBAR Information field */ 2880 tid = LE_READ_2(&frm[0]) >> 12; 2881 ssn = LE_READ_2(&frm[2]) >> 4; 2882 ieee80211_bar_tid(ic, ni, tid, ssn); 2883 frm += 4; 2884 } 2885 } else { 2886 /* Basic or Compressed BlockAckReq variants */ 2887 ssn = LE_READ_2(&frm[2]) >> 4; 2888 ieee80211_bar_tid(ic, ni, tid, ssn); 2889 } 2890 } 2891 2892 /* 2893 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 2894 * This is the common back-end for all BlockAckReq frame variants. 2895 */ 2896 void 2897 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 2898 u_int8_t tid, u_int16_t ssn) 2899 { 2900 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2901 2902 /* check if we have a Block Ack agreement for RA/TID */ 2903 if (ba->ba_state != IEEE80211_BA_AGREED) { 2904 /* XXX not sure in PBAC case */ 2905 /* send a DELBA with reason code UNKNOWN-BA */ 2906 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2907 IEEE80211_ACTION_DELBA, 2908 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 2909 return; 2910 } 2911 /* check if it is a Protected Block Ack agreement */ 2912 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 2913 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 2914 /* ADDBA Requests must be used in PBAC case */ 2915 if (SEQ_LT(ssn, ba->ba_winstart) || 2916 SEQ_LT(ba->ba_winend, ssn)) 2917 ic->ic_stats.is_pbac_errs++; 2918 return; /* PBAC, do not move window */ 2919 } 2920 /* reset Block Ack inactivity timer */ 2921 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2922 2923 if (SEQ_LT(ba->ba_winstart, ssn)) 2924 ieee80211_ba_move_window(ic, ni, tid, ssn); 2925 } 2926 #endif /* !IEEE80211_NO_HT */ 2927