1 /* $OpenBSD: ieee80211_input.c,v 1.198 2017/12/12 15:57:11 stsp Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/sysctl.h> 44 #include <sys/task.h> 45 46 #include <net/if.h> 47 #include <net/if_dl.h> 48 #include <net/if_media.h> 49 #include <net/if_llc.h> 50 51 #if NBPFILTER > 0 52 #include <net/bpf.h> 53 #endif 54 55 #include <netinet/in.h> 56 #include <netinet/if_ether.h> 57 58 #include <net80211/ieee80211_var.h> 59 #include <net80211/ieee80211_priv.h> 60 61 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 62 void ieee80211_defrag_timeout(void *); 63 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *, 64 struct ieee80211_node *, int, struct ieee80211_rxinfo *); 65 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *, 66 struct ieee80211_rx_ba *); 67 void ieee80211_input_ba_gap_timeout(void *arg); 68 void ieee80211_ba_move_window(struct ieee80211com *, 69 struct ieee80211_node *, u_int8_t, u_int16_t); 70 void ieee80211_input_ba_seq(struct ieee80211com *, 71 struct ieee80211_node *, uint8_t, uint16_t); 72 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 73 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 74 struct ieee80211_node *, int); 75 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 76 struct ieee80211_node *, int); 77 void ieee80211_deliver_data(struct ieee80211com *, struct mbuf *, 78 struct ieee80211_node *, int); 79 int ieee80211_parse_edca_params_body(struct ieee80211com *, 80 const u_int8_t *); 81 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 82 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 83 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 84 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 85 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 86 u_int, struct ieee80211_rsnparams *); 87 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 88 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 89 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 90 #ifndef IEEE80211_STA_ONLY 91 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 92 struct ieee80211_node *, struct ieee80211_rxinfo *); 93 #endif 94 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 95 struct ieee80211_node *, struct ieee80211_rxinfo *); 96 #ifndef IEEE80211_STA_ONLY 97 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 98 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 99 #endif 100 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 101 struct ieee80211_node *, int); 102 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 103 struct ieee80211_node *); 104 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 105 struct ieee80211_node *); 106 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 107 struct ieee80211_node *); 108 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 109 struct ieee80211_node *); 110 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 111 struct ieee80211_node *); 112 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 113 struct ieee80211_node *); 114 #ifndef IEEE80211_STA_ONLY 115 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 116 struct ieee80211_node *); 117 #endif 118 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 119 struct ieee80211_node *); 120 #ifndef IEEE80211_STA_ONLY 121 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 122 struct ieee80211_node *); 123 #endif 124 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 125 struct ieee80211_node *); 126 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 127 u_int8_t, u_int16_t); 128 129 /* 130 * Retrieve the length in bytes of an 802.11 header. 131 */ 132 u_int 133 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 134 { 135 u_int size = sizeof(*wh); 136 137 /* NB: does not work with control frames */ 138 KASSERT(ieee80211_has_seq(wh)); 139 140 if (ieee80211_has_addr4(wh)) 141 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 142 if (ieee80211_has_qos(wh)) 143 size += sizeof(u_int16_t); /* i_qos */ 144 if (ieee80211_has_htc(wh)) 145 size += sizeof(u_int32_t); /* i_ht */ 146 return size; 147 } 148 149 /* 150 * Process a received frame. The node associated with the sender 151 * should be supplied. If nothing was found in the node table then 152 * the caller is assumed to supply a reference to ic_bss instead. 153 * The RSSI and a timestamp are also supplied. The RSSI data is used 154 * during AP scanning to select a AP to associate with; it can have 155 * any units so long as values have consistent units and higher values 156 * mean ``better signal''. The receive timestamp is currently not used 157 * by the 802.11 layer. 158 */ 159 void 160 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 161 struct ieee80211_rxinfo *rxi) 162 { 163 struct ieee80211com *ic = (void *)ifp; 164 struct ieee80211_frame *wh; 165 u_int16_t *orxseq, nrxseq, qos; 166 u_int8_t dir, type, subtype, tid; 167 int hdrlen, hasqos; 168 169 KASSERT(ni != NULL); 170 171 /* in monitor mode, send everything directly to bpf */ 172 if (ic->ic_opmode == IEEE80211_M_MONITOR) 173 goto out; 174 175 /* 176 * Do not process frames without an Address 2 field any further. 177 * Only CTS and ACK control frames do not have this field. 178 */ 179 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 180 DPRINTF(("frame too short, len %u\n", m->m_len)); 181 ic->ic_stats.is_rx_tooshort++; 182 goto out; 183 } 184 185 wh = mtod(m, struct ieee80211_frame *); 186 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 187 IEEE80211_FC0_VERSION_0) { 188 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 189 ic->ic_stats.is_rx_badversion++; 190 goto err; 191 } 192 193 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 194 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 195 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 196 197 if (type != IEEE80211_FC0_TYPE_CTL) { 198 hdrlen = ieee80211_get_hdrlen(wh); 199 if (m->m_len < hdrlen) { 200 DPRINTF(("frame too short, len %u\n", m->m_len)); 201 ic->ic_stats.is_rx_tooshort++; 202 goto err; 203 } 204 } 205 if ((hasqos = ieee80211_has_qos(wh))) { 206 qos = ieee80211_get_qos(wh); 207 tid = qos & IEEE80211_QOS_TID; 208 } else { 209 qos = 0; 210 tid = 0; 211 } 212 213 if (type == IEEE80211_FC0_TYPE_DATA && hasqos && 214 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 && 215 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE)) { 216 int ba_state = ni->ni_rx_ba[tid].ba_state; 217 218 /* 219 * If Block Ack was explicitly requested, check 220 * if we have a BA agreement for this RA/TID. 221 */ 222 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 223 IEEE80211_QOS_ACK_POLICY_BA && 224 ba_state != IEEE80211_BA_AGREED) { 225 DPRINTF(("no BA agreement for %s, TID %d\n", 226 ether_sprintf(ni->ni_macaddr), tid)); 227 /* send a DELBA with reason code UNKNOWN-BA */ 228 IEEE80211_SEND_ACTION(ic, ni, 229 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 230 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 231 goto err; 232 } 233 234 /* 235 * Check if we have an explicit or implicit 236 * Block Ack Request for a valid BA agreement. 237 */ 238 if (ba_state == IEEE80211_BA_AGREED && 239 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 240 IEEE80211_QOS_ACK_POLICY_BA || 241 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 242 IEEE80211_QOS_ACK_POLICY_NORMAL)) { 243 /* go through A-MPDU reordering */ 244 ieee80211_input_ba(ic, m, ni, tid, rxi); 245 return; /* don't free m! */ 246 } 247 } 248 249 /* duplicate detection (see 9.2.9) */ 250 if (ieee80211_has_seq(wh) && 251 ic->ic_state != IEEE80211_S_SCAN) { 252 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 253 IEEE80211_SEQ_SEQ_SHIFT; 254 if (hasqos) 255 orxseq = &ni->ni_qos_rxseqs[tid]; 256 else 257 orxseq = &ni->ni_rxseq; 258 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 259 nrxseq == *orxseq) { 260 /* duplicate, silently discarded */ 261 ic->ic_stats.is_rx_dup++; 262 goto out; 263 } 264 *orxseq = nrxseq; 265 } 266 if (ic->ic_state > IEEE80211_S_SCAN) { 267 ni->ni_rssi = rxi->rxi_rssi; 268 ni->ni_rstamp = rxi->rxi_tstamp; 269 ni->ni_inact = 0; 270 271 if (ic->ic_state == IEEE80211_S_RUN) { 272 /* Cancel or start background scan based on RSSI. */ 273 if ((*ic->ic_node_checkrssi)(ic, ni)) 274 timeout_del(&ic->ic_bgscan_timeout); 275 else if (!timeout_pending(&ic->ic_bgscan_timeout) && 276 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0) 277 timeout_add_msec(&ic->ic_bgscan_timeout, 278 500 * (ic->ic_bgscan_fail + 1)); 279 } 280 } 281 282 #ifndef IEEE80211_STA_ONLY 283 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 284 (ic->ic_caps & IEEE80211_C_APPMGT) && 285 ni->ni_state == IEEE80211_STA_ASSOC) { 286 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 287 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 288 /* turn on PS mode */ 289 ni->ni_pwrsave = IEEE80211_PS_DOZE; 290 DPRINTF(("PS mode on for %s\n", 291 ether_sprintf(wh->i_addr2))); 292 } 293 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 294 struct mbuf *m; 295 296 /* turn off PS mode */ 297 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 298 DPRINTF(("PS mode off for %s\n", 299 ether_sprintf(wh->i_addr2))); 300 301 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 302 303 /* dequeue buffered unicast frames */ 304 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) { 305 mq_enqueue(&ic->ic_pwrsaveq, m); 306 if_start(ifp); 307 } 308 } 309 } 310 #endif 311 switch (type) { 312 case IEEE80211_FC0_TYPE_DATA: 313 switch (ic->ic_opmode) { 314 case IEEE80211_M_STA: 315 if (dir != IEEE80211_FC1_DIR_FROMDS) { 316 ic->ic_stats.is_rx_wrongdir++; 317 goto out; 318 } 319 if (ic->ic_state != IEEE80211_S_SCAN && 320 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 321 /* Source address is not our BSS. */ 322 DPRINTF(("discard frame from SA %s\n", 323 ether_sprintf(wh->i_addr2))); 324 ic->ic_stats.is_rx_wrongbss++; 325 goto out; 326 } 327 if ((ifp->if_flags & IFF_SIMPLEX) && 328 IEEE80211_IS_MULTICAST(wh->i_addr1) && 329 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 330 /* 331 * In IEEE802.11 network, multicast frame 332 * sent from me is broadcasted from AP. 333 * It should be silently discarded for 334 * SIMPLEX interface. 