1 /* $OpenBSD: ieee80211_input.c,v 1.111 2009/03/26 20:34:54 damien Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/proc.h> 44 #include <sys/sysctl.h> 45 #include <sys/endian.h> 46 47 #include <net/if.h> 48 #include <net/if_dl.h> 49 #include <net/if_media.h> 50 #include <net/if_arp.h> 51 #include <net/if_llc.h> 52 53 #if NBPFILTER > 0 54 #include <net/bpf.h> 55 #endif 56 57 #ifdef INET 58 #include <netinet/in.h> 59 #include <netinet/if_ether.h> 60 #endif 61 62 #include <net80211/ieee80211_var.h> 63 #include <net80211/ieee80211_priv.h> 64 65 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 66 void ieee80211_defrag_timeout(void *); 67 #ifndef IEEE80211_NO_HT 68 void ieee80211_input_ba(struct ifnet *, struct mbuf *, 69 struct ieee80211_node *, int, struct ieee80211_rxinfo *); 70 void ieee80211_ba_move_window(struct ieee80211com *, 71 struct ieee80211_node *, u_int8_t, u_int16_t); 72 #endif 73 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 74 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 75 struct ieee80211_node *, int); 76 #ifndef IEEE80211_NO_HT 77 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 78 struct ieee80211_node *, int); 79 #endif 80 void ieee80211_deliver_data(struct ieee80211com *, struct mbuf *, 81 struct ieee80211_node *); 82 int ieee80211_parse_edca_params_body(struct ieee80211com *, 83 const u_int8_t *); 84 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 85 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 86 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 87 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 88 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 89 u_int, struct ieee80211_rsnparams *); 90 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 91 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 92 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 93 #ifndef IEEE80211_STA_ONLY 94 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 95 struct ieee80211_node *, struct ieee80211_rxinfo *); 96 #endif 97 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 98 struct ieee80211_node *, struct ieee80211_rxinfo *); 99 #ifndef IEEE80211_STA_ONLY 100 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 101 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 102 #endif 103 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 104 struct ieee80211_node *, int); 105 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 106 struct ieee80211_node *); 107 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 108 struct ieee80211_node *); 109 #ifndef IEEE80211_NO_HT 110 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 111 struct ieee80211_node *); 112 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 113 struct ieee80211_node *); 114 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 115 struct ieee80211_node *); 116 #endif 117 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 118 struct ieee80211_node *); 119 #ifndef IEEE80211_STA_ONLY 120 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 121 struct ieee80211_node *); 122 #endif 123 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 124 struct ieee80211_node *); 125 #ifndef IEEE80211_STA_ONLY 126 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 127 struct ieee80211_node *); 128 #endif 129 #ifndef IEEE80211_NO_HT 130 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 131 struct ieee80211_node *); 132 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 133 u_int8_t, u_int16_t); 134 #endif 135 136 /* 137 * Retrieve the length in bytes of an 802.11 header. 138 */ 139 u_int 140 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 141 { 142 u_int size = sizeof(*wh); 143 144 /* NB: does not work with control frames */ 145 KASSERT(ieee80211_has_seq(wh)); 146 147 if (ieee80211_has_addr4(wh)) 148 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 149 if (ieee80211_has_qos(wh)) 150 size += sizeof(u_int16_t); /* i_qos */ 151 if (ieee80211_has_htc(wh)) 152 size += sizeof(u_int32_t); /* i_ht */ 153 return size; 154 } 155 156 /* 157 * Process a received frame. The node associated with the sender 158 * should be supplied. If nothing was found in the node table then 159 * the caller is assumed to supply a reference to ic_bss instead. 160 * The RSSI and a timestamp are also supplied. The RSSI data is used 161 * during AP scanning to select a AP to associate with; it can have 162 * any units so long as values have consistent units and higher values 163 * mean ``better signal''. The receive timestamp is currently not used 164 * by the 802.11 layer. 165 */ 166 void 167 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 168 struct ieee80211_rxinfo *rxi) 169 { 170 struct ieee80211com *ic = (void *)ifp; 171 struct ieee80211_frame *wh; 172 u_int16_t *orxseq, nrxseq, qos; 173 u_int8_t dir, type, subtype, tid; 174 int hdrlen, hasqos; 175 176 KASSERT(ni != NULL); 177 178 /* in monitor mode, send everything directly to bpf */ 179 if (ic->ic_opmode == IEEE80211_M_MONITOR) 180 goto out; 181 182 /* 183 * Do not process frames without an Address 2 field any further. 184 * Only CTS and ACK control frames do not have this field. 185 */ 186 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 187 DPRINTF(("frame too short, len %u\n", m->m_len)); 188 ic->ic_stats.is_rx_tooshort++; 189 goto out; 190 } 191 192 wh = mtod(m, struct ieee80211_frame *); 193 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 194 IEEE80211_FC0_VERSION_0) { 195 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 196 ic->ic_stats.is_rx_badversion++; 197 goto err; 198 } 199 200 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 201 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 202 203 if (type != IEEE80211_FC0_TYPE_CTL) { 204 hdrlen = ieee80211_get_hdrlen(wh); 205 if (m->m_len < hdrlen) { 206 DPRINTF(("frame too short, len %u\n", m->m_len)); 207 ic->ic_stats.is_rx_tooshort++; 208 goto err; 209 } 210 } 211 if ((hasqos = ieee80211_has_qos(wh))) { 212 qos = ieee80211_get_qos(wh); 213 tid = qos & IEEE80211_QOS_TID; 214 } 215 216 /* duplicate detection (see 9.2.9) */ 217 if (ieee80211_has_seq(wh) && 218 ic->ic_state != IEEE80211_S_SCAN) { 219 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 220 IEEE80211_SEQ_SEQ_SHIFT; 221 if (hasqos) 222 orxseq = &ni->ni_qos_rxseqs[tid]; 223 else 224 orxseq = &ni->ni_rxseq; 225 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 226 nrxseq == *orxseq) { 227 /* duplicate, silently discarded */ 228 ic->ic_stats.is_rx_dup++; 229 goto out; 230 } 231 *orxseq = nrxseq; 232 } 233 if (ic->ic_state != IEEE80211_S_SCAN) { 234 ni->ni_rssi = rxi->rxi_rssi; 235 ni->ni_rstamp = rxi->rxi_tstamp; 236 ni->ni_inact = 0; 237 } 238 239 #ifndef IEEE80211_STA_ONLY 240 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 241 (ic->ic_caps & IEEE80211_C_APPMGT) && 242 ni->ni_state == IEEE80211_STA_ASSOC) { 243 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 244 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 245 /* turn on PS mode */ 246 ni->ni_pwrsave = IEEE80211_PS_DOZE; 247 ic->ic_pssta++; 248 DPRINTF(("PS mode on for %s, count %d\n", 249 ether_sprintf(wh->i_addr2), ic->ic_pssta)); 250 } 251 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 252 /* turn off PS mode */ 253 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 254 ic->ic_pssta--; 255 DPRINTF(("PS mode off for %s, count %d\n", 256 ether_sprintf(wh->i_addr2), ic->ic_pssta)); 257 258 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 259 260 /* dequeue buffered unicast frames */ 261 while (!IF_IS_EMPTY(&ni->ni_savedq)) { 262 struct mbuf *m; 263 IF_DEQUEUE(&ni->ni_savedq, m); 264 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 265 (*ifp->if_start)(ifp); 266 } 267 } 268 } 269 #endif 270 switch (type) { 271 case IEEE80211_FC0_TYPE_DATA: 272 switch (ic->ic_opmode) { 273 case IEEE80211_M_STA: 274 if (dir != IEEE80211_FC1_DIR_FROMDS) { 275 ic->ic_stats.is_rx_wrongdir++; 276 goto out; 277 } 278 if (ic->ic_state != IEEE80211_S_SCAN && 279 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 280 /* Source address is not our BSS. */ 281 DPRINTF(("discard frame from SA %s\n", 282 ether_sprintf(wh->i_addr2))); 283 ic->ic_stats.is_rx_wrongbss++; 284 goto out; 285 } 286 if ((ifp->if_flags & IFF_SIMPLEX) && 287 IEEE80211_IS_MULTICAST(wh->i_addr1) && 288 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 289 /* 290 * In IEEE802.11 network, multicast frame 291 * sent from me is broadcasted from AP. 292 * It should be silently discarded for 293 * SIMPLEX interface. 294 */ 295 ic->ic_stats.is_rx_mcastecho++; 296 goto out; 297 } 298 break; 299 #ifndef IEEE80211_STA_ONLY 300 case IEEE80211_M_IBSS: 301 case IEEE80211_M_AHDEMO: 302 if (dir != IEEE80211_FC1_DIR_NODS) { 303 ic->ic_stats.is_rx_wrongdir++; 304 goto out; 305 } 306 if (ic->ic_state != IEEE80211_S_SCAN && 307 !IEEE80211_ADDR_EQ(wh->i_addr3, 308 ic->ic_bss->ni_bssid) && 309 !IEEE80211_ADDR_EQ(wh->i_addr3, 310 etherbroadcastaddr)) { 311 /* Destination is not our BSS or broadcast. */ 312 DPRINTF(("discard data frame to DA %s\n", 313 ether_sprintf(wh->i_addr3))); 314 ic->ic_stats.is_rx_wrongbss++; 315 goto out; 316 } 317 break; 318 case IEEE80211_M_HOSTAP: 319 if (dir != IEEE80211_FC1_DIR_TODS) { 320 ic->ic_stats.is_rx_wrongdir++; 321 goto out; 322 } 323 if (ic->ic_state != IEEE80211_S_SCAN && 324 !IEEE80211_ADDR_EQ(wh->i_addr1, 325 ic->ic_bss->ni_bssid) && 326 !IEEE80211_ADDR_EQ(wh->i_addr1, 327 etherbroadcastaddr)) { 328 /* BSS is not us or broadcast. */ 329 DPRINTF(("discard data frame to BSS %s\n", 330 ether_sprintf(wh->i_addr1))); 331 ic->ic_stats.is_rx_wrongbss++; 332 goto out; 333 } 334 /* check if source STA is associated */ 335 if (ni == ic->ic_bss) { 336 DPRINTF(("data from unknown src %s\n", 337 ether_sprintf(wh->i_addr2))); 338 /* NB: caller deals with reference */ 339 ni = ieee80211_dup_bss(ic, wh->i_addr2); 340 if (ni != NULL) { 341 IEEE80211_SEND_MGMT(ic, ni, 342 IEEE80211_FC0_SUBTYPE_DEAUTH, 343 IEEE80211_REASON_NOT_AUTHED); 344 } 345 ic->ic_stats.is_rx_notassoc++; 346 goto err; 347 } 348 if (ni->ni_associd == 0) { 349 DPRINTF(("data from unassoc src %s\n", 350 ether_sprintf(wh->i_addr2))); 351 IEEE80211_SEND_MGMT(ic, ni, 352 IEEE80211_FC0_SUBTYPE_DISASSOC, 353 IEEE80211_REASON_NOT_ASSOCED); 354 ic->ic_stats.is_rx_notassoc++; 355 goto err; 356 } 357 break; 358 #endif /* IEEE80211_STA_ONLY */ 359 default: 360 /* can't get there */ 361 goto out; 362 } 363 364 #ifndef IEEE80211_NO_HT 365 if (!