1 /* $OpenBSD: ieee80211_input.c,v 1.206 2019/05/12 18:12:38 stsp Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/sysctl.h> 44 #include <sys/task.h> 45 46 #include <net/if.h> 47 #include <net/if_dl.h> 48 #include <net/if_media.h> 49 #include <net/if_llc.h> 50 51 #if NBPFILTER > 0 52 #include <net/bpf.h> 53 #endif 54 55 #include <netinet/in.h> 56 #include <netinet/if_ether.h> 57 58 #include <net80211/ieee80211_var.h> 59 #include <net80211/ieee80211_priv.h> 60 61 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 62 void ieee80211_defrag_timeout(void *); 63 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *, 64 struct ieee80211_node *, int, struct ieee80211_rxinfo *); 65 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *, 66 struct ieee80211_rx_ba *); 67 void ieee80211_input_ba_gap_timeout(void *arg); 68 void ieee80211_ba_move_window(struct ieee80211com *, 69 struct ieee80211_node *, u_int8_t, u_int16_t); 70 void ieee80211_input_ba_seq(struct ieee80211com *, 71 struct ieee80211_node *, uint8_t, uint16_t); 72 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 73 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 74 struct ieee80211_node *, int); 75 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 76 struct ieee80211_node *, int); 77 void ieee80211_deliver_data(struct ieee80211com *, struct mbuf *, 78 struct ieee80211_node *, int); 79 int ieee80211_parse_edca_params_body(struct ieee80211com *, 80 const u_int8_t *); 81 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 82 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 83 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 84 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 85 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 86 u_int, struct ieee80211_rsnparams *); 87 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 88 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 89 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 90 #ifndef IEEE80211_STA_ONLY 91 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 92 struct ieee80211_node *, struct ieee80211_rxinfo *); 93 #endif 94 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 95 struct ieee80211_node *, struct ieee80211_rxinfo *); 96 #ifndef IEEE80211_STA_ONLY 97 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 98 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 99 #endif 100 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 101 struct ieee80211_node *, int); 102 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 103 struct ieee80211_node *); 104 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 105 struct ieee80211_node *); 106 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 107 struct ieee80211_node *); 108 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 109 struct ieee80211_node *); 110 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 111 struct ieee80211_node *); 112 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 113 struct ieee80211_node *); 114 #ifndef IEEE80211_STA_ONLY 115 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 116 struct ieee80211_node *); 117 #endif 118 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 119 struct ieee80211_node *); 120 #ifndef IEEE80211_STA_ONLY 121 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 122 struct ieee80211_node *); 123 #endif 124 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 125 struct ieee80211_node *); 126 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 127 u_int8_t, u_int16_t); 128 129 /* 130 * Retrieve the length in bytes of an 802.11 header. 131 */ 132 u_int 133 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 134 { 135 u_int size = sizeof(*wh); 136 137 /* NB: does not work with control frames */ 138 KASSERT(ieee80211_has_seq(wh)); 139 140 if (ieee80211_has_addr4(wh)) 141 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 142 if (ieee80211_has_qos(wh)) 143 size += sizeof(u_int16_t); /* i_qos */ 144 if (ieee80211_has_htc(wh)) 145 size += sizeof(u_int32_t); /* i_ht */ 146 return size; 147 } 148 149 /* 150 * Process a received frame. The node associated with the sender 151 * should be supplied. If nothing was found in the node table then 152 * the caller is assumed to supply a reference to ic_bss instead. 153 * The RSSI and a timestamp are also supplied. The RSSI data is used 154 * during AP scanning to select a AP to associate with; it can have 155 * any units so long as values have consistent units and higher values 156 * mean ``better signal''. The receive timestamp is currently not used 157 * by the 802.11 layer. 158 */ 159 void 160 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 161 struct ieee80211_rxinfo *rxi) 162 { 163 struct ieee80211com *ic = (void *)ifp; 164 struct ieee80211_frame *wh; 165 u_int16_t *orxseq, nrxseq, qos; 166 u_int8_t dir, type, subtype, tid; 167 int hdrlen, hasqos; 168 169 KASSERT(ni != NULL); 170 171 /* in monitor mode, send everything directly to bpf */ 172 if (ic->ic_opmode == IEEE80211_M_MONITOR) 173 goto out; 174 175 /* 176 * Do not process frames without an Address 2 field any further. 177 * Only CTS and ACK control frames do not have this field. 