335 */ 336 ic->ic_stats.is_rx_mcastecho++; 337 goto out; 338 } 339 break; 340 #ifndef IEEE80211_STA_ONLY 341 case IEEE80211_M_IBSS: 342 case IEEE80211_M_AHDEMO: 343 if (dir != IEEE80211_FC1_DIR_NODS) { 344 ic->ic_stats.is_rx_wrongdir++; 345 goto out; 346 } 347 if (ic->ic_state != IEEE80211_S_SCAN && 348 !IEEE80211_ADDR_EQ(wh->i_addr3, 349 ic->ic_bss->ni_bssid) && 350 !IEEE80211_ADDR_EQ(wh->i_addr3, 351 etherbroadcastaddr)) { 352 /* Destination is not our BSS or broadcast. */ 353 DPRINTF(("discard data frame to DA %s\n", 354 ether_sprintf(wh->i_addr3))); 355 ic->ic_stats.is_rx_wrongbss++; 356 goto out; 357 } 358 break; 359 case IEEE80211_M_HOSTAP: 360 if (dir != IEEE80211_FC1_DIR_TODS) { 361 ic->ic_stats.is_rx_wrongdir++; 362 goto out; 363 } 364 if (ic->ic_state != IEEE80211_S_SCAN && 365 !IEEE80211_ADDR_EQ(wh->i_addr1, 366 ic->ic_bss->ni_bssid) && 367 !IEEE80211_ADDR_EQ(wh->i_addr1, 368 etherbroadcastaddr)) { 369 /* BSS is not us or broadcast. */ 370 DPRINTF(("discard data frame to BSS %s\n", 371 ether_sprintf(wh->i_addr1))); 372 ic->ic_stats.is_rx_wrongbss++; 373 goto out; 374 } 375 /* check if source STA is associated */ 376 if (ni == ic->ic_bss) { 377 DPRINTF(("data from unknown src %s\n", 378 ether_sprintf(wh->i_addr2))); 379 /* NB: caller deals with reference */ 380 ni = ieee80211_find_node(ic, wh->i_addr2); 381 if (ni == NULL) 382 ni = ieee80211_dup_bss(ic, wh->i_addr2); 383 if (ni != NULL) { 384 IEEE80211_SEND_MGMT(ic, ni, 385 IEEE80211_FC0_SUBTYPE_DEAUTH, 386 IEEE80211_REASON_NOT_AUTHED); 387 } 388 ic->ic_stats.is_rx_notassoc++; 389 goto err; 390 } 391 if (ni->ni_state != IEEE80211_STA_ASSOC) { 392 DPRINTF(("data from unassoc src %s\n", 393 ether_sprintf(wh->i_addr2))); 394 IEEE80211_SEND_MGMT(ic, ni, 395 IEEE80211_FC0_SUBTYPE_DISASSOC, 396 IEEE80211_REASON_NOT_ASSOCED); 397 ic->ic_stats.is_rx_notassoc++; 398 goto err; 399 } 400 break; 401 #endif /* IEEE80211_STA_ONLY */ 402 default: 403 /* can't get there */ 404 goto out; 405 } 406 407 if ((ic->ic_flags & IEEE80211_F_WEPON) || 408 ((ic->ic_flags & IEEE80211_F_RSNON) && 409 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 410 /* protection is on for Rx */ 411 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 412 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 413 /* drop unencrypted */ 414 ic->ic_stats.is_rx_unencrypted++; 415 goto err; 416 } 417 /* do software decryption */ 418 m = ieee80211_decrypt(ic, m, ni); 419 if (m == NULL) { 420 ic->ic_stats.is_rx_wepfail++; 421 goto err; 422 } 423 wh = mtod(m, struct ieee80211_frame *); 424 } 425 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 426 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 427 /* frame encrypted but protection off for Rx */ 428 ic->ic_stats.is_rx_nowep++; 429 goto out; 430 } 431 432 #if NBPFILTER > 0 433 /* copy to listener after decrypt */ 434 if (ic->ic_rawbpf) 435 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 436 #endif 437 438 if ((ni->ni_flags & IEEE80211_NODE_HT) && 439 hasqos && (qos & IEEE80211_QOS_AMSDU)) 440 ieee80211_amsdu_decap(ic, m, ni, hdrlen); 441 else 442 ieee80211_decap(ic, m, ni, hdrlen); 443 return; 444 445 case IEEE80211_FC0_TYPE_MGT: 446 if (dir != IEEE80211_FC1_DIR_NODS) { 447 ic->ic_stats.is_rx_wrongdir++; 448 goto err; 449 } 450 #ifndef IEEE80211_STA_ONLY 451 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 452 ic->ic_stats.is_rx_ahdemo_mgt++; 453 goto out; 454 } 455 #endif 456 /* drop frames without interest */ 457 if (ic->ic_state == IEEE80211_S_SCAN) { 458 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 459 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 460 ic->ic_stats.is_rx_mgtdiscard++; 461 goto out; 462 } 463 } 464 465 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 466 /* MMPDU protection is on for Rx */ 467 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 468 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 469 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 470 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 471 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 472 /* unicast mgmt not encrypted */ 473 goto out; 474 } 475 /* do software decryption */ 476 m = ieee80211_decrypt(ic, m, ni); 477 if (m == NULL) { 478 /* XXX stats */ 479 goto out; 480 } 481 wh = mtod(m, struct ieee80211_frame *); 482 } 483 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 484 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 485 /* encrypted but MMPDU Rx protection off for TA */ 486 goto out; 487 } 488 489 #if NBPFILTER > 0 490 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) { 491 /* 492 * Drop mbuf if it was filtered by bpf. Normally, 493 * this is done in ether_input() but IEEE 802.11 494 * management frames are a special case. 495 */ 496 m_freem(m); 497 return; 498 } 499 #endif 500 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 501 m_freem(m); 502 return; 503 504 case IEEE80211_FC0_TYPE_CTL: 505 ic->ic_stats.is_rx_ctl++; 506 switch (subtype) { 507 #ifndef IEEE80211_STA_ONLY 508 case IEEE80211_FC0_SUBTYPE_PS_POLL: 509 ieee80211_recv_pspoll(ic, m, ni); 510 break; 511 #endif 512 case IEEE80211_FC0_SUBTYPE_BAR: 513 ieee80211_recv_bar(ic, m, ni); 514 break; 515 default: 516 break; 517 } 518 goto out; 519 520 default: 521 DPRINTF(("bad frame type %x\n", type)); 522 /* should not come here */ 523 break; 524 } 525 err: 526 ifp->if_ierrors++; 527 out: 528 if (m != NULL) { 529 #if NBPFILTER > 0 530 if (ic->ic_rawbpf) 531 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 532 #endif 533 m_freem(m); 534 } 535 } 536 537 /* 538 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 539 * reception of fragments of three fragmented MSDUs or MMPDUs. 540 */ 541 struct mbuf * 542 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 543 { 544 const struct ieee80211_frame *owh, *wh; 545 struct ieee80211_defrag *df; 546 u_int16_t rxseq, seq; 547 u_int8_t frag; 548 int i; 549 550 wh = mtod(m, struct ieee80211_frame *); 551 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 552 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 553 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 554 555 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 556 return m; /* not fragmented */ 557 558 if (frag == 0) { 559 /* first fragment, setup entry in the fragment cache */ 560 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 561 ic->ic_defrag_cur = 0; 562 df = &ic->ic_defrag[ic->ic_defrag_cur]; 563 m_freem(df->df_m); /* discard old entry */ 564 df->df_seq = seq; 565 df->df_frag = 0; 566 df->df_m = m; 567 /* start receive MSDU timer of aMaxReceiveLifetime */ 568 timeout_add_sec(&df->df_to, 1); 569 return NULL; /* MSDU or MMPDU not yet complete */ 570 } 571 572 /* find matching entry in the fragment cache */ 573 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 574 df = &ic->ic_defrag[i]; 575 if (df->df_m == NULL) 576 continue; 577 if (df->df_seq != seq || df->df_frag + 1 != frag) 578 continue; 579 owh = mtod(df->df_m, struct ieee80211_frame *); 580 /* frame type, source and destination must match */ 581 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 582 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 583 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 584 continue; 585 /* matching entry found */ 586 break; 587 } 588 if (i == IEEE80211_DEFRAG_SIZE) { 589 /* no matching entry found, discard fragment */ 590 ic->ic_if.if_ierrors++; 591 m_freem(m); 592 return NULL; 593 } 594 595 df->df_frag = frag; 596 /* strip 802.11 header and concatenate fragment */ 597 m_adj(m, hdrlen); 598 m_cat(df->df_m, m); 599 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 600 601 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 602 return NULL; /* MSDU or MMPDU not yet complete */ 603 604 /* MSDU or MMPDU complete */ 605 timeout_del(&df->df_to); 606 m = df->df_m; 607 df->df_m = NULL; 608 return m; 609 } 610 611 /* 612 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 613 */ 614 void 615 ieee80211_defrag_timeout(void *arg) 616 { 617 struct ieee80211_defrag *df = arg; 618 int s = splnet(); 619 620 /* discard all received fragments */ 621 m_freem(df->df_m); 622 df->df_m = NULL; 623 624 splx(s); 625 } 626 627 /* 628 * Process a received data MPDU related to a specific HT-immediate Block Ack 629 * agreement (see 9.10.7.6). 630 */ 631 void 632 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m, 633 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi) 634 { 635 struct ifnet *ifp = &ic->ic_if; 636 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 637 struct ieee80211_frame *wh; 638 int idx, count; 639 u_int16_t sn; 640 641 wh = mtod(m, struct ieee80211_frame *); 642 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 643 644 /* reset Block Ack inactivity timer */ 645 if (ba->ba_timeout_val != 0) 646 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 647 648 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 649 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; 650 m_freem(m); /* discard the MPDU */ 651 return; 652 } 653 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 654 ic->ic_stats.is_ht_rx_frame_above_ba_winend++; 655 count = (sn - ba->ba_winend) & 0xfff; 656 if (count > ba->ba_winsize) { 657 /* 658 * Check whether we're consistently behind the window, 659 * and let the window move forward if neccessary. 660 */ 661 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 662 if (ba->ba_missedsn == ((sn - 1) & 0xfff)) 663 ba->ba_winmiss++; 664 else 665 ba->ba_winmiss = 0; 666 ba->ba_missedsn = sn; 667 ifp->if_ierrors++; 668 m_freem(m); /* discard the MPDU */ 669 return; 670 } 671 672 /* It appears the window has moved for real. */ 673 ic->ic_stats.is_ht_rx_ba_window_jump++; 674 ba->ba_winmiss = 0; 675 ba->ba_missedsn = 0; 676 ieee80211_ba_move_window(ic, ni, tid, sn); 677 } else { 678 ic->ic_stats.is_ht_rx_ba_window_slide++; 679 ieee80211_input_ba_seq(ic, ni, tid, 680 (ba->ba_winstart + count) & 0xfff); 681 ieee80211_input_ba_flush(ic, ni, ba); 682 } 683 } 684 /* WinStartB <= SN <= WinEndB */ 685 686 ba->ba_winmiss = 0; 687 ba->ba_missedsn = 0; 688 idx = (sn - ba->ba_winstart) & 0xfff; 689 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 690 /* store the received MPDU in the buffer */ 691 if (ba->ba_buf[idx].m != NULL) { 692 ifp->if_ierrors++; 693 ic->ic_stats.is_ht_rx_ba_no_buf++; 694 m_freem(m); 695 return; 696 } 697 ba->ba_buf[idx].m = m; 698 /* store Rx meta-data too */ 699 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 700 ba->ba_buf[idx].rxi = *rxi; 701 702 if (ba->ba_buf[ba->ba_head].m == NULL) 703 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 704 else if (timeout_pending(&ba->ba_gap_to)) 705 timeout_del(&ba->ba_gap_to); 706 707 ieee80211_input_ba_flush(ic, ni, ba); 708 } 709 710 /* 711 * Forward buffered frames with sequence number lower than max_seq. 712 * See 802.11-2012 9.21.7.6.2 b. 713 */ 714 void 715 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni, 716 uint8_t tid, uint16_t max_seq) 717 { 718 struct ifnet *ifp = &ic->ic_if; 719 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 720 struct ieee80211_frame *wh; 721 uint16_t seq; 722 int i = 0; 723 724 while (i++ < ba->ba_winsize) { 725 /* gaps may exist */ 726 if (ba->ba_buf[ba->ba_head].m != NULL) { 727 wh = mtod(ba->ba_buf[ba->ba_head].m, 728 struct ieee80211_frame *); 729 KASSERT(ieee80211_has_seq(wh)); 730 seq = letoh16(*(u_int16_t *)wh->i_seq) >> 731 IEEE80211_SEQ_SEQ_SHIFT; 732 if (!SEQ_LT(seq, max_seq)) 733 return; 734 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, 735 ni, &ba->ba_buf[ba->ba_head].rxi); 736 ba->ba_buf[ba->ba_head].m = NULL; 737 } else 738 ic->ic_stats.is_ht_rx_ba_frame_lost++; 739 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 740 } 741 } 742 743 /* Flush a consecutive sequence of frames from the reorder buffer. */ 744 void 745 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni, 746 struct ieee80211_rx_ba *ba) 747 748 { 749 struct ifnet *ifp = &ic->ic_if; 750 751 /* pass reordered MPDUs up to the next MAC process */ 752 while (ba->ba_buf[ba->ba_head].m != NULL) { 753 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 754 &ba->ba_buf[ba->ba_head].rxi); 755 ba->ba_buf[ba->ba_head].m = NULL; 756 757 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 758 /* move window forward */ 759 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 760 } 761 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 762 } 763 764 /* 765 * Forcibly move the BA window forward to remove a leading gap which has 766 * been causing frames to linger in the reordering buffer for too long. 767 * A leading gap will occur if a particular A-MPDU subframe never arrives 768 * or if a bug in the sender causes sequence numbers to jump forward by > 1. 769 */ 770 void 771 ieee80211_input_ba_gap_timeout(void *arg) 772 { 773 struct ieee80211_rx_ba *ba = arg; 774 struct ieee80211_node *ni = ba->ba_ni; 775 struct ieee80211com *ic = ni->ni_ic; 776 int s, skipped; 777 778 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; 779 780 s = splnet(); 781 782 skipped = 0; 783 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) { 784 /* move window forward */ 785 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 786 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 787 skipped++; 788 ic->ic_stats.is_ht_rx_ba_frame_lost++; 789 } 790 if (skipped > 0) 791 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 792 793 ieee80211_input_ba_flush(ic, ni, ba); 794 795 splx(s); 796 } 797 798 799 /* 800 * Change the value of WinStartB (move window forward) upon reception of a 801 * BlockAckReq frame or an ADDBA Request (PBAC). 