(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE) && 366 hasqos && (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 367 IEEE80211_QOS_ACK_POLICY_BA) { 368 /* check if we have a BA agreement for this RA/TID */ 369 if (ni->ni_rx_ba[tid].ba_state != 370 IEEE80211_BA_AGREED) { 371 DPRINTF(("no BA agreement for %s, TID %d\n", 372 ether_sprintf(ni->ni_macaddr), tid)); 373 /* send a DELBA with reason code UNKNOWN-BA */ 374 IEEE80211_SEND_ACTION(ic, ni, 375 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 376 IEEE80211_REASON_SETUP_REQUIRED << 16 | 377 tid); 378 goto err; 379 } 380 /* go through A-MPDU reordering */ 381 ieee80211_input_ba(ifp, m, ni, tid, rxi); 382 return; /* don't free m! */ 383 } 384 #endif 385 if ((ic->ic_flags & IEEE80211_F_WEPON) || 386 ((ic->ic_flags & IEEE80211_F_RSNON) && 387 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 388 /* protection is on for Rx */ 389 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 390 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 391 /* drop unencrypted */ 392 ic->ic_stats.is_rx_unencrypted++; 393 goto err; 394 } 395 /* do software decryption */ 396 m = ieee80211_decrypt(ic, m, ni); 397 if (m == NULL) { 398 ic->ic_stats.is_rx_wepfail++; 399 goto err; 400 } 401 wh = mtod(m, struct ieee80211_frame *); 402 } 403 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 404 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 405 /* frame encrypted but protection off for Rx */ 406 ic->ic_stats.is_rx_nowep++; 407 goto out; 408 } 409 410 #if NBPFILTER > 0 411 /* copy to listener after decrypt */ 412 if (ic->ic_rawbpf) 413 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 414 #endif 415 416 #ifndef IEEE80211_NO_HT 417 if ((ni->ni_flags & IEEE80211_NODE_HT) && 418 hasqos && (qos & IEEE80211_QOS_AMSDU)) 419 ieee80211_amsdu_decap(ic, m, ni, hdrlen); 420 else 421 #endif 422 ieee80211_decap(ic, m, ni, hdrlen); 423 return; 424 425 case IEEE80211_FC0_TYPE_MGT: 426 if (dir != IEEE80211_FC1_DIR_NODS) { 427 ic->ic_stats.is_rx_wrongdir++; 428 goto err; 429 } 430 #ifndef IEEE80211_STA_ONLY 431 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 432 ic->ic_stats.is_rx_ahdemo_mgt++; 433 goto out; 434 } 435 #endif 436 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 437 438 /* drop frames without interest */ 439 if (ic->ic_state == IEEE80211_S_SCAN) { 440 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 441 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 442 ic->ic_stats.is_rx_mgtdiscard++; 443 goto out; 444 } 445 } 446 447 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 448 /* MMPDU protection is on for Rx */ 449 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 450 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 451 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 452 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 453 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 454 /* unicast mgmt not encrypted */ 455 goto out; 456 } 457 /* do software decryption */ 458 m = ieee80211_decrypt(ic, m, ni); 459 if (m == NULL) { 460 /* XXX stats */ 461 goto out; 462 } 463 wh = mtod(m, struct ieee80211_frame *); 464 } 465 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 466 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 467 /* encrypted but MMPDU Rx protection off for TA */ 468 goto out; 469 } 470 471 if (ifp->if_flags & IFF_DEBUG) { 472 /* avoid to print too many frames */ 473 int doprint = 0; 474 475 switch (subtype) { 476 case IEEE80211_FC0_SUBTYPE_BEACON: 477 if (ic->ic_state == IEEE80211_S_SCAN) 478 doprint = 1; 479 break; 480 #ifndef IEEE80211_STA_ONLY 481 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 482 if (ic->ic_opmode == IEEE80211_M_IBSS) 483 doprint = 1; 484 break; 485 #endif 486 default: 487 doprint = 1; 488 break; 489 } 490 #ifdef IEEE80211_DEBUG 491 doprint += ieee80211_debug; 492 #endif 493 if (doprint) 494 printf("%s: received %s from %s rssi %d mode %s\n", 495 ifp->if_xname, 496 ieee80211_mgt_subtype_name[subtype 497 >> IEEE80211_FC0_SUBTYPE_SHIFT], 498 ether_sprintf(wh->i_addr2), rxi->rxi_rssi, 499 ieee80211_phymode_name[ieee80211_chan2mode(ic, 500 ic->ic_bss->ni_chan)]); 501 } 502 #if NBPFILTER > 0 503 if (ic->ic_rawbpf) 504 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 505 /* 506 * Drop mbuf if it was filtered by bpf. Normally, this is 507 * done in ether_input() but IEEE 802.11 management frames 508 * are a special case. 509 */ 510 if (m->m_flags & M_FILDROP) { 511 m_freem(m); 512 return; 513 } 514 #endif 515 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 516 m_freem(m); 517 return; 518 519 case IEEE80211_FC0_TYPE_CTL: 520 ic->ic_stats.is_rx_ctl++; 521 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 522 switch (subtype) { 523 #ifndef IEEE80211_STA_ONLY 524 case IEEE80211_FC0_SUBTYPE_PS_POLL: 525 ieee80211_recv_pspoll(ic, m, ni); 526 break; 527 #endif 528 #ifndef IEEE80211_NO_HT 529 case IEEE80211_FC0_SUBTYPE_BAR: 530 ieee80211_recv_bar(ic, m, ni); 531 break; 532 #endif 533 default: 534 break; 535 } 536 goto out; 537 538 default: 539 DPRINTF(("bad frame type %x\n", type)); 540 /* should not come here */ 541 break; 542 } 543 err: 544 ifp->if_ierrors++; 545 out: 546 if (m != NULL) { 547 #if NBPFILTER > 0 548 if (ic->ic_rawbpf) 549 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 550 #endif 551 m_freem(m); 552 } 553 } 554 555 /* 556 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 557 * reception of fragments of three fragmented MSDUs or MMPDUs. 558 */ 559 struct mbuf * 560 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 561 { 562 const struct ieee80211_frame *owh, *wh; 563 struct ieee80211_defrag *df; 564 u_int16_t rxseq, seq; 565 u_int8_t frag; 566 int i; 567 568 wh = mtod(m, struct ieee80211_frame *); 569 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 570 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 571 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 572 573 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 574 return m; /* not fragmented */ 575 576 if (frag == 0) { 577 /* first fragment, setup entry in the fragment cache */ 578 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 579 ic->ic_defrag_cur = 0; 580 df = &ic->ic_defrag[ic->ic_defrag_cur]; 581 if (df->df_m != NULL) 582 m_freem(df->df_m); /* discard old entry */ 583 df->df_seq = seq; 584 df->df_frag = 0; 585 df->df_m = m; 586 /* start receive MSDU timer of aMaxReceiveLifetime */ 587 timeout_add_sec(&df->df_to, 1); 588 return NULL; /* MSDU or MMPDU not yet complete */ 589 } 590 591 /* find matching entry in the fragment cache */ 592 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 593 df = &ic->ic_defrag[i]; 594 if (df->df_m == NULL) 595 continue; 596 if (df->df_seq != seq || df->df_frag + 1 != frag) 597 continue; 598 owh = mtod(df->df_m, struct ieee80211_frame *); 599 /* frame type, source and destination must match */ 600 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 601 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 602 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 603 continue; 604 /* matching entry found */ 605 break; 606 } 607 if (i == IEEE80211_DEFRAG_SIZE) { 608 /* no matching entry found, discard fragment */ 609 ic->ic_if.if_ierrors++; 610 m_freem(m); 611 return NULL; 612 } 613 614 df->df_frag = frag; 615 /* strip 802.11 header and concatenate fragment */ 616 m_adj(m, hdrlen); 617 m_cat(df->df_m, m); 618 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 619 620 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 621 return NULL; /* MSDU or MMPDU not yet complete */ 622 623 /* MSDU or MMPDU complete */ 624 timeout_del(&df->df_to); 625 m = df->df_m; 626 df->df_m = NULL; 627 return m; 628 } 629 630 /* 631 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 632 */ 633 void 634 ieee80211_defrag_timeout(void *arg) 635 { 636 struct ieee80211_defrag *df = arg; 637 int s = splnet(); 638 639 /* discard all received fragments */ 640 m_freem(df->df_m); 641 df->df_m = NULL; 642 643 splx(s); 644 } 645 646 #ifndef IEEE80211_NO_HT 647 /* 648 * Process a received data MPDU related to a specific HT-immediate Block Ack 649 * agreement (see 9.10.7.6). 650 */ 651 void 652 ieee80211_input_ba(struct ifnet *ifp, struct mbuf *m, 653 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi) 654 { 655 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 656 struct ieee80211_frame *wh; 657 int idx, count; 658 u_int16_t sn; 659 660 wh = mtod(m, struct ieee80211_frame *); 661 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 662 663 /* reset Block Ack inactivity timer */ 664 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 665 666 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 667 ifp->if_ierrors++; 668 m_freem(m); /* discard the MPDU */ 669 return; 670 } 671 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 672 count = (sn - ba->ba_winend) & 0xfff; 673 if (count > ba->ba_winsize) /* no overlap */ 674 count = ba->ba_winsize; 675 while (count-- > 0) { 676 /* gaps may exist */ 677 if (ba->ba_buf[ba->ba_head].m != NULL) { 678 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, 679 ni, &ba->ba_buf[ba->ba_head].rxi); 680 ba->ba_buf[ba->ba_head].m = NULL; 681 } 682 ba->ba_head = (ba->ba_head + 1) % 683 IEEE80211_BA_MAX_WINSZ; 684 } 685 /* move window forward */ 686 ba->ba_winend = sn; 687 ba->ba_winstart = (sn - ba->ba_winsize + 1) & 0xfff; 688 } 689 /* WinStartB <= SN <= WinEndB */ 690 691 idx = (sn - ba->ba_winstart) & 0xfff; 692 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 693 /* store the received MPDU in the buffer */ 694 if (ba->ba_buf[idx].m != NULL) { 695 ifp->if_ierrors++; 696 m_freem(m); 697 return; 698 } 699 ba->ba_buf[idx].m = m; 700 /* store Rx meta-data too */ 701 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 702 ba->ba_buf[idx].rxi = *rxi; 703 704 /* pass reordered MPDUs up to the next MAC process */ 705 while (ba->ba_buf[ba->ba_head].m != NULL) { 706 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 707 &ba->ba_buf[ba->ba_head].rxi); 708 ba->ba_buf[ba->ba_head].m = NULL; 709 710 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 711 /* move window forward */ 712 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 713 } 714 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 715 } 716 717 /* 718 * Change the value of WinStartB (move window forward) upon reception of a 719 * BlockAckReq frame or an ADDBA Request (PBAC). 