178 */ 179 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 180 DPRINTF(("frame too short, len %u\n", m->m_len)); 181 ic->ic_stats.is_rx_tooshort++; 182 goto out; 183 } 184 185 wh = mtod(m, struct ieee80211_frame *); 186 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 187 IEEE80211_FC0_VERSION_0) { 188 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 189 ic->ic_stats.is_rx_badversion++; 190 goto err; 191 } 192 193 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 194 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 195 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 196 197 if (type != IEEE80211_FC0_TYPE_CTL) { 198 hdrlen = ieee80211_get_hdrlen(wh); 199 if (m->m_len < hdrlen) { 200 DPRINTF(("frame too short, len %u\n", m->m_len)); 201 ic->ic_stats.is_rx_tooshort++; 202 goto err; 203 } 204 } 205 if ((hasqos = ieee80211_has_qos(wh))) { 206 qos = ieee80211_get_qos(wh); 207 tid = qos & IEEE80211_QOS_TID; 208 } else { 209 qos = 0; 210 tid = 0; 211 } 212 213 if (ic->ic_state == IEEE80211_S_RUN && 214 type == IEEE80211_FC0_TYPE_DATA && hasqos && 215 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 && 216 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE) 217 #ifndef IEEE80211_STA_ONLY 218 && (ic->ic_opmode == IEEE80211_M_STA || ni != ic->ic_bss) 219 #endif 220 ) { 221 int ba_state = ni->ni_rx_ba[tid].ba_state; 222 223 #ifndef IEEE80211_STA_ONLY 224 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 225 if (!IEEE80211_ADDR_EQ(wh->i_addr1, 226 ic->ic_bss->ni_bssid)) { 227 ic->ic_stats.is_rx_wrongbss++; 228 goto err; 229 } 230 if (ni->ni_state != IEEE80211_S_ASSOC) { 231 ic->ic_stats.is_rx_notassoc++; 232 goto err; 233 } 234 } 235 #endif 236 /* 237 * If Block Ack was explicitly requested, check 238 * if we have a BA agreement for this RA/TID. 239 */ 240 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 241 IEEE80211_QOS_ACK_POLICY_BA && 242 ba_state != IEEE80211_BA_AGREED) { 243 DPRINTF(("no BA agreement for %s, TID %d\n", 244 ether_sprintf(ni->ni_macaddr), tid)); 245 /* send a DELBA with reason code UNKNOWN-BA */ 246 IEEE80211_SEND_ACTION(ic, ni, 247 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 248 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 249 goto err; 250 } 251 252 /* 253 * Check if we have an explicit or implicit 254 * Block Ack Request for a valid BA agreement. 255 */ 256 if (ba_state == IEEE80211_BA_AGREED && 257 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 258 IEEE80211_QOS_ACK_POLICY_BA || 259 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 260 IEEE80211_QOS_ACK_POLICY_NORMAL)) { 261 /* go through A-MPDU reordering */ 262 ieee80211_input_ba(ic, m, ni, tid, rxi); 263 return; /* don't free m! */ 264 } 265 } 266 267 /* duplicate detection (see 9.2.9) */ 268 if (ieee80211_has_seq(wh) && 269 ic->ic_state != IEEE80211_S_SCAN) { 270 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 271 IEEE80211_SEQ_SEQ_SHIFT; 272 if (hasqos) 273 orxseq = &ni->ni_qos_rxseqs[tid]; 274 else 275 orxseq = &ni->ni_rxseq; 276 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 277 nrxseq == *orxseq) { 278 /* duplicate, silently discarded */ 279 ic->ic_stats.is_rx_dup++; 280 goto out; 281 } 282 *orxseq = nrxseq; 283 } 284 if (ic->ic_state > IEEE80211_S_SCAN) { 285 ni->ni_rssi = rxi->rxi_rssi; 286 ni->ni_rstamp = rxi->rxi_tstamp; 287 ni->ni_inact = 0; 288 289 if (ic->ic_state == IEEE80211_S_RUN && ic->ic_bgscan_start) { 290 /* Cancel or start background scan based on RSSI. */ 291 if ((*ic->ic_node_checkrssi)(ic, ni)) 292 timeout_del(&ic->ic_bgscan_timeout); 293 else if (!timeout_pending(&ic->ic_bgscan_timeout) && 294 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0 && 295 (ic->ic_flags & IEEE80211_F_DESBSSID) == 0) 296 timeout_add_msec(&ic->ic_bgscan_timeout, 297 500 * (ic->ic_bgscan_fail + 1)); 298 } 299 } 300 301 #ifndef IEEE80211_STA_ONLY 302 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 303 (ic->ic_caps & IEEE80211_C_APPMGT) && 304 ni->ni_state == IEEE80211_STA_ASSOC) { 305 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 306 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 307 /* turn on PS mode */ 308 ni->ni_pwrsave = IEEE80211_PS_DOZE; 309 DPRINTF(("PS mode on for %s\n", 310 ether_sprintf(wh->i_addr2))); 311 } 312 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 313 struct mbuf *m; 314 315 /* turn off PS mode */ 316 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 317 DPRINTF(("PS mode off for %s\n", 318 ether_sprintf(wh->i_addr2))); 319 320 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 321 322 /* dequeue buffered unicast frames */ 323 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) { 324 mq_enqueue(&ic->ic_pwrsaveq, m); 325 if_start(ifp); 326 } 327 } 328 } 329 #endif 330 switch (type) { 331 case IEEE80211_FC0_TYPE_DATA: 332 switch (ic->ic_opmode) { 333 case IEEE80211_M_STA: 334 if (dir != IEEE80211_FC1_DIR_FROMDS) { 335 ic->ic_stats.is_rx_wrongdir++; 336 goto out; 337 } 338 if (ic->ic_state != IEEE80211_S_SCAN && 339 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 340 /* Source address is not our BSS. */ 341 DPRINTF(("discard frame from SA %s\n", 342 ether_sprintf(wh->i_addr2))); 343 ic->ic_stats.is_rx_wrongbss++; 344 goto out; 345 } 346 if ((ifp->if_flags & IFF_SIMPLEX) && 347 IEEE80211_IS_MULTICAST(wh->i_addr1) && 348 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 349 /* 350 * In IEEE802.11 network, multicast frame 351 * sent from me is broadcasted from AP. 352 * It should be silently discarded for 353 * SIMPLEX interface. 354 */ 355 ic->ic_stats.is_rx_mcastecho++; 356 goto out; 357 } 358 break; 359 #ifndef IEEE80211_STA_ONLY 360 case IEEE80211_M_IBSS: 361 case IEEE80211_M_AHDEMO: 362 if (dir != IEEE80211_FC1_DIR_NODS) { 363 ic->ic_stats.is_rx_wrongdir++; 364 goto out; 365 } 366 if (ic->ic_state != IEEE80211_S_SCAN && 367 !IEEE80211_ADDR_EQ(wh->i_addr3, 368 ic->ic_bss->ni_bssid) && 369 !IEEE80211_ADDR_EQ(wh->i_addr3, 370 etherbroadcastaddr)) { 371 /* Destination is not our BSS or broadcast. */ 372 DPRINTF(("discard data frame to DA %s\n", 373 ether_sprintf(wh->i_addr3))); 374 ic->ic_stats.is_rx_wrongbss++; 375 goto out; 376 } 377 break; 378 case IEEE80211_M_HOSTAP: 379 if (dir != IEEE80211_FC1_DIR_TODS) { 380 ic->ic_stats.is_rx_wrongdir++; 381 goto out; 382 } 383 if (ic->ic_state != IEEE80211_S_SCAN && 384 !IEEE80211_ADDR_EQ(wh->i_addr1, 385 ic->ic_bss->ni_bssid) && 386 !IEEE80211_ADDR_EQ(wh->i_addr1, 387 etherbroadcastaddr)) { 388 /* BSS is not us or broadcast. */ 389 