802 */ 803 void 804 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 805 u_int8_t tid, u_int16_t ssn) 806 { 807 struct ifnet *ifp = &ic->ic_if; 808 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 809 int count; 810 811 /* assert(WinStartB <= SSN) */ 812 813 count = (ssn - ba->ba_winstart) & 0xfff; 814 if (count > ba->ba_winsize) /* no overlap */ 815 count = ba->ba_winsize; 816 while (count-- > 0) { 817 /* gaps may exist */ 818 if (ba->ba_buf[ba->ba_head].m != NULL) { 819 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 820 &ba->ba_buf[ba->ba_head].rxi); 821 ba->ba_buf[ba->ba_head].m = NULL; 822 } else 823 ic->ic_stats.is_ht_rx_ba_frame_lost++; 824 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 825 } 826 /* move window forward */ 827 ba->ba_winstart = ssn; 828 829 ieee80211_input_ba_flush(ic, ni, ba); 830 } 831 832 void 833 ieee80211_deliver_data(struct ieee80211com *ic, struct mbuf *m, 834 struct ieee80211_node *ni, int mcast) 835 { 836 struct ifnet *ifp = &ic->ic_if; 837 struct ether_header *eh; 838 struct mbuf *m1; 839 840 eh = mtod(m, struct ether_header *); 841 842 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 843 eh->ether_type != htons(ETHERTYPE_PAE)) { 844 DPRINTF(("port not valid: %s\n", 845 ether_sprintf(eh->ether_dhost))); 846 ic->ic_stats.is_rx_unauth++; 847 m_freem(m); 848 return; 849 } 850 851 /* 852 * Perform as a bridge within the AP. Notice that we do not 853 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 854 * And we do not forward unicast frames received on a multicast address. 855 */ 856 m1 = NULL; 857 #ifndef IEEE80211_STA_ONLY 858 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 859 !(ic->ic_flags & IEEE80211_F_NOBRIDGE) && 860 eh->ether_type != htons(ETHERTYPE_PAE)) { 861 struct ieee80211_node *ni1; 862 863 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 864 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT); 865 if (m1 == NULL) 866 ifp->if_oerrors++; 867 else 868 m1->m_flags |= M_MCAST; 869 } else if (!mcast) { 870 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 871 if (ni1 != NULL && 872 ni1->ni_state == IEEE80211_STA_ASSOC) { 873 m1 = m; 874 m = NULL; 875 } 876 } 877 if (m1 != NULL) { 878 if (if_enqueue(ifp, m1)) 879 ifp->if_oerrors++; 880 } 881 } 882 #endif 883 if (m != NULL) { 884 if ((ic->ic_flags & IEEE80211_F_RSNON) && 885 eh->ether_type == htons(ETHERTYPE_PAE)) { 886 ifp->if_ipackets++; 887 #if NBPFILTER > 0 888 /* 889 * If we forward frame into transmitter of the AP, 890 * we don't need to duplicate for DLT_EN10MB. 891 */ 892 if (ifp->if_bpf && m1 == NULL) 893 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 894 #endif 895 ieee80211_eapol_key_input(ic, m, ni); 896 } else { 897 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 898 ml_enqueue(&ml, m); 899 if_input(ifp, &ml); 900 } 901 } 902 } 903 904 void 905 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 906 struct ieee80211_node *ni, int hdrlen) 907 { 908 struct ether_header eh; 909 struct ieee80211_frame *wh; 910 struct llc *llc; 911 int mcast; 912 913 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 914 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 915 ic->ic_stats.is_rx_decap++; 916 return; 917 } 918 wh = mtod(m, struct ieee80211_frame *); 919 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 920 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 921 case IEEE80211_FC1_DIR_NODS: 922 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 923 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 924 break; 925 case IEEE80211_FC1_DIR_TODS: 926 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 927 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 928 break; 929 case IEEE80211_FC1_DIR_FROMDS: 930 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 931 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 932 break; 933 case IEEE80211_FC1_DIR_DSTODS: 934 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 935 IEEE80211_ADDR_COPY(eh.ether_shost, 936 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 937 break; 938 } 939 llc = (struct llc *)((caddr_t)wh + hdrlen); 940 if (llc->llc_dsap == LLC_SNAP_LSAP && 941 llc->llc_ssap == LLC_SNAP_LSAP && 942 llc->llc_control == LLC_UI && 943 llc->llc_snap.org_code[0] == 0 && 944 llc->llc_snap.org_code[1] == 0 && 945 llc->llc_snap.org_code[2] == 0) { 946 eh.ether_type = llc->llc_snap.ether_type; 947 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 948 } else { 949 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 950 m_adj(m, hdrlen - ETHER_HDR_LEN); 951 } 952 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 953 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 954 struct mbuf *m0 = m; 955 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT); 956 m_freem(m0); 957 if (m == NULL) { 958 ic->ic_stats.is_rx_decap++; 959 return; 960 } 961 } 962 ieee80211_deliver_data(ic, m, ni, mcast); 963 } 964 965 /* 966 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 967 */ 968 void 969 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 970 struct ieee80211_node *ni, int hdrlen) 971 { 972 struct mbuf *n; 973 struct ether_header *eh; 974 struct llc *llc; 975 int len, pad, mcast; 976 struct ieee80211_frame *wh; 977 978 wh = mtod(m, struct ieee80211_frame *); 979 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 980 981 /* strip 802.11 header */ 982 m_adj(m, hdrlen); 983 984 for (;;) { 985 /* process an A-MSDU subframe */ 986 if (m->m_len < ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 987 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 988 if (m == NULL) { 989 ic->ic_stats.is_rx_decap++; 990 break; 991 } 992 } 993 eh = mtod(m, struct ether_header *); 994 /* examine 802.3 header */ 995 len = ntohs(eh->ether_type); 996 if (len < LLC_SNAPFRAMELEN) { 997 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 998 /* stop processing A-MSDU subframes */ 999 ic->ic_stats.is_rx_decap++; 1000 m_freem(m); 1001 break; 1002 } 1003 llc = (struct llc *)&eh[1]; 1004 /* examine 802.2 LLC header */ 1005 if (llc->llc_dsap == LLC_SNAP_LSAP && 1006 llc->llc_ssap == LLC_SNAP_LSAP && 1007 llc->llc_control == LLC_UI && 1008 llc->llc_snap.org_code[0] == 0 && 1009 llc->llc_snap.org_code[1] == 0 && 1010 llc->llc_snap.org_code[2] == 0) { 1011 /* convert to Ethernet II header */ 1012 eh->ether_type = llc->llc_snap.ether_type; 1013 /* strip LLC+SNAP headers */ 1014 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh, 1015 ETHER_HDR_LEN); 1016 m_adj(m, LLC_SNAPFRAMELEN); 1017 len -= LLC_SNAPFRAMELEN; 1018 } 1019 len += ETHER_HDR_LEN; 1020 if (len > m->m_pkthdr.len) { 1021 /* stop processing A-MSDU subframes */ 1022 DPRINTF(("A-MSDU subframe too long (%d)\n", len)); 1023 ic->ic_stats.is_rx_decap++; 1024 m_freem(m); 1025 break; 1026 } 1027 1028 /* "detach" our A-MSDU subframe from the others */ 1029 n = m_split(m, len, M_NOWAIT); 1030 if (n == NULL) { 1031 /* stop processing A-MSDU subframes */ 1032 ic->ic_stats.is_rx_decap++; 1033 m_freem(m); 1034 break; 1035 } 1036 ieee80211_deliver_data(ic, m, ni, mcast); 1037 1038 if (n->m_pkthdr.len == 0) { 1039 m_freem(n); 1040 break; 1041 } 1042 m = n; 1043 /* remove padding */ 1044 pad = ((len + 3) & ~3) - len; 1045 m_adj(m, pad); 1046 } 1047 } 1048 1049 /* 1050 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1051 */ 1052 int 1053 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1054 { 1055 u_int updtcount; 1056 int aci; 1057 1058 /* 1059 * Check if EDCA parameters have changed XXX if we miss more than 1060 * 15 consecutive beacons, we might not detect changes to EDCA 1061 * parameters due to wraparound of the 4-bit Update Count field. 1062 */ 1063 updtcount = frm[0] & 0xf; 1064 if (updtcount == ic->ic_edca_updtcount) 1065 return 0; /* no changes to EDCA parameters, ignore */ 1066 ic->ic_edca_updtcount = updtcount; 1067 1068 frm += 2; /* skip QoS Info & Reserved fields */ 1069 1070 /* parse AC Parameter Records */ 1071 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1072 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1073 1074 ac->ac_acm = (frm[0] >> 4) & 0x1; 1075 ac->ac_aifsn = frm[0] & 0xf; 1076 ac->ac_ecwmin = frm[1] & 0xf; 1077 ac->ac_ecwmax = frm[1] >> 4; 1078 ac->ac_txoplimit = LE_READ_2(frm + 2); 1079 frm += 4; 1080 } 1081 /* give drivers a chance to update their settings */ 1082 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1083 (*ic->ic_updateedca)(ic); 1084 1085 return 0; 1086 } 1087 1088 int 1089 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1090 { 1091 if (frm[1] < 18) { 1092 ic->ic_stats.is_rx_elem_toosmall++; 1093 return IEEE80211_REASON_IE_INVALID; 1094 } 1095 return ieee80211_parse_edca_params_body(ic, frm + 2); 1096 } 1097 1098 int 1099 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1100 { 1101 if (frm[1] < 24) { 1102 ic->ic_stats.is_rx_elem_toosmall++; 1103 return IEEE80211_REASON_IE_INVALID; 1104 } 1105 return ieee80211_parse_edca_params_body(ic, frm + 8); 1106 } 1107 1108 enum ieee80211_cipher 1109 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1110 { 1111 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1112 switch (selector[3]) { 1113 case 0: /* use group data cipher suite */ 1114 return IEEE80211_CIPHER_USEGROUP; 1115 case 1: /* WEP-40 */ 1116 return IEEE80211_CIPHER_WEP40; 1117 case 2: /* TKIP */ 1118 return IEEE80211_CIPHER_TKIP; 1119 case 4: /* CCMP (RSNA default) */ 1120 return IEEE80211_CIPHER_CCMP; 1121 case 5: /* WEP-104 */ 1122 return IEEE80211_CIPHER_WEP104; 1123 } 1124 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1125 /* see 802.11-2012 Table 8-99 */ 1126 switch (selector[3]) { 1127 case 0: /* use group data cipher suite */ 1128 return IEEE80211_CIPHER_USEGROUP; 1129 case 1: /* WEP-40 */ 1130 return IEEE80211_CIPHER_WEP40; 1131 case 2: /* TKIP */ 1132 return IEEE80211_CIPHER_TKIP; 1133 case 4: /* CCMP (RSNA default) */ 1134 return IEEE80211_CIPHER_CCMP; 1135 case 5: /* WEP-104 */ 1136 return IEEE80211_CIPHER_WEP104; 1137 case 6: /* BIP */ 1138 return IEEE80211_CIPHER_BIP; 1139 } 1140 } 1141 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1142 } 1143 1144 enum ieee80211_akm 1145 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1146 { 1147 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1148 switch (selector[3]) { 1149 case 1: /* IEEE 802.1X (RSNA default) */ 1150 return IEEE80211_AKM_8021X; 1151 case 2: /* PSK */ 1152 return IEEE80211_AKM_PSK; 1153 } 1154 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1155 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1156 switch (selector[3]) { 1157 case 1: /* IEEE 802.1X (RSNA default) */ 1158 return IEEE80211_AKM_8021X; 1159 case 2: /* PSK */ 1160 return IEEE80211_AKM_PSK; 1161 case 5: /* IEEE 802.1X with SHA256 KDF */ 1162 return IEEE80211_AKM_SHA256_8021X; 1163 case 6: /* PSK with SHA256 KDF */ 1164 return IEEE80211_AKM_SHA256_PSK; 1165 } 1166 } 1167 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1168 } 1169 1170 /* 1171 * Parse an RSN element (see 802.11-2012 8.4.2.27) 1172 */ 1173 int 1174 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1175 u_int len, struct ieee80211_rsnparams *rsn) 1176 { 1177 const u_int8_t *efrm; 1178 u_int16_t m, n, s; 1179 1180 efrm = frm + len; 1181 1182 /* check Version field */ 1183 if (LE_READ_2(frm) != 1) 1184 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1185 frm += 2; 1186 1187 /* all fields after the Version field are optional */ 1188 1189 /* if Cipher Suite missing, default to CCMP */ 1190 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1191 rsn->rsn_nciphers = 1; 1192 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1193 /* if Group Management