720 */ 721 void 722 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 723 u_int8_t tid, u_int16_t ssn) 724 { 725 struct ifnet *ifp = &ic->ic_if; 726 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 727 int count; 728 729 /* assert(WinStartB <= SSN) */ 730 731 count = (ssn - ba->ba_winstart) & 0xfff; 732 if (count > ba->ba_winsize) /* no overlap */ 733 count = ba->ba_winsize; 734 while (count-- > 0) { 735 /* gaps may exist */ 736 if (ba->ba_buf[ba->ba_head].m != NULL) { 737 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 738 &ba->ba_buf[ba->ba_head].rxi); 739 ba->ba_buf[ba->ba_head].m = NULL; 740 } 741 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 742 } 743 /* move window forward */ 744 ba->ba_winstart = ssn; 745 746 /* pass reordered MPDUs up to the next MAC process */ 747 while (ba->ba_buf[ba->ba_head].m != NULL) { 748 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 749 &ba->ba_buf[ba->ba_head].rxi); 750 ba->ba_buf[ba->ba_head].m = NULL; 751 752 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 753 /* move window forward */ 754 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 755 } 756 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 757 } 758 #endif /* !IEEE80211_NO_HT */ 759 760 void 761 ieee80211_deliver_data(struct ieee80211com *ic, struct mbuf *m, 762 struct ieee80211_node *ni) 763 { 764 struct ifnet *ifp = &ic->ic_if; 765 struct ether_header *eh; 766 struct mbuf *m1; 767 768 eh = mtod(m, struct ether_header *); 769 770 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 771 eh->ether_type != htons(ETHERTYPE_PAE)) { 772 DPRINTF(("port not valid: %s\n", 773 ether_sprintf(eh->ether_dhost))); 774 ic->ic_stats.is_rx_unauth++; 775 m_freem(m); 776 return; 777 } 778 ifp->if_ipackets++; 779 780 /* 781 * Perform as a bridge within the AP. Notice that we do not 782 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 783 */ 784 m1 = NULL; 785 #ifndef IEEE80211_STA_ONLY 786 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 787 !(ic->ic_flags & IEEE80211_F_NOBRIDGE) && 788 eh->ether_type != htons(ETHERTYPE_PAE)) { 789 struct ieee80211_node *ni1; 790 int error, len; 791 792 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 793 m1 = m_copym(m, 0, M_COPYALL, M_DONTWAIT); 794 if (m1 == NULL) 795 ifp->if_oerrors++; 796 else 797 m1->m_flags |= M_MCAST; 798 } else { 799 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 800 if (ni1 != NULL && 801 ni1->ni_state == IEEE80211_STA_ASSOC) { 802 m1 = m; 803 m = NULL; 804 } 805 } 806 if (m1 != NULL) { 807 len = m1->m_pkthdr.len; 808 IFQ_ENQUEUE(&ifp->if_snd, m1, NULL, error); 809 if (error) 810 ifp->if_oerrors++; 811 else { 812 if (m != NULL) 813 ifp->if_omcasts++; 814 ifp->if_obytes += len; 815 if_start(ifp); 816 } 817 } 818 } 819 #endif 820 if (m != NULL) { 821 #if NBPFILTER > 0 822 /* 823 * If we forward frame into transmitter of the AP, 824 * we don't need to duplicate for DLT_EN10MB. 825 */ 826 if (ifp->if_bpf && m1 == NULL) 827 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 828 #endif 829 if ((ic->ic_flags & IEEE80211_F_RSNON) && 830 eh->ether_type == htons(ETHERTYPE_PAE)) 831 ieee80211_eapol_key_input(ic, m, ni); 832 else 833 ether_input_mbuf(ifp, m); 834 } 835 } 836 837 /* 838 * Make sure protocol header (e.g. IP) is aligned on a 32-bit boundary. 839 * This is achieved by copying mbufs so drivers should try to map their 840 * buffers such that this copying is not necessary. It is however not 841 * always possible because 802.11 header length may vary (non-QoS+LLC 842 * is 32 bytes while QoS+LLC is 34 bytes). Some devices are smart and 843 * add 2 padding bytes after the 802.11 header in the QoS case so this 844 * function is there for stupid drivers/devices only. 845 */ 846 struct mbuf * 847 ieee80211_align_mbuf(struct mbuf *m) 848 { 849 struct mbuf *n, *n0, **np; 850 caddr_t newdata; 851 int off, pktlen; 852 853 n0 = NULL; 854 np = &n0; 855 off = 0; 856 pktlen = m->m_pkthdr.len; 857 while (pktlen > off) { 858 if (n0 == NULL) { 859 MGETHDR(n, M_DONTWAIT, MT_DATA); 860 if (n == NULL) { 861 m_freem(m); 862 return NULL; 863 } 864 M_DUP_PKTHDR(n, m); 865 n->m_len = MHLEN; 866 } else { 867 MGET(n, M_DONTWAIT, MT_DATA); 868 if (n == NULL) { 869 m_freem(m); 870 m_freem(n0); 871 return NULL; 872 } 873 n->m_len = MLEN; 874 } 875 if (pktlen - off >= MINCLSIZE) { 876 MCLGET(n, M_DONTWAIT); 877 if (n->m_flags & M_EXT) 878 n->m_len = n->m_ext.ext_size; 879 } 880 if (n0 == NULL) { 881 newdata = (caddr_t)ALIGN(n->m_data + ETHER_HDR_LEN) - 882 ETHER_HDR_LEN; 883 n->m_len -= newdata - n->m_data; 884 n->m_data = newdata; 885 } 886 if (n->m_len > pktlen - off) 887 n->m_len = pktlen - off; 888 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 889 off += n->m_len; 890 *np = n; 891 np = &n->m_next; 892 } 893 m_freem(m); 894 return n0; 895 } 896 897 void 898 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 899 struct ieee80211_node *ni, int hdrlen) 900 { 901 struct ieee80211_qosframe_addr4 wh; /* largest 802.11 header */ 902 struct ether_header *eh; 903 struct llc *llc; 904 905 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 906 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 907 ic->ic_stats.is_rx_decap++; 908 return; 909 } 910 memcpy(&wh, mtod(m, caddr_t), hdrlen); 911 llc = (struct llc *)(mtod(m, caddr_t) + hdrlen); 912 if (llc->llc_dsap == LLC_SNAP_LSAP && 913 llc->llc_ssap == LLC_SNAP_LSAP && 914 llc->llc_control == LLC_UI && 915 llc->llc_snap.org_code[0] == 0 && 916 llc->llc_snap.org_code[1] == 0 && 917 llc->llc_snap.org_code[2] == 0) { 918 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 919 llc = NULL; 920 } else { 921 m_adj(m, hdrlen - ETHER_HDR_LEN); 922 } 923 eh = mtod(m, struct ether_header *); 924 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 925 case IEEE80211_FC1_DIR_NODS: 926 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 927 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 928 break; 929 case IEEE80211_FC1_DIR_TODS: 930 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 931 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 932 break; 933 case IEEE80211_FC1_DIR_FROMDS: 934 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 935 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 936 break; 937 case IEEE80211_FC1_DIR_DSTODS: 938 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 939 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 940 break; 941 } 942 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 943 if ((m = ieee80211_align_mbuf(m)) == NULL) { 944 ic->ic_stats.is_rx_decap++; 945 return; 946 } 947 } 948 if (llc != NULL) { 949 eh = mtod(m, struct ether_header *); 950 eh->ether_type = htons(m->m_pkthdr.len - ETHER_HDR_LEN); 951 } 952 ieee80211_deliver_data(ic, m, ni); 953 } 954 955 #ifndef IEEE80211_NO_HT 956 /* 957 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 958 */ 959 void 960 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 961 struct ieee80211_node *ni, int hdrlen) 962 { 963 struct mbuf *n; 964 struct ether_header *eh; 965 struct llc *llc; 966 int len, pad; 967 968 /* strip 802.11 header */ 969 m_adj(m, hdrlen); 970 971 for (;;) { 972 /* process an A-MSDU subframe */ 973 if (m->m_len < ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 974 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 975 if (m == NULL) { 976 ic->ic_stats.is_rx_decap++; 977 break; 978 } 979 } 980 eh = mtod(m, struct ether_header *); 981 /* examine 802.3 header */ 982 len = ntohs(eh->ether_type); 983 if (len < LLC_SNAPFRAMELEN) { 984 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 985 /* stop processing A-MSDU subframes */ 986 ic->ic_stats.is_rx_decap++; 987 m_freem(m); 988 break; 989 } 990 llc = (struct llc *)&eh[1]; 991 /* examine 802.2 LLC header */ 992 if (llc->llc_dsap == LLC_SNAP_LSAP && 993 llc->llc_ssap == LLC_SNAP_LSAP && 994 llc->llc_control == LLC_UI && 995 llc->llc_snap.org_code[0] == 0 && 996 llc->llc_snap.org_code[1] == 0 && 997 llc->llc_snap.org_code[2] == 0) { 998 /* convert to Ethernet II header */ 999 eh->ether_type = llc->llc_snap.ether_type; 1000 /* strip LLC+SNAP headers */ 1001 ovbcopy(eh, (u_int8_t *)eh + LLC_SNAPFRAMELEN, 1002 ETHER_HDR_LEN); 1003 m_adj(m, LLC_SNAPFRAMELEN); 1004 len -= LLC_SNAPFRAMELEN; 1005 } 1006 len += ETHER_HDR_LEN; 1007 1008 /* "detach" our A-MSDU subframe from the others */ 1009 n = m_split(m, len, M_NOWAIT); 1010 if (n == NULL) { 1011 /* stop processing A-MSDU subframes */ 1012 ic->ic_stats.is_rx_decap++; 1013 m_freem(m); 1014 break; 1015 } 1016 ieee80211_deliver_data(ic, m, ni); 1017 1018 m = n; 1019 /* remove padding */ 1020 pad = ((len + 3) & ~3) - len; 1021 m_adj(m, pad); 1022 } 1023 } 1024 #endif /* !IEEE80211_NO_HT */ 1025 1026 /* 1027 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1028 */ 1029 int 1030 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1031 { 1032 u_int updtcount; 1033 int aci; 1034 1035 /* 1036 * Check if EDCA parameters have changed XXX if we miss more than 1037 * 15 consecutive beacons, we might not detect changes to EDCA 1038 * parameters due to wraparound of the 4-bit Update Count field. 1039 */ 1040 updtcount = frm[0] & 0xf; 1041 if (updtcount == ic->ic_edca_updtcount) 1042 return 0; /* no changes to EDCA parameters, ignore */ 1043 ic->ic_edca_updtcount = updtcount; 1044 1045 frm += 2; /* skip QoS Info & Reserved fields */ 1046 1047 /* parse AC Parameter Records */ 1048 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1049 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1050 1051 ac->ac_acm = (frm[0] >> 4) & 0x1; 1052 ac->ac_aifsn = frm[0] & 0xf; 1053 ac->ac_ecwmin = frm[1] & 0xf; 1054 ac->ac_ecwmax = frm[1] >> 4; 1055 ac->ac_txoplimit = LE_READ_2(frm + 2); 1056 frm += 4; 1057 } 1058 /* give drivers a chance to update their settings */ 1059 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1060 (*ic->ic_updateedca)(ic); 1061 1062 return 0; 1063 } 1064 1065 int 1066 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1067 { 1068 if (frm[1] < 18) { 1069 ic->ic_stats.is_rx_elem_toosmall++; 1070 return IEEE80211_REASON_IE_INVALID; 1071 } 1072 return ieee80211_parse_edca_params_body(ic, frm + 2); 1073 } 1074 1075 int 1076 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1077 { 1078 if (frm[1] < 24) { 1079 ic->ic_stats.is_rx_elem_toosmall++; 1080 return IEEE80211_REASON_IE_INVALID; 1081 } 1082 return ieee80211_parse_edca_params_body(ic, frm + 8); 1083 } 1084 1085 enum ieee80211_cipher 1086 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1087 { 1088 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1089 switch (selector[3]) { 1090 case 0: /* use group data cipher suite */ 1091 return IEEE80211_CIPHER_USEGROUP; 1092 case 1: /* WEP-40 */ 1093 return IEEE80211_CIPHER_WEP40; 1094 case 2: /* TKIP */ 1095 return IEEE80211_CIPHER_TKIP; 1096 case 4: /* CCMP (RSNA default) */ 1097 return IEEE80211_CIPHER_CCMP; 1098 case 5: /* WEP-104 */ 1099 return IEEE80211_CIPHER_WEP104; 1100 } 1101 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1102 /* from IEEE Std 802.11 - Table 20da */ 1103 switch (selector[3]) { 1104 case 0: /* use group data cipher suite */ 1105 return IEEE80211_CIPHER_USEGROUP; 1106 case 1: /* WEP-40 */ 1107 return IEEE80211_CIPHER_WEP40; 1108 case 2: /* TKIP */ 1109 return IEEE80211_CIPHER_TKIP; 1110 case 4: /* CCMP (RSNA default) */ 1111 return IEEE80211_CIPHER_CCMP; 1112 case 5: /* WEP-104 */ 1113 return IEEE80211_CIPHER_WEP104; 1114 case 6: /* BIP */ 1115 return IEEE80211_CIPHER_BIP; 1116 } 1117 } 1118 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1119 } 1120 1121 enum ieee80211_akm 1122 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1123 { 1124 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1125 switch (selector[3]) { 1126 case 1: /* IEEE 802.1X (RSNA default) */ 1127 return IEEE80211_AKM_8021X; 1128 case 2: /* PSK */ 1129 return IEEE80211_AKM_PSK; 1130 } 1131 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1132 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1133 switch (selector[3]) { 1134 case 1: /* IEEE 802.1X (RSNA default) */ 1135 return IEEE80211_AKM_8021X; 1136 case 2: /* PSK */ 1137 return IEEE80211_AKM_PSK; 1138 case 5: /* IEEE 802.1X with SHA256 KDF */ 1139 return IEEE80211_AKM_SHA256_8021X; 1140 case 6: /* PSK with SHA256 KDF */ 1141 return IEEE80211_AKM_SHA256_PSK; 1142 } 1143 } 1144 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1145 } 1146 1147 /* 1148 * Parse an RSN element (see 7.3.2.25). 