DPRINTF(("discard data frame to BSS %s\n", 390 ether_sprintf(wh->i_addr1))); 391 ic->ic_stats.is_rx_wrongbss++; 392 goto out; 393 } 394 /* check if source STA is associated */ 395 if (ni == ic->ic_bss) { 396 DPRINTF(("data from unknown src %s\n", 397 ether_sprintf(wh->i_addr2))); 398 /* NB: caller deals with reference */ 399 ni = ieee80211_find_node(ic, wh->i_addr2); 400 if (ni == NULL) 401 ni = ieee80211_dup_bss(ic, wh->i_addr2); 402 if (ni != NULL) { 403 IEEE80211_SEND_MGMT(ic, ni, 404 IEEE80211_FC0_SUBTYPE_DEAUTH, 405 IEEE80211_REASON_NOT_AUTHED); 406 } 407 ic->ic_stats.is_rx_notassoc++; 408 goto err; 409 } 410 if (ni->ni_state != IEEE80211_STA_ASSOC) { 411 DPRINTF(("data from unassoc src %s\n", 412 ether_sprintf(wh->i_addr2))); 413 IEEE80211_SEND_MGMT(ic, ni, 414 IEEE80211_FC0_SUBTYPE_DISASSOC, 415 IEEE80211_REASON_NOT_ASSOCED); 416 ic->ic_stats.is_rx_notassoc++; 417 goto err; 418 } 419 break; 420 #endif /* IEEE80211_STA_ONLY */ 421 default: 422 /* can't get there */ 423 goto out; 424 } 425 426 /* Do not process "no data" frames any further. */ 427 if (subtype & IEEE80211_FC0_SUBTYPE_NODATA) { 428 if (ic->ic_rawbpf) 429 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 430 goto out; 431 } 432 433 if ((ic->ic_flags & IEEE80211_F_WEPON) || 434 ((ic->ic_flags & IEEE80211_F_RSNON) && 435 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 436 /* protection is on for Rx */ 437 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 438 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 439 /* drop unencrypted */ 440 ic->ic_stats.is_rx_unencrypted++; 441 goto err; 442 } 443 /* do software decryption */ 444 m = ieee80211_decrypt(ic, m, ni); 445 if (m == NULL) { 446 ic->ic_stats.is_rx_wepfail++; 447 goto err; 448 } 449 wh = mtod(m, struct ieee80211_frame *); 450 } 451 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 452 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 453 /* frame encrypted but protection off for Rx */ 454 ic->ic_stats.is_rx_nowep++; 455 goto out; 456 } 457 458 #if NBPFILTER > 0 459 /* copy to listener after decrypt */ 460 if (ic->ic_rawbpf) 461 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 462 #endif 463 464 if ((ni->ni_flags & IEEE80211_NODE_HT) && 465 hasqos && (qos & IEEE80211_QOS_AMSDU)) 466 ieee80211_amsdu_decap(ic, m, ni, hdrlen); 467 else 468 ieee80211_decap(ic, m, ni, hdrlen); 469 return; 470 471 case IEEE80211_FC0_TYPE_MGT: 472 if (dir != IEEE80211_FC1_DIR_NODS) { 473 ic->ic_stats.is_rx_wrongdir++; 474 goto err; 475 } 476 #ifndef IEEE80211_STA_ONLY 477 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 478 ic->ic_stats.is_rx_ahdemo_mgt++; 479 goto out; 480 } 481 #endif 482 /* drop frames without interest */ 483 if (ic->ic_state == IEEE80211_S_SCAN) { 484 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 485 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 486 ic->ic_stats.is_rx_mgtdiscard++; 487 goto out; 488 } 489 } 490 491 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 492 /* MMPDU protection is on for Rx */ 493 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 494 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 495 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 496 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 497 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 498 /* unicast mgmt not encrypted */ 499 goto out; 500 } 501 /* do software decryption */ 502 m = ieee80211_decrypt(ic, m, ni); 503 if (m == NULL) { 504 /* XXX stats */ 505 goto out; 506 } 507 wh = mtod(m, struct ieee80211_frame *); 508 } 509 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 510 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 511 /* encrypted but MMPDU Rx protection off for TA */ 512 goto out; 513 } 514 515 #if NBPFILTER > 0 516 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) { 517 /* 518 * Drop mbuf if it was filtered by bpf. Normally, 519 * this is done in ether_input() but IEEE 802.11 520 * management frames are a special case. 521 */ 522 m_freem(m); 523 return; 524 } 525 #endif 526 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 527 m_freem(m); 528 return; 529 530 case IEEE80211_FC0_TYPE_CTL: 531 ic->ic_stats.is_rx_ctl++; 532 switch (subtype) { 533 #ifndef IEEE80211_STA_ONLY 534 case IEEE80211_FC0_SUBTYPE_PS_POLL: 535 ieee80211_recv_pspoll(ic, m, ni); 536 break; 537 #endif 538 case IEEE80211_FC0_SUBTYPE_BAR: 539 ieee80211_recv_bar(ic, m, ni); 540 break; 541 default: 542 break; 543 } 544 goto out; 545 546 default: 547 DPRINTF(("bad frame type %x\n", type)); 548 /* should not come here */ 549 break; 550 } 551 err: 552 ifp->if_ierrors++; 553 out: 554 if (m != NULL) { 555 #if NBPFILTER > 0 556 if (ic->ic_rawbpf) 557 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 558 #endif 559 m_freem(m); 560 } 561 } 562 563 /* 564 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 565 * reception of fragments of three fragmented MSDUs or MMPDUs. 566 */ 567 struct mbuf * 568 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 569 { 570 const struct ieee80211_frame *owh, *wh; 571 struct ieee80211_defrag *df; 572 u_int16_t rxseq, seq; 573 u_int8_t frag; 574 int i; 575 576 wh = mtod(m, struct ieee80211_frame *); 577 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 578 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 579 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 580 581 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 582 return m; /* not fragmented */ 583 584 if (frag == 0) { 585 /* first fragment, setup entry in the fragment cache */ 586 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 587 ic->ic_defrag_cur = 0; 588 df = &ic->ic_defrag[ic->ic_defrag_cur]; 589 m_freem(df->df_m); /* discard old entry */ 590 df->df_seq = seq; 591 df->df_frag = 0; 592 df->df_m = m; 593 /* start receive MSDU timer of aMaxReceiveLifetime */ 594 timeout_add_sec(&df->df_to, 1); 595 return NULL; /* MSDU or MMPDU not yet complete */ 596 } 597 598 /* find matching entry in the fragment cache */ 599 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 600 df = &ic->ic_defrag[i]; 601 if (df->df_m == NULL) 602 continue; 603 if (df->df_seq != seq || df->df_frag + 1 != frag) 604 continue; 605 owh = mtod(df->df_m, struct ieee80211_frame *); 606 /* frame type, source and destination must match */ 607 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 608 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 609 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 610 continue; 611 /* matching entry found */ 612 break; 613 } 614 if (i == IEEE80211_DEFRAG_SIZE) { 615 /* no matching entry found, discard fragment */ 616 ic->ic_if.if_ierrors++; 617 m_freem(m); 618 return NULL; 619 } 620 621 df->df_frag = frag; 622 /* strip 802.11 header and concatenate fragment */ 623 m_adj(m, hdrlen); 624 m_cat(df->df_m, m); 625 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 626 627 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 628 return NULL; /* MSDU or MMPDU not yet complete */ 629 630 /* MSDU or MMPDU complete */ 631 timeout_del(&df->df_to); 632 m = df->df_m; 633 df->df_m = NULL; 634 return m; 635 } 636 637 /* 638 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 639 */ 640 void 641 ieee80211_defrag_timeout(void *arg) 642 { 643 struct ieee80211_defrag *df = arg; 644 int s = splnet(); 645 646 /* discard all received fragments */ 647 m_freem(df->df_m); 648 df->df_m = NULL; 649 650 splx(s); 651 } 652 653 /* 654 * Process a received data MPDU related to a specific HT-immediate Block Ack 655 * agreement (see 9.10.7.6). 656 */ 657 void 658 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m, 659 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi) 660 { 661 struct ifnet *ifp = &ic->ic_if; 662 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 663 struct ieee80211_frame *wh; 664 int idx, count; 665 u_int16_t sn; 666 667 wh = mtod(m, struct ieee80211_frame *); 668 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 669 670 /* reset Block Ack inactivity timer */ 671 if (ba->ba_timeout_val != 0) 672 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 673 674 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 675 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; 676 m_freem(m); /* discard the MPDU */ 677 return; 678 } 679 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 680 ic->ic_stats.is_ht_rx_frame_above_ba_winend++; 681 count = (sn - ba->ba_winend) & 0xfff; 682 if (count > ba->ba_winsize) { 683 /* 684 * Check whether we're consistently behind the window, 685 * and let the window move forward if neccessary. 686 */ 687 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 688 if (ba->ba_missedsn == ((sn - 1) & 0xfff)) 689 ba->ba_winmiss++; 690 else 691 ba->ba_winmiss = 0; 692 ba->ba_missedsn = sn; 693 ifp->if_ierrors++; 694 m_freem(m); /* discard the MPDU */ 695 return; 696 } 697 698 /* It appears the window has moved for real. */ 699 ic->ic_stats.is_ht_rx_ba_window_jump++; 700 ba->ba_winmiss = 0; 701 ba->ba_missedsn = 0; 702 ieee80211_ba_move_window(ic, ni, tid, sn); 703 } else { 704 ic->ic_stats.is_ht_rx_ba_window_slide++; 705 ieee80211_input_ba_seq(ic, ni, tid, 706 (ba->ba_winstart + count) & 0xfff); 707 ieee80211_input_ba_flush(ic, ni, ba); 708 } 709 } 710 /* WinStartB <= SN <= WinEndB */ 711 712 ba->ba_winmiss = 0; 713 ba->ba_missedsn = 0; 714 idx = (sn - ba->ba_winstart) & 0xfff; 715 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 716 /* store the received MPDU in the buffer */ 717 if (ba->ba_buf[idx].m != NULL) { 718 ifp->if_ierrors++; 719 ic->ic_stats.is_ht_rx_ba_no_buf++; 720 m_freem(m); 721 return; 722 } 723 ba->ba_buf[idx].m = m; 724 /* store Rx meta-data too */ 725 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 726 ba->ba_buf[idx].rxi = *rxi; 727 728 if (ba->ba_buf[ba->ba_head].m == NULL) 729 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 730 else if (timeout_pending(&ba->ba_gap_to)) 731 timeout_del(&ba->ba_gap_to); 732 733 ieee80211_input_ba_flush(ic, ni, ba); 734 } 735 736 /* 737 * Forward buffered frames with sequence number lower than max_seq. 738 * See 802.11-2012 9.21.7.6.2 b. 739 */ 740 void 741 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni, 742 uint8_t tid, uint16_t max_seq) 743 { 744 struct ifnet *ifp = &ic->ic_if; 745 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 746 struct ieee80211_frame *wh; 747 uint16_t seq; 748 int i = 0; 749 750 while (i++ < ba->ba_winsize) { 751 /* gaps may exist */ 752 if (ba->ba_buf[ba->ba_head].m != NULL) { 753 wh = mtod(ba->ba_buf[ba->ba_head].m, 754 struct ieee80211_frame *); 755 KASSERT(ieee80211_has_seq(wh)); 756 seq = letoh16(*(u_int16_t *)wh->i_seq) >> 757 IEEE80211_SEQ_SEQ_SHIFT; 758 if (!SEQ_LT(seq, max_seq)) 759 return; 760 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, 761 ni, &ba->ba_buf[ba->ba_head].rxi); 762 ba->ba_buf[ba->ba_head].m = NULL; 763 } else 764 ic->ic_stats.is_ht_rx_ba_frame_lost++; 765 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 766 } 767 } 768 769 /* Flush a consecutive sequence of frames from the reorder buffer. */ 770 void 771 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni, 772 struct ieee80211_rx_ba *ba) 773 774 { 775 struct ifnet *ifp = &ic->ic_if; 776 777 /* pass reordered MPDUs up to the next MAC process */ 778 while (ba->ba_buf[ba->ba_head].m != NULL) { 779 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 780 &ba->ba_buf[ba->ba_head].rxi); 781 ba->ba_buf[ba->ba_head].m = NULL; 782 783 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 784 /* move window forward */ 785 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 786 } 787 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 788 } 789 790 /* 791 * Forcibly move the BA window forward to remove a leading gap which has 792 * been causing frames to linger in the reordering buffer for too long. 793 * A leading gap will occur if a particular A-MPDU subframe never arrives 794 * or if a bug in the sender causes sequence numbers to jump forward by > 1. 