Cipher Suite missing, defaut to BIP */ 1194 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1195 /* if AKM Suite missing, default to 802.1X */ 1196 rsn->rsn_nakms = 1; 1197 rsn->rsn_akms = IEEE80211_AKM_8021X; 1198 /* if RSN capabilities missing, default to 0 */ 1199 rsn->rsn_caps = 0; 1200 rsn->rsn_npmkids = 0; 1201 1202 /* read Group Data Cipher Suite field */ 1203 if (frm + 4 > efrm) 1204 return 0; 1205 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1206 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE || 1207 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP || 1208 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP) 1209 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1210 frm += 4; 1211 1212 /* read Pairwise Cipher Suite Count field */ 1213 if (frm + 2 > efrm) 1214 return 0; 1215 m = rsn->rsn_nciphers = LE_READ_2(frm); 1216 frm += 2; 1217 1218 /* read Pairwise Cipher Suite List */ 1219 if (frm + m * 4 > efrm) 1220 return IEEE80211_STATUS_IE_INVALID; 1221 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1222 while (m-- > 0) { 1223 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1224 frm += 4; 1225 } 1226 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1227 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1228 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1229 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1230 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1231 } 1232 1233 /* read AKM Suite List Count field */ 1234 if (frm + 2 > efrm) 1235 return 0; 1236 n = rsn->rsn_nakms = LE_READ_2(frm); 1237 frm += 2; 1238 1239 /* read AKM Suite List */ 1240 if (frm + n * 4 > efrm) 1241 return IEEE80211_STATUS_IE_INVALID; 1242 rsn->rsn_akms = IEEE80211_AKM_NONE; 1243 while (n-- > 0) { 1244 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1245 frm += 4; 1246 } 1247 1248 /* read RSN Capabilities field */ 1249 if (frm + 2 > efrm) 1250 return 0; 1251 rsn->rsn_caps = LE_READ_2(frm); 1252 frm += 2; 1253 1254 /* read PMKID Count field */ 1255 if (frm + 2 > efrm) 1256 return 0; 1257 s = rsn->rsn_npmkids = LE_READ_2(frm); 1258 frm += 2; 1259 1260 /* read PMKID List */ 1261 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1262 return IEEE80211_STATUS_IE_INVALID; 1263 if (s != 0) { 1264 rsn->rsn_pmkids = frm; 1265 frm += s * IEEE80211_PMKID_LEN; 1266 } 1267 1268 /* read Group Management Cipher Suite field */ 1269 if (frm + 4 > efrm) 1270 return 0; 1271 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1272 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP) 1273 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1274 1275 return IEEE80211_STATUS_SUCCESS; 1276 } 1277 1278 int 1279 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1280 struct ieee80211_rsnparams *rsn) 1281 { 1282 if (frm[1] < 2) { 1283 ic->ic_stats.is_rx_elem_toosmall++; 1284 return IEEE80211_STATUS_IE_INVALID; 1285 } 1286 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1287 } 1288 1289 int 1290 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1291 struct ieee80211_rsnparams *rsn) 1292 { 1293 if (frm[1] < 6) { 1294 ic->ic_stats.is_rx_elem_toosmall++; 1295 return IEEE80211_STATUS_IE_INVALID; 1296 } 1297 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1298 } 1299 1300 /* 1301 * Create (or update) a copy of an information element. 1302 */ 1303 int 1304 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1305 { 1306 int olen = *ie ? 2 + (*ie)[1] : 0; 1307 int len = 2 + frm[1]; 1308 1309 if (*ie == NULL || olen != len) { 1310 if (*ie != NULL) 1311 free(*ie, M_DEVBUF, olen); 1312 *ie = malloc(len, M_DEVBUF, M_NOWAIT); 1313 if (*ie == NULL) 1314 return ENOMEM; 1315 } 1316 memcpy(*ie, frm, len); 1317 return 0; 1318 } 1319 1320 /*- 1321 * Beacon/Probe response frame format: 1322 * [8] Timestamp 1323 * [2] Beacon interval 1324 * [2] Capability 1325 * [tlv] Service Set Identifier (SSID) 1326 * [tlv] Supported rates 1327 * [tlv] DS Parameter Set (802.11g) 1328 * [tlv] ERP Information (802.11g) 1329 * [tlv] Extended Supported Rates (802.11g) 1330 * [tlv] RSN (802.11i) 1331 * [tlv] EDCA Parameter Set (802.11e) 1332 * [tlv] QoS Capability (Beacon only, 802.11e) 1333 * [tlv] HT Capabilities (802.11n) 1334 * [tlv] HT Operation (802.11n) 1335 */ 1336 void 1337 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1338 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int isprobe) 1339 { 1340 const struct ieee80211_frame *wh; 1341 const u_int8_t *frm, *efrm; 1342 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1343 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1344 u_int16_t capinfo, bintval; 1345 u_int8_t chan, bchan, erp, dtim_count, dtim_period; 1346 int is_new; 1347 1348 /* 1349 * We process beacon/probe response frames for: 1350 * o station mode: to collect state 1351 * updates such as 802.11g slot time and for passive 1352 * scanning of APs 1353 * o adhoc mode: to discover neighbors 1354 * o hostap mode: for passive scanning of neighbor APs 1355 * o when scanning 1356 * In other words, in all modes other than monitor (which 1357 * does not process incoming frames) and adhoc-demo (which 1358 * does not use management frames at all). 1359 */ 1360 #ifdef DIAGNOSTIC 1361 if (ic->ic_opmode != IEEE80211_M_STA && 1362 #ifndef IEEE80211_STA_ONLY 1363 ic->ic_opmode != IEEE80211_M_IBSS && 1364 ic->ic_opmode != IEEE80211_M_HOSTAP && 1365 #endif 1366 ic->ic_state != IEEE80211_S_SCAN) { 1367 panic("%s: impossible operating mode", __func__); 1368 } 1369 #endif 1370 /* make sure all mandatory fixed fields are present */ 1371 if (m->m_len < sizeof(*wh) + 12) { 1372 DPRINTF(("frame too short\n")); 1373 return; 1374 } 1375 wh = mtod(m, struct ieee80211_frame *); 1376 frm = (const u_int8_t *)&wh[1]; 1377 efrm = mtod(m, u_int8_t *) + m->m_len; 1378 1379 tstamp = frm; frm += 8; 1380 bintval = LE_READ_2(frm); frm += 2; 1381 capinfo = LE_READ_2(frm); frm += 2; 1382 1383 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1384 htcaps = htop = NULL; 1385 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1386 chan = bchan; 1387 erp = 0; 1388 dtim_count = dtim_period = 0; 1389 while (frm + 2 <= efrm) { 1390 if (frm + 2 + frm[1] > efrm) { 1391 ic->ic_stats.is_rx_elem_toosmall++; 1392 break; 1393 } 1394 switch (frm[0]) { 1395 case IEEE80211_ELEMID_SSID: 1396 ssid = frm; 1397 break; 1398 case IEEE80211_ELEMID_RATES: 1399 rates = frm; 1400 break; 1401 case IEEE80211_ELEMID_DSPARMS: 1402 if (frm[1] < 1) { 1403 ic->ic_stats.is_rx_elem_toosmall++; 1404 break; 1405 } 1406 chan = frm[2]; 1407 break; 1408 case IEEE80211_ELEMID_XRATES: 1409 xrates = frm; 1410 break; 1411 case IEEE80211_ELEMID_ERP: 1412 if (frm[1] < 1) { 1413 ic->ic_stats.is_rx_elem_toosmall++; 1414 break; 1415 } 1416 erp = frm[2]; 1417 break; 1418 case IEEE80211_ELEMID_RSN: 1419 rsnie = frm; 1420 break; 1421 case IEEE80211_ELEMID_EDCAPARMS: 1422 edcaie = frm; 1423 break; 1424 case IEEE80211_ELEMID_HTCAPS: 1425 htcaps = frm; 1426 break; 1427 case IEEE80211_ELEMID_HTOP: 1428 htop = frm; 1429 break; 1430 case IEEE80211_ELEMID_TIM: 1431 if (frm[1] > 3) { 1432 dtim_count = frm[2]; 1433 dtim_period = frm[3]; 1434 } 1435 break; 1436 case IEEE80211_ELEMID_VENDOR: 1437 if (frm[1] < 4) { 1438 ic->ic_stats.is_rx_elem_toosmall++; 1439 break; 1440 } 1441 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1442 if (frm[5] == 1) 1443 wpaie = frm; 1444 else if (frm[1] >= 5 && 1445 frm[5] == 2 && frm[6] == 1) 1446 wmmie = frm; 1447 } 1448 break; 1449 } 1450 frm += 2 + frm[1]; 1451 } 1452 /* supported rates element is mandatory */ 1453 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1454 DPRINTF(("invalid supported rates element\n")); 1455 return; 1456 } 1457 /* SSID element is mandatory */ 1458 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1459 DPRINTF(("invalid SSID element\n")); 1460 return; 1461 } 1462 1463 if ( 1464 #if IEEE80211_CHAN_MAX < 255 1465 chan > IEEE80211_CHAN_MAX || 1466 #endif 1467 isclr(ic->ic_chan_active, chan)) { 1468 DPRINTF(("ignore %s with invalid channel %u\n", 1469 isprobe ? "probe response" : "beacon", chan)); 1470 ic->ic_stats.is_rx_badchan++; 1471 return; 1472 } 1473 if ((ic->ic_state != IEEE80211_S_SCAN || 1474 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1475 chan != bchan) { 1476 /* 1477 * Frame was received on a channel different from the 1478 * one indicated in the DS params element id; 1479 * silently discard it. 1480 * 1481 * NB: this can happen due to signal leakage. 1482 */ 1483 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1484 isprobe ? "probe response" : "beacon", bchan, chan)); 1485 ic->ic_stats.is_rx_chanmismatch++; 1486 return; 1487 } 1488 /* 1489 * Use mac, channel and rssi so we collect only the 1490 * best potential AP with the equal bssid while scanning. 1491 * Collecting all potential APs may result in bloat of 1492 * the node tree. This call will return NULL if the node 1493 * for this APs does not exist or if the new node is the 1494 * potential better one. 1495 */ 1496 ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1497 &ic->ic_channels[chan], ssid, rxi->rxi_rssi); 1498 if (ni != NULL) { 1499 /* 1500 * If we are doing a directed scan for an AP with a hidden SSID 1501 * we must collect the SSID from a probe response to override 1502 * a non-zero-length SSID filled with zeroes that we may have 1503 * received earlier in a beacon. 1504 */ 1505 if (isprobe && ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1506 ni->ni_esslen = ssid[1]; 1507 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1508 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1509 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1510 } 1511 1512 return; 1513 } 1514 1515 #ifdef IEEE80211_DEBUG 1516 if (ieee80211_debug > 1 && 1517 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN || 1518 (ic->ic_flags & IEEE80211_F_BGSCAN))) { 1519 printf("%s: %s%s on chan %u (bss chan %u) ", 1520 __func__, (ni == NULL ? "new " : ""), 1521 isprobe ? "probe response" : "beacon", 1522 chan, bchan); 1523 ieee80211_print_essid(ssid + 2, ssid[1]); 1524 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1525 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1526 __func__, capinfo, bintval, erp); 1527 } 1528 #endif 1529 1530 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1531 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1532 if (ni == NULL) 1533 return; 1534 is_new = 1; 1535 } else 1536 is_new = 0; 1537 1538 if (htcaps) 1539 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1540 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1])) 1541 htop = NULL; /* invalid HTOP */ 1542 1543 ni->ni_dtimcount = dtim_count; 1544 ni->ni_dtimperiod = dtim_period; 1545 1546 /* 1547 * When operating in station mode, check for state updates 1548 * while we're associated. 1549 */ 1550 if (ic->ic_opmode == IEEE80211_M_STA && 1551 ic->ic_state == IEEE80211_S_RUN && 1552 ni->ni_state == IEEE80211_STA_BSS) { 1553 /* 1554 * Check if protection mode has changed since last beacon. 1555 */ 1556 if (ni->ni_erp != erp) { 1557 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1558 ether_sprintf((u_int8_t *)wh->i_addr2), 1559 ni->ni_erp, erp)); 1560 if (ic->ic_curmode == IEEE80211_MODE_11G && 1561 (erp & IEEE80211_ERP_USE_PROTECTION)) 1562 ic->ic_flags |= IEEE80211_F_USEPROT; 1563 else 1564 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1565 ic->ic_bss->ni_erp = erp; 1566 } 1567 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) { 1568 enum ieee80211_htprot htprot_last, htprot; 1569 htprot_last = 1570 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) 1571 >> IEEE80211_HTOP1_PROT_SHIFT); 1572 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >> 1573 IEEE80211_HTOP1_PROT_SHIFT); 1574 if (htprot_last != htprot) { 1575 DPRINTF(("[%s] htprot change: was %d, now %d\n", 1576 ether_sprintf((u_int8_t *)wh->i_addr2), 1577 htprot_last, htprot)); 1578 ic->ic_stats.is_ht_prot_change++; 1579 ic->ic_bss->ni_htop1 = ni->ni_htop1; 1580 if (ic->ic_update_htprot) 1581 ic->ic_update_htprot(ic, ic->ic_bss); 1582 } 1583 } 1584 1585 /* 1586 * Check if AP short slot time setting has changed 1587 * since last beacon and give the driver a chance to 1588 * update the hardware. 