1 /* $OpenBSD: ieee80211_input.c,v 1.214 2019/12/20 09:28:06 stsp Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/sysctl.h> 44 #include <sys/task.h> 45 46 #include <net/if.h> 47 #include <net/if_dl.h> 48 #include <net/if_media.h> 49 #include <net/if_llc.h> 50 51 #if NBPFILTER > 0 52 #include <net/bpf.h> 53 #endif 54 55 #include <netinet/in.h> 56 #include <netinet/if_ether.h> 57 58 #include <net80211/ieee80211_var.h> 59 #include <net80211/ieee80211_priv.h> 60 61 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 62 void ieee80211_defrag_timeout(void *); 63 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *, 64 struct ieee80211_node *, int, struct ieee80211_rxinfo *, 65 struct mbuf_list *); 66 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *, 67 struct ieee80211_rx_ba *, struct mbuf_list *); 68 void ieee80211_input_ba_gap_timeout(void *arg); 69 void ieee80211_ba_move_window(struct ieee80211com *, 70 struct ieee80211_node *, u_int8_t, u_int16_t, struct mbuf_list *); 71 void ieee80211_input_ba_seq(struct ieee80211com *, 72 struct ieee80211_node *, uint8_t, uint16_t, struct mbuf_list *); 73 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 74 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 75 struct ieee80211_node *, int, struct mbuf_list *); 76 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 77 struct ieee80211_node *, int, struct mbuf_list *); 78 void ieee80211_enqueue_data(struct ieee80211com *, struct mbuf *, 79 struct ieee80211_node *, int, struct mbuf_list *); 80 int ieee80211_parse_edca_params_body(struct ieee80211com *, 81 const u_int8_t *); 82 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 83 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 84 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 85 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 86 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 87 u_int, struct ieee80211_rsnparams *); 88 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 89 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 90 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 91 #ifndef IEEE80211_STA_ONLY 92 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 93 struct ieee80211_node *, struct ieee80211_rxinfo *); 94 #endif 95 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 96 struct ieee80211_node *, struct ieee80211_rxinfo *); 97 #ifndef IEEE80211_STA_ONLY 98 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 99 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 100 #endif 101 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 102 struct ieee80211_node *, int); 103 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 104 struct ieee80211_node *); 105 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 106 struct ieee80211_node *); 107 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 108 struct ieee80211_node *); 109 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 110 struct ieee80211_node *); 111 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 112 struct ieee80211_node *); 113 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 114 struct ieee80211_node *); 115 #ifndef IEEE80211_STA_ONLY 116 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 117 struct ieee80211_node *); 118 #endif 119 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 120 struct ieee80211_node *); 121 #ifndef IEEE80211_STA_ONLY 122 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 123 struct ieee80211_node *); 124 #endif 125 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 126 struct ieee80211_node *); 127 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 128 u_int8_t, u_int16_t); 129 130 /* 131 * Retrieve the length in bytes of an 802.11 header. 132 */ 133 u_int 134 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 135 { 136 u_int size = sizeof(*wh); 137 138 /* NB: does not work with control frames */ 139 KASSERT(ieee80211_has_seq(wh)); 140 141 if (ieee80211_has_addr4(wh)) 142 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 143 if (ieee80211_has_qos(wh)) 144 size += sizeof(u_int16_t); /* i_qos */ 145 if (ieee80211_has_htc(wh)) 146 size += sizeof(u_int32_t); /* i_ht */ 147 return size; 148 } 149 150 /* 151 * Process a received frame. The node associated with the sender 152 * should be supplied. If nothing was found in the node table then 153 * the caller is assumed to supply a reference to ic_bss instead. 154 * The RSSI and a timestamp are also supplied. The RSSI data is used 155 * during AP scanning to select a AP to associate with; it can have 156 * any units so long as values have consistent units and higher values 157 * mean ``better signal''. The receive timestamp is currently not used 158 * by the 802.11 layer. 159 * 160 * This function acts on management frames immediately and queues data frames 161 * on the specified mbuf list. Delivery of queued data frames to upper layers 162 * must be triggered with if_input(). Drivers should call if_input() only once 163 * per Rx interrupt to avoid triggering the input ifq pressure drop mechanism 164 * unnecessarily. 165 */ 166 void 167 ieee80211_inputm(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 168 struct ieee80211_rxinfo *rxi, struct mbuf_list *ml) 169 { 170 struct ieee80211com *ic = (void *)ifp; 171 struct ieee80211_frame *wh; 172 u_int16_t *orxseq, nrxseq, qos; 173 u_int8_t dir, type, subtype, tid; 174 int hdrlen, hasqos; 175 176 KASSERT(ni != NULL); 177 178 /* in monitor mode, send everything directly to bpf */ 179 if (ic->ic_opmode == IEEE80211_M_MONITOR) 180 goto out; 181 182 /* 183 * Do not process frames without an Address 2 field any further. 184 * Only CTS and ACK control frames do not have this field. 185 */ 186 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 187 DPRINTF(("frame too short, len %u\n", m->m_len)); 188 ic->ic_stats.is_rx_tooshort++; 189 goto out; 190 } 191 192 wh = mtod(m, struct ieee80211_frame *); 193 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 194 IEEE80211_FC0_VERSION_0) { 195 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 196 ic->ic_stats.is_rx_badversion++; 197 goto err; 198 } 199 200 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 201 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 202 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 203 204 if (type != IEEE80211_FC0_TYPE_CTL) { 205 hdrlen = ieee80211_get_hdrlen(wh); 206 if (m->m_len < hdrlen) { 207 DPRINTF(("frame too short, len %u\n", m->m_len)); 208 ic->ic_stats.is_rx_tooshort++; 209 goto err; 210 } 211 } 212 if ((hasqos = ieee80211_has_qos(wh))) { 213 qos = ieee80211_get_qos(wh); 214 tid = qos & IEEE80211_QOS_TID; 215 } else { 216 qos = 0; 217 tid = 0; 218 } 219 220 if (ic->ic_state == IEEE80211_S_RUN && 221 type == IEEE80211_FC0_TYPE_DATA && hasqos && 222 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 && 223 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE) 224 #ifndef IEEE80211_STA_ONLY 225 && (ic->ic_opmode == IEEE80211_M_STA || ni != ic->ic_bss) 226 #endif 227 ) { 228 int ba_state = ni->ni_rx_ba[tid].ba_state; 229 230 #ifndef IEEE80211_STA_ONLY 231 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 232 if (!IEEE80211_ADDR_EQ(wh->i_addr1, 233 ic->ic_bss->ni_bssid)) { 234 ic->ic_stats.is_rx_wrongbss++; 235 goto err; 236 } 237 if (ni->ni_state != IEEE80211_S_ASSOC) { 238 ic->ic_stats.is_rx_notassoc++; 239 goto err; 240 } 241 } 242 #endif 243 /* 244 * If Block Ack was explicitly requested, check 245 * if we have a BA agreement for this RA/TID. 246 */ 247 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 248 IEEE80211_QOS_ACK_POLICY_BA && 249 ba_state != IEEE80211_BA_AGREED) { 250 DPRINTF(("no BA agreement for %s, TID %d\n", 251 ether_sprintf(ni->ni_macaddr), tid)); 252 /* send a DELBA with reason code UNKNOWN-BA */ 253 IEEE80211_SEND_ACTION(ic, ni, 254 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 255 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 256 goto err; 257 } 258 259 /* 260 * Check if we have an explicit or implicit 261 * Block Ack Request for a valid BA agreement. 262 */ 263 if (ba_state == IEEE80211_BA_AGREED && 264 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 265 IEEE80211_QOS_ACK_POLICY_BA || 266 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 267 IEEE80211_QOS_ACK_POLICY_NORMAL)) { 268 /* go through A-MPDU reordering */ 269 ieee80211_input_ba(ic, m, ni, tid, rxi, ml); 270 return; /* don't free m! */ 271 } 272 } 273 274 /* duplicate detection (see 9.2.9) */ 275 if (ieee80211_has_seq(wh) && 276 ic->ic_state != IEEE80211_S_SCAN) { 277 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 278 IEEE80211_SEQ_SEQ_SHIFT; 279 if (hasqos) 280 orxseq = &ni->ni_qos_rxseqs[tid]; 281 else 282 orxseq = &ni->ni_rxseq; 283 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 284 nrxseq == *orxseq) { 285 /* duplicate, silently discarded */ 286 ic->ic_stats.is_rx_dup++; 287 goto out; 288 } 289 *orxseq = nrxseq; 290 } 291 if (ic->ic_state > IEEE80211_S_SCAN) { 292 ni->ni_rssi = rxi->rxi_rssi; 293 ni->ni_rstamp = rxi->rxi_tstamp; 294 ni->ni_inact = 0; 295 296 if (ic->ic_state == IEEE80211_S_RUN && ic->ic_bgscan_start) { 297 /* Cancel or start background scan based on RSSI. */ 298 if ((*ic->ic_node_checkrssi)(ic, ni)) 299 timeout_del(&ic->ic_bgscan_timeout); 300 else if (!timeout_pending(&ic->ic_bgscan_timeout) && 301 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0 && 302 (ic->ic_flags & IEEE80211_F_DESBSSID) == 0) 303 timeout_add_msec(&ic->ic_bgscan_timeout, 304 500 * (ic->ic_bgscan_fail + 1)); 305 } 306 } 307 308 #ifndef IEEE80211_STA_ONLY 309 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 310 (ic->ic_caps & IEEE80211_C_APPMGT) && 311 ni->ni_state == IEEE80211_STA_ASSOC) { 312 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 313 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 314 /* turn on PS mode */ 315 ni->ni_pwrsave = IEEE80211_PS_DOZE; 316 DPRINTF(("PS mode on for %s\n", 317 ether_sprintf(wh->i_addr2))); 318 } 319 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 320 struct mbuf *m; 321 322 /* turn off PS mode */ 323 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 324 DPRINTF(("PS mode off for %s\n", 325 ether_sprintf(wh->i_addr2))); 326 327 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 328 329 /* dequeue buffered unicast frames */ 330 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) { 331 mq_enqueue(&ic->ic_pwrsaveq, m); 332 if_start(ifp); 333 } 334 } 335 } 336 #endif 337 switch (type) { 338 case IEEE80211_FC0_TYPE_DATA: 339 switch (ic->ic_opmode) { 340 case IEEE80211_M_STA: 341 if (dir != IEEE80211_FC1_DIR_FROMDS) { 342 ic->ic_stats.is_rx_wrongdir++; 343 goto out; 344 } 345 if (ic->ic_state != IEEE80211_S_SCAN && 346 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 347 /* Source address is not our BSS. */ 348 DPRINTF(("discard frame from SA %s\n", 349 ether_sprintf(wh->i_addr2))); 350 ic->ic_stats.is_rx_wrongbss++; 351 goto out; 352 } 353 if ((ifp->if_flags & IFF_SIMPLEX) && 354 IEEE80211_IS_MULTICAST(wh->i_addr1) && 355 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 356 /* 357 * In IEEE802.11 network, multicast frame 358 * sent from me is broadcasted from AP. 359 * It should be silently discarded for 360 * SIMPLEX interface. 