795 */ 796 void 797 ieee80211_input_ba_gap_timeout(void *arg) 798 { 799 struct ieee80211_rx_ba *ba = arg; 800 struct ieee80211_node *ni = ba->ba_ni; 801 struct ieee80211com *ic = ni->ni_ic; 802 int s, skipped; 803 804 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; 805 806 s = splnet(); 807 808 skipped = 0; 809 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) { 810 /* move window forward */ 811 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 812 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 813 skipped++; 814 ic->ic_stats.is_ht_rx_ba_frame_lost++; 815 } 816 if (skipped > 0) 817 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 818 819 ieee80211_input_ba_flush(ic, ni, ba); 820 821 splx(s); 822 } 823 824 825 /* 826 * Change the value of WinStartB (move window forward) upon reception of a 827 * BlockAckReq frame or an ADDBA Request (PBAC). 828 */ 829 void 830 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 831 u_int8_t tid, u_int16_t ssn) 832 { 833 struct ifnet *ifp = &ic->ic_if; 834 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 835 int count; 836 837 /* assert(WinStartB <= SSN) */ 838 839 count = (ssn - ba->ba_winstart) & 0xfff; 840 if (count > ba->ba_winsize) /* no overlap */ 841 count = ba->ba_winsize; 842 while (count-- > 0) { 843 /* gaps may exist */ 844 if (ba->ba_buf[ba->ba_head].m != NULL) { 845 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 846 &ba->ba_buf[ba->ba_head].rxi); 847 ba->ba_buf[ba->ba_head].m = NULL; 848 } else 849 ic->ic_stats.is_ht_rx_ba_frame_lost++; 850 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 851 } 852 /* move window forward */ 853 ba->ba_winstart = ssn; 854 855 ieee80211_input_ba_flush(ic, ni, ba); 856 } 857 858 void 859 ieee80211_deliver_data(struct ieee80211com *ic, struct mbuf *m, 860 struct ieee80211_node *ni, int mcast) 861 { 862 struct ifnet *ifp = &ic->ic_if; 863 struct ether_header *eh; 864 struct mbuf *m1; 865 866 eh = mtod(m, struct ether_header *); 867 868 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 869 eh->ether_type != htons(ETHERTYPE_PAE)) { 870 DPRINTF(("port not valid: %s\n", 871 ether_sprintf(eh->ether_dhost))); 872 ic->ic_stats.is_rx_unauth++; 873 m_freem(m); 874 return; 875 } 876 877 /* 878 * Perform as a bridge within the AP. Notice that we do not 879 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 880 * And we do not forward unicast frames received on a multicast address. 881 */ 882 m1 = NULL; 883 #ifndef IEEE80211_STA_ONLY 884 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 885 !(ic->ic_userflags & IEEE80211_F_NOBRIDGE) && 886 eh->ether_type != htons(ETHERTYPE_PAE)) { 887 struct ieee80211_node *ni1; 888 889 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 890 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT); 891 if (m1 == NULL) 892 ifp->if_oerrors++; 893 else 894 m1->m_flags |= M_MCAST; 895 } else if (!mcast) { 896 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 897 if (ni1 != NULL && 898 ni1->ni_state == IEEE80211_STA_ASSOC) { 899 m1 = m; 900 m = NULL; 901 } 902 } 903 if (m1 != NULL) { 904 if (if_enqueue(ifp, m1)) 905 ifp->if_oerrors++; 906 } 907 } 908 #endif 909 if (m != NULL) { 910 if ((ic->ic_flags & IEEE80211_F_RSNON) && 911 eh->ether_type == htons(ETHERTYPE_PAE)) { 912 ifp->if_ipackets++; 913 #if NBPFILTER > 0 914 /* 915 * If we forward frame into transmitter of the AP, 916 * we don't need to duplicate for DLT_EN10MB. 917 */ 918 if (ifp->if_bpf && m1 == NULL) 919 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 920 #endif 921 ieee80211_eapol_key_input(ic, m, ni); 922 } else { 923 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 924 ml_enqueue(&ml, m); 925 if_input(ifp, &ml); 926 } 927 } 928 } 929 930 void 931 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 932 struct ieee80211_node *ni, int hdrlen) 933 { 934 struct ether_header eh; 935 struct ieee80211_frame *wh; 936 struct llc *llc; 937 int mcast; 938 939 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 940 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 941 ic->ic_stats.is_rx_decap++; 942 return; 943 } 944 wh = mtod(m, struct ieee80211_frame *); 945 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 946 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 947 case IEEE80211_FC1_DIR_NODS: 948 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 949 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 950 break; 951 case IEEE80211_FC1_DIR_TODS: 952 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 953 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 954 break; 955 case IEEE80211_FC1_DIR_FROMDS: 956 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 957 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 958 break; 959 case IEEE80211_FC1_DIR_DSTODS: 960 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 961 IEEE80211_ADDR_COPY(eh.ether_shost, 962 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 963 break; 964 } 965 llc = (struct llc *)((caddr_t)wh + hdrlen); 966 if (llc->llc_dsap == LLC_SNAP_LSAP && 967 llc->llc_ssap == LLC_SNAP_LSAP && 968 llc->llc_control == LLC_UI && 969 llc->llc_snap.org_code[0] == 0 && 970 llc->llc_snap.org_code[1] == 0 && 971 llc->llc_snap.org_code[2] == 0) { 972 eh.ether_type = llc->llc_snap.ether_type; 973 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 974 } else { 975 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 976 m_adj(m, hdrlen - ETHER_HDR_LEN); 977 } 978 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 979 