1589 */ 1590 if ((ni->ni_capinfo ^ capinfo) & 1591 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1592 ieee80211_set_shortslottime(ic, 1593 ic->ic_curmode == IEEE80211_MODE_11A || 1594 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1595 } 1596 1597 /* 1598 * Reset management timer. If it is non-zero in RUN state, the 1599 * driver sent a probe request after a missed beacon event. 1600 * This probe response indicates the AP is still serving us 1601 * so don't allow ieee80211_watchdog() to move us into SCAN. 1602 */ 1603 if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0) 1604 ic->ic_mgt_timer = 0; 1605 } 1606 /* 1607 * We do not try to update EDCA parameters if QoS was not negotiated 1608 * with the AP at association time. 1609 */ 1610 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1611 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1612 if ((edcaie != NULL && 1613 ieee80211_parse_edca_params(ic, edcaie) == 0) || 1614 (wmmie != NULL && 1615 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 1616 ni->ni_flags |= IEEE80211_NODE_QOS; 1617 else 1618 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1619 } 1620 1621 if (ic->ic_state == IEEE80211_S_SCAN || 1622 (ic->ic_flags & IEEE80211_F_BGSCAN)) { 1623 struct ieee80211_rsnparams rsn, wpa; 1624 1625 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1626 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 1627 ni->ni_rsnakms = 0; 1628 ni->ni_supported_rsnakms = 0; 1629 ni->ni_rsnciphers = 0; 1630 ni->ni_rsngroupcipher = 0; 1631 ni->ni_rsngroupmgmtcipher = 0; 1632 ni->ni_rsncaps = 0; 1633 1634 if (rsnie != NULL && 1635 ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1636 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_RSN; 1637 ni->ni_supported_rsnakms |= rsn.rsn_akms; 1638 } 1639 if (wpaie != NULL && 1640 ieee80211_parse_wpa(ic, wpaie, &wpa) == 0) { 1641 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_WPA; 1642 ni->ni_supported_rsnakms |= wpa.rsn_akms; 1643 } 1644 1645 /* 1646 * If the AP advertises both WPA and RSN IEs (WPA1+WPA2), 1647 * we only use the highest protocol version we support. 1648 */ 1649 if (rsnie != NULL && 1650 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_RSN) && 1651 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1652 if (ieee80211_save_ie(rsnie, &ni->ni_rsnie) == 0 1653 #ifndef IEEE80211_STA_ONLY 1654 && ic->ic_opmode != IEEE80211_M_HOSTAP 1655 #endif 1656 ) { 1657 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1658 ni->ni_rsnakms = rsn.rsn_akms; 1659 ni->ni_rsnciphers = rsn.rsn_ciphers; 1660 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1661 ni->ni_rsngroupmgmtcipher = 1662 rsn.rsn_groupmgmtcipher; 1663 ni->ni_rsncaps = rsn.rsn_caps; 1664 } 1665 } else if (wpaie != NULL && 1666 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_WPA) && 1667 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1668 if (ieee80211_save_ie(wpaie, &ni->ni_rsnie) == 0 1669 #ifndef IEEE80211_STA_ONLY 1670 && ic->ic_opmode != IEEE80211_M_HOSTAP 1671 #endif 1672 ) { 1673 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1674 ni->ni_rsnakms = wpa.rsn_akms; 1675 ni->ni_rsnciphers = wpa.rsn_ciphers; 1676 ni->ni_rsngroupcipher = wpa.rsn_groupcipher; 1677 ni->ni_rsngroupmgmtcipher = 1678 wpa.rsn_groupmgmtcipher; 1679 ni->ni_rsncaps = wpa.rsn_caps; 1680 } 1681 } 1682 } 1683 1684 if (ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1685 ni->ni_esslen = ssid[1]; 1686 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1687 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1688 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1689 } 1690 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1691 ni->ni_rssi = rxi->rxi_rssi; 1692 ni->ni_rstamp = rxi->rxi_tstamp; 1693 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1694 ni->ni_intval = bintval; 1695 ni->ni_capinfo = capinfo; 1696 /* XXX validate channel # */ 1697 ni->ni_chan = &ic->ic_channels[chan]; 1698 ni->ni_erp = erp; 1699 /* NB: must be after ni_chan is setup */ 1700 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1701 #ifndef IEEE80211_STA_ONLY 1702 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) { 1703 /* 1704 * Fake an association so the driver can setup it's 1705 * private state. The rate set has been setup above; 1706 * there is no handshake as in ap/station operation. 1707 */ 1708 if (ic->ic_newassoc) 1709 (*ic->ic_newassoc)(ic, ni, 1); 1710 } 1711 #endif 1712 } 1713 1714 #ifndef IEEE80211_STA_ONLY 1715 /*- 1716 * Probe request frame format: 1717 * [tlv] SSID 1718 * [tlv] Supported rates 1719 * [tlv] Extended Supported Rates (802.11g) 1720 * [tlv] HT Capabilities (802.11n) 1721 */ 1722 void 1723 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 1724 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1725 { 1726 const struct ieee80211_frame *wh; 1727 const u_int8_t *frm, *efrm; 1728 const u_int8_t *ssid, *rates, *xrates, *htcaps; 1729 u_int8_t rate; 1730 1731 if (ic->ic_opmode == IEEE80211_M_STA || 1732 ic->ic_state != IEEE80211_S_RUN) 1733 return; 1734 1735 wh = mtod(m, struct ieee80211_frame *); 1736 frm = (const u_int8_t *)&wh[1]; 1737 efrm = mtod(m, u_int8_t *) + m->m_len; 1738 1739 ssid = rates = xrates = htcaps = NULL; 1740 while (frm + 2 <= efrm) { 1741 if (frm + 2 + frm[1] > efrm) { 1742 ic->ic_stats.is_rx_elem_toosmall++; 1743 break; 1744 } 1745 switch (frm[0]) { 1746 case IEEE80211_ELEMID_SSID: 1747 ssid = frm; 1748 break; 1749 case IEEE80211_ELEMID_RATES: 1750 rates = frm; 1751 break; 1752 case IEEE80211_ELEMID_XRATES: 1753 xrates = frm; 1754 break; 1755 case IEEE80211_ELEMID_HTCAPS: 1756 htcaps = frm; 1757 break; 1758 } 1759 frm += 2 + frm[1]; 1760 } 1761 /* supported rates element is mandatory */ 1762 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1763 DPRINTF(("invalid supported rates element\n")); 1764 return; 1765 } 1766 /* SSID element is mandatory */ 1767 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1768 DPRINTF(("invalid SSID element\n")); 1769 return; 1770 } 1771 /* check that the specified SSID (if not wildcard) matches ours */ 1772 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 1773 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 1774 DPRINTF(("SSID mismatch\n")); 1775 ic->ic_stats.is_rx_ssidmismatch++; 1776 return; 1777 } 1778 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 1779 if (ssid[1] == 0 && (ic->ic_flags & IEEE80211_F_HIDENWID)) { 1780 DPRINTF(("wildcard SSID rejected")); 1781 ic->ic_stats.is_rx_ssidmismatch++; 1782 return; 1783 } 1784 1785 if (ni == ic->ic_bss) { 1786 ni = ieee80211_find_node(ic, wh->i_addr2); 1787 if (ni == NULL) 1788 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1789 if (ni == NULL) 1790 return; 1791 DPRINTF(("new probe req from %s\n", 1792 ether_sprintf((u_int8_t *)wh->i_addr2))); 1793 } 1794 ni->ni_rssi = rxi->rxi_rssi; 1795 ni->ni_rstamp = rxi->rxi_tstamp; 1796 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1797 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1798 IEEE80211_F_DODEL); 1799 if (rate & IEEE80211_RATE_BASIC) { 1800 DPRINTF(("rate mismatch for %s\n", 1801 ether_sprintf((u_int8_t *)wh->i_addr2))); 1802 return; 1803 } 1804 if (htcaps) 1805 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1806 else 1807 ieee80211_clear_htcaps(ni); 1808 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1809 } 1810 #endif /* IEEE80211_STA_ONLY */ 1811 1812 /*- 1813 * Authentication frame format: 1814 * [2] Authentication algorithm number 1815 * [2] Authentication transaction sequence number 1816 * [2] Status code 1817 */ 1818 void 1819 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 1820 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1821 { 1822 const struct ieee80211_frame *wh; 1823 const u_int8_t *frm; 1824 u_int16_t algo, seq, status; 1825 1826 /* make sure all mandatory fixed fields are present */ 1827 if (m->m_len < sizeof(*wh) + 6) { 1828 DPRINTF(("frame too short\n")); 1829 return; 1830 } 1831 wh = mtod(m, struct ieee80211_frame *); 1832 frm = (const u_int8_t *)&wh[1]; 1833 1834 algo = LE_READ_2(frm); frm += 2; 1835 seq = LE_READ_2(frm); frm += 2; 1836 status = LE_READ_2(frm); frm += 2; 1837 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 1838 ether_sprintf((u_int8_t *)wh->i_addr2))); 1839 1840 /* only "open" auth mode is supported */ 1841 if (algo != IEEE80211_AUTH_ALG_OPEN) { 1842 DPRINTF(("unsupported auth algorithm %d from %s\n", 1843 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 1844 ic->ic_stats.is_rx_auth_unsupported++; 1845 #ifndef IEEE80211_STA_ONLY 1846 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1847 /* XXX hack to workaround calling convention */ 1848 IEEE80211_SEND_MGMT(ic, ni, 1849 IEEE80211_FC0_SUBTYPE_AUTH, 1850 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xffff)); 1851 } 1852 #endif 1853 return; 1854 } 1855 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 1856 } 1857 1858 #ifndef IEEE80211_STA_ONLY 1859 /*- 1860 * (Re)Association request frame format: 1861 * [2] Capability information 1862 * [2] Listen interval 1863 * [6*] Current AP address (Reassociation only) 1864 * [tlv] SSID 1865 * [tlv] Supported rates 1866 * [tlv] Extended Supported Rates (802.11g) 1867 * [tlv] RSN (802.11i) 1868 * [tlv] QoS Capability (802.11e) 1869 * [tlv] HT Capabilities (802.11n) 1870 */ 1871 void 1872 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 1873 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 1874 { 1875 const struct ieee80211_frame *wh; 1876 const u_int8_t *frm, *efrm; 1877 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *htcaps; 1878 u_int16_t capinfo, bintval; 1879 int resp, status = 0; 1880 struct ieee80211_rsnparams rsn; 1881 u_int8_t rate; 1882 const u_int8_t *saveie = NULL; 1883 1884 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1885 ic->ic_state != IEEE80211_S_RUN) 1886 return; 1887 1888 /* make sure all mandatory fixed fields are present */ 1889 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 1890 DPRINTF(("frame too short\n")); 1891 return; 1892 } 1893 wh = mtod(m, struct ieee80211_frame *); 1894 frm = (const u_int8_t *)&wh[1]; 1895 efrm = mtod(m, u_int8_t *) + m->m_len; 1896 1897 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1898 DPRINTF(("ignore other bss from %s\n", 1899 ether_sprintf((u_int8_t *)wh->i_addr2))); 1900 ic->ic_stats.is_rx_assoc_bss++; 1901 return; 1902 } 1903 capinfo = LE_READ_2(frm); frm += 2; 1904 bintval = LE_READ_2(frm); frm += 2; 1905 if (reassoc) { 1906 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 1907 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1908 } else 1909 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1910 1911 ssid = rates = xrates = rsnie = wpaie = htcaps = NULL; 1912 while (frm + 2 <= efrm) { 1913 if (frm + 2 + frm[1] > efrm) { 1914 ic->ic_stats.is_rx_elem_toosmall++; 1915 break; 1916 } 1917 switch (frm[0]) { 1918 case IEEE80211_ELEMID_SSID: 1919 ssid = frm; 1920 break; 1921 case IEEE80211_ELEMID_RATES: 1922 rates = frm; 1923 break; 1924 case IEEE80211_ELEMID_XRATES: 1925 xrates = frm; 1926 break; 1927 case IEEE80211_ELEMID_RSN: 1928 rsnie = frm; 1929 break; 1930 case IEEE80211_ELEMID_QOS_CAP: 1931 break; 1932 case IEEE80211_ELEMID_HTCAPS: 1933 htcaps = frm; 1934 break; 1935 case IEEE80211_ELEMID_VENDOR: 1936 if (frm[1] < 4) { 1937 ic->ic_stats.is_rx_elem_toosmall++; 1938 break; 1939 } 1940 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1941 