1149 */ 1150 int 1151 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1152 u_int len, struct ieee80211_rsnparams *rsn) 1153 { 1154 const u_int8_t *efrm; 1155 u_int16_t m, n, s; 1156 1157 efrm = frm + len; 1158 1159 /* check Version field */ 1160 if (LE_READ_2(frm) != 1) 1161 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1162 frm += 2; 1163 1164 /* all fields after the Version field are optional */ 1165 1166 /* if Cipher Suite missing, default to CCMP */ 1167 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1168 rsn->rsn_nciphers = 1; 1169 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1170 /* if Group Management Cipher Suite missing, defaut to BIP */ 1171 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1172 /* if AKM Suite missing, default to 802.1X */ 1173 rsn->rsn_nakms = 1; 1174 rsn->rsn_akms = IEEE80211_AKM_8021X; 1175 /* if RSN capabilities missing, default to 0 */ 1176 rsn->rsn_caps = 0; 1177 rsn->rsn_npmkids = 0; 1178 1179 /* read Group Data Cipher Suite field */ 1180 if (frm + 4 > efrm) 1181 return 0; 1182 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1183 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP) 1184 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1185 frm += 4; 1186 1187 /* read Pairwise Cipher Suite Count field */ 1188 if (frm + 2 > efrm) 1189 return 0; 1190 m = rsn->rsn_nciphers = LE_READ_2(frm); 1191 frm += 2; 1192 1193 /* read Pairwise Cipher Suite List */ 1194 if (frm + m * 4 > efrm) 1195 return IEEE80211_STATUS_IE_INVALID; 1196 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1197 while (m-- > 0) { 1198 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1199 frm += 4; 1200 } 1201 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1202 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1203 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1204 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1205 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1206 } 1207 1208 /* read AKM Suite List Count field */ 1209 if (frm + 2 > efrm) 1210 return 0; 1211 n = rsn->rsn_nakms = LE_READ_2(frm); 1212 frm += 2; 1213 1214 /* read AKM Suite List */ 1215 if (frm + n * 4 > efrm) 1216 return IEEE80211_STATUS_IE_INVALID; 1217 rsn->rsn_akms = IEEE80211_AKM_NONE; 1218 while (n-- > 0) { 1219 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1220 frm += 4; 1221 } 1222 1223 /* read RSN Capabilities field */ 1224 if (frm + 2 > efrm) 1225 return 0; 1226 rsn->rsn_caps = LE_READ_2(frm); 1227 frm += 2; 1228 1229 /* read PMKID Count field */ 1230 if (frm + 2 > efrm) 1231 return 0; 1232 s = rsn->rsn_npmkids = LE_READ_2(frm); 1233 frm += 2; 1234 1235 /* read PMKID List */ 1236 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1237 return IEEE80211_STATUS_IE_INVALID; 1238 if (s != 0) { 1239 rsn->rsn_pmkids = frm; 1240 frm += s * IEEE80211_PMKID_LEN; 1241 } 1242 1243 /* read Group Management Cipher Suite field */ 1244 if (frm + 4 > efrm) 1245 return 0; 1246 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1247 1248 return IEEE80211_STATUS_SUCCESS; 1249 } 1250 1251 int 1252 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1253 struct ieee80211_rsnparams *rsn) 1254 { 1255 if (frm[1] < 2) { 1256 ic->ic_stats.is_rx_elem_toosmall++; 1257 return IEEE80211_STATUS_IE_INVALID; 1258 } 1259 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1260 } 1261 1262 int 1263 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1264 struct ieee80211_rsnparams *rsn) 1265 { 1266 if (frm[1] < 6) { 1267 ic->ic_stats.is_rx_elem_toosmall++; 1268 return IEEE80211_STATUS_IE_INVALID; 1269 } 1270 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1271 } 1272 1273 /* 1274 * Create (or update) a copy of an information element. 1275 */ 1276 int 1277 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1278 { 1279 if (*ie == NULL || (*ie)[1] != frm[1]) { 1280 if (*ie != NULL) 1281 free(*ie, M_DEVBUF); 1282 *ie = malloc(2 + frm[1], M_DEVBUF, M_NOWAIT); 1283 if (*ie == NULL) 1284 return ENOMEM; 1285 } 1286 memcpy(*ie, frm, 2 + frm[1]); 1287 return 0; 1288 } 1289 1290 /*- 1291 * Beacon/Probe response frame format: 1292 * [8] Timestamp 1293 * [2] Beacon interval 1294 * [2] Capability 1295 * [tlv] Service Set Identifier (SSID) 1296 * [tlv] Supported rates 1297 * [tlv] DS Parameter Set (802.11g) 1298 * [tlv] ERP Information (802.11g) 1299 * [tlv] Extended Supported Rates (802.11g) 1300 * [tlv] RSN (802.11i) 1301 * [tlv] EDCA Parameter Set (802.11e) 1302 * [tlv] QoS Capability (Beacon only, 802.11e) 1303 * [tlv] HT Capabilities (802.11n) 1304 * [tlv] HT Operation (802.11n) 1305 */ 1306 void 1307 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1308 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int isprobe) 1309 { 1310 const struct ieee80211_frame *wh; 1311 const u_int8_t *frm, *efrm; 1312 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1313 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1314 u_int16_t capinfo, bintval; 1315 u_int8_t chan, bchan, erp; 1316 int is_new; 1317 1318 /* 1319 * We process beacon/probe response frames for: 1320 * o station mode: to collect state 1321 * updates such as 802.11g slot time and for passive 1322 * scanning of APs 1323 * o adhoc mode: to discover neighbors 1324 * o hostap mode: for passive scanning of neighbor APs 1325 * o when scanning 1326 * In other words, in all modes other than monitor (which 1327 * does not process incoming frames) and adhoc-demo (which 1328 * does not use management frames at all). 1329 */ 1330 #ifdef DIAGNOSTIC 1331 if (ic->ic_opmode != IEEE80211_M_STA && 1332 #ifndef IEEE80211_STA_ONLY 1333 ic->ic_opmode != IEEE80211_M_IBSS && 1334 ic->ic_opmode != IEEE80211_M_HOSTAP && 1335 #endif 1336 ic->ic_state != IEEE80211_S_SCAN) { 1337 panic("%s: impossible operating mode", __func__); 1338 } 1339 #endif 1340 /* make sure all mandatory fixed fields are present */ 1341 if (m->m_len < sizeof(*wh) + 12) { 1342 DPRINTF(("frame too short\n")); 1343 return; 1344 } 1345 wh = mtod(m, struct ieee80211_frame *); 1346 frm = (const u_int8_t *)&wh[1]; 1347 efrm = mtod(m, u_int8_t *) + m->m_len; 1348 1349 tstamp = frm; frm += 8; 1350 bintval = LE_READ_2(frm); frm += 2; 1351 capinfo = LE_READ_2(frm); frm += 2; 1352 1353 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1354 htcaps = htop = NULL; 1355 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1356 chan = bchan; 1357 erp = 0; 1358 while (frm + 2 <= efrm) { 1359 if (frm + 2 + frm[1] > efrm) { 1360 ic->ic_stats.is_rx_elem_toosmall++; 1361 break; 1362 } 1363 switch (frm[0]) { 1364 case IEEE80211_ELEMID_SSID: 1365 ssid = frm; 1366 break; 1367 case IEEE80211_ELEMID_RATES: 1368 rates = frm; 1369 break; 1370 case IEEE80211_ELEMID_DSPARMS: 1371 if (frm[1] < 1) { 1372 ic->ic_stats.is_rx_elem_toosmall++; 1373 break; 1374 } 1375 chan = frm[2]; 1376 break; 1377 case IEEE80211_ELEMID_TIM: 1378 break; 1379 case IEEE80211_ELEMID_IBSSPARMS: 1380 break; 1381 case IEEE80211_ELEMID_XRATES: 1382 xrates = frm; 1383 break; 1384 case IEEE80211_ELEMID_ERP: 1385 if (frm[1] < 1) { 1386 ic->ic_stats.is_rx_elem_toosmall++; 1387 break; 1388 } 1389 erp = frm[2]; 1390 break; 1391 case IEEE80211_ELEMID_RSN: 1392 rsnie = frm; 1393 break; 1394 case IEEE80211_ELEMID_EDCAPARMS: 1395 edcaie = frm; 1396 break; 1397 case IEEE80211_ELEMID_QOS_CAP: 1398 break; 1399 #ifndef IEEE80211_NO_HT 1400 case IEEE80211_ELEMID_HTCAPS: 1401 htcaps = frm; 1402 break; 1403 case IEEE80211_ELEMID_HTOP: 1404 htop = frm; 1405 break; 1406 #endif 1407 case IEEE80211_ELEMID_VENDOR: 1408 if (frm[1] < 4) { 1409 ic->ic_stats.is_rx_elem_toosmall++; 1410 break; 1411 } 1412 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1413 if (frm[5] == 1) 1414 wpaie = frm; 1415 else if (frm[1] >= 5 && 1416 frm[5] == 2 && frm[6] == 1) 1417 wmmie = frm; 1418 } 1419 break; 1420 default: 1421 DPRINTF(("element id %u/len %u ignored\n", 1422 frm[0], frm[1])); 1423 ic->ic_stats.is_rx_elem_unknown++; 1424 break; 1425 } 1426 frm += 2 + frm[1]; 1427 } 1428 /* supported rates element is mandatory */ 1429 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1430 DPRINTF(("invalid supported rates element\n")); 1431 return; 1432 } 1433 /* SSID element is mandatory */ 1434 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1435 DPRINTF(("invalid SSID element\n")); 1436 return; 1437 } 1438 1439 if ( 1440 #if IEEE80211_CHAN_MAX < 255 1441 chan > IEEE80211_CHAN_MAX || 1442 #endif 1443 isclr(ic->ic_chan_active, chan)) { 1444 DPRINTF(("ignore %s with invalid channel %u\n", 1445 isprobe ? "probe response" : "beacon", chan)); 1446 ic->ic_stats.is_rx_badchan++; 1447 return; 1448 } 1449 if ((ic->ic_state != IEEE80211_S_SCAN || 1450 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1451 chan != bchan) { 1452 /* 1453 * Frame was received on a channel different from the 1454 * one indicated in the DS params element id; 1455 * silently discard it. 1456 * 1457 * NB: this can happen due to signal leakage. 1458 */ 1459 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1460 isprobe ? "probe response" : "beacon", bchan, chan)); 1461 ic->ic_stats.is_rx_chanmismatch++; 1462 return; 1463 } 1464 /* 1465 * Use mac, channel and rssi so we collect only the 1466 * best potential AP with the equal bssid while scanning. 1467 * Collecting all potential APs may result in bloat of 1468 * the node tree. This call will return NULL if the node 1469 * for this APs does not exist or if the new node is the 1470 * potential better one. 1471 */ 1472 if ((ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1473 &ic->ic_channels[chan], ssid, rxi->rxi_rssi)) != NULL) 1474 return; 1475 1476 #ifdef IEEE80211_DEBUG 1477 if (ieee80211_debug && 1478 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN)) { 1479 printf("%s: %s%s on chan %u (bss chan %u) ", 1480 __func__, (ni == NULL ? "new " : ""), 1481 isprobe ? "probe response" : "beacon", 1482 chan, bchan); 1483 ieee80211_print_essid(ssid + 2, ssid[1]); 1484 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1485 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1486 __func__, capinfo, bintval, erp); 1487 } 1488 #endif 1489 1490 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1491 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1492 if (ni == NULL) 1493 return; 1494 is_new = 1; 1495 } else 1496 is_new = 0; 1497 1498 /* 1499 * When operating in station mode, check for state updates 1500 * while we're associated. We consider only 11g stuff right 1501 * now. 1502 */ 1503 if (ic->ic_opmode == IEEE80211_M_STA && 1504 ic->ic_state == IEEE80211_S_RUN && 1505 ni->ni_state == IEEE80211_STA_BSS) { 1506 /* 1507 * Check if protection mode has changed since last beacon. 