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 980 struct mbuf *m0 = m; 981 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT); 982 m_freem(m0); 983 if (m == NULL) { 984 ic->ic_stats.is_rx_decap++; 985 return; 986 } 987 } 988 ieee80211_deliver_data(ic, m, ni, mcast); 989 } 990 991 /* 992 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 993 */ 994 void 995 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 996 struct ieee80211_node *ni, int hdrlen) 997 { 998 struct mbuf *n; 999 struct ether_header *eh; 1000 struct llc *llc; 1001 int len, pad, mcast; 1002 struct ieee80211_frame *wh; 1003 1004 wh = mtod(m, struct ieee80211_frame *); 1005 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 1006 1007 /* strip 802.11 header */ 1008 m_adj(m, hdrlen); 1009 1010 for (;;) { 1011 /* process an A-MSDU subframe */ 1012 if (m->m_len < ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 1013 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 1014 if (m == NULL) { 1015 ic->ic_stats.is_rx_decap++; 1016 break; 1017 } 1018 } 1019 eh = mtod(m, struct ether_header *); 1020 /* examine 802.3 header */ 1021 len = ntohs(eh->ether_type); 1022 if (len < LLC_SNAPFRAMELEN) { 1023 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 1024 /* stop processing A-MSDU subframes */ 1025 ic->ic_stats.is_rx_decap++; 1026 m_freem(m); 1027 break; 1028 } 1029 llc = (struct llc *)&eh[1]; 1030 /* examine 802.2 LLC header */ 1031 if (llc->llc_dsap == LLC_SNAP_LSAP && 1032 llc->llc_ssap == LLC_SNAP_LSAP && 1033 llc->llc_control == LLC_UI && 1034 llc->llc_snap.org_code[0] == 0 && 1035 llc->llc_snap.org_code[1] == 0 && 1036 llc->llc_snap.org_code[2] == 0) { 1037 /* convert to Ethernet II header */ 1038 eh->ether_type = llc->llc_snap.ether_type; 1039 /* strip LLC+SNAP headers */ 1040 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh, 1041 ETHER_HDR_LEN); 1042 m_adj(m, LLC_SNAPFRAMELEN); 1043 len -= LLC_SNAPFRAMELEN; 1044 } 1045 len += ETHER_HDR_LEN; 1046 if (len > m->m_pkthdr.len) { 1047 /* stop processing A-MSDU subframes */ 1048 DPRINTF(("A-MSDU subframe too long (%d)\n", len)); 1049 ic->ic_stats.is_rx_decap++; 1050 m_freem(m); 1051 break; 1052 } 1053 1054 /* "detach" our A-MSDU subframe from the others */ 1055 n = m_split(m, len, M_NOWAIT); 1056 if (n == NULL) { 1057 /* stop processing A-MSDU subframes */ 1058 ic->ic_stats.is_rx_decap++; 1059 m_freem(m); 1060 break; 1061 } 1062 ieee80211_deliver_data(ic, m, ni, mcast); 1063 1064 if (n->m_pkthdr.len == 0) { 1065 m_freem(n); 1066 break; 1067 } 1068 m = n; 1069 /* remove padding */ 1070 pad = ((len + 3) & ~3) - len; 1071 m_adj(m, pad); 1072 } 1073 } 1074 1075 /* 1076 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1077 */ 1078 int 1079 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1080 { 1081 u_int updtcount; 1082 int aci; 1083 1084 /* 1085 * Check if EDCA parameters have changed XXX if we miss more than 1086 * 15 consecutive beacons, we might not detect changes to EDCA 1087 * parameters due to wraparound of the 4-bit Update Count field. 1088 */ 1089 updtcount = frm[0] & 0xf; 1090 if (updtcount == ic->ic_edca_updtcount) 1091 return 0; /* no changes to EDCA parameters, ignore */ 1092 ic->ic_edca_updtcount = updtcount; 1093 1094 frm += 2; /* skip QoS Info & Reserved fields */ 1095 1096 /* parse AC Parameter Records */ 1097 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1098 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1099 1100 ac->ac_acm = (frm[0] >> 4) & 0x1; 1101 ac->ac_aifsn = frm[0] & 0xf; 1102 ac->ac_ecwmin = frm[1] & 0xf; 1103 ac->ac_ecwmax = frm[1] >> 4; 1104 ac->ac_txoplimit = LE_READ_2(frm + 2); 1105 frm += 4; 1106 } 1107 /* give drivers a chance to update their settings */ 1108 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1109 (*ic->ic_updateedca)(ic); 1110 1111 return 0; 1112 } 1113 1114 int 1115 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1116 { 1117 if (frm[1] < 18) { 1118 ic->ic_stats.is_rx_elem_toosmall++; 1119 return IEEE80211_REASON_IE_INVALID; 1120 } 1121 return ieee80211_parse_edca_params_body(ic, frm + 2); 1122 } 1123 1124 int 1125 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1126 { 1127 if (frm[1] < 24) { 1128 ic->ic_stats.is_rx_elem_toosmall++; 1129 return IEEE80211_REASON_IE_INVALID; 1130 } 1131 return ieee80211_parse_edca_params_body(ic, frm + 8); 1132 } 1133 1134 enum ieee80211_cipher 1135 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1136 { 1137 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1138 switch (selector[3]) { 1139 case 0: /* use group data cipher suite */ 1140 return IEEE80211_CIPHER_USEGROUP; 1141 case 1: /* WEP-40 */ 1142 return IEEE80211_CIPHER_WEP40; 1143 case 2: /* TKIP */ 1144 return IEEE80211_CIPHER_TKIP; 1145 case 4: /* CCMP (RSNA default) */ 1146 return IEEE80211_CIPHER_CCMP; 1147 case 5: /* WEP-104 */ 1148 return IEEE80211_CIPHER_WEP104; 1149 } 1150 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1151 /* see 802.11-2012 Table 8-99 */ 1152 switch (selector[3]) { 1153 case 0: /* use group data cipher suite */ 1154 return IEEE80211_CIPHER_USEGROUP; 1155 case 1: /* WEP-40 */ 1156 return IEEE80211_CIPHER_WEP40; 1157 case 2: /* TKIP */ 1158 return IEEE80211_CIPHER_TKIP; 1159 case 4: /* CCMP (RSNA default) */ 1160 return IEEE80211_CIPHER_CCMP; 1161 case 5: /* WEP-104 */ 1162 return IEEE80211_CIPHER_WEP104; 1163 case 6: /* BIP */ 1164 return IEEE80211_CIPHER_BIP; 1165 } 1166 } 1167 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1168 } 1169 1170 enum ieee80211_akm 1171 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1172 { 1173 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1174 switch (selector[3]) { 1175 case 1: /* IEEE 802.1X (RSNA default) */ 1176 return IEEE80211_AKM_8021X; 1177 case 2: /* PSK */ 1178 return IEEE80211_AKM_PSK; 1179 } 1180 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1181 