361 */ 362 ic->ic_stats.is_rx_mcastecho++; 363 goto out; 364 } 365 break; 366 #ifndef IEEE80211_STA_ONLY 367 case IEEE80211_M_IBSS: 368 case IEEE80211_M_AHDEMO: 369 if (dir != IEEE80211_FC1_DIR_NODS) { 370 ic->ic_stats.is_rx_wrongdir++; 371 goto out; 372 } 373 if (ic->ic_state != IEEE80211_S_SCAN && 374 !IEEE80211_ADDR_EQ(wh->i_addr3, 375 ic->ic_bss->ni_bssid) && 376 !IEEE80211_ADDR_EQ(wh->i_addr3, 377 etherbroadcastaddr)) { 378 /* Destination is not our BSS or broadcast. */ 379 DPRINTF(("discard data frame to DA %s\n", 380 ether_sprintf(wh->i_addr3))); 381 ic->ic_stats.is_rx_wrongbss++; 382 goto out; 383 } 384 break; 385 case IEEE80211_M_HOSTAP: 386 if (dir != IEEE80211_FC1_DIR_TODS) { 387 ic->ic_stats.is_rx_wrongdir++; 388 goto out; 389 } 390 if (ic->ic_state != IEEE80211_S_SCAN && 391 !IEEE80211_ADDR_EQ(wh->i_addr1, 392 ic->ic_bss->ni_bssid) && 393 !IEEE80211_ADDR_EQ(wh->i_addr1, 394 etherbroadcastaddr)) { 395 /* BSS is not us or broadcast. */ 396 DPRINTF(("discard data frame to BSS %s\n", 397 ether_sprintf(wh->i_addr1))); 398 ic->ic_stats.is_rx_wrongbss++; 399 goto out; 400 } 401 /* check if source STA is associated */ 402 if (ni == ic->ic_bss) { 403 DPRINTF(("data from unknown src %s\n", 404 ether_sprintf(wh->i_addr2))); 405 /* NB: caller deals with reference */ 406 ni = ieee80211_find_node(ic, wh->i_addr2); 407 if (ni == NULL) 408 ni = ieee80211_dup_bss(ic, wh->i_addr2); 409 if (ni != NULL) { 410 IEEE80211_SEND_MGMT(ic, ni, 411 IEEE80211_FC0_SUBTYPE_DEAUTH, 412 IEEE80211_REASON_NOT_AUTHED); 413 } 414 ic->ic_stats.is_rx_notassoc++; 415 goto err; 416 } 417 if (ni->ni_state != IEEE80211_STA_ASSOC) { 418 DPRINTF(("data from unassoc src %s\n", 419 ether_sprintf(wh->i_addr2))); 420 IEEE80211_SEND_MGMT(ic, ni, 421 IEEE80211_FC0_SUBTYPE_DISASSOC, 422 IEEE80211_REASON_NOT_ASSOCED); 423 ic->ic_stats.is_rx_notassoc++; 424 goto err; 425 } 426 break; 427 #endif /* IEEE80211_STA_ONLY */ 428 default: 429 /* can't get there */ 430 goto out; 431 } 432 433 /* Do not process "no data" frames any further. */ 434 if (subtype & IEEE80211_FC0_SUBTYPE_NODATA) { 435 if (ic->ic_rawbpf) 436 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 437 goto out; 438 } 439 440 if ((ic->ic_flags & IEEE80211_F_WEPON) || 441 ((ic->ic_flags & IEEE80211_F_RSNON) && 442 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 443 /* protection is on for Rx */ 444 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 445 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 446 /* drop unencrypted */ 447 ic->ic_stats.is_rx_unencrypted++; 448 goto err; 449 } 450 /* do software decryption */ 451 m = ieee80211_decrypt(ic, m, ni); 452 if (m == NULL) { 453 ic->ic_stats.is_rx_wepfail++; 454 goto err; 455 } 456 wh = mtod(m, struct ieee80211_frame *); 457 } 458 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 459 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 460 /* frame encrypted but protection off for Rx */ 461 ic->ic_stats.is_rx_nowep++; 462 goto out; 463 } 464 465 #if NBPFILTER > 0 466 /* copy to listener after decrypt */ 467 if (ic->ic_rawbpf) 468 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 469 #endif 470 471 if ((ni->ni_flags & IEEE80211_NODE_HT) && 472 hasqos && (qos & IEEE80211_QOS_AMSDU)) 473 ieee80211_amsdu_decap(ic, m, ni, hdrlen, ml); 474 else 475 ieee80211_decap(ic, m, ni, hdrlen, ml); 476 return; 477 478 case IEEE80211_FC0_TYPE_MGT: 479 if (dir != IEEE80211_FC1_DIR_NODS) { 480 ic->ic_stats.is_rx_wrongdir++; 481 goto err; 482 } 483 #ifndef IEEE80211_STA_ONLY 484 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 485 ic->ic_stats.is_rx_ahdemo_mgt++; 486 goto out; 487 } 488 #endif 489 /* drop frames without interest */ 490 if (ic->ic_state == IEEE80211_S_SCAN) { 491 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 492 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 493 ic->ic_stats.is_rx_mgtdiscard++; 494 goto out; 495 } 496 } 497 498 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 499 /* MMPDU protection is on for Rx */ 500 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 501 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 502 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 503 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 504 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 505 /* unicast mgmt not encrypted */ 506 goto out; 507 } 508 /* do software decryption */ 509 m = ieee80211_decrypt(ic, m, ni); 510 if (m == NULL) { 511 /* XXX stats */ 512 goto out; 513 } 514 wh = mtod(m, struct ieee80211_frame *); 515 } 516 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 517 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 518 /* encrypted but MMPDU Rx protection off for TA */ 519 goto out; 520 } 521 522 #if NBPFILTER > 0 523 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) { 524 /* 525 * Drop mbuf if it was filtered by bpf. Normally, 526 * this is done in ether_input() but IEEE 802.11 527 * management frames are a special case. 528 */ 529 m_freem(m); 530 return; 531 } 532 #endif 533 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 534 m_freem(m); 535 return; 536 537 case IEEE80211_FC0_TYPE_CTL: 538 switch (subtype) { 539 #ifndef IEEE80211_STA_ONLY 540 case IEEE80211_FC0_SUBTYPE_PS_POLL: 541 ieee80211_recv_pspoll(ic, m, ni); 542 break; 543 #endif 544 case IEEE80211_FC0_SUBTYPE_BAR: 545 ieee80211_recv_bar(ic, m, ni); 546 break; 547 default: 548 ic->ic_stats.is_rx_ctl++; 549 break; 550 } 551 goto out; 552 553 default: 554 DPRINTF(("bad frame type %x\n", type)); 555 /* should not come here */ 556 break; 557 } 558 err: 559 ifp->if_ierrors++; 560 out: 561 if (m != NULL) { 562 #if NBPFILTER > 0 563 if (ic->ic_rawbpf) 564 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 565 #endif 566 m_freem(m); 567 } 568 } 569 570 /* Input handler for drivers which only receive one frame per interrupt. */ 571 void 572 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 573 struct ieee80211_rxinfo *rxi) 574 { 575 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 576 577 ieee80211_inputm(ifp, m, ni, rxi, &ml); 578 if_input(ifp, &ml); 579 } 580 581 /* 582 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 583 * reception of fragments of three fragmented MSDUs or MMPDUs. 584 */ 585 struct mbuf * 586 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 587 { 588 const struct ieee80211_frame *owh, *wh; 589 struct ieee80211_defrag *df; 590 u_int16_t rxseq, seq; 591 u_int8_t frag; 592 int i; 593 594 wh = mtod(m, struct ieee80211_frame *); 595 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 596 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 597 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 598 599 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 600 return m; /* not fragmented */ 601 602 if (frag == 0) { 603 /* first fragment, setup entry in the fragment cache */ 604 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 605 ic->ic_defrag_cur = 0; 606 df = &ic->ic_defrag[ic->ic_defrag_cur]; 607 m_freem(df->df_m); /* discard old entry */ 608 df->df_seq = seq; 609 df->df_frag = 0; 610 df->df_m = m; 611 /* start receive MSDU timer of aMaxReceiveLifetime */ 612 timeout_add_sec(&df->df_to, 1); 613 return NULL; /* MSDU or MMPDU not yet complete */ 614 } 615 616 /* find matching entry in the fragment cache */ 617 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 618 df = &ic->ic_defrag[i]; 619 if (df->df_m == NULL) 620 continue; 621 if (df->df_seq != seq || df->df_frag + 1 != frag) 622 continue; 623 owh = mtod(df->df_m, struct ieee80211_frame *); 624 /* frame type, source and destination must match */ 625 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 626 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 627 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 628 continue; 629 /* matching entry found */ 630 break; 631 } 632 if (i == IEEE80211_DEFRAG_SIZE) { 633 /* no matching entry found, discard fragment */ 634 ic->ic_if.if_ierrors++; 635 m_freem(m); 636 return NULL; 637 } 638 639 df->df_frag = frag; 640 /* strip 802.11 header and concatenate fragment */ 641 m_adj(m, hdrlen); 642 m_cat(df->df_m, m); 643 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 644 645 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 646 return NULL; /* MSDU or MMPDU not yet complete */ 647 648 /* MSDU or MMPDU complete */ 649 timeout_del(&df->df_to); 650 m = df->df_m; 651 df->df_m = NULL; 652 return m; 653 } 654 655 /* 656 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 657 */ 658 void 659 ieee80211_defrag_timeout(void *arg) 660 { 661 struct ieee80211_defrag *df = arg; 662 int s = splnet(); 663 664 /* discard all received fragments */ 665 m_freem(df->df_m); 666 df->df_m = NULL; 667 668 splx(s); 669 } 670 671 /* 672 * Process a received data MPDU related to a specific HT-immediate Block Ack 673 * agreement (see 9.10.7.6). 674 */ 675 void 676 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m, 677 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi, 678 struct mbuf_list *ml) 679 { 680 struct ifnet *ifp = &ic->ic_if; 681 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 682 struct ieee80211_frame *wh; 683 int idx, count; 684 u_int16_t sn; 685 686 wh = mtod(m, struct ieee80211_frame *); 687 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 688 689 /* reset Block Ack inactivity timer */ 690 if (ba->ba_timeout_val != 0) 691 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 692 693 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 694 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; 695 m_freem(m); /* discard the MPDU */ 696 return; 697 } 698 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 699 ic->ic_stats.is_ht_rx_frame_above_ba_winend++; 700 count = (sn - ba->ba_winend) & 0xfff; 701 if (count > ba->ba_winsize) { 702 /* 703 * Check whether we're consistently behind the window, 704 * and let the window move forward if neccessary. 705 */ 706 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 707 if (ba->ba_missedsn == ((sn - 1) & 0xfff)) 708 ba->ba_winmiss++; 709 else 710 ba->ba_winmiss = 0; 711 ba->ba_missedsn = sn; 712 ifp->if_ierrors++; 713 m_freem(m); /* discard the MPDU */ 714 return; 715 } 716 717 /* It appears the window has moved for real. */ 718 ic->ic_stats.is_ht_rx_ba_window_jump++; 719 ba->ba_winmiss = 0; 720 ba->ba_missedsn = 0; 721 ieee80211_ba_move_window(ic, ni, tid, sn, ml); 722 } else { 723 ic->ic_stats.is_ht_rx_ba_window_slide++; 724 ieee80211_input_ba_seq(ic, ni, tid, 725 (ba->ba_winstart + count) & 0xfff, ml); 726 ieee80211_input_ba_flush(ic, ni, ba, ml); 727 } 728 } 729 /* WinStartB <= SN <= WinEndB */ 730 731 ba->ba_winmiss = 0; 732 ba->ba_missedsn = 0; 733 idx = (sn - ba->ba_winstart) & 0xfff; 734 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 735 /* store the received MPDU in the buffer */ 736 if (ba->ba_buf[idx].m != NULL) { 737 ifp->if_ierrors++; 738 ic->ic_stats.is_ht_rx_ba_no_buf++; 739 m_freem(m); 740 return; 741 } 742 ba->ba_buf[idx].m = m; 743 /* store Rx meta-data too */ 744 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 745 ba->ba_buf[idx].rxi = *rxi; 746 747 if (ba->ba_buf[ba->ba_head].m == NULL) 748 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 749 else if (timeout_pending(&ba->ba_gap_to)) 750 timeout_del(&ba->ba_gap_to); 751 752 ieee80211_input_ba_flush(ic, ni, ba, ml); 753 } 754 755 /* 756 * Forward buffered frames with sequence number lower than max_seq. 757 * See 802.11-2012 9.21.7.6.2 b. 758 */ 759 void 760 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni, 761 uint8_t tid, uint16_t max_seq, struct mbuf_list *ml) 762 { 763 struct ifnet *ifp = &ic->ic_if; 764 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 765 struct ieee80211_frame *wh; 766 uint16_t seq; 767 int i = 0; 768 769 while (i++ < ba->ba_winsize) { 770 /* gaps may exist */ 771 if (ba->ba_buf[ba->ba_head].m != NULL) { 772 wh = mtod(ba->ba_buf[ba->ba_head].m, 773 struct ieee80211_frame *); 774 KASSERT(ieee80211_has_seq(wh)); 775 seq = letoh16(*(u_int16_t *)wh->i_seq) >> 776 IEEE80211_SEQ_SEQ_SHIFT; 777 if (!SEQ_LT(seq, max_seq)) 778 return; 779 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, 780 ni, &ba->ba_buf[ba->ba_head].rxi, ml); 781 ba->ba_buf[ba->ba_head].m = NULL; 782 } else 783 ic->ic_stats.is_ht_rx_ba_frame_lost++; 784 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 785 /* move window forward */ 786 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 787 } 788 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 789 } 790 791 /* Flush a consecutive sequence of frames from the reorder buffer. */ 792 void 793 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni, 794 struct ieee80211_rx_ba *ba, struct mbuf_list *ml) 795 796 { 797 struct ifnet *ifp = &ic->ic_if; 798 799 /* pass reordered MPDUs up to the next MAC process */ 800 while (ba->ba_buf[ba->ba_head].m != NULL) { 801 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni, 802 &ba->ba_buf[ba->ba_head].rxi, ml); 803 ba->ba_buf[ba->ba_head].m = NULL; 804 805 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 806 /* move window forward */ 807 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 808 } 809 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 810 } 811 812 /* 813 * Forcibly move the BA window forward to remove a leading gap which has 814 * been causing frames to linger in the reordering buffer for too long. 815 * A leading gap will occur if a particular A-MPDU subframe never arrives 816 * or if a bug in the sender causes sequence numbers to jump forward by > 1. 