1508 */ 1509 if (ni->ni_erp != erp) { 1510 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1511 ether_sprintf((u_int8_t *)wh->i_addr2), 1512 ni->ni_erp, erp)); 1513 if (ic->ic_curmode == IEEE80211_MODE_11G && 1514 (erp & IEEE80211_ERP_USE_PROTECTION)) 1515 ic->ic_flags |= IEEE80211_F_USEPROT; 1516 else 1517 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1518 ic->ic_bss->ni_erp = erp; 1519 } 1520 /* 1521 * Check if AP short slot time setting has changed 1522 * since last beacon and give the driver a chance to 1523 * update the hardware. 1524 */ 1525 if ((ni->ni_capinfo ^ capinfo) & 1526 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1527 ieee80211_set_shortslottime(ic, 1528 ic->ic_curmode == IEEE80211_MODE_11A || 1529 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1530 } 1531 } 1532 /* 1533 * We do not try to update EDCA parameters if QoS was not negotiated 1534 * with the AP at association time. 1535 */ 1536 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1537 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1538 if (edcaie != NULL) 1539 ieee80211_parse_edca_params(ic, edcaie); 1540 else if (wmmie != NULL) 1541 ieee80211_parse_wmm_params(ic, wmmie); 1542 } 1543 1544 if (ic->ic_state == IEEE80211_S_SCAN && 1545 #ifndef IEEE80211_STA_ONLY 1546 ic->ic_opmode != IEEE80211_M_HOSTAP && 1547 #endif 1548 (ic->ic_flags & IEEE80211_F_RSNON)) { 1549 struct ieee80211_rsnparams rsn; 1550 const u_int8_t *saveie = NULL; 1551 /* 1552 * If the AP advertises both RSN and WPA IEs (WPA1+WPA2), 1553 * we only store the parameters of the highest protocol 1554 * version we support. 1555 */ 1556 if (rsnie != NULL && 1557 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1558 if (ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1559 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1560 saveie = rsnie; 1561 } 1562 } else if (wpaie != NULL && 1563 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1564 if (ieee80211_parse_wpa(ic, wpaie, &rsn) == 0) { 1565 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1566 saveie = wpaie; 1567 } 1568 } 1569 if (saveie != NULL && 1570 ieee80211_save_ie(saveie, &ni->ni_rsnie) == 0) { 1571 ni->ni_rsnakms = rsn.rsn_akms; 1572 ni->ni_rsnciphers = rsn.rsn_ciphers; 1573 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1574 ni->ni_rsngroupmgmtcipher = rsn.rsn_groupmgmtcipher; 1575 ni->ni_rsncaps = rsn.rsn_caps; 1576 } else 1577 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1578 } else if (ic->ic_state == IEEE80211_S_SCAN) 1579 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1580 1581 if (ssid[1] != 0 && ni->ni_esslen == 0) { 1582 ni->ni_esslen = ssid[1]; 1583 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1584 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1585 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1586 } 1587 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1588 ni->ni_rssi = rxi->rxi_rssi; 1589 ni->ni_rstamp = rxi->rxi_tstamp; 1590 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1591 ni->ni_intval = bintval; 1592 ni->ni_capinfo = capinfo; 1593 /* XXX validate channel # */ 1594 ni->ni_chan = &ic->ic_channels[chan]; 1595 ni->ni_erp = erp; 1596 /* NB: must be after ni_chan is setup */ 1597 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1598 1599 /* 1600 * When scanning we record results (nodes) with a zero 1601 * refcnt. Otherwise we want to hold the reference for 1602 * ibss neighbors so the nodes don't get released prematurely. 1603 * Anything else can be discarded (XXX and should be handled 1604 * above so we don't do so much work). 1605 */ 1606 if ( 1607 #ifndef IEEE80211_STA_ONLY 1608 ic->ic_opmode == IEEE80211_M_IBSS || 1609 #endif 1610 (is_new && isprobe)) { 1611 /* 1612 * Fake an association so the driver can setup it's 1613 * private state. The rate set has been setup above; 1614 * there is no handshake as in ap/station operation. 1615 */ 1616 if (ic->ic_newassoc) 1617 (*ic->ic_newassoc)(ic, ni, 1); 1618 } 1619 } 1620 1621 #ifndef IEEE80211_STA_ONLY 1622 /*- 1623 * Probe request frame format: 1624 * [tlv] SSID 1625 * [tlv] Supported rates 1626 * [tlv] Extended Supported Rates (802.11g) 1627 * [tlv] HT Capabilities (802.11n) 1628 */ 1629 void 1630 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 1631 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1632 { 1633 const struct ieee80211_frame *wh; 1634 const u_int8_t *frm, *efrm; 1635 const u_int8_t *ssid, *rates, *xrates, *htcaps; 1636 u_int8_t rate; 1637 1638 if (ic->ic_opmode == IEEE80211_M_STA || 1639 ic->ic_state != IEEE80211_S_RUN) 1640 return; 1641 1642 wh = mtod(m, struct ieee80211_frame *); 1643 frm = (const u_int8_t *)&wh[1]; 1644 efrm = mtod(m, u_int8_t *) + m->m_len; 1645 1646 ssid = rates = xrates = htcaps = NULL; 1647 while (frm + 2 <= efrm) { 1648 if (frm + 2 + frm[1] > efrm) { 1649 ic->ic_stats.is_rx_elem_toosmall++; 1650 break; 1651 } 1652 switch (frm[0]) { 1653 case IEEE80211_ELEMID_SSID: 1654 ssid = frm; 1655 break; 1656 case IEEE80211_ELEMID_RATES: 1657 rates = frm; 1658 break; 1659 case IEEE80211_ELEMID_XRATES: 1660 xrates = frm; 1661 break; 1662 #ifndef IEEE80211_NO_HT 1663 case IEEE80211_ELEMID_HTCAPS: 1664 htcaps = frm; 1665 break; 1666 #endif 1667 } 1668 frm += 2 + frm[1]; 1669 } 1670 /* supported rates element is mandatory */ 1671 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1672 DPRINTF(("invalid supported rates element\n")); 1673 return; 1674 } 1675 /* SSID element is mandatory */ 1676 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1677 DPRINTF(("invalid SSID element\n")); 1678 return; 1679 } 1680 /* check that the specified SSID (if not wildcard) matches ours */ 1681 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 1682 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 1683 DPRINTF(("SSID mismatch\n")); 1684 ic->ic_stats.is_rx_ssidmismatch++; 1685 return; 1686 } 1687 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 1688 if (ssid[1] == 0 && (ic->ic_flags & IEEE80211_F_HIDENWID)) { 1689 DPRINTF(("wildcard SSID rejected")); 1690 ic->ic_stats.is_rx_ssidmismatch++; 1691 return; 1692 } 1693 1694 if (ni == ic->ic_bss) { 1695 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1696 if (ni == NULL) 1697 return; 1698 DPRINTF(("new probe req from %s\n", 1699 ether_sprintf((u_int8_t *)wh->i_addr2))); 1700 } 1701 ni->ni_rssi = rxi->rxi_rssi; 1702 ni->ni_rstamp = rxi->rxi_tstamp; 1703 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1704 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1705 IEEE80211_F_DODEL); 1706 if (rate & IEEE80211_RATE_BASIC) { 1707 DPRINTF(("rate mismatch for %s\n", 1708 ether_sprintf((u_int8_t *)wh->i_addr2))); 1709 return; 1710 } 1711 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1712 } 1713 #endif /* IEEE80211_STA_ONLY */ 1714 1715 /*- 1716 * Authentication frame format: 1717 * [2] Authentication algorithm number 1718 * [2] Authentication transaction sequence number 1719 * [2] Status code 1720 */ 1721 void 1722 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 1723 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1724 { 1725 const struct ieee80211_frame *wh; 1726 const u_int8_t *frm; 1727 u_int16_t algo, seq, status; 1728 1729 /* make sure all mandatory fixed fields are present */ 1730 if (m->m_len < sizeof(*wh) + 6) { 1731 DPRINTF(("frame too short\n")); 1732 return; 1733 } 1734 wh = mtod(m, struct ieee80211_frame *); 1735 frm = (const u_int8_t *)&wh[1]; 1736 1737 algo = LE_READ_2(frm); frm += 2; 1738 seq = LE_READ_2(frm); frm += 2; 1739 status = LE_READ_2(frm); frm += 2; 1740 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 1741 ether_sprintf((u_int8_t *)wh->i_addr2))); 1742 1743 /* only "open" auth mode is supported */ 1744 if (algo != IEEE80211_AUTH_ALG_OPEN) { 1745 DPRINTF(("unsupported auth algorithm %d from %s\n", 1746 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 1747 ic->ic_stats.is_rx_auth_unsupported++; 1748 #ifndef IEEE80211_STA_ONLY 1749 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1750 /* XXX hack to workaround calling convention */ 1751 IEEE80211_SEND_MGMT(ic, ni, 1752 IEEE80211_FC0_SUBTYPE_AUTH, 1753 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xffff)); 1754 } 1755 #endif 1756 return; 1757 } 1758 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 1759 } 1760 1761 #ifndef IEEE80211_STA_ONLY 1762 /*- 1763 * (Re)Association request frame format: 1764 * [2] Capability information 1765 * [2] Listen interval 1766 * [6*] Current AP address (Reassociation only) 1767 * [tlv] SSID 1768 * [tlv] Supported rates 1769 * [tlv] Extended Supported Rates (802.11g) 1770 * [tlv] RSN (802.11i) 1771 * [tlv] QoS Capability (802.11e) 1772 * [tlv] HT Capabilities (802.11n) 1773 */ 1774 void 1775 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 1776 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 1777 { 1778 const struct ieee80211_frame *wh; 1779 const u_int8_t *frm, *efrm; 1780 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *htcaps; 1781 u_int16_t capinfo, bintval; 1782 int resp, status = 0; 1783 struct ieee80211_rsnparams rsn; 1784 u_int8_t rate; 1785 1786 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1787 ic->ic_state != IEEE80211_S_RUN) 1788 return; 1789 1790 /* make sure all mandatory fixed fields are present */ 1791 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 1792 DPRINTF(("frame too short\n")); 1793 return; 1794 } 1795 wh = mtod(m, struct ieee80211_frame *); 1796 frm = (const u_int8_t *)&wh[1]; 1797 efrm = mtod(m, u_int8_t *) + m->m_len; 1798 1799 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1800 DPRINTF(("ignore other bss from %s\n", 1801 ether_sprintf((u_int8_t *)wh->i_addr2))); 1802 ic->ic_stats.is_rx_assoc_bss++; 1803 return; 1804 } 1805 capinfo = LE_READ_2(frm); frm += 2; 1806 bintval = LE_READ_2(frm); frm += 2; 1807 if (reassoc) { 1808 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 1809 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1810 } else 1811 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1812 1813 ssid = rates = xrates = rsnie = wpaie = htcaps = NULL; 1814 while (frm + 2 <= efrm) { 1815 if (frm + 2 + frm[1] > efrm) { 1816 ic->ic_stats.is_rx_elem_toosmall++; 1817 break; 1818 } 1819 switch (frm[0]) { 1820 case IEEE80211_ELEMID_SSID: 1821 ssid = frm; 