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1182 switch (selector[3]) { 1183 case 1: /* IEEE 802.1X (RSNA default) */ 1184 return IEEE80211_AKM_8021X; 1185 case 2: /* PSK */ 1186 return IEEE80211_AKM_PSK; 1187 case 5: /* IEEE 802.1X with SHA256 KDF */ 1188 return IEEE80211_AKM_SHA256_8021X; 1189 case 6: /* PSK with SHA256 KDF */ 1190 return IEEE80211_AKM_SHA256_PSK; 1191 } 1192 } 1193 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1194 } 1195 1196 /* 1197 * Parse an RSN element (see 802.11-2012 8.4.2.27) 1198 */ 1199 int 1200 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1201 u_int len, struct ieee80211_rsnparams *rsn) 1202 { 1203 const u_int8_t *efrm; 1204 u_int16_t m, n, s; 1205 1206 efrm = frm + len; 1207 1208 /* check Version field */ 1209 if (LE_READ_2(frm) != 1) 1210 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1211 frm += 2; 1212 1213 /* all fields after the Version field are optional */ 1214 1215 /* if Cipher Suite missing, default to CCMP */ 1216 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1217 rsn->rsn_nciphers = 1; 1218 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1219 /* if Group Management Cipher Suite missing, defaut to BIP */ 1220 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1221 /* if AKM Suite missing, default to 802.1X */ 1222 rsn->rsn_nakms = 1; 1223 rsn->rsn_akms = IEEE80211_AKM_8021X; 1224 /* if RSN capabilities missing, default to 0 */ 1225 rsn->rsn_caps = 0; 1226 rsn->rsn_npmkids = 0; 1227 1228 /* read Group Data Cipher Suite field */ 1229 if (frm + 4 > efrm) 1230 return 0; 1231 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1232 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE || 1233 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP || 1234 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP) 1235 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1236 frm += 4; 1237 1238 /* read Pairwise Cipher Suite Count field */ 1239 if (frm + 2 > efrm) 1240 return 0; 1241 m = rsn->rsn_nciphers = LE_READ_2(frm); 1242 frm += 2; 1243 1244 /* read Pairwise Cipher Suite List */ 1245 if (frm + m * 4 > efrm) 1246 return IEEE80211_STATUS_IE_INVALID; 1247 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1248 while (m-- > 0) { 1249 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1250 frm += 4; 1251 } 1252 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1253 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1254 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1255 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1256 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1257 } 1258 1259 /* read AKM Suite List Count field */ 1260 if (frm + 2 > efrm) 1261 return 0; 1262 n = rsn->rsn_nakms = LE_READ_2(frm); 1263 frm += 2; 1264 1265 /* read AKM Suite List */ 1266 if (frm + n * 4 > efrm) 1267 return IEEE80211_STATUS_IE_INVALID; 1268 rsn->rsn_akms = IEEE80211_AKM_NONE; 1269 while (n-- > 0) { 1270 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1271 frm += 4; 1272 } 1273 1274 /* read RSN Capabilities field */ 1275 if (frm + 2 > efrm) 1276 return 0; 1277 rsn->rsn_caps = LE_READ_2(frm); 1278 frm += 2; 1279 1280 /* read PMKID Count field */ 1281 if (frm + 2 > efrm) 1282 return 0; 1283 s = rsn->rsn_npmkids = LE_READ_2(frm); 1284 frm += 2; 1285 1286 /* read PMKID List */ 1287 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1288 return IEEE80211_STATUS_IE_INVALID; 1289 if (s != 0) { 1290 rsn->rsn_pmkids = frm; 1291 frm += s * IEEE80211_PMKID_LEN; 1292 } 1293 1294 /* read Group Management Cipher Suite field */ 1295 if (frm + 4 > efrm) 1296 return 0; 1297 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1298 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP) 1299 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1300 1301 return IEEE80211_STATUS_SUCCESS; 1302 } 1303 1304 int 1305 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1306 struct ieee80211_rsnparams *rsn) 1307 { 1308 if (frm[1] < 2) { 1309 ic->ic_stats.is_rx_elem_toosmall++; 1310 return IEEE80211_STATUS_IE_INVALID; 1311 } 1312 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1313 } 1314 1315 int 1316 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1317 struct ieee80211_rsnparams *rsn) 1318 { 1319 if (frm[1] < 6) { 1320 ic->ic_stats.is_rx_elem_toosmall++; 1321 return IEEE80211_STATUS_IE_INVALID; 1322 } 1323 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1324 } 1325 1326 /* 1327 * Create (or update) a copy of an information element. 1328 */ 1329 int 1330 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1331 { 1332 int olen = *ie ? 2 + (*ie)[1] : 0; 1333 int len = 2 + frm[1]; 1334 1335 if (*ie == NULL || olen != len) { 1336 if (*ie != NULL) 1337 free(*ie, M_DEVBUF, olen); 1338 *ie = malloc(len, M_DEVBUF, M_NOWAIT); 1339 if (*ie == NULL) 1340 return ENOMEM; 1341 } 1342 memcpy(*ie, frm, len); 1343 return 0; 1344 } 1345 1346 /*- 1347 * Beacon/Probe response frame format: 1348 * [8] Timestamp 1349 * [2] Beacon interval 1350 * [2] Capability 1351 * [tlv] Service Set Identifier (SSID) 1352 * [tlv] Supported rates 1353 * [tlv] DS Parameter Set (802.11g) 1354 * [tlv] ERP Information (802.11g) 1355 * [tlv] Extended Supported Rates (802.11g) 1356 * [tlv] RSN (802.11i) 1357 * [tlv] EDCA Parameter Set (802.11e) 1358 * [tlv] QoS Capability (Beacon only, 802.11e) 1359 * [tlv] HT Capabilities (802.11n) 1360 * [tlv] HT Operation (802.11n) 1361 */ 1362 void 1363 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1364 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int isprobe) 1365 { 1366 const struct ieee80211_frame *wh; 1367 const u_int8_t *frm, *efrm; 1368 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1369 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1370 u_int16_t capinfo, bintval; 1371 u_int8_t chan, bchan, erp, dtim_count, dtim_period; 1372 int is_new; 1373 1374 /* 1375 * We process beacon/probe response frames for: 1376 * o station mode: to collect state 1377 * updates such as 802.11g slot time and for passive 1378 * scanning of APs 1379 * o adhoc mode: to discover neighbors 1380 * o hostap mode: for passive scanning of neighbor APs 1381 * o when scanning 1382 * In other words, in all modes other than monitor (which 1383 * does not process incoming frames) and adhoc-demo (which 1384 * does not use management frames at all). 