if (frm[5] == 1) 1942 wpaie = frm; 1943 } 1944 break; 1945 } 1946 frm += 2 + frm[1]; 1947 } 1948 /* supported rates element is mandatory */ 1949 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1950 DPRINTF(("invalid supported rates element\n")); 1951 return; 1952 } 1953 /* SSID element is mandatory */ 1954 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1955 DPRINTF(("invalid SSID element\n")); 1956 return; 1957 } 1958 /* check that the specified SSID matches ours */ 1959 if (ssid[1] != ic->ic_bss->ni_esslen || 1960 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 1961 DPRINTF(("SSID mismatch\n")); 1962 ic->ic_stats.is_rx_ssidmismatch++; 1963 return; 1964 } 1965 1966 if (ni->ni_state != IEEE80211_STA_AUTH && 1967 ni->ni_state != IEEE80211_STA_ASSOC) { 1968 DPRINTF(("deny %sassoc from %s, not authenticated\n", 1969 reassoc ? "re" : "", 1970 ether_sprintf((u_int8_t *)wh->i_addr2))); 1971 ni = ieee80211_find_node(ic, wh->i_addr2); 1972 if (ni == NULL) 1973 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1974 if (ni != NULL) { 1975 IEEE80211_SEND_MGMT(ic, ni, 1976 IEEE80211_FC0_SUBTYPE_DEAUTH, 1977 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1978 } 1979 ic->ic_stats.is_rx_assoc_notauth++; 1980 return; 1981 } 1982 1983 if (ni->ni_state == IEEE80211_STA_ASSOC && 1984 (ni->ni_flags & IEEE80211_NODE_MFP)) { 1985 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 1986 /* send a protected Disassociate frame */ 1987 IEEE80211_SEND_MGMT(ic, ni, 1988 IEEE80211_FC0_SUBTYPE_DISASSOC, 1989 IEEE80211_REASON_AUTH_EXPIRE); 1990 /* terminate the old SA */ 1991 ieee80211_node_leave(ic, ni); 1992 } else { 1993 /* reject the (Re)Association Request temporarily */ 1994 IEEE80211_SEND_MGMT(ic, ni, resp, 1995 IEEE80211_STATUS_TRY_AGAIN_LATER); 1996 /* start SA Query procedure if not already engaged */ 1997 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 1998 ieee80211_sa_query_request(ic, ni); 1999 /* do not modify association state */ 2000 } 2001 return; 2002 } 2003 2004 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 2005 ic->ic_stats.is_rx_assoc_capmismatch++; 2006 status = IEEE80211_STATUS_CAPINFO; 2007 goto end; 2008 } 2009 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2010 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2011 IEEE80211_F_DODEL); 2012 if (rate & IEEE80211_RATE_BASIC) { 2013 ic->ic_stats.is_rx_assoc_norate++; 2014 status = IEEE80211_STATUS_BASIC_RATE; 2015 goto end; 2016 } 2017 2018 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2019 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 2020 ni->ni_rsnakms = 0; 2021 ni->ni_supported_rsnakms = 0; 2022 ni->ni_rsnciphers = 0; 2023 ni->ni_rsngroupcipher = 0; 2024 ni->ni_rsngroupmgmtcipher = 0; 2025 ni->ni_rsncaps = 0; 2026 2027 /* 2028 * A station should never include both a WPA and an RSN IE 2029 * in its (Re)Association Requests, but if it does, we only 2030 * consider the IE of the highest version of the protocol 2031 * that is allowed (ie RSN over WPA). 2032 */ 2033 if (rsnie != NULL) { 2034 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 2035 if (status != 0) 2036 goto end; 2037 ni->ni_supported_rsnprotos = IEEE80211_PROTO_RSN; 2038 ni->ni_supported_rsnakms = rsn.rsn_akms; 2039 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2040 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 2041 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 2042 saveie = rsnie; 2043 } 2044 } else if (wpaie != NULL) { 2045 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 2046 if (status != 0) 2047 goto end; 2048 ni->ni_supported_rsnprotos = IEEE80211_PROTO_WPA; 2049 ni->ni_supported_rsnakms = rsn.rsn_akms; 2050 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2051 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 2052 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 2053 saveie = wpaie; 2054 } 2055 } 2056 2057 if (ic->ic_flags & IEEE80211_F_RSNON) { 2058 if (ni->ni_rsnprotos == IEEE80211_PROTO_NONE) { 2059 /* 2060 * In an RSN, an AP shall not associate with STAs 2061 * that fail to include the RSN IE in the 2062 * (Re)Association Request. 2063 */ 2064 status = IEEE80211_STATUS_IE_INVALID; 2065 goto end; 2066 } 2067 /* 2068 * The initiating STA's RSN IE shall include one authentication 2069 * and pairwise cipher suite among those advertised by the 2070 * targeted AP. It shall also specify the group cipher suite 2071 * specified by the targeted AP. 2072 */ 2073 if (rsn.rsn_nakms != 1 || 2074 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2075 status = IEEE80211_STATUS_BAD_AKMP; 2076 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2077 goto end; 2078 } 2079 if (rsn.rsn_nciphers != 1 || 2080 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2081 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2082 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2083 goto end; 2084 } 2085 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2086 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2087 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2088 goto end; 2089 } 2090 2091 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2092 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2093 status = IEEE80211_STATUS_MFP_POLICY; 2094 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2095 goto end; 2096 } 2097 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2098 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2099 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2100 /* STA advertises an invalid setting */ 2101 status = IEEE80211_STATUS_MFP_POLICY; 2102 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2103 goto end; 2104 } 2105 /* 2106 * A STA that has associated with Management Frame Protection 2107 * enabled shall not use cipher suite pairwise selector WEP40, 2108 * WEP104, TKIP, or "Use Group cipher suite". 2109 */ 2110 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2111 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2112 rsn.rsn_groupmgmtcipher != 2113 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2114 status = IEEE80211_STATUS_MFP_POLICY; 2115 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2116 goto end; 2117 } 2118 2119 /* 2120 * Disallow new associations using TKIP if countermeasures 2121 * are active. 2122 */ 2123 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2124 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2125 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2126 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2127 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2128 goto end; 2129 } 2130 2131 /* everything looks fine, save IE and parameters */ 2132 if (saveie == NULL || 2133 ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2134 status = IEEE80211_STATUS_TOOMANY; 2135 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2136 goto end; 2137 } 2138 ni->ni_rsnakms = rsn.rsn_akms; 2139 ni->ni_rsnciphers = rsn.rsn_ciphers; 2140 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2141 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2142 ni->ni_rsncaps = rsn.rsn_caps; 2143 2144 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2145 struct ieee80211_pmk *pmk = NULL; 2146 const u_int8_t *pmkid = rsn.rsn_pmkids; 2147 /* 2148 * Check if we have a cached PMK entry matching one 2149 * of the PMKIDs specified in the RSN IE. 2150 */ 2151 while (rsn.rsn_npmkids-- > 0) { 2152 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2153 if (pmk != NULL) 2154 break; 2155 pmkid += IEEE80211_PMKID_LEN; 2156 } 2157 if (pmk != NULL) { 2158 memcpy(ni->ni_pmk, pmk->pmk_key, 2159 IEEE80211_PMK_LEN); 2160 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2161 IEEE80211_PMKID_LEN); 2162 ni->ni_flags |= IEEE80211_NODE_PMK; 2163 } 2164 } 2165 } 2166 2167 ni->ni_rssi = rxi->rxi_rssi; 2168 ni->ni_rstamp = rxi->rxi_tstamp; 2169 ni->ni_intval = bintval; 2170 ni->ni_capinfo = capinfo; 2171 ni->ni_chan = ic->ic_bss->ni_chan; 2172 if (htcaps) 2173 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2174 else 2175 ieee80211_clear_htcaps(ni); 2176 end: 2177 if (status != 0) { 2178 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2179 ieee80211_node_leave(ic, ni); 2180 } else 2181 ieee80211_node_join(ic, ni, resp); 2182 } 2183 #endif /* IEEE80211_STA_ONLY */ 2184 2185 /*- 2186 * (Re)Association response frame format: 2187 * [2] Capability information 2188 * [2] Status code 2189 * [2] Association ID (AID) 2190 * [tlv] Supported rates 2191 * [tlv] Extended Supported Rates (802.11g) 2192 * [tlv] EDCA Parameter Set (802.11e) 2193 * [tlv] HT Capabilities (802.11n) 2194 * [tlv] HT Operation (802.11n) 2195 */ 2196 void 2197 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2198 struct ieee80211_node *ni, int reassoc) 2199 { 2200 struct ifnet *ifp = &ic->ic_if; 2201 const struct ieee80211_frame *wh; 2202 const u_int8_t *frm, *efrm; 2203 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2204 u_int16_t capinfo, status, associd; 2205 u_int8_t rate; 2206 2207 if (ic->ic_opmode != IEEE80211_M_STA || 2208 ic->ic_state != IEEE80211_S_ASSOC) { 2209 ic->ic_stats.is_rx_mgtdiscard++; 2210 return; 2211 } 2212 2213 /* make sure all mandatory fixed fields are present */ 2214 if (m->m_len < sizeof(*wh) + 6) { 2215 DPRINTF(("frame too short\n")); 2216 return; 2217 } 2218 wh = mtod(m, struct ieee80211_frame *); 2219 frm = (const u_int8_t *)&wh[1]; 2220 efrm = mtod(m, u_int8_t *) + m->m_len; 2221 2222 capinfo = LE_READ_2(frm); frm += 2; 2223 status = LE_READ_2(frm); frm += 2; 2224 if (status != IEEE80211_STATUS_SUCCESS) { 2225 if (ifp->if_flags & IFF_DEBUG) 2226 printf("%s: %sassociation failed (status %d)" 2227 " for %s\n", ifp->if_xname, 2228 reassoc ? "re" : "", 2229 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2230 if (ni != ic->ic_bss) 2231 ni->ni_fails++; 2232 ic->ic_stats.is_rx_auth_fail++; 2233 return; 2234 } 2235 associd = LE_READ_2(frm); frm += 2; 2236 2237 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2238 while (frm + 2 <= efrm) { 2239 if (frm + 2 + frm[1] > efrm) { 2240 ic->ic_stats.is_rx_elem_toosmall++; 2241 break; 2242 } 2243 switch (frm[0]) { 2244 case IEEE80211_ELEMID_RATES: 2245 rates = frm; 2246 break; 2247 case IEEE80211_ELEMID_XRATES: 2248 xrates = frm; 2249 break; 2250 case IEEE80211_ELEMID_EDCAPARMS: 2251 edcaie = frm; 2252 break; 2253 case IEEE80211_ELEMID_HTCAPS: 2254 htcaps = frm; 2255 break; 2256 case IEEE80211_ELEMID_HTOP: 2257 htop = frm; 2258 break; 2259 case IEEE80211_ELEMID_VENDOR: 2260 if (frm[1] < 4) { 2261 ic->ic_stats.is_rx_elem_toosmall++; 2262 break; 2263 } 2264 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2265 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2266 wmmie = frm; 2267 } 2268 break; 2269 } 2270 frm += 2 + frm[1]; 2271 } 2272 /* supported rates element is mandatory */ 2273 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2274 DPRINTF(("invalid supported rates element\n")); 2275 return; 2276 } 2277 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2278 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2279 IEEE80211_F_DODEL); 2280 if (rate & IEEE80211_RATE_BASIC) { 2281 DPRINTF(("rate mismatch for %s\n", 2282 ether_sprintf((u_int8_t *)wh->i_addr2))); 2283 ic->ic_stats.is_rx_assoc_norate++; 2284 return; 2285 } 2286 ni->ni_capinfo = capinfo; 2287 ni->ni_associd = associd; 2288 if (edcaie != NULL || wmmie != NULL) { 2289 /* force update of EDCA parameters */ 2290 ic->ic_edca_updtcount = -1; 2291 2292 if ((edcaie != NULL && 2293 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2294 (wmmie != NULL && 2295 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2296 ni->ni_flags |= IEEE80211_NODE_QOS; 2297 else /* for Reassociation */ 2298 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2299 } 2300 if (htcaps) 2301 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2302 if (htop) 2303 ieee80211_setup_htop(ni, htop + 2, htop[1]); 2304 ieee80211_ht_negotiate(ic, ni); 2305 2306 /* Hop into 11n mode after associating to an HT AP in a non-11n mode. */ 2307 if (ni->ni_flags & IEEE80211_NODE_HT) 2308 ieee80211_setmode(ic, IEEE80211_MODE_11N); 2309 else 2310 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan)); 2311 /* 2312 * Reset the erp state (mostly the slot time) now that 2313 * our operating mode has been nailed down. 2314 */ 2315 ieee80211_reset_erp(ic); 2316 2317 /* 2318 * Configure state now that we are associated. 