817 */ 818 void 819 ieee80211_input_ba_gap_timeout(void *arg) 820 { 821 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 822 struct ieee80211_rx_ba *ba = arg; 823 struct ieee80211_node *ni = ba->ba_ni; 824 struct ieee80211com *ic = ni->ni_ic; 825 int s, skipped; 826 827 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; 828 829 s = splnet(); 830 831 skipped = 0; 832 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) { 833 /* move window forward */ 834 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 835 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 836 skipped++; 837 ic->ic_stats.is_ht_rx_ba_frame_lost++; 838 } 839 if (skipped > 0) 840 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 841 842 ieee80211_input_ba_flush(ic, ni, ba, &ml); 843 if_input(&ic->ic_if, &ml); 844 845 splx(s); 846 } 847 848 849 /* 850 * Change the value of WinStartB (move window forward) upon reception of a 851 * BlockAckReq frame or an ADDBA Request (PBAC). 852 */ 853 void 854 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 855 u_int8_t tid, u_int16_t ssn, struct mbuf_list *ml) 856 { 857 struct ifnet *ifp = &ic->ic_if; 858 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 859 int count; 860 861 /* assert(WinStartB <= SSN) */ 862 863 count = (ssn - ba->ba_winstart) & 0xfff; 864 if (count > ba->ba_winsize) /* no overlap */ 865 count = ba->ba_winsize; 866 while (count-- > 0) { 867 /* gaps may exist */ 868 if (ba->ba_buf[ba->ba_head].m != NULL) { 869 ieee80211_inputm(ifp, ba->ba_buf[ba->ba_head].m, ni, 870 &ba->ba_buf[ba->ba_head].rxi, ml); 871 ba->ba_buf[ba->ba_head].m = NULL; 872 } else 873 ic->ic_stats.is_ht_rx_ba_frame_lost++; 874 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 875 } 876 /* move window forward */ 877 ba->ba_winstart = ssn; 878 879 ieee80211_input_ba_flush(ic, ni, ba, ml); 880 } 881 882 void 883 ieee80211_enqueue_data(struct ieee80211com *ic, struct mbuf *m, 884 struct ieee80211_node *ni, int mcast, struct mbuf_list *ml) 885 { 886 struct ifnet *ifp = &ic->ic_if; 887 struct ether_header *eh; 888 struct mbuf *m1; 889 890 eh = mtod(m, struct ether_header *); 891 892 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 893 eh->ether_type != htons(ETHERTYPE_PAE)) { 894 DPRINTF(("port not valid: %s\n", 895 ether_sprintf(eh->ether_dhost))); 896 ic->ic_stats.is_rx_unauth++; 897 m_freem(m); 898 return; 899 } 900 901 /* 902 * Perform as a bridge within the AP. Notice that we do not 903 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 904 * And we do not forward unicast frames received on a multicast address. 905 */ 906 m1 = NULL; 907 #ifndef IEEE80211_STA_ONLY 908 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 909 !(ic->ic_userflags & IEEE80211_F_NOBRIDGE) && 910 eh->ether_type != htons(ETHERTYPE_PAE)) { 911 struct ieee80211_node *ni1; 912 913 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 914 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT); 915 if (m1 == NULL) 916 ifp->if_oerrors++; 917 else 918 m1->m_flags |= M_MCAST; 919 } else if (!mcast) { 920 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 921 if (ni1 != NULL && 922 ni1->ni_state == IEEE80211_STA_ASSOC) { 923 m1 = m; 924 m = NULL; 925 } 926 } 927 if (m1 != NULL) { 928 if (if_enqueue(ifp, m1)) 929 ifp->if_oerrors++; 930 } 931 } 932 #endif 933 if (m != NULL) { 934 if ((ic->ic_flags & IEEE80211_F_RSNON) && 935 eh->ether_type == htons(ETHERTYPE_PAE)) { 936 ifp->if_ipackets++; 937 #if NBPFILTER > 0 938 /* 939 * If we forward frame into transmitter of the AP, 940 * we don't need to duplicate for DLT_EN10MB. 941 */ 942 if (ifp->if_bpf && m1 == NULL) 943 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 944 #endif 945 ieee80211_eapol_key_input(ic, m, ni); 946 } else { 947 ml_enqueue(ml, m); 948 } 949 } 950 } 951 952 void 953 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 954 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml) 955 { 956 struct ether_header eh; 957 struct ieee80211_frame *wh; 958 struct llc *llc; 959 int mcast; 960 961 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 962 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 963 ic->ic_stats.is_rx_decap++; 964 return; 965 } 966 wh = mtod(m, struct ieee80211_frame *); 967 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 968 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 969 case IEEE80211_FC1_DIR_NODS: 970 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 971 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 972 break; 973 case IEEE80211_FC1_DIR_TODS: 974 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 975 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 976 break; 977 case IEEE80211_FC1_DIR_FROMDS: 978 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 979 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 980 break; 981 case IEEE80211_FC1_DIR_DSTODS: 982 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 983 IEEE80211_ADDR_COPY(eh.ether_shost, 984 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 985 break; 986 } 987 llc = (struct llc *)((caddr_t)wh + hdrlen); 988 if (llc->llc_dsap == LLC_SNAP_LSAP && 989 llc->llc_ssap == LLC_SNAP_LSAP && 990 llc->llc_control == LLC_UI && 991 llc->llc_snap.org_code[0] == 0 && 992 llc->llc_snap.org_code[1] == 0 && 993 llc->llc_snap.org_code[2] == 0) { 994 eh.ether_type = llc->llc_snap.ether_type; 995 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 996 } else { 997 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 998 m_adj(m, hdrlen - ETHER_HDR_LEN); 999 } 1000 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 1001 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 1002 struct mbuf *m0 = m; 1003 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT); 1004 m_freem(m0); 1005 if (m == NULL) { 1006 ic->ic_stats.is_rx_decap++; 1007 return; 1008 } 1009 } 1010 ieee80211_enqueue_data(ic, m, ni, mcast, ml); 1011 } 1012 1013 /* 1014 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 1015 */ 1016 void 1017 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 1018 struct ieee80211_node *ni, int hdrlen, struct mbuf_list *ml) 1019 { 1020 struct mbuf *n; 1021 struct ether_header *eh; 1022 struct llc *llc; 1023 int len, pad, mcast; 1024 struct ieee80211_frame *wh; 1025 1026 wh = mtod(m, struct ieee80211_frame *); 1027 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1028 1029 /* strip 802.11 header */ 1030 m_adj(m, hdrlen); 1031 1032 for (;;) { 1033 /* process an A-MSDU subframe */ 1034 if (m->m_len < ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 1035 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 1036 if (m == NULL) { 1037 ic->ic_stats.is_rx_decap++; 1038 break; 1039 } 1040 } 1041 eh = mtod(m, struct ether_header *); 1042 /* examine 802.3 header */ 1043 len = ntohs(eh->ether_type); 1044 if (len < LLC_SNAPFRAMELEN) { 1045 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 1046 /* stop processing A-MSDU subframes */ 1047 ic->ic_stats.is_rx_decap++; 1048 m_freem(m); 1049 break; 1050 } 1051 llc = (struct llc *)&eh[1]; 1052 /* examine 802.2 LLC header */ 1053 if (llc->llc_dsap == LLC_SNAP_LSAP && 1054 llc->llc_ssap == LLC_SNAP_LSAP && 1055 llc->llc_control == LLC_UI && 1056 llc->llc_snap.org_code[0] == 0 && 1057 llc->llc_snap.org_code[1] == 0 && 1058 llc->llc_snap.org_code[2] == 0) { 1059 /* convert to Ethernet II header */ 1060 eh->ether_type = llc->llc_snap.ether_type; 1061 /* strip LLC+SNAP headers */ 1062 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh, 1063 ETHER_HDR_LEN); 1064 m_adj(m, LLC_SNAPFRAMELEN); 1065 len -= LLC_SNAPFRAMELEN; 1066 } 1067 len += ETHER_HDR_LEN; 1068 if (len > m->m_pkthdr.len) { 1069 /* stop processing A-MSDU subframes */ 1070 DPRINTF(("A-MSDU subframe too long (%d)\n", len)); 1071 ic->ic_stats.is_rx_decap++; 1072 m_freem(m); 1073 break; 1074 } 1075 1076 /* "detach" our A-MSDU subframe from the others */ 1077 n = m_split(m, len, M_NOWAIT); 1078 if (n == NULL) { 1079 /* stop processing A-MSDU subframes */ 1080 ic->ic_stats.is_rx_decap++; 1081 m_freem(m); 1082 break; 1083 } 1084 ieee80211_enqueue_data(ic, m, ni, mcast, ml); 1085 1086 if (n->m_pkthdr.len == 0) { 1087 m_freem(n); 1088 break; 1089 } 1090 m = n; 1091 /* remove padding */ 1092 pad = ((len + 3) & ~3) - len; 1093 m_adj(m, pad); 1094 } 1095 } 1096 1097 /* 1098 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1099 */ 1100 int 1101 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1102 { 1103 u_int updtcount; 1104 int aci; 1105 1106 /* 1107 * Check if EDCA parameters have changed XXX if we miss more than 1108 * 15 consecutive beacons, we might not detect changes to EDCA 1109 * parameters due to wraparound of the 4-bit Update Count field. 1110 */ 1111 updtcount = frm[0] & 0xf; 1112 if (updtcount == ic->ic_edca_updtcount) 1113 return 0; /* no changes to EDCA parameters, ignore */ 1114 ic->ic_edca_updtcount = updtcount; 1115 1116 frm += 2; /* skip QoS Info & Reserved fields */ 1117 1118 /* parse AC Parameter Records */ 1119 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1120 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1121 1122 ac->ac_acm = (frm[0] >> 4) & 0x1; 1123 ac->ac_aifsn = frm[0] & 0xf; 1124 ac->ac_ecwmin = frm[1] & 0xf; 1125 ac->ac_ecwmax = frm[1] >> 4; 1126 ac->ac_txoplimit = LE_READ_2(frm + 2); 1127 frm += 4; 1128 } 1129 /* give drivers a chance to update their settings */ 1130 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1131 (*ic->ic_updateedca)(ic); 1132 1133 return 0; 1134 } 1135 1136 int 1137 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1138 { 1139 if (frm[1] < 18) { 1140 ic->ic_stats.is_rx_elem_toosmall++; 1141 return IEEE80211_REASON_IE_INVALID; 1142 } 1143 return ieee80211_parse_edca_params_body(ic, frm + 2); 1144 } 1145 1146 int 1147 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1148 { 1149 if (frm[1] < 24) { 1150 ic->ic_stats.is_rx_elem_toosmall++; 1151 return IEEE80211_REASON_IE_INVALID; 1152 } 1153 return ieee80211_parse_edca_params_body(ic, frm + 8); 1154 } 1155 1156 enum ieee80211_cipher 1157 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1158 { 1159 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1160 switch (selector[3]) { 1161 case 0: /* use group data cipher suite */ 1162 return IEEE80211_CIPHER_USEGROUP; 1163 case 1: /* WEP-40 */ 1164 return IEEE80211_CIPHER_WEP40; 1165 case 2: /* TKIP */ 1166 return IEEE80211_CIPHER_TKIP; 1167 case 4: /* CCMP (RSNA default) */ 1168 return IEEE80211_CIPHER_CCMP; 1169 case 5: /* WEP-104 */ 1170 return IEEE80211_CIPHER_WEP104; 1171 } 1172 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1173 /* see 802.11-2012 Table 8-99 */ 1174 switch (selector[3]) { 1175 case 0: /* use group data cipher suite */ 1176 return IEEE80211_CIPHER_USEGROUP; 1177 case 1: /* WEP-40 */ 1178 return IEEE80211_CIPHER_WEP40; 1179 case 2: /* TKIP */ 1180 return IEEE80211_CIPHER_TKIP; 1181 case 4: /* CCMP (RSNA default) */ 1182 return IEEE80211_CIPHER_CCMP; 1183 case 5: /* WEP-104 */ 1184 return IEEE80211_CIPHER_WEP104; 1185 case 6: /* BIP */ 1186 return IEEE80211_CIPHER_BIP; 1187 } 1188 } 1189 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1190 } 1191 1192 enum ieee80211_akm 1193 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1194 { 1195 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1196 switch (selector[3]) { 1197 case 1: /* IEEE 802.1X (RSNA default) */ 1198 return IEEE80211_AKM_8021X; 1199 case 2: /* PSK */ 1200 return IEEE80211_AKM_PSK; 1201 } 1202 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1203 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1204 switch (selector[3]) { 1205 case 1: /* IEEE 802.1X (RSNA default) */ 1206 return IEEE80211_AKM_8021X; 1207 case 2: /* PSK */ 1208 return IEEE80211_AKM_PSK; 1209 case 5: /* IEEE 802.1X with SHA256 KDF */ 1210 return IEEE80211_AKM_SHA256_8021X; 1211 case 6: /* PSK with SHA256 KDF */ 1212 return IEEE80211_AKM_SHA256_PSK; 1213 } 1214 } 1215 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1216 } 1217 1218 /* 1219 * Parse an RSN element (see 802.11-2012 8.4.2.27) 1220 */ 1221 int 1222 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1223 u_int len, struct ieee80211_rsnparams *rsn) 1224 { 1225 const u_int8_t *efrm; 1226 u_int16_t m, n, s; 1227 1228 efrm = frm + len; 1229 1230 /* check Version field */ 1231 if (LE_READ_2(frm) != 1) 1232 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1233 frm += 2; 1234 1235 /* all fields after the Version field are optional */ 1236 1237 /* if Cipher Suite missing, default to CCMP */ 1238 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1239 rsn->rsn_nciphers = 1; 1240 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1241 /* if Group Management Cipher Suite missing, defaut to BIP */ 1242 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1243 /* if AKM Suite missing, default to 802.1X */ 1244 rsn->rsn_nakms = 1; 1245 rsn->rsn_akms = IEEE80211_AKM_8021X; 1246 /* if RSN capabilities missing, default to 0 */ 1247 rsn->rsn_caps = 0; 1248 rsn->rsn_npmkids = 0; 1249 1250 /* read Group Data Cipher Suite field */ 1251 if (frm + 4 > efrm) 1252 return 0; 1253 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1254 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE || 1255 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP || 1256 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP) 1257 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1258 frm += 4; 1259 1260 /* read Pairwise Cipher Suite Count field */ 1261 if (frm + 2 > efrm) 1262 return 0; 1263 m = rsn->rsn_nciphers = LE_READ_2(frm); 1264 frm += 2; 1265 1266 /* read Pairwise Cipher Suite List */ 1267 if (frm + m * 4 > efrm) 1268 return IEEE80211_STATUS_IE_INVALID; 1269 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1270 while (m-- > 0) { 1271 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1272 frm += 4; 1273 } 1274 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1275 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1276 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1277 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1278 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1279 } 1280 1281 /* read AKM Suite List Count field */ 1282 if (frm + 2 > efrm) 1283 return 0; 1284 n = rsn->rsn_nakms = LE_READ_2(frm); 1285 frm += 2; 1286 1287 /* read AKM Suite List */ 1288 if (frm + n * 4 > efrm) 1289 return IEEE80211_STATUS_IE_INVALID; 1290 rsn->rsn_akms = IEEE80211_AKM_NONE; 1291 while (n-- > 0) { 1292 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1293 frm += 4; 1294 } 1295 1296 /* read RSN Capabilities field */ 1297 if (frm + 2 > efrm) 1298 return 0; 1299 rsn->rsn_caps = LE_READ_2(frm); 1300 frm += 2; 1301 1302 /* read PMKID Count field */ 1303 if (frm + 2 > efrm) 1304 return 0; 1305 s = rsn->rsn_npmkids = LE_READ_2(frm); 1306 frm += 2; 1307 1308 /* read PMKID List */ 1309 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1310 return IEEE80211_STATUS_IE_INVALID; 1311 if (s != 0) { 1312 rsn->rsn_pmkids = frm; 1313 frm += s * IEEE80211_PMKID_LEN; 1314 } 1315 1316 /* read Group Management Cipher Suite field */ 1317 if (frm + 4 > efrm) 1318 return 0; 1319 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1320 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP) 1321 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1322 1323 return IEEE80211_STATUS_SUCCESS; 1324 } 1325 1326 int 1327 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1328 struct ieee80211_rsnparams *rsn) 1329 { 1330 if (frm[1] < 2) { 1331 ic->ic_stats.is_rx_elem_toosmall++; 1332 return IEEE80211_STATUS_IE_INVALID; 1333 } 1334 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1335 } 1336 1337 int 1338 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1339 struct ieee80211_rsnparams *rsn) 1340 { 1341 if (frm[1] < 6) { 1342 ic->ic_stats.is_rx_elem_toosmall++; 1343 return IEEE80211_STATUS_IE_INVALID; 1344 } 1345 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1346 } 1347 1348 /* 1349 * Create (or update) a copy of an information element. 1350 */ 1351 int 1352 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1353 { 1354 int olen = *ie ? 2 + (*ie)[1] : 0; 1355 int len = 2 + frm[1]; 1356 1357 if (*ie == NULL || olen != len) { 1358 if (*ie != NULL) 1359 free(*ie, M_DEVBUF, olen); 1360 *ie = malloc(len, M_DEVBUF, M_NOWAIT); 1361 if (*ie == NULL) 1362 return ENOMEM; 1363 } 1364 memcpy(*ie, frm, len); 1365 return 0; 1366 } 1367 1368 /*- 1369 * Beacon/Probe response frame format: 1370 * [8] Timestamp 1371 * [2] Beacon interval 1372 * [2] Capability 1373 * [tlv] Service Set Identifier (SSID) 1374 * [tlv] Supported rates 1375 * [tlv] DS Parameter Set (802.11g) 1376 * [tlv] ERP Information (802.11g) 1377 * [tlv] Extended Supported Rates (802.11g) 1378 * [tlv] RSN (802.11i) 1379 * [tlv] EDCA Parameter Set (802.11e) 1380 * [tlv] QoS Capability (Beacon only, 802.11e) 1381 * [tlv] HT Capabilities (802.11n) 1382 * [tlv] HT Operation (802.11n) 1383 */ 1384 void 1385 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1386 struct ieee80211_node *rni, struct ieee80211_rxinfo *rxi, int isprobe) 1387 { 1388 struct ieee80211_node *ni; 1389 const struct ieee80211_frame *wh; 1390 const u_int8_t *frm, *efrm; 1391 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1392 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1393 u_int16_t capinfo, bintval; 1394 u_int8_t chan, bchan, erp, dtim_count, dtim_period; 1395 int is_new; 1396 1397 /* 1398 * We process beacon/probe response frames for: 1399 * o station mode: to collect state 1400 * updates such as 802.11g slot time and for passive 1401 * scanning of APs 1402 * o adhoc mode: to discover neighbors 1403 * o hostap mode: for passive scanning of neighbor APs 1404 * o when scanning 1405 * In other words, in all modes other than monitor (which 1406 * does not process incoming frames) and adhoc-demo (which 1407 * does not use management frames at all). 1408 */ 1409 #ifdef DIAGNOSTIC 1410 if (ic->ic_opmode != IEEE80211_M_STA && 1411 #ifndef IEEE80211_STA_ONLY 1412 ic->ic_opmode != IEEE80211_M_IBSS && 1413 ic->ic_opmode != IEEE80211_M_HOSTAP && 1414 #endif 1415 ic->ic_state != IEEE80211_S_SCAN) { 1416 panic("%s: impossible operating mode", __func__); 1417 } 1418 #endif 1419 /* make sure all mandatory fixed fields are present */ 1420 if (m->m_len < sizeof(*wh) + 12) { 1421 DPRINTF(("frame too short\n")); 1422 return; 1423 } 1424 wh = mtod(m, struct ieee80211_frame *); 1425 frm = (const u_int8_t *)&wh[1]; 1426 efrm = mtod(m, u_int8_t *) + m->m_len; 1427 1428 tstamp = frm; frm += 8; 1429 bintval = LE_READ_2(frm); frm += 2; 1430 capinfo = LE_READ_2(frm); frm += 2; 1431 1432 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1433 htcaps = htop = NULL; 1434 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1435 chan = bchan; 1436 erp = 0; 1437 dtim_count = dtim_period = 0; 1438 while (frm + 2 <= efrm) { 1439 if (frm + 2 + frm[1] > efrm) { 1440 ic->ic_stats.is_rx_elem_toosmall++; 1441 break; 1442 } 1443 switch (frm[0]) { 1444 case IEEE80211_ELEMID_SSID: 1445 ssid = frm; 1446 break; 1447 case IEEE80211_ELEMID_RATES: 1448 rates = frm; 1449 break; 1450 case IEEE80211_ELEMID_DSPARMS: 1451 if (frm[1] < 1) { 1452 ic->ic_stats.is_rx_elem_toosmall++; 1453 break; 1454 } 1455 chan = frm[2]; 1456 break; 1457 case IEEE80211_ELEMID_XRATES: 1458 xrates = frm; 1459 break; 1460 case IEEE80211_ELEMID_ERP: 1461 if (frm[1] < 1) { 1462 ic->ic_stats.is_rx_elem_toosmall++; 1463 break; 1464 } 1465 erp = frm[2]; 1466 break; 1467 case IEEE80211_ELEMID_RSN: 1468 rsnie = frm; 1469 break; 1470 case IEEE80211_ELEMID_EDCAPARMS: 1471 edcaie = frm; 1472 break; 1473 case IEEE80211_ELEMID_HTCAPS: 1474 htcaps = frm; 1475 break; 1476 case IEEE80211_ELEMID_HTOP: 1477 htop = frm; 1478 break; 1479 case IEEE80211_ELEMID_TIM: 1480 if (frm[1] > 3) { 1481 dtim_count = frm[2]; 1482 dtim_period = frm[3]; 1483 } 1484 break; 1485 case IEEE80211_ELEMID_VENDOR: 1486 if (frm[1] < 4) { 1487 ic->ic_stats.is_rx_elem_toosmall++; 1488 break; 1489 } 1490 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1491 if (frm[5] == 1) 1492 wpaie = frm; 1493 else if (frm[1] >= 5 && 1494 frm[5] == 2 && frm[6] == 1) 1495 wmmie = frm; 1496 } 1497 break; 1498 } 1499 frm += 2 + frm[1]; 1500 } 1501 /* supported rates element is mandatory */ 1502 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1503 DPRINTF(("invalid supported rates element\n")); 1504 return; 1505 } 1506 /* SSID element is mandatory */ 1507 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1508 DPRINTF(("invalid SSID element\n")); 1509 return; 1510 } 1511 1512 if ( 1513 #if IEEE80211_CHAN_MAX < 255 1514 chan > IEEE80211_CHAN_MAX || 1515 #endif 1516 isclr(ic->ic_chan_active, chan)) { 1517 DPRINTF(("ignore %s with invalid channel %u\n", 1518 isprobe ? "probe response" : "beacon", chan)); 1519 ic->ic_stats.is_rx_badchan++; 1520 return; 1521 } 1522 if ((ic->ic_state != IEEE80211_S_SCAN || 1523 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1524 chan != bchan) { 1525 /* 1526 * Frame was received on a channel different from the 1527 * one indicated in the DS params element id; 1528 * silently discard it. 1529 * 1530 * NB: this can happen due to signal leakage. 1531 */ 1532 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1533 isprobe ? "probe response" : "beacon", bchan, chan)); 1534 ic->ic_stats.is_rx_chanmismatch++; 1535 return; 1536 } 1537 /* 1538 * Use mac, channel and rssi so we collect only the 1539 * best potential AP with the equal bssid while scanning. 1540 * Collecting all potential APs may result in bloat of 1541 * the node tree. This call will return NULL if the node 1542 * for this APs does not exist or if the new node is the 1543 * potential better one. 1544 */ 1545 ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1546 &ic->ic_channels[chan], ssid, rxi->rxi_rssi); 1547 if (ni != NULL) { 1548 /* 1549 * If we are doing a directed scan for an AP with a hidden SSID 1550 * we must collect the SSID from a probe response to override 1551 * a non-zero-length SSID filled with zeroes that we may have 1552 * received earlier in a beacon. 1553 */ 1554 if (isprobe && ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1555 ni->ni_esslen = ssid[1]; 1556 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1557 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1558 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1559 } 1560 1561 /* Update channel in case AP has switched */ 1562 if (ic->ic_opmode == IEEE80211_M_STA) 1563 ni->ni_chan = rni->ni_chan; 1564 1565 return; 1566 } 1567 1568 #ifdef IEEE80211_DEBUG 1569 if (ieee80211_debug > 1 && 1570 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN || 1571 (ic->ic_flags & IEEE80211_F_BGSCAN))) { 1572 printf("%s: %s%s on chan %u (bss chan %u) ", 1573 __func__, (ni == NULL ? "new " : ""), 1574 isprobe ? "probe response" : "beacon", 1575 chan, bchan); 1576 ieee80211_print_essid(ssid + 2, ssid[1]); 1577 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1578 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1579 __func__, capinfo, bintval, erp); 1580 } 1581 #endif 1582 1583 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1584 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1585 if (ni == NULL) 1586 return; 1587 is_new = 1; 1588 } else 1589 is_new = 0; 1590 1591 if (htcaps) 1592 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1593 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1], 1)) 1594 htop = NULL; /* invalid HTOP */ 1595 1596 ni->ni_dtimcount = dtim_count; 1597 ni->ni_dtimperiod = dtim_period; 1598 1599 /* 1600 * When operating in station mode, check for state updates 1601 * while we're associated. 1602 */ 1603 if (ic->ic_opmode == IEEE80211_M_STA && 1604 ic->ic_state == IEEE80211_S_RUN && 1605 ni->ni_state == IEEE80211_STA_BSS) { 1606 /* 1607 * Check if protection mode has changed since last beacon. 1608 */ 1609 if (ni->ni_erp != erp) { 1610 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1611 ether_sprintf((u_int8_t *)wh->i_addr2), 1612 ni->ni_erp, erp)); 1613 if ((ic->ic_curmode == IEEE80211_MODE_11G || 1614 (ic->ic_curmode == IEEE80211_MODE_11N && 1615 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 1616 (erp & IEEE80211_ERP_USE_PROTECTION)) 1617 ic->ic_flags |= IEEE80211_F_USEPROT; 1618 else 1619 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1620 ic->ic_bss->ni_erp = erp; 1621 } 1622 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) { 1623 enum ieee80211_htprot htprot_last, htprot; 1624 htprot_last = 1625 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) 1626 >> IEEE80211_HTOP1_PROT_SHIFT); 1627 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >> 1628 IEEE80211_HTOP1_PROT_SHIFT); 1629 if (htprot_last != htprot) { 1630 DPRINTF(("[%s] htprot change: was %d, now %d\n", 1631 ether_sprintf((u_int8_t *)wh->i_addr2), 1632 htprot_last, htprot)); 1633 ic->ic_stats.is_ht_prot_change++; 1634 ic->ic_bss->ni_htop1 = ni->ni_htop1; 1635 if (ic->ic_update_htprot) 1636 ic->ic_update_htprot(ic, ic->ic_bss); 1637 } 1638 } 1639 1640 /* 1641 * Check if AP short slot time setting has changed 1642 * since last beacon and give the driver a chance to 1643 * update the hardware. 