1822 break; 1823 case IEEE80211_ELEMID_RATES: 1824 rates = frm; 1825 break; 1826 case IEEE80211_ELEMID_XRATES: 1827 xrates = frm; 1828 break; 1829 case IEEE80211_ELEMID_RSN: 1830 rsnie = frm; 1831 break; 1832 case IEEE80211_ELEMID_QOS_CAP: 1833 break; 1834 #ifndef IEEE80211_NO_HT 1835 case IEEE80211_ELEMID_HTCAPS: 1836 htcaps = frm; 1837 break; 1838 #endif 1839 case IEEE80211_ELEMID_VENDOR: 1840 if (frm[1] < 4) { 1841 ic->ic_stats.is_rx_elem_toosmall++; 1842 break; 1843 } 1844 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1845 if (frm[5] == 1) 1846 wpaie = frm; 1847 } 1848 break; 1849 } 1850 frm += 2 + frm[1]; 1851 } 1852 /* supported rates element is mandatory */ 1853 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1854 DPRINTF(("invalid supported rates element\n")); 1855 return; 1856 } 1857 /* SSID element is mandatory */ 1858 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1859 DPRINTF(("invalid SSID element\n")); 1860 return; 1861 } 1862 /* check that the specified SSID matches ours */ 1863 if (ssid[1] != ic->ic_bss->ni_esslen || 1864 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 1865 DPRINTF(("SSID mismatch\n")); 1866 ic->ic_stats.is_rx_ssidmismatch++; 1867 return; 1868 } 1869 1870 if (ni->ni_state != IEEE80211_STA_AUTH && 1871 ni->ni_state != IEEE80211_STA_ASSOC) { 1872 DPRINTF(("deny %sassoc from %s, not authenticated\n", 1873 reassoc ? "re" : "", 1874 ether_sprintf((u_int8_t *)wh->i_addr2))); 1875 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1876 if (ni != NULL) { 1877 IEEE80211_SEND_MGMT(ic, ni, 1878 IEEE80211_FC0_SUBTYPE_DEAUTH, 1879 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1880 } 1881 ic->ic_stats.is_rx_assoc_notauth++; 1882 return; 1883 } 1884 1885 if (ni->ni_state == IEEE80211_STA_ASSOC && 1886 (ni->ni_flags & IEEE80211_NODE_MFP)) { 1887 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 1888 /* send a protected Disassociate frame */ 1889 IEEE80211_SEND_MGMT(ic, ni, 1890 IEEE80211_FC0_SUBTYPE_DISASSOC, 1891 IEEE80211_REASON_AUTH_EXPIRE); 1892 /* terminate the old SA */ 1893 ieee80211_node_leave(ic, ni); 1894 } else { 1895 /* reject the (Re)Association Request temporarily */ 1896 IEEE80211_SEND_MGMT(ic, ni, resp, 1897 IEEE80211_STATUS_TRY_AGAIN_LATER); 1898 /* start SA Query procedure if not already engaged */ 1899 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 1900 ieee80211_sa_query_request(ic, ni); 1901 /* do not modify association state */ 1902 } 1903 return; 1904 } 1905 1906 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 1907 ic->ic_stats.is_rx_assoc_capmismatch++; 1908 status = IEEE80211_STATUS_CAPINFO; 1909 goto end; 1910 } 1911 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1912 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1913 IEEE80211_F_DODEL); 1914 if (rate & IEEE80211_RATE_BASIC) { 1915 ic->ic_stats.is_rx_assoc_norate++; 1916 status = IEEE80211_STATUS_BASIC_RATE; 1917 goto end; 1918 } 1919 1920 if (ic->ic_flags & IEEE80211_F_RSNON) { 1921 const u_int8_t *saveie; 1922 /* 1923 * A station should never include both a WPA and an RSN IE 1924 * in its (Re)Association Requests, but if it does, we only 1925 * consider the IE of the highest version of the protocol 1926 * that is allowed (ie RSN over WPA). 1927 */ 1928 if (rsnie != NULL && 1929 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1930 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 1931 if (status != 0) 1932 goto end; 1933 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1934 saveie = rsnie; 1935 } else if (wpaie != NULL && 1936 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1937 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 1938 if (status != 0) 1939 goto end; 1940 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1941 saveie = wpaie; 1942 } else { 1943 /* 1944 * In an RSN, an AP shall not associate with STAs 1945 * that fail to include the RSN IE in the 1946 * (Re)Association Request. 1947 */ 1948 status = IEEE80211_STATUS_IE_INVALID; 1949 goto end; 1950 } 1951 /* 1952 * The initiating STA's RSN IE shall include one authentication 1953 * and pairwise cipher suite among those advertised by the 1954 * targeted AP. It shall also specify the group cipher suite 1955 * specified by the targeted AP. 1956 */ 1957 if (rsn.rsn_nakms != 1 || 1958 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 1959 status = IEEE80211_STATUS_BAD_AKMP; 1960 goto end; 1961 } 1962 if (rsn.rsn_nciphers != 1 || 1963 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 1964 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1965 goto end; 1966 } 1967 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 1968 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 1969 goto end; 1970 } 1971 1972 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 1973 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 1974 status = IEEE80211_STATUS_MFP_POLICY; 1975 goto end; 1976 } 1977 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 1978 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 1979 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 1980 /* STA advertises an invalid setting */ 1981 status = IEEE80211_STATUS_MFP_POLICY; 1982 goto end; 1983 } 1984 /* 1985 * A STA that has associated with Management Frame Protection 1986 * enabled shall not use cipher suite pairwise selector WEP40, 1987 * WEP104, TKIP, or "Use Group cipher suite". 1988 */ 1989 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 1990 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 1991 rsn.rsn_groupmgmtcipher != 1992 ic->ic_bss->ni_rsngroupmgmtcipher)) { 1993 status = IEEE80211_STATUS_MFP_POLICY; 1994 goto end; 1995 } 1996 1997 /* 1998 * Disallow new associations using TKIP if countermeasures 1999 * are active. 2000 */ 2001 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2002 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2003 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2004 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2005 goto end; 2006 } 2007 2008 /* everything looks fine, save IE and parameters */ 2009 if (ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2010 status = IEEE80211_STATUS_TOOMANY; 2011 goto end; 2012 } 2013 ni->ni_rsnakms = rsn.rsn_akms; 2014 ni->ni_rsnciphers = rsn.rsn_ciphers; 2015 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2016 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2017 ni->ni_rsncaps = rsn.rsn_caps; 2018 2019 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2020 struct ieee80211_pmk *pmk = NULL; 2021 const u_int8_t *pmkid = rsn.rsn_pmkids; 2022 /* 2023 * Check if we have a cached PMK entry matching one 2024 * of the PMKIDs specified in the RSN IE. 2025 */ 2026 while (rsn.rsn_npmkids-- > 0) { 2027 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2028 if (pmk != NULL) 2029 break; 2030 pmkid += IEEE80211_PMKID_LEN; 2031 } 2032 if (pmk != NULL) { 2033 memcpy(ni->ni_pmk, pmk->pmk_key, 2034 IEEE80211_PMK_LEN); 2035 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2036 IEEE80211_PMKID_LEN); 2037 ni->ni_flags |= IEEE80211_NODE_PMK; 2038 } 2039 } 2040 } else 2041 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2042 2043 ni->ni_rssi = rxi->rxi_rssi; 2044 ni->ni_rstamp = rxi->rxi_tstamp; 2045 ni->ni_intval = bintval; 2046 ni->ni_capinfo = capinfo; 2047 ni->ni_chan = ic->ic_bss->ni_chan; 2048 end: 2049 if (status != 0) { 2050 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2051 ieee80211_node_leave(ic, ni); 2052 } else 2053 ieee80211_node_join(ic, ni, resp); 2054 } 2055 #endif /* IEEE80211_STA_ONLY */ 2056 2057 /*- 2058 * (Re)Association response frame format: 2059 * [2] Capability information 2060 * [2] Status code 2061 * [2] Association ID (AID) 2062 * [tlv] Supported rates 2063 * [tlv] Extended Supported Rates (802.11g) 2064 * [tlv] EDCA Parameter Set (802.11e) 2065 * [tlv] HT Capabilities (802.11n) 2066 * [tlv] HT Operation (802.11n) 2067 */ 2068 void 2069 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2070 struct ieee80211_node *ni, int reassoc) 2071 { 2072 struct ifnet *ifp = &ic->ic_if; 2073 const struct ieee80211_frame *wh; 2074 const u_int8_t *frm, *efrm; 2075 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2076 u_int16_t capinfo, status, associd; 2077 u_int8_t rate; 2078 2079 if (ic->ic_opmode != IEEE80211_M_STA || 2080 ic->ic_state != IEEE80211_S_ASSOC) { 2081 ic->ic_stats.is_rx_mgtdiscard++; 2082 return; 2083 } 2084 2085 /* make sure all mandatory fixed fields are present */ 2086 if (m->m_len < sizeof(*wh) + 6) { 2087 DPRINTF(("frame too short\n")); 2088 return; 2089 } 2090 wh = mtod(m, struct ieee80211_frame *); 2091 frm = (const u_int8_t *)&wh[1]; 2092 efrm = mtod(m, u_int8_t *) + m->m_len; 2093 2094 capinfo = LE_READ_2(frm); frm += 2; 2095 status = LE_READ_2(frm); frm += 2; 2096 if (status != IEEE80211_STATUS_SUCCESS) { 2097 if (ifp->if_flags & IFF_DEBUG) 2098 printf("%s: %sassociation failed (status %d)" 2099 " for %s\n", ifp->if_xname, 2100 reassoc ? "re" : "", 2101 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2102 if (ni != ic->ic_bss) 2103 ni->ni_fails++; 2104 ic->ic_stats.is_rx_auth_fail++; 2105 return; 2106 } 2107 associd = LE_READ_2(frm); frm += 2; 2108 2109 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2110 while (frm + 2 <= efrm) { 2111 if (frm + 2 + frm[1] > efrm) { 2112 ic->ic_stats.is_rx_elem_toosmall++; 2113 break; 2114 } 2115 switch (frm[0]) { 2116 case IEEE80211_ELEMID_RATES: 2117 rates = frm; 2118 break; 2119 case IEEE80211_ELEMID_XRATES: 2120 xrates = frm; 2121 break; 2122 case IEEE80211_ELEMID_EDCAPARMS: 2123 edcaie = frm; 2124 break; 2125 #ifndef IEEE80211_NO_HT 2126 case IEEE80211_ELEMID_HTCAPS: 2127 htcaps = frm; 2128 break; 2129 case IEEE80211_ELEMID_HTOP: 2130 htop = frm; 2131 break; 2132 #endif 2133 case IEEE80211_ELEMID_VENDOR: 2134 if (frm[1] < 4) { 2135 ic->ic_stats.is_rx_elem_toosmall++; 2136 break; 2137 } 2138 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2139 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2140 wmmie = frm; 2141 } 2142 break; 2143 } 2144 frm += 2 + frm[1]; 2145 } 2146 /* supported rates element is mandatory */ 2147 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2148 DPRINTF(("invalid supported rates element\n")); 2149 return; 2150 } 2151 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2152 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2153 IEEE80211_F_DODEL); 2154 if (rate & IEEE80211_RATE_BASIC) { 2155 DPRINTF(("rate mismatch for %s\n", 2156 ether_sprintf((u_int8_t *)wh->i_addr2))); 2157 ic->ic_stats.is_rx_assoc_norate++; 2158 return; 2159 } 2160 ni->ni_capinfo = capinfo; 2161 ni->ni_associd = associd; 2162 if (edcaie != NULL || wmmie != NULL) { 2163 /* force update of EDCA parameters */ 2164 ic->ic_edca_updtcount = -1; 2165 2166 if ((edcaie != NULL && 2167 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2168 (wmmie != NULL && 2169 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2170 ni->ni_flags |= IEEE80211_NODE_QOS; 2171 else /* for Reassociation */ 2172 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2173 } 2174 /* 2175 * Configure state now that we are associated. 