2319 */ 2320 if (ic->ic_curmode == IEEE80211_MODE_11A || 2321 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2322 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2323 else 2324 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2325 2326 ieee80211_set_shortslottime(ic, 2327 ic->ic_curmode == IEEE80211_MODE_11A || 2328 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2329 /* 2330 * Honor ERP protection. 2331 */ 2332 if ((ic->ic_curmode == IEEE80211_MODE_11G || 2333 (ic->ic_curmode == IEEE80211_MODE_11N && 2334 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 2335 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2336 ic->ic_flags |= IEEE80211_F_USEPROT; 2337 else 2338 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2339 /* 2340 * If not an RSNA, mark the port as valid, otherwise wait for 2341 * 802.1X authentication and 4-way handshake to complete.. 2342 */ 2343 if (ic->ic_flags & IEEE80211_F_RSNON) { 2344 /* XXX ic->ic_mgt_timer = 5; */ 2345 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 2346 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2347 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2348 2349 ieee80211_new_state(ic, IEEE80211_S_RUN, 2350 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2351 } 2352 2353 /*- 2354 * Deauthentication frame format: 2355 * [2] Reason code 2356 */ 2357 void 2358 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2359 struct ieee80211_node *ni) 2360 { 2361 const struct ieee80211_frame *wh; 2362 const u_int8_t *frm; 2363 u_int16_t reason; 2364 2365 /* make sure all mandatory fixed fields are present */ 2366 if (m->m_len < sizeof(*wh) + 2) { 2367 DPRINTF(("frame too short\n")); 2368 return; 2369 } 2370 wh = mtod(m, struct ieee80211_frame *); 2371 frm = (const u_int8_t *)&wh[1]; 2372 2373 reason = LE_READ_2(frm); 2374 2375 ic->ic_stats.is_rx_deauth++; 2376 switch (ic->ic_opmode) { 2377 case IEEE80211_M_STA: { 2378 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2379 ic->ic_state == IEEE80211_S_RUN); 2380 if (!bgscan) /* ignore deauth during bgscan */ 2381 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2382 IEEE80211_FC0_SUBTYPE_DEAUTH); 2383 } 2384 break; 2385 #ifndef IEEE80211_STA_ONLY 2386 case IEEE80211_M_HOSTAP: 2387 if (ni != ic->ic_bss) { 2388 if (ic->ic_if.if_flags & IFF_DEBUG) 2389 printf("%s: station %s deauthenticated " 2390 "by peer (reason %d)\n", 2391 ic->ic_if.if_xname, 2392 ether_sprintf(ni->ni_macaddr), 2393 reason); 2394 ieee80211_node_leave(ic, ni); 2395 } 2396 break; 2397 #endif 2398 default: 2399 break; 2400 } 2401 } 2402 2403 /*- 2404 * Disassociation frame format: 2405 * [2] Reason code 2406 */ 2407 void 2408 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2409 struct ieee80211_node *ni) 2410 { 2411 const struct ieee80211_frame *wh; 2412 const u_int8_t *frm; 2413 u_int16_t reason; 2414 2415 /* make sure all mandatory fixed fields are present */ 2416 if (m->m_len < sizeof(*wh) + 2) { 2417 DPRINTF(("frame too short\n")); 2418 return; 2419 } 2420 wh = mtod(m, struct ieee80211_frame *); 2421 frm = (const u_int8_t *)&wh[1]; 2422 2423 reason = LE_READ_2(frm); 2424 2425 ic->ic_stats.is_rx_disassoc++; 2426 switch (ic->ic_opmode) { 2427 case IEEE80211_M_STA: { 2428 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2429 ic->ic_state == IEEE80211_S_RUN); 2430 if (!bgscan) /* ignore disassoc during bgscan */ 2431 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2432 IEEE80211_FC0_SUBTYPE_DISASSOC); 2433 } 2434 break; 2435 #ifndef IEEE80211_STA_ONLY 2436 case IEEE80211_M_HOSTAP: 2437 if (ni != ic->ic_bss) { 2438 if (ic->ic_if.if_flags & IFF_DEBUG) 2439 printf("%s: station %s disassociated " 2440 "by peer (reason %d)\n", 2441 ic->ic_if.if_xname, 2442 ether_sprintf(ni->ni_macaddr), 2443 reason); 2444 ieee80211_node_leave(ic, ni); 2445 } 2446 break; 2447 #endif 2448 default: 2449 break; 2450 } 2451 } 2452 2453 /*- 2454 * ADDBA Request frame format: 2455 * [1] Category 2456 * [1] Action 2457 * [1] Dialog Token 2458 * [2] Block Ack Parameter Set 2459 * [2] Block Ack Timeout Value 2460 * [2] Block Ack Starting Sequence Control 2461 */ 2462 void 2463 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2464 struct ieee80211_node *ni) 2465 { 2466 const struct ieee80211_frame *wh; 2467 const u_int8_t *frm; 2468 struct ieee80211_rx_ba *ba; 2469 u_int16_t params, ssn, bufsz, timeout; 2470 u_int8_t token, tid; 2471 int err = 0; 2472 2473 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2474 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2475 ether_sprintf(ni->ni_macaddr))); 2476 return; 2477 } 2478 if (m->m_len < sizeof(*wh) + 9) { 2479 DPRINTF(("frame too short\n")); 2480 return; 2481 } 2482 /* MLME-ADDBA.indication */ 2483 wh = mtod(m, struct ieee80211_frame *); 2484 frm = (const u_int8_t *)&wh[1]; 2485 2486 token = frm[2]; 2487 params = LE_READ_2(&frm[3]); 2488 tid = ((params & IEEE80211_ADDBA_TID_MASK) >> 2489 IEEE80211_ADDBA_TID_SHIFT); 2490 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >> 2491 IEEE80211_ADDBA_BUFSZ_SHIFT; 2492 timeout = LE_READ_2(&frm[5]); 2493 ssn = LE_READ_2(&frm[7]) >> 4; 2494 2495 ba = &ni->ni_rx_ba[tid]; 2496 /* check if we already have a Block Ack agreement for this RA/TID */ 2497 if (ba->ba_state == IEEE80211_BA_AGREED) { 2498 /* XXX should we update the timeout value? */ 2499 /* reset Block Ack inactivity timer */ 2500 if (ba->ba_timeout_val != 0) 2501 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2502 2503 /* check if it's a Protected Block Ack agreement */ 2504 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2505 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2506 return; /* not a PBAC, ignore */ 2507 2508 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2509 if (SEQ_LT(ba->ba_winstart, ssn)) 2510 ieee80211_ba_move_window(ic, ni, tid, ssn); 2511 return; 2512 } 2513 2514 /* if PBAC required but RA does not support it, refuse request */ 2515 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2516 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2517 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) 2518 goto refuse; 2519 /* 2520 * If the TID for which the Block Ack agreement is requested is 2521 * configured with a no-ACK policy, refuse the agreement. 2522 */ 2523 if (ic->ic_tid_noack & (1 << tid)) 2524 goto refuse; 2525 2526 /* check that we support the requested Block Ack Policy */ 2527 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2528 !(params & IEEE80211_ADDBA_BA_POLICY)) 2529 goto refuse; 2530 2531 /* setup Block Ack agreement */ 2532 ba->ba_state = IEEE80211_BA_INIT; 2533 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2534 ba->ba_ni = ni; 2535 ba->ba_token = token; 2536 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2537 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba); 2538 ba->ba_winsize = bufsz; 2539 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2540 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2541 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY); 2542 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 2543 (tid << IEEE80211_ADDBA_TID_SHIFT) | IEEE80211_ADDBA_AMSDU); 2544 ba->ba_winstart = ssn; 2545 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2546 /* allocate and setup our reordering buffer */ 2547 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2548 M_DEVBUF, M_NOWAIT | M_ZERO); 2549 if (ba->ba_buf == NULL) 2550 goto refuse; 2551 2552 ba->ba_head = 0; 2553 2554 /* notify drivers of this new Block Ack agreement */ 2555 if (ic->ic_ampdu_rx_start != NULL) 2556 err = ic->ic_ampdu_rx_start(ic, ni, tid); 2557 if (err == EBUSY) { 2558 /* driver will accept or refuse agreement when done */ 2559 return; 2560 } else if (err) { 2561 /* driver failed to setup, rollback */ 2562 ieee80211_addba_req_refuse(ic, ni, tid); 2563 } else 2564 ieee80211_addba_req_accept(ic, ni, tid); 2565 return; 2566 2567 refuse: 2568 /* MLME-ADDBA.response */ 2569 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2570 IEEE80211_ACTION_ADDBA_RESP, 2571 IEEE80211_STATUS_REFUSED << 16 | token << 8 | tid); 2572 } 2573 2574 void 2575 ieee80211_addba_req_accept(struct ieee80211com *ic, struct ieee80211_node *ni, 2576 uint8_t tid) 2577 { 2578 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2579 2580 ba->ba_state = IEEE80211_BA_AGREED; 2581 ic->ic_stats.is_ht_rx_ba_agreements++; 2582 /* start Block Ack inactivity timer */ 2583 if (ba->ba_timeout_val != 0) 2584 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2585 2586 /* MLME-ADDBA.response */ 2587 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2588 IEEE80211_ACTION_ADDBA_RESP, 2589 IEEE80211_STATUS_SUCCESS << 16 | ba->ba_token << 8 | tid); 2590 } 2591 2592 void 2593 ieee80211_addba_req_refuse(struct ieee80211com *ic, struct ieee80211_node *ni, 2594 uint8_t tid) 2595 { 2596 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2597 2598 free(ba->ba_buf, M_DEVBUF, 2599 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2600 ba->ba_buf = NULL; 2601 2602 /* MLME-ADDBA.response */ 2603 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2604 IEEE80211_ACTION_ADDBA_RESP, 2605 IEEE80211_STATUS_REFUSED << 16 | ba->ba_token << 8 | tid); 2606 } 2607 2608 /*- 2609 * ADDBA Response frame format: 2610 * [1] Category 2611 * [1] Action 2612 * [1] Dialog Token 2613 * [2] Status Code 2614 * [2] Block Ack Parameter Set 2615 * [2] Block Ack Timeout Value 2616 */ 2617 void 2618 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2619 struct ieee80211_node *ni) 2620 { 2621 const struct ieee80211_frame *wh; 2622 const u_int8_t *frm; 2623 struct ieee80211_tx_ba *ba; 2624 u_int16_t status, params, bufsz, timeout; 2625 u_int8_t token, tid; 2626 2627 if (m->m_len < sizeof(*wh) + 9) { 2628 DPRINTF(("frame too short\n")); 2629 return; 2630 } 2631 wh = mtod(m, struct ieee80211_frame *); 2632 frm = (const u_int8_t *)&wh[1]; 2633 2634 token = frm[2]; 2635 status = LE_READ_2(&frm[3]); 2636 params = LE_READ_2(&frm[5]); 2637 tid = (params >> 2) & 0xf; 2638 bufsz = (params >> 6) & 0x3ff; 2639 timeout = LE_READ_2(&frm[7]); 2640 2641 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2642 ether_sprintf(ni->ni_macaddr), tid, status)); 2643 2644 /* 2645 * Ignore if no ADDBA request has been sent for this RA/TID or 2646 * if we already have a Block Ack agreement. 