1644 */ 1645 if ((ni->ni_capinfo ^ capinfo) & 1646 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1647 ieee80211_set_shortslottime(ic, 1648 ic->ic_curmode == IEEE80211_MODE_11A || 1649 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1650 } 1651 1652 /* 1653 * Reset management timer. If it is non-zero in RUN state, the 1654 * driver sent a probe request after a missed beacon event. 1655 * This probe response indicates the AP is still serving us 1656 * so don't allow ieee80211_watchdog() to move us into SCAN. 1657 */ 1658 if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0) 1659 ic->ic_mgt_timer = 0; 1660 } 1661 /* 1662 * We do not try to update EDCA parameters if QoS was not negotiated 1663 * with the AP at association time. 1664 */ 1665 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1666 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1667 if ((edcaie != NULL && 1668 ieee80211_parse_edca_params(ic, edcaie) == 0) || 1669 (wmmie != NULL && 1670 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 1671 ni->ni_flags |= IEEE80211_NODE_QOS; 1672 else 1673 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1674 } 1675 1676 if (ic->ic_state == IEEE80211_S_SCAN || 1677 (ic->ic_flags & IEEE80211_F_BGSCAN)) { 1678 struct ieee80211_rsnparams rsn, wpa; 1679 1680 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1681 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 1682 ni->ni_rsnakms = 0; 1683 ni->ni_supported_rsnakms = 0; 1684 ni->ni_rsnciphers = 0; 1685 ni->ni_rsngroupcipher = 0; 1686 ni->ni_rsngroupmgmtcipher = 0; 1687 ni->ni_rsncaps = 0; 1688 1689 if (rsnie != NULL && 1690 ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1691 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_RSN; 1692 ni->ni_supported_rsnakms |= rsn.rsn_akms; 1693 } 1694 if (wpaie != NULL && 1695 ieee80211_parse_wpa(ic, wpaie, &wpa) == 0) { 1696 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_WPA; 1697 ni->ni_supported_rsnakms |= wpa.rsn_akms; 1698 } 1699 1700 /* 1701 * If the AP advertises both WPA and RSN IEs (WPA1+WPA2), 1702 * we only use the highest protocol version we support. 1703 */ 1704 if (rsnie != NULL && 1705 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_RSN) && 1706 (ic->ic_caps & IEEE80211_C_RSN)) { 1707 if (ieee80211_save_ie(rsnie, &ni->ni_rsnie) == 0 1708 #ifndef IEEE80211_STA_ONLY 1709 && ic->ic_opmode != IEEE80211_M_HOSTAP 1710 #endif 1711 ) { 1712 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1713 ni->ni_rsnakms = rsn.rsn_akms; 1714 ni->ni_rsnciphers = rsn.rsn_ciphers; 1715 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1716 ni->ni_rsngroupmgmtcipher = 1717 rsn.rsn_groupmgmtcipher; 1718 ni->ni_rsncaps = rsn.rsn_caps; 1719 } 1720 } else if (wpaie != NULL && 1721 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_WPA) && 1722 (ic->ic_caps & IEEE80211_C_RSN)) { 1723 if (ieee80211_save_ie(wpaie, &ni->ni_rsnie) == 0 1724 #ifndef IEEE80211_STA_ONLY 1725 && ic->ic_opmode != IEEE80211_M_HOSTAP 1726 #endif 1727 ) { 1728 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1729 ni->ni_rsnakms = wpa.rsn_akms; 1730 ni->ni_rsnciphers = wpa.rsn_ciphers; 1731 ni->ni_rsngroupcipher = wpa.rsn_groupcipher; 1732 ni->ni_rsngroupmgmtcipher = 1733 wpa.rsn_groupmgmtcipher; 1734 ni->ni_rsncaps = wpa.rsn_caps; 1735 } 1736 } 1737 } 1738 1739 if (ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1740 ni->ni_esslen = ssid[1]; 1741 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1742 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1743 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1744 } 1745 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1746 /* XXX validate channel # */ 1747 ni->ni_chan = &ic->ic_channels[chan]; 1748 if (ic->ic_state == IEEE80211_S_SCAN && 1749 IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) { 1750 /* 1751 * During a scan on 5Ghz, prefer RSSI measured for probe 1752 * response frames. i.e. don't allow beacons to lower the 1753 * measured RSSI. Some 5GHz APs send beacons with much 1754 * less Tx power than they use for probe responses. 1755 */ 1756 if (isprobe || ni->ni_rssi == 0) 1757 ni->ni_rssi = rxi->rxi_rssi; 1758 else if (ni->ni_rssi < rxi->rxi_rssi) 1759 ni->ni_rssi = rxi->rxi_rssi; 1760 } else 1761 ni->ni_rssi = rxi->rxi_rssi; 1762 ni->ni_rstamp = rxi->rxi_tstamp; 1763 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1764 ni->ni_intval = bintval; 1765 ni->ni_capinfo = capinfo; 1766 ni->ni_erp = erp; 1767 /* NB: must be after ni_chan is setup */ 1768 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1769 #ifndef IEEE80211_STA_ONLY 1770 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) { 1771 /* 1772 * Fake an association so the driver can setup it's 1773 * private state. The rate set has been setup above; 1774 * there is no handshake as in ap/station operation. 1775 */ 1776 if (ic->ic_newassoc) 1777 (*ic->ic_newassoc)(ic, ni, 1); 1778 } 1779 #endif 1780 } 1781 1782 #ifndef IEEE80211_STA_ONLY 1783 /*- 1784 * Probe request frame format: 1785 * [tlv] SSID 1786 * [tlv] Supported rates 1787 * [tlv] Extended Supported Rates (802.11g) 1788 * [tlv] HT Capabilities (802.11n) 1789 */ 1790 void 1791 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 1792 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1793 { 1794 const struct ieee80211_frame *wh; 1795 const u_int8_t *frm, *efrm; 1796 const u_int8_t *ssid, *rates, *xrates, *htcaps; 1797 u_int8_t rate; 1798 1799 if (ic->ic_opmode == IEEE80211_M_STA || 1800 ic->ic_state != IEEE80211_S_RUN) 1801 return; 1802 1803 wh = mtod(m, struct ieee80211_frame *); 1804 frm = (const u_int8_t *)&wh[1]; 1805 efrm = mtod(m, u_int8_t *) + m->m_len; 1806 1807 ssid = rates = xrates = htcaps = NULL; 1808 while (frm + 2 <= efrm) { 1809 if (frm + 2 + frm[1] > efrm) { 1810 ic->ic_stats.is_rx_elem_toosmall++; 1811 break; 1812 } 1813 switch (frm[0]) { 1814 case IEEE80211_ELEMID_SSID: 1815 ssid = frm; 1816 break; 1817 case IEEE80211_ELEMID_RATES: 1818 rates = frm; 1819 break; 1820 case IEEE80211_ELEMID_XRATES: 1821 xrates = frm; 1822 break; 1823 case IEEE80211_ELEMID_HTCAPS: 1824 htcaps = frm; 1825 break; 1826 } 1827 frm += 2 + frm[1]; 1828 } 1829 /* supported rates element is mandatory */ 1830 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1831 DPRINTF(("invalid supported rates element\n")); 1832 return; 1833 } 1834 /* SSID element is mandatory */ 1835 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1836 DPRINTF(("invalid SSID element\n")); 1837 return; 1838 } 1839 /* check that the specified SSID (if not wildcard) matches ours */ 1840 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 1841 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 1842 DPRINTF(("SSID mismatch\n")); 1843 ic->ic_stats.is_rx_ssidmismatch++; 1844 return; 1845 } 1846 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 1847 if (ssid[1] == 0 && (ic->ic_flags & IEEE80211_F_HIDENWID)) { 1848 DPRINTF(("wildcard SSID rejected")); 1849 ic->ic_stats.is_rx_ssidmismatch++; 1850 return; 1851 } 1852 1853 if (ni == ic->ic_bss) { 1854 ni = ieee80211_find_node(ic, wh->i_addr2); 1855 if (ni == NULL) 1856 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1857 if (ni == NULL) 1858 return; 1859 DPRINTF(("new probe req from %s\n", 1860 ether_sprintf((u_int8_t *)wh->i_addr2))); 1861 } 1862 ni->ni_rssi = rxi->rxi_rssi; 1863 ni->ni_rstamp = rxi->rxi_tstamp; 1864 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1865 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1866 IEEE80211_F_DODEL); 1867 if (rate & IEEE80211_RATE_BASIC) { 1868 DPRINTF(("rate mismatch for %s\n", 1869 ether_sprintf((u_int8_t *)wh->i_addr2))); 1870 return; 1871 } 1872 if (htcaps) 1873 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1874 else 1875 ieee80211_clear_htcaps(ni); 1876 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1877 } 1878 #endif /* IEEE80211_STA_ONLY */ 1879 1880 /*- 1881 * Authentication frame format: 1882 * [2] Authentication algorithm number 1883 * [2] Authentication transaction sequence number 1884 * [2] Status code 1885 */ 1886 void 1887 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 1888 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1889 { 1890 const struct ieee80211_frame *wh; 1891 const u_int8_t *frm; 1892 u_int16_t algo, seq, status; 1893 1894 /* make sure all mandatory fixed fields are present */ 1895 if (m->m_len < sizeof(*wh) + 6) { 1896 DPRINTF(("frame too short\n")); 1897 return; 1898 } 1899 wh = mtod(m, struct ieee80211_frame *); 1900 frm = (const u_int8_t *)&wh[1]; 1901 1902 algo = LE_READ_2(frm); frm += 2; 1903 seq = LE_READ_2(frm); frm += 2; 1904 status = LE_READ_2(frm); frm += 2; 1905 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 1906 ether_sprintf((u_int8_t *)wh->i_addr2))); 1907 1908 /* only "open" auth mode is supported */ 1909 if (algo != IEEE80211_AUTH_ALG_OPEN) { 1910 DPRINTF(("unsupported auth algorithm %d from %s\n", 1911 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 1912 ic->ic_stats.is_rx_auth_unsupported++; 1913 #ifndef IEEE80211_STA_ONLY 1914 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1915 /* XXX hack to workaround calling convention */ 1916 IEEE80211_SEND_MGMT(ic, ni, 1917 IEEE80211_FC0_SUBTYPE_AUTH, 1918 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xffff)); 1919 } 1920 #endif 1921 return; 1922 } 1923 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 1924 } 1925 1926 #ifndef IEEE80211_STA_ONLY 1927 /*- 1928 * (Re)Association request frame format: 1929 * [2] Capability information 1930 * [2] Listen interval 1931 * [6*] Current AP address (Reassociation only) 1932 * [tlv] SSID 1933 * [tlv] Supported rates 1934 * [tlv] Extended Supported Rates (802.11g) 1935 * [tlv] RSN (802.11i) 1936 * [tlv] QoS Capability (802.11e) 1937 * [tlv] HT Capabilities (802.11n) 1938 */ 1939 void 1940 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 1941 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 1942 { 1943 const struct ieee80211_frame *wh; 1944 const u_int8_t *frm, *efrm; 1945 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *wmeie, *htcaps; 1946 u_int16_t capinfo, bintval; 1947 int resp, status = 0; 1948 struct ieee80211_rsnparams rsn; 1949 u_int8_t rate; 1950 const u_int8_t *saveie = NULL; 1951 1952 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1953 ic->ic_state != IEEE80211_S_RUN) 1954 return; 1955 1956 /* make sure all mandatory fixed fields are present */ 1957 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 1958 DPRINTF(("frame too short\n")); 1959 return; 1960 } 1961 wh = mtod(m, struct ieee80211_frame *); 1962 frm = (const u_int8_t *)&wh[1]; 1963 efrm = mtod(m, u_int8_t *) + m->m_len; 1964 1965 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1966 DPRINTF(("ignore other bss from %s\n", 1967 ether_sprintf((u_int8_t *)wh->i_addr2))); 1968 ic->ic_stats.is_rx_assoc_bss++; 1969 return; 1970 } 1971 capinfo = LE_READ_2(frm); frm += 2; 1972 bintval = LE_READ_2(frm); frm += 2; 1973 if (reassoc) { 1974 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 1975 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1976 } else 1977 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1978 1979 ssid = rates = xrates = rsnie = wpaie = wmeie = htcaps = NULL; 1980 while (frm + 2 <= efrm) { 1981 if (frm + 2 + frm[1] > efrm) { 1982 ic->ic_stats.is_rx_elem_toosmall++; 1983 break; 1984 } 1985 switch (frm[0]) { 1986 case IEEE80211_ELEMID_SSID: 1987 ssid = frm; 1988 break; 1989 case IEEE80211_ELEMID_RATES: 1990 rates = frm; 1991 break; 1992 case IEEE80211_ELEMID_XRATES: 1993 xrates = frm; 1994 break; 1995 case IEEE80211_ELEMID_RSN: 1996 rsnie = frm; 1997 break; 1998 case IEEE80211_ELEMID_QOS_CAP: 1999 break; 2000 case IEEE80211_ELEMID_HTCAPS: 2001 htcaps = frm; 2002 break; 2003 case IEEE80211_ELEMID_VENDOR: 2004 if (frm[1] < 4) { 2005 ic->ic_stats.is_rx_elem_toosmall++; 2006 break; 2007 } 2008 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2009 if (frm[5] == 1) 2010 wpaie = frm; 2011 /* WME info IE: len=7 type=2 subtype=0 */ 2012 if (frm[1] == 7 && frm[5] == 2 && frm[6] == 0) 2013 wmeie = frm; 2014 } 2015 break; 2016 } 2017 frm += 2 + frm[1]; 2018 } 2019 /* supported rates element is mandatory */ 2020 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2021 DPRINTF(("invalid supported rates element\n")); 2022 return; 2023 } 2024 /* SSID element is mandatory */ 2025 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 2026 DPRINTF(("invalid SSID element\n")); 