2176 */ 2177 if (ic->ic_curmode == IEEE80211_MODE_11A || 2178 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2179 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2180 else 2181 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2182 2183 ieee80211_set_shortslottime(ic, 2184 ic->ic_curmode == IEEE80211_MODE_11A || 2185 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2186 /* 2187 * Honor ERP protection. 2188 */ 2189 if (ic->ic_curmode == IEEE80211_MODE_11G && 2190 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2191 ic->ic_flags |= IEEE80211_F_USEPROT; 2192 else 2193 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2194 /* 2195 * If not an RSNA, mark the port as valid, otherwise wait for 2196 * 802.1X authentication and 4-way handshake to complete.. 2197 */ 2198 if (ic->ic_flags & IEEE80211_F_RSNON) { 2199 /* XXX ic->ic_mgt_timer = 5; */ 2200 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2201 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2202 2203 ieee80211_new_state(ic, IEEE80211_S_RUN, 2204 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2205 } 2206 2207 /*- 2208 * Deauthentication frame format: 2209 * [2] Reason code 2210 */ 2211 void 2212 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2213 struct ieee80211_node *ni) 2214 { 2215 const struct ieee80211_frame *wh; 2216 const u_int8_t *frm; 2217 u_int16_t reason; 2218 2219 /* make sure all mandatory fixed fields are present */ 2220 if (m->m_len < sizeof(*wh) + 2) { 2221 DPRINTF(("frame too short\n")); 2222 return; 2223 } 2224 wh = mtod(m, struct ieee80211_frame *); 2225 frm = (const u_int8_t *)&wh[1]; 2226 2227 reason = LE_READ_2(frm); 2228 2229 ic->ic_stats.is_rx_deauth++; 2230 switch (ic->ic_opmode) { 2231 case IEEE80211_M_STA: 2232 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2233 IEEE80211_FC0_SUBTYPE_DEAUTH); 2234 break; 2235 #ifndef IEEE80211_STA_ONLY 2236 case IEEE80211_M_HOSTAP: 2237 if (ni != ic->ic_bss) { 2238 if (ic->ic_if.if_flags & IFF_DEBUG) 2239 printf("%s: station %s deauthenticated " 2240 "by peer (reason %d)\n", 2241 ic->ic_if.if_xname, 2242 ether_sprintf(ni->ni_macaddr), 2243 reason); 2244 ieee80211_node_leave(ic, ni); 2245 } 2246 break; 2247 #endif 2248 default: 2249 break; 2250 } 2251 } 2252 2253 /*- 2254 * Disassociation frame format: 2255 * [2] Reason code 2256 */ 2257 void 2258 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2259 struct ieee80211_node *ni) 2260 { 2261 const struct ieee80211_frame *wh; 2262 const u_int8_t *frm; 2263 u_int16_t reason; 2264 2265 /* make sure all mandatory fixed fields are present */ 2266 if (m->m_len < sizeof(*wh) + 2) { 2267 DPRINTF(("frame too short\n")); 2268 return; 2269 } 2270 wh = mtod(m, struct ieee80211_frame *); 2271 frm = (const u_int8_t *)&wh[1]; 2272 2273 reason = LE_READ_2(frm); 2274 2275 ic->ic_stats.is_rx_disassoc++; 2276 switch (ic->ic_opmode) { 2277 case IEEE80211_M_STA: 2278 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2279 IEEE80211_FC0_SUBTYPE_DISASSOC); 2280 break; 2281 #ifndef IEEE80211_STA_ONLY 2282 case IEEE80211_M_HOSTAP: 2283 if (ni != ic->ic_bss) { 2284 if (ic->ic_if.if_flags & IFF_DEBUG) 2285 printf("%s: station %s disassociated " 2286 "by peer (reason %d)\n", 2287 ic->ic_if.if_xname, 2288 ether_sprintf(ni->ni_macaddr), 2289 reason); 2290 ieee80211_node_leave(ic, ni); 2291 } 2292 break; 2293 #endif 2294 default: 2295 break; 2296 } 2297 } 2298 2299 #ifndef IEEE80211_NO_HT 2300 /*- 2301 * ADDBA Request frame format: 2302 * [1] Category 2303 * [1] Action 2304 * [1] Dialog Token 2305 * [2] Block Ack Parameter Set 2306 * [2] Block Ack Timeout Value 2307 * [2] Block Ack Starting Sequence Control 2308 */ 2309 void 2310 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2311 struct ieee80211_node *ni) 2312 { 2313 const struct ieee80211_frame *wh; 2314 const u_int8_t *frm; 2315 struct ieee80211_rx_ba *ba; 2316 u_int16_t params, ssn, bufsz, timeout, status; 2317 u_int8_t token, tid; 2318 2319 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2320 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2321 ether_sprintf(ni->ni_macaddr))); 2322 return; 2323 } 2324 if (m->m_len < sizeof(*wh) + 9) { 2325 DPRINTF(("frame too short\n")); 2326 return; 2327 } 2328 /* MLME-ADDBA.indication */ 2329 wh = mtod(m, struct ieee80211_frame *); 2330 frm = (const u_int8_t *)&wh[1]; 2331 2332 token = frm[2]; 2333 params = LE_READ_2(&frm[3]); 2334 tid = (params >> 2) & 0xf; 2335 bufsz = (params >> 6) & 0x3ff; 2336 timeout = LE_READ_2(&frm[5]); 2337 ssn = LE_READ_2(&frm[7]) >> 4; 2338 2339 ba = &ni->ni_rx_ba[tid]; 2340 /* check if we already have a Block Ack agreement for this RA/TID */ 2341 if (ba->ba_state == IEEE80211_BA_AGREED) { 2342 /* XXX should we update the timeout value? */ 2343 /* reset Block Ack inactivity timer */ 2344 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2345 2346 /* check if it's a Protected Block Ack agreement */ 2347 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2348 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2349 return; /* not a PBAC, ignore */ 2350 2351 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2352 if (SEQ_LT(ba->ba_winstart, ssn)) 2353 ieee80211_ba_move_window(ic, ni, tid, ssn); 2354 return; 2355 } 2356 /* if PBAC required but RA does not support it, refuse request */ 2357 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2358 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2359 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) { 2360 status = IEEE80211_STATUS_REFUSED; 2361 goto resp; 2362 } 2363 /* 2364 * If the TID for which the Block Ack agreement is requested is 2365 * configured with a no-ACK policy, refuse the agreement. 2366 */ 2367 if (ic->ic_tid_noack & (1 << tid)) { 2368 status = IEEE80211_STATUS_REFUSED; 2369 goto resp; 2370 } 2371 /* check that we support the requested Block Ack Policy */ 2372 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2373 !(params & IEEE80211_BA_ACK_POLICY)) { 2374 status = IEEE80211_STATUS_INVALID_PARAM; 2375 goto resp; 2376 } 2377 2378 /* setup Block Ack agreement */ 2379 ba->ba_state = IEEE80211_BA_INIT; 2380 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2381 if (ba->ba_timeout_val < IEEE80211_BA_MIN_TIMEOUT) 2382 ba->ba_timeout_val = IEEE80211_BA_MIN_TIMEOUT; 2383 else if (ba->ba_timeout_val > IEEE80211_BA_MAX_TIMEOUT) 2384 ba->ba_timeout_val = IEEE80211_BA_MAX_TIMEOUT; 2385 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2386 ba->ba_winsize = bufsz; 2387 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2388 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2389 ba->ba_winstart = ssn; 2390 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2391 /* allocate and setup our reordering buffer */ 2392 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2393 M_DEVBUF, M_NOWAIT | M_ZERO); 2394 if (ba->ba_buf == NULL) { 2395 status = IEEE80211_STATUS_REFUSED; 2396 goto resp; 2397 } 2398 ba->ba_head = 0; 2399 2400 /* notify drivers of this new Block Ack agreement */ 2401 if (ic->ic_ampdu_rx_start != NULL && 2402 ic->ic_ampdu_rx_start(ic, ni, tid) != 0) { 2403 /* driver failed to setup, rollback */ 2404 free(ba->ba_buf, M_DEVBUF); 2405 ba->ba_buf = NULL; 2406 status = IEEE80211_STATUS_REFUSED; 2407 goto resp; 2408 } 2409 ba->ba_state = IEEE80211_BA_AGREED; 2410 /* start Block Ack inactivity timer */ 2411 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2412 status = IEEE80211_STATUS_SUCCESS; 2413 resp: 2414 /* MLME-ADDBA.response */ 2415 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2416 IEEE80211_ACTION_ADDBA_RESP, status << 16 | token << 8 | tid); 2417 } 2418 2419 /*- 2420 * ADDBA Response frame format: 2421 * [1] Category 2422 * [1] Action 2423 * [1] Dialog Token 2424 * [2] Status Code 2425 * [2] Block Ack Parameter Set 2426 * [2] Block Ack Timeout Value 2427 */ 2428 void 2429 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2430 struct ieee80211_node *ni) 2431 { 2432 const struct ieee80211_frame *wh; 2433 const u_int8_t *frm; 2434 struct ieee80211_tx_ba *ba; 2435 u_int16_t status, params, bufsz, timeout; 2436 u_int8_t token, tid; 2437 2438 if (m->m_len < sizeof(*wh) + 9) { 2439 DPRINTF(("frame too short\n")); 2440 return; 2441 } 2442 wh = mtod(m, struct ieee80211_frame *); 2443 frm = (const u_int8_t *)&wh[1]; 2444 2445 token = frm[2]; 2446 status = LE_READ_2(&frm[3]); 2447 params = LE_READ_2(&frm[5]); 2448 tid = (params >> 2) & 0xf; 2449 bufsz = (params >> 6) & 0x3ff; 2450 timeout = LE_READ_2(&frm[7]); 2451 2452 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2453 ether_sprintf(ni->ni_macaddr), tid, status)); 2454 2455 /* 2456 * Ignore if no ADDBA request has been sent for this RA/TID or 2457 * if we already have a Block Ack agreement. 2458 */ 2459 ba = &ni->ni_tx_ba[tid]; 2460 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2461 DPRINTF(("no matching ADDBA req found\n")); 2462 return; 2463 } 2464 if (token != ba->ba_token) { 2465 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2466 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2467 return; 2468 } 2469 /* we got an ADDBA Response matching our request, stop timeout */ 2470 timeout_del(&ba->ba_to); 2471 2472 if (status != IEEE80211_STATUS_SUCCESS) { 2473 /* MLME-ADDBA.confirm(Failure) */ 2474 ba->ba_state = IEEE80211_BA_INIT; 2475 return; 2476 } 2477 /* MLME-ADDBA.confirm(Success) */ 2478 ba->ba_state = IEEE80211_BA_AGREED; 2479 2480 /* notify drivers of this new Block Ack agreement */ 2481 if (ic->ic_ampdu_tx_start != NULL) 2482 (void)ic->ic_ampdu_tx_start(ic, ni, tid); 2483 2484 /* start Block Ack inactivity timeout */ 2485 if (ba->ba_timeout_val != 0) 2486 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2487 } 2488 2489 /*- 2490 * DELBA frame format: 2491 * [1] Category 2492 * [1] Action 2493 * [2] DELBA Parameter Set 2494 * [2] Reason Code 2495 */ 2496 void 2497 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 2498 struct ieee80211_node *ni) 2499 { 2500 const struct ieee80211_frame *wh; 2501 const u_int8_t *frm; 2502 u_int16_t params, reason; 2503 u_int8_t tid; 2504 int i; 2505 2506 if (m->m_len < sizeof(*wh) + 6) { 2507 DPRINTF(("frame too short\n")); 2508 return; 2509 } 2510 wh = mtod(m, struct ieee80211_frame *); 2511 frm = (const u_int8_t *)&wh[1]; 2512 2513 params = LE_READ_2(&frm[2]); 2514 reason = LE_READ_2(&frm[4]); 2515 tid = params >> 12; 2516 2517 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 2518 ether_sprintf(ni->ni_macaddr), tid, reason)); 2519 2520 if (params & IEEE80211_DELBA_INITIATOR) { 2521 /* MLME-DELBA.indication(Originator) */ 2522 