2647 */ 2648 ba = &ni->ni_tx_ba[tid]; 2649 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2650 DPRINTF(("no matching ADDBA req found\n")); 2651 return; 2652 } 2653 if (token != ba->ba_token) { 2654 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2655 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2656 return; 2657 } 2658 /* we got an ADDBA Response matching our request, stop timeout */ 2659 timeout_del(&ba->ba_to); 2660 2661 if (status != IEEE80211_STATUS_SUCCESS) { 2662 /* MLME-ADDBA.confirm(Failure) */ 2663 ba->ba_state = IEEE80211_BA_INIT; 2664 return; 2665 } 2666 /* MLME-ADDBA.confirm(Success) */ 2667 ba->ba_state = IEEE80211_BA_AGREED; 2668 ic->ic_stats.is_ht_tx_ba_agreements++; 2669 2670 /* notify drivers of this new Block Ack agreement */ 2671 if (ic->ic_ampdu_tx_start != NULL) 2672 (void)ic->ic_ampdu_tx_start(ic, ni, tid); 2673 2674 /* start Block Ack inactivity timeout */ 2675 if (ba->ba_timeout_val != 0) 2676 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2677 } 2678 2679 /*- 2680 * DELBA frame format: 2681 * [1] Category 2682 * [1] Action 2683 * [2] DELBA Parameter Set 2684 * [2] Reason Code 2685 */ 2686 void 2687 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 2688 struct ieee80211_node *ni) 2689 { 2690 const struct ieee80211_frame *wh; 2691 const u_int8_t *frm; 2692 u_int16_t params, reason; 2693 u_int8_t tid; 2694 int i; 2695 2696 if (m->m_len < sizeof(*wh) + 6) { 2697 DPRINTF(("frame too short\n")); 2698 return; 2699 } 2700 wh = mtod(m, struct ieee80211_frame *); 2701 frm = (const u_int8_t *)&wh[1]; 2702 2703 params = LE_READ_2(&frm[2]); 2704 reason = LE_READ_2(&frm[4]); 2705 tid = params >> 12; 2706 2707 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 2708 ether_sprintf(ni->ni_macaddr), tid, reason)); 2709 2710 if (params & IEEE80211_DELBA_INITIATOR) { 2711 /* MLME-DELBA.indication(Originator) */ 2712 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2713 2714 if (ba->ba_state != IEEE80211_BA_AGREED) { 2715 DPRINTF(("no matching Block Ack agreement\n")); 2716 return; 2717 } 2718 /* notify drivers of the end of the Block Ack agreement */ 2719 if (ic->ic_ampdu_rx_stop != NULL) 2720 ic->ic_ampdu_rx_stop(ic, ni, tid); 2721 2722 ba->ba_state = IEEE80211_BA_INIT; 2723 /* stop Block Ack inactivity timer */ 2724 timeout_del(&ba->ba_to); 2725 timeout_del(&ba->ba_gap_to); 2726 2727 if (ba->ba_buf != NULL) { 2728 /* free all MSDUs stored in reordering buffer */ 2729 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 2730 m_freem(ba->ba_buf[i].m); 2731 /* free reordering buffer */ 2732 free(ba->ba_buf, M_DEVBUF, 2733 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2734 ba->ba_buf = NULL; 2735 } 2736 } else { 2737 /* MLME-DELBA.indication(Recipient) */ 2738 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2739 2740 if (ba->ba_state != IEEE80211_BA_AGREED) { 2741 DPRINTF(("no matching Block Ack agreement\n")); 2742 return; 2743 } 2744 /* notify drivers of the end of the Block Ack agreement */ 2745 if (ic->ic_ampdu_tx_stop != NULL) 2746 ic->ic_ampdu_tx_stop(ic, ni, tid); 2747 2748 ba->ba_state = IEEE80211_BA_INIT; 2749 /* stop Block Ack inactivity timer */ 2750 timeout_del(&ba->ba_to); 2751 } 2752 } 2753 2754 /*- 2755 * SA Query Request frame format: 2756 * [1] Category 2757 * [1] Action 2758 * [2] Transaction Identifier 2759 */ 2760 void 2761 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 2762 struct ieee80211_node *ni) 2763 { 2764 const struct ieee80211_frame *wh; 2765 const u_int8_t *frm; 2766 2767 if (ic->ic_opmode != IEEE80211_M_STA || 2768 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 2769 DPRINTF(("unexpected SA Query req from %s\n", 2770 ether_sprintf(ni->ni_macaddr))); 2771 return; 2772 } 2773 if (m->m_len < sizeof(*wh) + 4) { 2774 DPRINTF(("frame too short\n")); 2775 return; 2776 } 2777 wh = mtod(m, struct ieee80211_frame *); 2778 frm = (const u_int8_t *)&wh[1]; 2779 2780 /* MLME-SAQuery.indication */ 2781 2782 /* save Transaction Identifier for SA Query Response */ 2783 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 2784 2785 /* MLME-SAQuery.response */ 2786 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 2787 IEEE80211_ACTION_SA_QUERY_RESP, 0); 2788 } 2789 2790 #ifndef IEEE80211_STA_ONLY 2791 /*- 2792 * SA Query Response frame format: 2793 * [1] Category 2794 * [1] Action 2795 * [2] Transaction Identifier 2796 */ 2797 void 2798 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 2799 struct ieee80211_node *ni) 2800 { 2801 const struct ieee80211_frame *wh; 2802 const u_int8_t *frm; 2803 2804 /* ignore if we're not engaged in an SA Query with that STA */ 2805 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 2806 DPRINTF(("unexpected SA Query resp from %s\n", 2807 ether_sprintf(ni->ni_macaddr))); 2808 return; 2809 } 2810 if (m->m_len < sizeof(*wh) + 4) { 2811 DPRINTF(("frame too short\n")); 2812 return; 2813 } 2814 wh = mtod(m, struct ieee80211_frame *); 2815 frm = (const u_int8_t *)&wh[1]; 2816 2817 /* check that Transaction Identifier matches */ 2818 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 2819 DPRINTF(("transaction identifier does not match\n")); 2820 return; 2821 } 2822 /* MLME-SAQuery.confirm */ 2823 timeout_del(&ni->ni_sa_query_to); 2824 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 2825 } 2826 #endif 2827 2828 /*- 2829 * Action frame format: 2830 * [1] Category 2831 * [1] Action 2832 */ 2833 void 2834 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 2835 struct ieee80211_node *ni) 2836 { 2837 const struct ieee80211_frame *wh; 2838 const u_int8_t *frm; 2839 2840 if (m->m_len < sizeof(*wh) + 2) { 2841 DPRINTF(("frame too short\n")); 2842 return; 2843 } 2844 wh = mtod(m, struct ieee80211_frame *); 2845 frm = (const u_int8_t *)&wh[1]; 2846 2847 switch (frm[0]) { 2848 case IEEE80211_CATEG_BA: 2849 switch (frm[1]) { 2850 case IEEE80211_ACTION_ADDBA_REQ: 2851 ieee80211_recv_addba_req(ic, m, ni); 2852 break; 2853 case IEEE80211_ACTION_ADDBA_RESP: 2854 ieee80211_recv_addba_resp(ic, m, ni); 2855 break; 2856 case IEEE80211_ACTION_DELBA: 2857 ieee80211_recv_delba(ic, m, ni); 2858 break; 2859 } 2860 break; 2861 case IEEE80211_CATEG_SA_QUERY: 2862 switch (frm[1]) { 2863 case IEEE80211_ACTION_SA_QUERY_REQ: 2864 ieee80211_recv_sa_query_req(ic, m, ni); 2865 break; 2866 #ifndef IEEE80211_STA_ONLY 2867 case IEEE80211_ACTION_SA_QUERY_RESP: 2868 ieee80211_recv_sa_query_resp(ic, m, ni); 2869 break; 2870 #endif 2871 } 2872 break; 2873 default: 2874 DPRINTF(("action frame category %d not handled\n", frm[0])); 2875 break; 2876 } 2877 } 2878 2879 void 2880 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 2881 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 2882 { 2883 switch (subtype) { 2884 case IEEE80211_FC0_SUBTYPE_BEACON: 2885 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 2886 break; 2887 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 2888 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 2889 break; 2890 #ifndef IEEE80211_STA_ONLY 2891 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2892 ieee80211_recv_probe_req(ic, m, ni, rxi); 2893 break; 2894 #endif 2895 case IEEE80211_FC0_SUBTYPE_AUTH: 2896 ieee80211_recv_auth(ic, m, ni, rxi); 2897 break; 2898 #ifndef IEEE80211_STA_ONLY 2899 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2900 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 2901 break; 2902 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 2903 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 2904 break; 2905 #endif 2906 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2907 ieee80211_recv_assoc_resp(ic, m, ni, 0); 2908 break; 2909 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2910 ieee80211_recv_assoc_resp(ic, m, ni, 1); 2911 break; 2912 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2913 ieee80211_recv_deauth(ic, m, ni); 2914 break; 2915 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2916 ieee80211_recv_disassoc(ic, m, ni); 2917 break; 2918 case IEEE80211_FC0_SUBTYPE_ACTION: 2919 ieee80211_recv_action(ic, m, ni); 2920 break; 2921 default: 2922 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 2923 subtype)); 2924 ic->ic_stats.is_rx_badsubtype++; 2925 break; 2926 } 2927 } 2928 2929 #ifndef IEEE80211_STA_ONLY 2930 /* 2931 * Process an incoming PS-Poll control frame (see 11.2). 2932 */ 2933 void 2934 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 2935 struct ieee80211_node *ni) 2936 { 2937 struct ifnet *ifp = &ic->ic_if; 2938 struct ieee80211_frame_pspoll *psp; 2939 struct ieee80211_frame *wh; 2940 u_int16_t aid; 2941 2942 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2943 !(ic->ic_caps & IEEE80211_C_APPMGT) || 2944 ni->ni_state != IEEE80211_STA_ASSOC) 2945 return; 2946 2947 if (m->m_len < sizeof(*psp)) { 2948 DPRINTF(("frame too short, len %u\n", m->m_len)); 2949 ic->ic_stats.is_rx_tooshort++; 2950 return; 2951 } 2952 psp = mtod(m, struct ieee80211_frame_pspoll *); 2953 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 2954 DPRINTF(("discard pspoll frame to BSS %s\n", 2955 ether_sprintf(psp->i_bssid))); 2956 ic->ic_stats.is_rx_wrongbss++; 2957 return; 2958 } 2959 aid = letoh16(*(u_int16_t *)psp->i_aid); 2960 if (aid != ni->ni_associd) { 2961 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 2962 ether_sprintf(psp->i_ta))); 2963 return; 2964 } 2965 2966 /* take the first queued frame and put it out.. */ 2967 m = mq_dequeue(&ni->ni_savedq); 2968 if (m == NULL) 2969 return; 2970 if (mq_empty(&ni->ni_savedq)) { 2971 /* last queued frame, turn off the TIM bit */ 2972 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 2973 } else { 2974 /* more queued frames, set the more data bit */ 2975 wh = mtod(m, struct ieee80211_frame *); 2976 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 2977 } 2978 mq_enqueue(&ic->ic_pwrsaveq, m); 2979 if_start(ifp); 2980 } 2981 #endif /* IEEE80211_STA_ONLY */ 2982 2983 /* 2984 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 2985 */ 2986 void 2987 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 2988 struct ieee80211_node *ni) 2989 { 2990 const struct ieee80211_frame_min *wh; 2991 const u_int8_t *frm; 2992 u_int16_t ctl, ssn; 2993 u_int8_t tid, ntids; 2994 2995 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2996 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 2997 ether_sprintf(ni->ni_macaddr))); 2998 return; 2999 } 3000 if (m->m_len < sizeof(*wh) + 4) { 3001 DPRINTF(("frame too short\n")); 3002 return; 3003 } 3004 wh = mtod(m, struct ieee80211_frame_min *); 3005 frm = (const u_int8_t *)&wh[1]; 3006 3007 /* read BlockAckReq Control field */ 3008 ctl = LE_READ_2(&frm[0]); 3009 tid = ctl >> 12; 3010 3011 /* determine BlockAckReq frame variant */ 3012 if (ctl & IEEE80211_BA_MULTI_TID) { 3013 /* Multi-TID BlockAckReq variant (PSMP only) */ 3014 ntids = tid + 1; 3015 3016 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 3017 DPRINTF(("MTBAR frame too short\n")); 3018 return; 3019 } 3020 frm += 2; /* skip BlockAckReq Control field */ 3021 while (ntids-- > 0) { 3022 /* read MTBAR Information field */ 3023 tid = LE_READ_2(&frm[0]) >> 12; 3024 ssn = LE_READ_2(&frm[2]) >> 4; 3025 ieee80211_bar_tid(ic, ni, tid, ssn); 3026 frm += 4; 3027 } 3028 } else { 3029 /* Basic or Compressed BlockAckReq variants */ 3030 ssn = LE_READ_2(&frm[2]) >> 4; 3031 ieee80211_bar_tid(ic, ni, tid, ssn); 3032 } 3033 } 3034 3035 /* 3036 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 3037 * This is the common back-end for all BlockAckReq frame variants. 3038 */ 3039 void 3040 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 3041 u_int8_t tid, u_int16_t ssn) 3042 { 3043 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3044 3045 /* check if we have a Block Ack agreement for RA/TID */ 3046 if (ba->ba_state != IEEE80211_BA_AGREED) { 3047 /* XXX not sure in PBAC case */ 3048 /* send a DELBA with reason code UNKNOWN-BA */ 3049 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3050 IEEE80211_ACTION_DELBA, 3051 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 3052 return; 3053 } 3054 /* check if it is a Protected Block Ack agreement */ 3055 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 3056 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 3057 /* ADDBA Requests must be used in PBAC case */ 3058 if (SEQ_LT(ssn, ba->ba_winstart) || 3059 SEQ_LT(ba->ba_winend, ssn)) 3060 ic->ic_stats.is_pbac_errs++; 3061 return; /* PBAC, do not move window */ 3062 } 3063 /* reset Block Ack inactivity timer */ 3064 if (ba->ba_timeout_val != 0) 3065 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3066 3067 if (SEQ_LT(ba->ba_winstart, ssn)) 3068 ieee80211_ba_move_window(ic, ni, tid, ssn); 3069 } 3070