2027 return; 2028 } 2029 /* check that the specified SSID matches ours */ 2030 if (ssid[1] != ic->ic_bss->ni_esslen || 2031 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 2032 DPRINTF(("SSID mismatch\n")); 2033 ic->ic_stats.is_rx_ssidmismatch++; 2034 return; 2035 } 2036 2037 if (ni->ni_state != IEEE80211_STA_AUTH && 2038 ni->ni_state != IEEE80211_STA_ASSOC) { 2039 DPRINTF(("deny %sassoc from %s, not authenticated\n", 2040 reassoc ? "re" : "", 2041 ether_sprintf((u_int8_t *)wh->i_addr2))); 2042 ni = ieee80211_find_node(ic, wh->i_addr2); 2043 if (ni == NULL) 2044 ni = ieee80211_dup_bss(ic, wh->i_addr2); 2045 if (ni != NULL) { 2046 IEEE80211_SEND_MGMT(ic, ni, 2047 IEEE80211_FC0_SUBTYPE_DEAUTH, 2048 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2049 } 2050 ic->ic_stats.is_rx_assoc_notauth++; 2051 return; 2052 } 2053 2054 if (ni->ni_state == IEEE80211_STA_ASSOC && 2055 (ni->ni_flags & IEEE80211_NODE_MFP)) { 2056 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 2057 /* send a protected Disassociate frame */ 2058 IEEE80211_SEND_MGMT(ic, ni, 2059 IEEE80211_FC0_SUBTYPE_DISASSOC, 2060 IEEE80211_REASON_AUTH_EXPIRE); 2061 /* terminate the old SA */ 2062 ieee80211_node_leave(ic, ni); 2063 } else { 2064 /* reject the (Re)Association Request temporarily */ 2065 IEEE80211_SEND_MGMT(ic, ni, resp, 2066 IEEE80211_STATUS_TRY_AGAIN_LATER); 2067 /* start SA Query procedure if not already engaged */ 2068 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 2069 ieee80211_sa_query_request(ic, ni); 2070 /* do not modify association state */ 2071 } 2072 return; 2073 } 2074 2075 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 2076 ic->ic_stats.is_rx_assoc_capmismatch++; 2077 status = IEEE80211_STATUS_CAPINFO; 2078 goto end; 2079 } 2080 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2081 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2082 IEEE80211_F_DODEL); 2083 if (rate & IEEE80211_RATE_BASIC) { 2084 ic->ic_stats.is_rx_assoc_norate++; 2085 status = IEEE80211_STATUS_BASIC_RATE; 2086 goto end; 2087 } 2088 2089 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2090 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 2091 ni->ni_rsnakms = 0; 2092 ni->ni_supported_rsnakms = 0; 2093 ni->ni_rsnciphers = 0; 2094 ni->ni_rsngroupcipher = 0; 2095 ni->ni_rsngroupmgmtcipher = 0; 2096 ni->ni_rsncaps = 0; 2097 2098 /* 2099 * A station should never include both a WPA and an RSN IE 2100 * in its (Re)Association Requests, but if it does, we only 2101 * consider the IE of the highest version of the protocol 2102 * that is allowed (ie RSN over WPA). 2103 */ 2104 if (rsnie != NULL) { 2105 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 2106 if (status != 0) 2107 goto end; 2108 ni->ni_supported_rsnprotos = IEEE80211_PROTO_RSN; 2109 ni->ni_supported_rsnakms = rsn.rsn_akms; 2110 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2111 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 2112 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 2113 saveie = rsnie; 2114 } 2115 } else if (wpaie != NULL) { 2116 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 2117 if (status != 0) 2118 goto end; 2119 ni->ni_supported_rsnprotos = IEEE80211_PROTO_WPA; 2120 ni->ni_supported_rsnakms = rsn.rsn_akms; 2121 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2122 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 2123 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 2124 saveie = wpaie; 2125 } 2126 } 2127 2128 if (ic->ic_flags & IEEE80211_F_QOS) { 2129 if (wmeie != NULL) 2130 ni->ni_flags |= IEEE80211_NODE_QOS; 2131 else /* for Reassociation */ 2132 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2133 } 2134 2135 if (ic->ic_flags & IEEE80211_F_RSNON) { 2136 if (ni->ni_rsnprotos == IEEE80211_PROTO_NONE) { 2137 /* 2138 * In an RSN, an AP shall not associate with STAs 2139 * that fail to include the RSN IE in the 2140 * (Re)Association Request. 2141 */ 2142 status = IEEE80211_STATUS_IE_INVALID; 2143 goto end; 2144 } 2145 /* 2146 * The initiating STA's RSN IE shall include one authentication 2147 * and pairwise cipher suite among those advertised by the 2148 * targeted AP. It shall also specify the group cipher suite 2149 * specified by the targeted AP. 2150 */ 2151 if (rsn.rsn_nakms != 1 || 2152 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2153 status = IEEE80211_STATUS_BAD_AKMP; 2154 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2155 goto end; 2156 } 2157 if (rsn.rsn_nciphers != 1 || 2158 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2159 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2160 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2161 goto end; 2162 } 2163 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2164 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2165 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2166 goto end; 2167 } 2168 2169 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2170 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2171 status = IEEE80211_STATUS_MFP_POLICY; 2172 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2173 goto end; 2174 } 2175 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2176 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2177 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2178 /* STA advertises an invalid setting */ 2179 status = IEEE80211_STATUS_MFP_POLICY; 2180 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2181 goto end; 2182 } 2183 /* 2184 * A STA that has associated with Management Frame Protection 2185 * enabled shall not use cipher suite pairwise selector WEP40, 2186 * WEP104, TKIP, or "Use Group cipher suite". 2187 */ 2188 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2189 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2190 rsn.rsn_groupmgmtcipher != 2191 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2192 status = IEEE80211_STATUS_MFP_POLICY; 2193 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2194 goto end; 2195 } 2196 2197 /* 2198 * Disallow new associations using TKIP if countermeasures 2199 * are active. 2200 */ 2201 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2202 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2203 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2204 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2205 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2206 goto end; 2207 } 2208 2209 /* everything looks fine, save IE and parameters */ 2210 if (saveie == NULL || 2211 ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2212 status = IEEE80211_STATUS_TOOMANY; 2213 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2214 goto end; 2215 } 2216 ni->ni_rsnakms = rsn.rsn_akms; 2217 ni->ni_rsnciphers = rsn.rsn_ciphers; 2218 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2219 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2220 ni->ni_rsncaps = rsn.rsn_caps; 2221 2222 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2223 struct ieee80211_pmk *pmk = NULL; 2224 const u_int8_t *pmkid = rsn.rsn_pmkids; 2225 /* 2226 * Check if we have a cached PMK entry matching one 2227 * of the PMKIDs specified in the RSN IE. 2228 */ 2229 while (rsn.rsn_npmkids-- > 0) { 2230 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2231 if (pmk != NULL) 2232 break; 2233 pmkid += IEEE80211_PMKID_LEN; 2234 } 2235 if (pmk != NULL) { 2236 memcpy(ni->ni_pmk, pmk->pmk_key, 2237 IEEE80211_PMK_LEN); 2238 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2239 IEEE80211_PMKID_LEN); 2240 ni->ni_flags |= IEEE80211_NODE_PMK; 2241 } 2242 } 2243 } 2244 2245 ni->ni_rssi = rxi->rxi_rssi; 2246 ni->ni_rstamp = rxi->rxi_tstamp; 2247 ni->ni_intval = bintval; 2248 ni->ni_capinfo = capinfo; 2249 ni->ni_chan = ic->ic_bss->ni_chan; 2250 if (htcaps) 2251 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2252 else 2253 ieee80211_clear_htcaps(ni); 2254 end: 2255 if (status != 0) { 2256 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2257 ieee80211_node_leave(ic, ni); 2258 } else 2259 ieee80211_node_join(ic, ni, resp); 2260 } 2261 #endif /* IEEE80211_STA_ONLY */ 2262 2263 /*- 2264 * (Re)Association response frame format: 2265 * [2] Capability information 2266 * [2] Status code 2267 * [2] Association ID (AID) 2268 * [tlv] Supported rates 2269 * [tlv] Extended Supported Rates (802.11g) 2270 * [tlv] EDCA Parameter Set (802.11e) 2271 * [tlv] HT Capabilities (802.11n) 2272 * [tlv] HT Operation (802.11n) 2273 */ 2274 void 2275 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2276 struct ieee80211_node *ni, int reassoc) 2277 { 2278 struct ifnet *ifp = &ic->ic_if; 2279 const struct ieee80211_frame *wh; 2280 const u_int8_t *frm, *efrm; 2281 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2282 u_int16_t capinfo, status, associd; 2283 u_int8_t rate; 2284 2285 if (ic->ic_opmode != IEEE80211_M_STA || 2286 ic->ic_state != IEEE80211_S_ASSOC) { 2287 ic->ic_stats.is_rx_mgtdiscard++; 2288 return; 2289 } 2290 2291 /* make sure all mandatory fixed fields are present */ 2292 if (m->m_len < sizeof(*wh) + 6) { 2293 DPRINTF(("frame too short\n")); 2294 return; 2295 } 2296 wh = mtod(m, struct ieee80211_frame *); 2297 frm = (const u_int8_t *)&wh[1]; 2298 efrm = mtod(m, u_int8_t *) + m->m_len; 2299 2300 capinfo = LE_READ_2(frm); frm += 2; 2301 status = LE_READ_2(frm); frm += 2; 2302 if (status != IEEE80211_STATUS_SUCCESS) { 2303 if (ifp->if_flags & IFF_DEBUG) 2304 printf("%s: %sassociation failed (status %d)" 2305 " for %s\n", ifp->if_xname, 2306 reassoc ? "re" : "", 2307 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2308 if (ni != ic->ic_bss) 2309 ni->ni_fails++; 2310 ic->ic_stats.is_rx_auth_fail++; 2311 return; 2312 } 2313 associd = LE_READ_2(frm); frm += 2; 2314 2315 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2316 while (frm + 2 <= efrm) { 2317 if (frm + 2 + frm[1] > efrm) { 2318 ic->ic_stats.is_rx_elem_toosmall++; 2319 break; 2320 } 2321 switch (frm[0]) { 2322 case IEEE80211_ELEMID_RATES: 2323 rates = frm; 2324 break; 2325 case IEEE80211_ELEMID_XRATES: 2326 xrates = frm; 2327 break; 2328 case IEEE80211_ELEMID_EDCAPARMS: 2329 edcaie = frm; 2330 break; 2331 case IEEE80211_ELEMID_HTCAPS: 2332 htcaps = frm; 2333 break; 2334 case IEEE80211_ELEMID_HTOP: 2335 htop = frm; 2336 break; 2337 case IEEE80211_ELEMID_VENDOR: 2338 if (frm[1] < 4) { 2339 ic->ic_stats.is_rx_elem_toosmall++; 2340 break; 2341 } 2342 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2343 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2344 wmmie = frm; 2345 } 2346 break; 2347 } 2348 frm += 2 + frm[1]; 2349 } 2350 /* supported rates element is mandatory */ 2351 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2352 DPRINTF(("invalid supported rates element\n")); 2353 return; 2354 } 2355 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2356 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2357 IEEE80211_F_DODEL); 2358 if (rate & IEEE80211_RATE_BASIC) { 2359 DPRINTF(("rate mismatch for %s\n", 2360 ether_sprintf((u_int8_t *)wh->i_addr2))); 2361 ic->ic_stats.is_rx_assoc_norate++; 2362 return; 2363 } 2364 ni->ni_capinfo = capinfo; 2365 ni->ni_associd = associd; 2366 if (edcaie != NULL || wmmie != NULL) { 2367 /* force update of EDCA parameters */ 2368 ic->ic_edca_updtcount = -1; 2369 2370 if ((edcaie != NULL && 2371 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2372 (wmmie != NULL && 2373 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2374 ni->ni_flags |= IEEE80211_NODE_QOS; 2375 else /* for Reassociation */ 2376 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2377 } 2378 if (htcaps) 2379 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2380 if (htop) 2381 ieee80211_setup_htop(ni, htop + 2, htop[1], 0); 2382 ieee80211_ht_negotiate(ic, ni); 2383 2384 /* Hop into 11n mode after associating to an HT AP in a non-11n mode. */ 2385 if (ni->ni_flags & IEEE80211_NODE_HT) 2386 ieee80211_setmode(ic, IEEE80211_MODE_11N); 2387 else 2388 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan)); 2389 /* 2390 * Reset the erp state (mostly the slot time) now that 2391 * our operating mode has been nailed down. 2392 */ 2393 ieee80211_reset_erp(ic); 2394 2395 /* 2396 * Configure state now that we are associated. 2397 */ 2398 if (ic->ic_curmode == IEEE80211_MODE_11A || 2399 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2400 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2401 else 2402 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2403 2404 ieee80211_set_shortslottime(ic, 2405 ic->ic_curmode == IEEE80211_MODE_11A || 2406 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2407 /* 2408 * Honor ERP protection. 