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2523 2524 if (ba->ba_state != IEEE80211_BA_AGREED) { 2525 DPRINTF(("no matching Block Ack agreement\n")); 2526 return; 2527 } 2528 /* notify drivers of the end of the Block Ack agreement */ 2529 if (ic->ic_ampdu_rx_stop != NULL) 2530 ic->ic_ampdu_rx_stop(ic, ni, tid); 2531 2532 ba->ba_state = IEEE80211_BA_INIT; 2533 /* stop Block Ack inactivity timer */ 2534 timeout_del(&ba->ba_to); 2535 2536 if (ba->ba_buf != NULL) { 2537 /* free all MSDUs stored in reordering buffer */ 2538 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 2539 if (ba->ba_buf[i].m != NULL) 2540 m_freem(ba->ba_buf[i].m); 2541 /* free reordering buffer */ 2542 free(ba->ba_buf, M_DEVBUF); 2543 ba->ba_buf = NULL; 2544 } 2545 } else { 2546 /* MLME-DELBA.indication(Recipient) */ 2547 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2548 2549 if (ba->ba_state != IEEE80211_BA_AGREED) { 2550 DPRINTF(("no matching Block Ack agreement\n")); 2551 return; 2552 } 2553 /* notify drivers of the end of the Block Ack agreement */ 2554 if (ic->ic_ampdu_tx_stop != NULL) 2555 ic->ic_ampdu_tx_stop(ic, ni, tid); 2556 2557 ba->ba_state = IEEE80211_BA_INIT; 2558 /* stop Block Ack inactivity timer */ 2559 timeout_del(&ba->ba_to); 2560 } 2561 } 2562 #endif /* !IEEE80211_NO_HT */ 2563 2564 /*- 2565 * SA Query Request frame format: 2566 * [1] Category 2567 * [1] Action 2568 * [16] Transaction Identifier 2569 */ 2570 void 2571 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 2572 struct ieee80211_node *ni) 2573 { 2574 const struct ieee80211_frame *wh; 2575 const u_int8_t *frm; 2576 2577 if (ic->ic_opmode != IEEE80211_M_STA || 2578 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 2579 DPRINTF(("unexpected SA Query req from %s\n", 2580 ether_sprintf(ni->ni_macaddr))); 2581 return; 2582 } 2583 if (m->m_len < sizeof(*wh) + 4) { 2584 DPRINTF(("frame too short\n")); 2585 return; 2586 } 2587 wh = mtod(m, struct ieee80211_frame *); 2588 frm = (const u_int8_t *)&wh[1]; 2589 2590 /* MLME-SAQuery.indication */ 2591 2592 /* save Transaction Identifier for SA Query Response */ 2593 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 2594 2595 /* MLME-SAQuery.response */ 2596 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 2597 IEEE80211_ACTION_SA_QUERY_RESP, 0); 2598 } 2599 2600 #ifndef IEEE80211_STA_ONLY 2601 /*- 2602 * SA Query Response frame format: 2603 * [1] Category 2604 * [1] Action 2605 * [16] Transaction Identifier 2606 */ 2607 void 2608 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 2609 struct ieee80211_node *ni) 2610 { 2611 const struct ieee80211_frame *wh; 2612 const u_int8_t *frm; 2613 2614 /* ignore if we're not engaged in an SA Query with that STA */ 2615 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 2616 DPRINTF(("unexpected SA Query resp from %s\n", 2617 ether_sprintf(ni->ni_macaddr))); 2618 return; 2619 } 2620 if (m->m_len < sizeof(*wh) + 4) { 2621 DPRINTF(("frame too short\n")); 2622 return; 2623 } 2624 wh = mtod(m, struct ieee80211_frame *); 2625 frm = (const u_int8_t *)&wh[1]; 2626 2627 /* check that Transaction Identifier matches */ 2628 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 2629 DPRINTF(("transaction identifier does not match\n")); 2630 return; 2631 } 2632 /* MLME-SAQuery.confirm */ 2633 timeout_del(&ni->ni_sa_query_to); 2634 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 2635 } 2636 #endif 2637 2638 /*- 2639 * Action frame format: 2640 * [1] Category 2641 * [1] Action 2642 */ 2643 void 2644 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 2645 struct ieee80211_node *ni) 2646 { 2647 const struct ieee80211_frame *wh; 2648 const u_int8_t *frm; 2649 2650 if (m->m_len < sizeof(*wh) + 2) { 2651 DPRINTF(("frame too short\n")); 2652 return; 2653 } 2654 wh = mtod(m, struct ieee80211_frame *); 2655 frm = (const u_int8_t *)&wh[1]; 2656 2657 switch (frm[0]) { 2658 #ifndef IEEE80211_NO_HT 2659 case IEEE80211_CATEG_BA: 2660 switch (frm[1]) { 2661 case IEEE80211_ACTION_ADDBA_REQ: 2662 ieee80211_recv_addba_req(ic, m, ni); 2663 break; 2664 case IEEE80211_ACTION_ADDBA_RESP: 2665 ieee80211_recv_addba_resp(ic, m, ni); 2666 break; 2667 case IEEE80211_ACTION_DELBA: 2668 ieee80211_recv_delba(ic, m, ni); 2669 break; 2670 } 2671 break; 2672 #endif 2673 case IEEE80211_CATEG_SA_QUERY: 2674 switch (frm[1]) { 2675 case IEEE80211_ACTION_SA_QUERY_REQ: 2676 ieee80211_recv_sa_query_req(ic, m, ni); 2677 break; 2678 #ifndef IEEE80211_STA_ONLY 2679 case IEEE80211_ACTION_SA_QUERY_RESP: 2680 ieee80211_recv_sa_query_resp(ic, m, ni); 2681 break; 2682 #endif 2683 } 2684 break; 2685 default: 2686 DPRINTF(("action frame category %d not handled\n", frm[0])); 2687 break; 2688 } 2689 } 2690 2691 void 2692 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 2693 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 2694 { 2695 switch (subtype) { 2696 case IEEE80211_FC0_SUBTYPE_BEACON: 2697 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 2698 break; 2699 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 2700 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 2701 break; 2702 #ifndef IEEE80211_STA_ONLY 2703 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2704 ieee80211_recv_probe_req(ic, m, ni, rxi); 2705 break; 2706 #endif 2707 case IEEE80211_FC0_SUBTYPE_AUTH: 2708 ieee80211_recv_auth(ic, m, ni, rxi); 2709 break; 2710 #ifndef IEEE80211_STA_ONLY 2711 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2712 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 2713 break; 2714 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 2715 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 2716 break; 2717 #endif 2718 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2719 ieee80211_recv_assoc_resp(ic, m, ni, 0); 2720 break; 2721 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2722 ieee80211_recv_assoc_resp(ic, m, ni, 1); 2723 break; 2724 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2725 ieee80211_recv_deauth(ic, m, ni); 2726 break; 2727 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2728 ieee80211_recv_disassoc(ic, m, ni); 2729 break; 2730 case IEEE80211_FC0_SUBTYPE_ACTION: 2731 ieee80211_recv_action(ic, m, ni); 2732 break; 2733 default: 2734 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 2735 subtype)); 2736 ic->ic_stats.is_rx_badsubtype++; 2737 break; 2738 } 2739 } 2740 2741 #ifndef IEEE80211_STA_ONLY 2742 /* 2743 * Process an incoming PS-Poll control frame (see 11.2). 2744 */ 2745 void 2746 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 2747 struct ieee80211_node *ni) 2748 { 2749 struct ifnet *ifp = &ic->ic_if; 2750 struct ieee80211_frame_pspoll *psp; 2751 struct ieee80211_frame *wh; 2752 u_int16_t aid; 2753 2754 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2755 !(ic->ic_caps & IEEE80211_C_APPMGT) || 2756 ni->ni_state != IEEE80211_STA_ASSOC) 2757 return; 2758 2759 if (m->m_len < sizeof(*psp)) { 2760 DPRINTF(("frame too short, len %u\n", m->m_len)); 2761 ic->ic_stats.is_rx_tooshort++; 2762 return; 2763 } 2764 psp = mtod(m, struct ieee80211_frame_pspoll *); 2765 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 2766 DPRINTF(("discard pspoll frame to BSS %s\n", 2767 ether_sprintf(psp->i_bssid))); 2768 ic->ic_stats.is_rx_wrongbss++; 2769 return; 2770 } 2771 aid = letoh16(*(u_int16_t *)psp->i_aid); 2772 if (aid != ni->ni_associd) { 2773 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 2774 ether_sprintf(psp->i_ta))); 2775 return; 2776 } 2777 2778 /* take the first queued frame and put it out.. */ 2779 IF_DEQUEUE(&ni->ni_savedq, m); 2780 if (m == NULL) 2781 return; 2782 if (IF_IS_EMPTY(&ni->ni_savedq)) { 2783 /* last queued frame, turn off the TIM bit */ 2784 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 2785 } else { 2786 /* more queued frames, set the more data bit */ 2787 wh = mtod(m, struct ieee80211_frame *); 2788 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 2789 } 2790 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 2791 (*ifp->if_start)(ifp); 2792 } 2793 #endif /* IEEE80211_STA_ONLY */ 2794 2795 #ifndef IEEE80211_NO_HT 2796 /* 2797 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 2798 */ 2799 void 2800 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 2801 struct ieee80211_node *ni) 2802 { 2803 const struct ieee80211_frame_min *wh; 2804 const u_int8_t *frm; 2805 u_int16_t ctl, ssn; 2806 u_int8_t tid, ntids; 2807 2808 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2809 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 2810 ether_sprintf(ni->ni_macaddr))); 2811 return; 2812 } 2813 if (m->m_len < sizeof(*wh) + 4) { 2814 DPRINTF(("frame too short\n")); 2815 return; 2816 } 2817 wh = mtod(m, struct ieee80211_frame_min *); 2818 frm = (const u_int8_t *)&wh[1]; 2819 2820 /* read BlockAckReq Control field */ 2821 ctl = LE_READ_2(&frm[0]); 2822 tid = ctl >> 12; 2823 2824 /* determine BlockAckReq frame variant */ 2825 if (ctl & IEEE80211_BA_MULTI_TID) { 2826 /* Multi-TID BlockAckReq variant (PSMP only) */ 2827 ntids = tid + 1; 2828 2829 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 2830 DPRINTF(("MTBAR frame too short\n")); 2831 return; 2832 } 2833 frm += 2; /* skip BlockAckReq Control field */ 2834 while (ntids-- > 0) { 2835 /* read MTBAR Information field */ 2836 tid = LE_READ_2(&frm[0]) >> 12; 2837 ssn = LE_READ_2(&frm[2]) >> 4; 2838 ieee80211_bar_tid(ic, ni, tid, ssn); 2839 frm += 4; 2840 } 2841 } else { 2842 /* Basic or Compressed BlockAckReq variants */ 2843 ssn = LE_READ_2(&frm[2]) >> 4; 2844 ieee80211_bar_tid(ic, ni, tid, ssn); 2845 } 2846 } 2847 2848 /* 2849 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 2850 * This is the common back-end for all BlockAckReq frame variants. 2851 */ 2852 void 2853 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 2854 u_int8_t tid, u_int16_t ssn) 2855 { 2856 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2857 2858 /* check if we have a Block Ack agreement for RA/TID */ 2859 if (ba->ba_state != IEEE80211_BA_AGREED) { 2860 /* XXX not sure in PBAC case */ 2861 /* send a DELBA with reason code UNKNOWN-BA */ 2862 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2863 IEEE80211_ACTION_DELBA, 2864 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 2865 return; 2866 } 2867 /* check if it is a Protected Block Ack agreement */ 2868 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 2869 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 2870 /* ADDBA Requests must be used in PBAC case */ 2871 if (SEQ_LT(ssn, ba->ba_winstart) || 2872 SEQ_LT(ba->ba_winend, ssn)) 2873 ic->ic_stats.is_pbac_errs++; 2874 return; /* PBAC, do not move window */ 2875 } 2876 /* reset Block Ack inactivity timer */ 2877 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2878 2879 if (SEQ_LT(ba->ba_winstart, ssn)) 2880 ieee80211_ba_move_window(ic, ni, tid, ssn); 2881 } 2882 #endif /* !IEEE80211_NO_HT */ 2883