2409 */ 2410 if ((ic->ic_curmode == IEEE80211_MODE_11G || 2411 (ic->ic_curmode == IEEE80211_MODE_11N && 2412 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 2413 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2414 ic->ic_flags |= IEEE80211_F_USEPROT; 2415 else 2416 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2417 /* 2418 * If not an RSNA, mark the port as valid, otherwise wait for 2419 * 802.1X authentication and 4-way handshake to complete.. 2420 */ 2421 if (ic->ic_flags & IEEE80211_F_RSNON) { 2422 /* XXX ic->ic_mgt_timer = 5; */ 2423 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 2424 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2425 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2426 2427 ieee80211_new_state(ic, IEEE80211_S_RUN, 2428 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2429 } 2430 2431 /*- 2432 * Deauthentication frame format: 2433 * [2] Reason code 2434 */ 2435 void 2436 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2437 struct ieee80211_node *ni) 2438 { 2439 const struct ieee80211_frame *wh; 2440 const u_int8_t *frm; 2441 u_int16_t reason; 2442 2443 /* make sure all mandatory fixed fields are present */ 2444 if (m->m_len < sizeof(*wh) + 2) { 2445 DPRINTF(("frame too short\n")); 2446 return; 2447 } 2448 wh = mtod(m, struct ieee80211_frame *); 2449 frm = (const u_int8_t *)&wh[1]; 2450 2451 reason = LE_READ_2(frm); 2452 2453 ic->ic_stats.is_rx_deauth++; 2454 switch (ic->ic_opmode) { 2455 case IEEE80211_M_STA: { 2456 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2457 ic->ic_state == IEEE80211_S_RUN); 2458 int stay_auth = ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2459 ic->ic_state >= IEEE80211_S_AUTH); 2460 if (!(bgscan || stay_auth)) 2461 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2462 IEEE80211_FC0_SUBTYPE_DEAUTH); 2463 } 2464 break; 2465 #ifndef IEEE80211_STA_ONLY 2466 case IEEE80211_M_HOSTAP: 2467 if (ni != ic->ic_bss) { 2468 int stay_auth = 2469 ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2470 (ni->ni_state == IEEE80211_STA_AUTH || 2471 ni->ni_state == IEEE80211_STA_ASSOC)); 2472 if (ic->ic_if.if_flags & IFF_DEBUG) 2473 printf("%s: station %s deauthenticated " 2474 "by peer (reason %d)\n", 2475 ic->ic_if.if_xname, 2476 ether_sprintf(ni->ni_macaddr), 2477 reason); 2478 if (!stay_auth) 2479 ieee80211_node_leave(ic, ni); 2480 } 2481 break; 2482 #endif 2483 default: 2484 break; 2485 } 2486 } 2487 2488 /*- 2489 * Disassociation frame format: 2490 * [2] Reason code 2491 */ 2492 void 2493 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2494 struct ieee80211_node *ni) 2495 { 2496 const struct ieee80211_frame *wh; 2497 const u_int8_t *frm; 2498 u_int16_t reason; 2499 2500 /* make sure all mandatory fixed fields are present */ 2501 if (m->m_len < sizeof(*wh) + 2) { 2502 DPRINTF(("frame too short\n")); 2503 return; 2504 } 2505 wh = mtod(m, struct ieee80211_frame *); 2506 frm = (const u_int8_t *)&wh[1]; 2507 2508 reason = LE_READ_2(frm); 2509 2510 ic->ic_stats.is_rx_disassoc++; 2511 switch (ic->ic_opmode) { 2512 case IEEE80211_M_STA: { 2513 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2514 ic->ic_state == IEEE80211_S_RUN); 2515 if (!bgscan) /* ignore disassoc during bgscan */ 2516 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2517 IEEE80211_FC0_SUBTYPE_DISASSOC); 2518 } 2519 break; 2520 #ifndef IEEE80211_STA_ONLY 2521 case IEEE80211_M_HOSTAP: 2522 if (ni != ic->ic_bss) { 2523 if (ic->ic_if.if_flags & IFF_DEBUG) 2524 printf("%s: station %s disassociated " 2525 "by peer (reason %d)\n", 2526 ic->ic_if.if_xname, 2527 ether_sprintf(ni->ni_macaddr), 2528 reason); 2529 ieee80211_node_leave(ic, ni); 2530 } 2531 break; 2532 #endif 2533 default: 2534 break; 2535 } 2536 } 2537 2538 /*- 2539 * ADDBA Request frame format: 2540 * [1] Category 2541 * [1] Action 2542 * [1] Dialog Token 2543 * [2] Block Ack Parameter Set 2544 * [2] Block Ack Timeout Value 2545 * [2] Block Ack Starting Sequence Control 2546 */ 2547 void 2548 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2549 struct ieee80211_node *ni) 2550 { 2551 const struct ieee80211_frame *wh; 2552 const u_int8_t *frm; 2553 struct ieee80211_rx_ba *ba; 2554 u_int16_t params, ssn, bufsz, timeout; 2555 u_int8_t token, tid; 2556 int err = 0; 2557 2558 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2559 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2560 ether_sprintf(ni->ni_macaddr))); 2561 return; 2562 } 2563 if (m->m_len < sizeof(*wh) + 9) { 2564 DPRINTF(("frame too short\n")); 2565 return; 2566 } 2567 2568 /* No point in starting block-ack before the WPA handshake is done. */ 2569 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid) 2570 return; 2571 2572 /* MLME-ADDBA.indication */ 2573 wh = mtod(m, struct ieee80211_frame *); 2574 frm = (const u_int8_t *)&wh[1]; 2575 2576 token = frm[2]; 2577 params = LE_READ_2(&frm[3]); 2578 tid = ((params & IEEE80211_ADDBA_TID_MASK) >> 2579 IEEE80211_ADDBA_TID_SHIFT); 2580 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >> 2581 IEEE80211_ADDBA_BUFSZ_SHIFT; 2582 timeout = LE_READ_2(&frm[5]); 2583 ssn = LE_READ_2(&frm[7]) >> 4; 2584 2585 ba = &ni->ni_rx_ba[tid]; 2586 /* check if we already have a Block Ack agreement for this RA/TID */ 2587 if (ba->ba_state == IEEE80211_BA_AGREED) { 2588 /* XXX should we update the timeout value? */ 2589 /* reset Block Ack inactivity timer */ 2590 if (ba->ba_timeout_val != 0) 2591 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2592 2593 /* check if it's a Protected Block Ack agreement */ 2594 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2595 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2596 return; /* not a PBAC, ignore */ 2597 2598 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2599 if (SEQ_LT(ba->ba_winstart, ssn)) { 2600 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 2601 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml); 2602 if_input(&ic->ic_if, &ml); 2603 } 2604 return; 2605 } 2606 2607 /* if PBAC required but RA does not support it, refuse request */ 2608 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2609 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2610 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) 2611 goto refuse; 2612 /* 2613 * If the TID for which the Block Ack agreement is requested is 2614 * configured with a no-ACK policy, refuse the agreement. 2615 */ 2616 if (ic->ic_tid_noack & (1 << tid)) 2617 goto refuse; 2618 2619 /* check that we support the requested Block Ack Policy */ 2620 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2621 !(params & IEEE80211_ADDBA_BA_POLICY)) 2622 goto refuse; 2623 2624 /* setup Block Ack agreement */ 2625 ba->ba_state = IEEE80211_BA_INIT; 2626 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2627 ba->ba_ni = ni; 2628 ba->ba_token = token; 2629 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2630 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba); 2631 ba->ba_winsize = bufsz; 2632 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2633 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2634 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY); 2635 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 2636 (tid << IEEE80211_ADDBA_TID_SHIFT)); 2637 #if 0 2638 /* 2639 * XXX A-MSDUs inside A-MPDUs expose a problem with bad TCP connection 2640 * sharing behaviour. One connection eats all available bandwidth 2641 * while others stall. Leave this disabled for now to give packets 2642 * from disparate connections better chances of interleaving. 2643 */ 2644 ba->ba_params |= IEEE80211_ADDBA_AMSDU; 2645 #endif 2646 ba->ba_winstart = ssn; 2647 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2648 /* allocate and setup our reordering buffer */ 2649 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2650 M_DEVBUF, M_NOWAIT | M_ZERO); 2651 if (ba->ba_buf == NULL) 2652 goto refuse; 2653 2654 ba->ba_head = 0; 2655 2656 /* notify drivers of this new Block Ack agreement */ 2657 if (ic->ic_ampdu_rx_start != NULL) 2658 err = ic->ic_ampdu_rx_start(ic, ni, tid); 2659 if (err == EBUSY) { 2660 /* driver will accept or refuse agreement when done */ 2661 return; 2662 } else if (err) { 2663 /* driver failed to setup, rollback */ 2664 ieee80211_addba_req_refuse(ic, ni, tid); 2665 } else 2666 ieee80211_addba_req_accept(ic, ni, tid); 2667 return; 2668 2669 refuse: 2670 /* MLME-ADDBA.response */ 2671 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2672 IEEE80211_ACTION_ADDBA_RESP, 2673 IEEE80211_STATUS_REFUSED << 16 | token << 8 | tid); 2674 } 2675 2676 void 2677 ieee80211_addba_req_accept(struct ieee80211com *ic, struct ieee80211_node *ni, 2678 uint8_t tid) 2679 { 2680 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2681 2682 ba->ba_state = IEEE80211_BA_AGREED; 2683 ic->ic_stats.is_ht_rx_ba_agreements++; 2684 /* start Block Ack inactivity timer */ 2685 if (ba->ba_timeout_val != 0) 2686 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2687 2688 /* MLME-ADDBA.response */ 2689 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2690 IEEE80211_ACTION_ADDBA_RESP, 2691 IEEE80211_STATUS_SUCCESS << 16 | ba->ba_token << 8 | tid); 2692 } 2693 2694 void 2695 ieee80211_addba_req_refuse(struct ieee80211com *ic, struct ieee80211_node *ni, 2696 uint8_t tid) 2697 { 2698 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2699 2700 free(ba->ba_buf, M_DEVBUF, 2701 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2702 ba->ba_buf = NULL; 2703 2704 /* MLME-ADDBA.response */ 2705 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2706 IEEE80211_ACTION_ADDBA_RESP, 2707 IEEE80211_STATUS_REFUSED << 16 | ba->ba_token << 8 | tid); 2708 } 2709 2710 /*- 2711 * ADDBA Response frame format: 2712 * [1] Category 2713 * [1] Action 2714 * [1] Dialog Token 2715 * [2] Status Code 2716 * [2] Block Ack Parameter Set 2717 * [2] Block Ack Timeout Value 2718 */ 2719 void 2720 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2721 struct ieee80211_node *ni) 2722 { 2723 const struct ieee80211_frame *wh; 2724 const u_int8_t *frm; 2725 struct ieee80211_tx_ba *ba; 2726 u_int16_t status, params, bufsz, timeout; 2727 u_int8_t token, tid; 2728 int err = 0; 2729 2730 if (m->m_len < sizeof(*wh) + 9) { 2731 DPRINTF(("frame too short\n")); 2732 return; 2733 } 2734 wh = mtod(m, struct ieee80211_frame *); 2735 frm = (const u_int8_t *)&wh[1]; 2736 2737 token = frm[2]; 2738 status = LE_READ_2(&frm[3]); 2739 params = LE_READ_2(&frm[5]); 2740 tid = (params >> 2) & 0xf; 2741 bufsz = (params >> 6) & 0x3ff; 2742 timeout = LE_READ_2(&frm[7]); 2743 2744 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2745 ether_sprintf(ni->ni_macaddr), tid, status)); 2746 2747 /* 2748 * Ignore if no ADDBA request has been sent for this RA/TID or 2749 * if we already have a Block Ack agreement. 2750 */ 2751 ba = &ni->ni_tx_ba[tid]; 2752 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2753 DPRINTF(("no matching ADDBA req found\n")); 2754 return; 2755 } 2756 if (token != ba->ba_token) { 2757 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2758 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2759 return; 2760 } 2761 /* we got an ADDBA Response matching our request, stop timeout */ 2762 timeout_del(&ba->ba_to); 2763 2764 if (status != IEEE80211_STATUS_SUCCESS) { 2765 if (ni->ni_addba_req_intval[tid] < 2766 IEEE80211_ADDBA_REQ_INTVAL_MAX) 2767 ni->ni_addba_req_intval[tid]++; 2768 2769 ieee80211_addba_resp_refuse(ic, ni, tid, status); 2770 2771 /* 2772 * In case the peer believes there is an existing 2773 * block ack agreement with us, try to delete it. 2774 */ 2775 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2776 IEEE80211_ACTION_DELBA, 2777 IEEE80211_REASON_SETUP_REQUIRED << 16 | 1 << 8 | tid); 2778 return; 2779 } 2780 2781 /* notify drivers of this new Block Ack agreement */ 2782 if (ic->ic_ampdu_tx_start != NULL) 2783 err = ic->ic_ampdu_tx_start(ic, ni, tid); 2784 2785 if (err == EBUSY) { 2786 /* driver will accept or refuse agreement when done */ 2787 return; 2788 } else if (err) { 2789 /* driver failed to setup, rollback */ 2790 ieee80211_addba_resp_refuse(ic, ni, tid, 2791 IEEE80211_STATUS_UNSPECIFIED); 2792 } else 2793 ieee80211_addba_resp_accept(ic, ni, tid); 2794 } 2795 2796 void 2797 ieee80211_addba_resp_accept(struct ieee80211com *ic, 2798 struct ieee80211_node *ni, uint8_t tid) 2799 { 2800 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2801 2802 /* MLME-ADDBA.confirm(Success) */ 2803 ba->ba_state = IEEE80211_BA_AGREED; 2804 ic->ic_stats.is_ht_tx_ba_agreements++; 2805 2806 /* Reset ADDBA request interval. */ 2807 ni->ni_addba_req_intval[tid] = 1; 2808 2809 /* start Block Ack inactivity timeout */ 2810 if (ba->ba_timeout_val != 0) 2811 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2812 } 2813 2814 void 2815 ieee80211_addba_resp_refuse(struct ieee80211com *ic, 2816 struct ieee80211_node *ni, uint8_t tid, uint16_t status) 2817 { 2818 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2819 2820 /* MLME-ADDBA.confirm(Failure) */ 2821 ba->ba_state = IEEE80211_BA_INIT; 2822 } 2823 2824 /*- 2825 * DELBA frame format: 2826 * [1] Category 2827 * [1] Action 2828 * [2] DELBA Parameter Set 2829 * [2] Reason Code 2830 */ 2831 void 2832 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 2833 struct ieee80211_node *ni) 2834 { 2835 const struct ieee80211_frame *wh; 2836 const u_int8_t *frm; 2837 u_int16_t params, reason; 2838 u_int8_t tid; 2839 int i; 2840 2841 if (m->m_len < sizeof(*wh) + 6) { 2842 DPRINTF(("frame too short\n")); 2843 return; 2844 } 2845 wh = mtod(m, struct ieee80211_frame *); 2846 frm = (const u_int8_t *)&wh[1]; 2847 2848 params = LE_READ_2(&frm[2]); 2849 reason = LE_READ_2(&frm[4]); 2850 tid = params >> 12; 2851 2852 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 2853 ether_sprintf(ni->ni_macaddr), tid, reason)); 2854 2855 if (params & IEEE80211_DELBA_INITIATOR) { 2856 /* MLME-DELBA.indication(Originator) */ 2857 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2858 2859 if (ba->ba_state != IEEE80211_BA_AGREED) { 2860 DPRINTF(("no matching Block Ack agreement\n")); 2861 return; 2862 } 2863 /* notify drivers of the end of the Block Ack agreement */ 2864 if (ic->ic_ampdu_rx_stop != NULL) 2865 ic->ic_ampdu_rx_stop(ic, ni, tid); 2866 2867 ba->ba_state = IEEE80211_BA_INIT; 2868 /* stop Block Ack inactivity timer */ 2869 timeout_del(&ba->ba_to); 2870 timeout_del(&ba->ba_gap_to); 2871 2872 if (ba->ba_buf != NULL) { 2873 /* free all MSDUs stored in reordering buffer */ 2874 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 2875 m_freem(ba->ba_buf[i].m); 2876 /* free reordering buffer */ 2877 free(ba->ba_buf, M_DEVBUF, 2878 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2879 ba->ba_buf = NULL; 2880 } 2881 } else { 2882 /* MLME-DELBA.indication(Recipient) */ 2883 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2884 2885 if (ba->ba_state != IEEE80211_BA_AGREED) { 2886 DPRINTF(("no matching Block Ack agreement\n")); 2887 return; 2888 } 2889 /* notify drivers of the end of the Block Ack agreement */ 2890 if (ic->ic_ampdu_tx_stop != NULL) 2891 ic->ic_ampdu_tx_stop(ic, ni, tid); 2892 2893 ba->ba_state = IEEE80211_BA_INIT; 2894 /* stop Block Ack inactivity timer */ 2895 timeout_del(&ba->ba_to); 2896 } 2897 } 2898 2899 /*- 2900 * SA Query Request frame format: 2901 * [1] Category 2902 * [1] Action 2903 * [2] Transaction Identifier 2904 */ 2905 void 2906 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 2907 struct ieee80211_node *ni) 2908 { 2909 const struct ieee80211_frame *wh; 2910 const u_int8_t *frm; 2911 2912 if (ic->ic_opmode != IEEE80211_M_STA || 2913 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 2914 DPRINTF(("unexpected SA Query req from %s\n", 2915 ether_sprintf(ni->ni_macaddr))); 2916 return; 2917 } 2918 if (m->m_len < sizeof(*wh) + 4) { 2919 DPRINTF(("frame too short\n")); 2920 return; 2921 } 2922 wh = mtod(m, struct ieee80211_frame *); 2923 frm = (const u_int8_t *)&wh[1]; 2924 2925 /* MLME-SAQuery.indication */ 2926 2927 /* save Transaction Identifier for SA Query Response */ 2928 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 2929 2930 /* MLME-SAQuery.response */ 2931 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 2932 IEEE80211_ACTION_SA_QUERY_RESP, 0); 2933 } 2934 2935 #ifndef IEEE80211_STA_ONLY 2936 /*- 2937 * SA Query Response frame format: 2938 * [1] Category 2939 * [1] Action 2940 * [2] Transaction Identifier 2941 */ 2942 void 2943 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 2944 struct ieee80211_node *ni) 2945 { 2946 const struct ieee80211_frame *wh; 2947 const u_int8_t *frm; 2948 2949 /* ignore if we're not engaged in an SA Query with that STA */ 2950 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 2951 DPRINTF(("unexpected SA Query resp from %s\n", 2952 ether_sprintf(ni->ni_macaddr))); 2953 return; 2954 } 2955 if (m->m_len < sizeof(*wh) + 4) { 2956 DPRINTF(("frame too short\n")); 2957 return; 2958 } 2959 wh = mtod(m, struct ieee80211_frame *); 2960 frm = (const u_int8_t *)&wh[1]; 2961 2962 /* check that Transaction Identifier matches */ 2963 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 2964 DPRINTF(("transaction identifier does not match\n")); 2965 return; 2966 } 2967 /* MLME-SAQuery.confirm */ 2968 timeout_del(&ni->ni_sa_query_to); 2969 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 2970 } 2971 #endif 2972 2973 /*- 2974 * Action frame format: 2975 * [1] Category 2976 * [1] Action 2977 */ 2978 void 2979 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 2980 struct ieee80211_node *ni) 2981 { 2982 const struct ieee80211_frame *wh; 2983 const u_int8_t *frm; 2984 2985 if (m->m_len < sizeof(*wh) + 2) { 2986 DPRINTF(("frame too short\n")); 2987 return; 2988 } 2989 wh = mtod(m, struct ieee80211_frame *); 2990 frm = (const u_int8_t *)&wh[1]; 2991 2992 switch (frm[0]) { 2993 case IEEE80211_CATEG_BA: 2994 switch (frm[1]) { 2995 case IEEE80211_ACTION_ADDBA_REQ: 2996 ieee80211_recv_addba_req(ic, m, ni); 2997 break; 2998 case IEEE80211_ACTION_ADDBA_RESP: 2999 ieee80211_recv_addba_resp(ic, m, ni); 3000 break; 3001 case IEEE80211_ACTION_DELBA: 3002 ieee80211_recv_delba(ic, m, ni); 3003 break; 3004 } 3005 break; 3006 case IEEE80211_CATEG_SA_QUERY: 3007 switch (frm[1]) { 3008 case IEEE80211_ACTION_SA_QUERY_REQ: 3009 ieee80211_recv_sa_query_req(ic, m, ni); 3010 break; 3011 #ifndef IEEE80211_STA_ONLY 3012 case IEEE80211_ACTION_SA_QUERY_RESP: 3013 ieee80211_recv_sa_query_resp(ic, m, ni); 3014 break; 3015 #endif 3016 } 3017 break; 3018 default: 3019 DPRINTF(("action frame category %d not handled\n", frm[0])); 3020 break; 3021 } 3022 } 3023 3024 void 3025 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 3026 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 3027 { 3028 switch (subtype) { 3029 case IEEE80211_FC0_SUBTYPE_BEACON: 3030 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 3031 break; 3032 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 3033 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 3034 break; 3035 #ifndef IEEE80211_STA_ONLY 3036 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 3037 ieee80211_recv_probe_req(ic, m, ni, rxi); 3038 break; 3039 #endif 3040 case IEEE80211_FC0_SUBTYPE_AUTH: 3041 ieee80211_recv_auth(ic, m, ni, rxi); 3042 break; 3043 #ifndef IEEE80211_STA_ONLY 3044 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 3045 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 3046 break; 3047 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 3048 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 3049 break; 3050 #endif 3051 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 3052 ieee80211_recv_assoc_resp(ic, m, ni, 0); 3053 break; 3054 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 3055 ieee80211_recv_assoc_resp(ic, m, ni, 1); 3056 break; 3057 case IEEE80211_FC0_SUBTYPE_DEAUTH: 3058 ieee80211_recv_deauth(ic, m, ni); 3059 break; 3060 case IEEE80211_FC0_SUBTYPE_DISASSOC: 3061 ieee80211_recv_disassoc(ic, m, ni); 3062 break; 3063 case IEEE80211_FC0_SUBTYPE_ACTION: 3064 ieee80211_recv_action(ic, m, ni); 3065 break; 3066 default: 3067 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 3068 subtype)); 3069 ic->ic_stats.is_rx_badsubtype++; 3070 break; 3071 } 3072 } 3073 3074 #ifndef IEEE80211_STA_ONLY 3075 /* 3076 * Process an incoming PS-Poll control frame (see 11.2). 3077 */ 3078 void 3079 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 3080 struct ieee80211_node *ni) 3081 { 3082 struct ifnet *ifp = &ic->ic_if; 3083 struct ieee80211_frame_pspoll *psp; 3084 struct ieee80211_frame *wh; 3085 u_int16_t aid; 3086 3087 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 3088 !(ic->ic_caps & IEEE80211_C_APPMGT) || 3089 ni->ni_state != IEEE80211_STA_ASSOC) 3090 return; 3091 3092 if (m->m_len < sizeof(*psp)) { 3093 DPRINTF(("frame too short, len %u\n", m->m_len)); 3094 ic->ic_stats.is_rx_tooshort++; 3095 return; 3096 } 3097 psp = mtod(m, struct ieee80211_frame_pspoll *); 3098 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 3099 DPRINTF(("discard pspoll frame to BSS %s\n", 3100 ether_sprintf(psp->i_bssid))); 3101 ic->ic_stats.is_rx_wrongbss++; 3102 return; 3103 } 3104 aid = letoh16(*(u_int16_t *)psp->i_aid); 3105 if (aid != ni->ni_associd) { 3106 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 3107 ether_sprintf(psp->i_ta))); 3108 return; 3109 } 3110 3111 /* take the first queued frame and put it out.. */ 3112 m = mq_dequeue(&ni->ni_savedq); 3113 if (m == NULL) 3114 return; 3115 if (mq_empty(&ni->ni_savedq)) { 3116 /* last queued frame, turn off the TIM bit */ 3117 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 3118 } else { 3119 /* more queued frames, set the more data bit */ 3120 wh = mtod(m, struct ieee80211_frame *); 3121 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 3122 } 3123 mq_enqueue(&ic->ic_pwrsaveq, m); 3124 if_start(ifp); 3125 } 3126 #endif /* IEEE80211_STA_ONLY */ 3127 3128 /* 3129 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 3130 */ 3131 void 3132 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 3133 struct ieee80211_node *ni) 3134 { 3135 const struct ieee80211_frame_min *wh; 3136 const u_int8_t *frm; 3137 u_int16_t ctl, ssn; 3138 u_int8_t tid, ntids; 3139 3140 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 3141 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 3142 ether_sprintf(ni->ni_macaddr))); 3143 return; 3144 } 3145 if (m->m_len < sizeof(*wh) + 4) { 3146 DPRINTF(("frame too short\n")); 3147 return; 3148 } 3149 wh = mtod(m, struct ieee80211_frame_min *); 3150 frm = (const u_int8_t *)&wh[1]; 3151 3152 /* read BlockAckReq Control field */ 3153 ctl = LE_READ_2(&frm[0]); 3154 tid = ctl >> 12; 3155 3156 /* determine BlockAckReq frame variant */ 3157 if (ctl & IEEE80211_BA_MULTI_TID) { 3158 /* Multi-TID BlockAckReq variant (PSMP only) */ 3159 ntids = tid + 1; 3160 3161 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 3162 DPRINTF(("MTBAR frame too short\n")); 3163 return; 3164 } 3165 frm += 2; /* skip BlockAckReq Control field */ 3166 while (ntids-- > 0) { 3167 /* read MTBAR Information field */ 3168 tid = LE_READ_2(&frm[0]) >> 12; 3169 ssn = LE_READ_2(&frm[2]) >> 4; 3170 ieee80211_bar_tid(ic, ni, tid, ssn); 3171 frm += 4; 3172 } 3173 } else { 3174 /* Basic or Compressed BlockAckReq variants */ 3175 ssn = LE_READ_2(&frm[2]) >> 4; 3176 ieee80211_bar_tid(ic, ni, tid, ssn); 3177 } 3178 } 3179 3180 /* 3181 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 3182 * This is the common back-end for all BlockAckReq frame variants. 3183 */ 3184 void 3185 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 3186 u_int8_t tid, u_int16_t ssn) 3187 { 3188 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3189 3190 /* check if we have a Block Ack agreement for RA/TID */ 3191 if (ba->ba_state != IEEE80211_BA_AGREED) { 3192 /* XXX not sure in PBAC case */ 3193 /* send a DELBA with reason code UNKNOWN-BA */ 3194 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3195 IEEE80211_ACTION_DELBA, 3196 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 3197 return; 3198 } 3199 /* check if it is a Protected Block Ack agreement */ 3200 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 3201 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 3202 /* ADDBA Requests must be used in PBAC case */ 3203 if (SEQ_LT(ssn, ba->ba_winstart) || 3204 SEQ_LT(ba->ba_winend, ssn)) 3205 ic->ic_stats.is_pbac_errs++; 3206 return; /* PBAC, do not move window */ 3207 } 3208 /* reset Block Ack inactivity timer */ 3209 if (ba->ba_timeout_val != 0) 3210 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3211 3212 if (SEQ_LT(ba->ba_winstart, ssn)) { 3213 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 3214 ieee80211_ba_move_window(ic, ni, tid, ssn, &ml); 3215 if_input(&ic->ic_if, &ml); 3216 } 3217 } 3218