1385 */ 1386 #ifdef DIAGNOSTIC 1387 if (ic->ic_opmode != IEEE80211_M_STA && 1388 #ifndef IEEE80211_STA_ONLY 1389 ic->ic_opmode != IEEE80211_M_IBSS && 1390 ic->ic_opmode != IEEE80211_M_HOSTAP && 1391 #endif 1392 ic->ic_state != IEEE80211_S_SCAN) { 1393 panic("%s: impossible operating mode", __func__); 1394 } 1395 #endif 1396 /* make sure all mandatory fixed fields are present */ 1397 if (m->m_len < sizeof(*wh) + 12) { 1398 DPRINTF(("frame too short\n")); 1399 return; 1400 } 1401 wh = mtod(m, struct ieee80211_frame *); 1402 frm = (const u_int8_t *)&wh[1]; 1403 efrm = mtod(m, u_int8_t *) + m->m_len; 1404 1405 tstamp = frm; frm += 8; 1406 bintval = LE_READ_2(frm); frm += 2; 1407 capinfo = LE_READ_2(frm); frm += 2; 1408 1409 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1410 htcaps = htop = NULL; 1411 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1412 chan = bchan; 1413 erp = 0; 1414 dtim_count = dtim_period = 0; 1415 while (frm + 2 <= efrm) { 1416 if (frm + 2 + frm[1] > efrm) { 1417 ic->ic_stats.is_rx_elem_toosmall++; 1418 break; 1419 } 1420 switch (frm[0]) { 1421 case IEEE80211_ELEMID_SSID: 1422 ssid = frm; 1423 break; 1424 case IEEE80211_ELEMID_RATES: 1425 rates = frm; 1426 break; 1427 case IEEE80211_ELEMID_DSPARMS: 1428 if (frm[1] < 1) { 1429 ic->ic_stats.is_rx_elem_toosmall++; 1430 break; 1431 } 1432 chan = frm[2]; 1433 break; 1434 case IEEE80211_ELEMID_XRATES: 1435 xrates = frm; 1436 break; 1437 case IEEE80211_ELEMID_ERP: 1438 if (frm[1] < 1) { 1439 ic->ic_stats.is_rx_elem_toosmall++; 1440 break; 1441 } 1442 erp = frm[2]; 1443 break; 1444 case IEEE80211_ELEMID_RSN: 1445 rsnie = frm; 1446 break; 1447 case IEEE80211_ELEMID_EDCAPARMS: 1448 edcaie = frm; 1449 break; 1450 case IEEE80211_ELEMID_HTCAPS: 1451 htcaps = frm; 1452 break; 1453 case IEEE80211_ELEMID_HTOP: 1454 htop = frm; 1455 break; 1456 case IEEE80211_ELEMID_TIM: 1457 if (frm[1] > 3) { 1458 dtim_count = frm[2]; 1459 dtim_period = frm[3]; 1460 } 1461 break; 1462 case IEEE80211_ELEMID_VENDOR: 1463 if (frm[1] < 4) { 1464 ic->ic_stats.is_rx_elem_toosmall++; 1465 break; 1466 } 1467 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1468 if (frm[5] == 1) 1469 wpaie = frm; 1470 else if (frm[1] >= 5 && 1471 frm[5] == 2 && frm[6] == 1) 1472 wmmie = frm; 1473 } 1474 break; 1475 } 1476 frm += 2 + frm[1]; 1477 } 1478 /* supported rates element is mandatory */ 1479 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1480 DPRINTF(("invalid supported rates element\n")); 1481 return; 1482 } 1483 /* SSID element is mandatory */ 1484 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1485 DPRINTF(("invalid SSID element\n")); 1486 return; 1487 } 1488 1489 if ( 1490 #if IEEE80211_CHAN_MAX < 255 1491 chan > IEEE80211_CHAN_MAX || 1492 #endif 1493 isclr(ic->ic_chan_active, chan)) { 1494 DPRINTF(("ignore %s with invalid channel %u\n", 1495 isprobe ? "probe response" : "beacon", chan)); 1496 ic->ic_stats.is_rx_badchan++; 1497 return; 1498 } 1499 if ((ic->ic_state != IEEE80211_S_SCAN || 1500 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1501 chan != bchan) { 1502 /* 1503 * Frame was received on a channel different from the 1504 * one indicated in the DS params element id; 1505 * silently discard it. 1506 * 1507 * NB: this can happen due to signal leakage. 1508 */ 1509 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1510 isprobe ? "probe response" : "beacon", bchan, chan)); 1511 ic->ic_stats.is_rx_chanmismatch++; 1512 return; 1513 } 1514 /* 1515 * Use mac, channel and rssi so we collect only the 1516 * best potential AP with the equal bssid while scanning. 1517 * Collecting all potential APs may result in bloat of 1518 * the node tree. This call will return NULL if the node 1519 * for this APs does not exist or if the new node is the 1520 * potential better one. 1521 */ 1522 ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1523 &ic->ic_channels[chan], ssid, rxi->rxi_rssi); 1524 if (ni != NULL) { 1525 /* 1526 * If we are doing a directed scan for an AP with a hidden SSID 1527 * we must collect the SSID from a probe response to override 1528 * a non-zero-length SSID filled with zeroes that we may have 1529 * received earlier in a beacon. 1530 */ 1531 if (isprobe && ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1532 ni->ni_esslen = ssid[1]; 1533 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1534 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1535 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1536 } 1537 1538 return; 1539 } 1540 1541 #ifdef IEEE80211_DEBUG 1542 if (ieee80211_debug > 1 && 1543 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN || 1544 (ic->ic_flags & IEEE80211_F_BGSCAN))) { 1545 printf("%s: %s%s on chan %u (bss chan %u) ", 1546 __func__, (ni == NULL ? "new " : ""), 1547 isprobe ? "probe response" : "beacon", 1548 chan, bchan); 1549 ieee80211_print_essid(ssid + 2, ssid[1]); 1550 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1551 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1552 __func__, capinfo, bintval, erp); 1553 } 1554 #endif 1555 1556 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1557 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1558 if (ni == NULL) 1559 return; 1560 is_new = 1; 1561 } else 1562 is_new = 0; 1563 1564 if (htcaps) 1565 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1566 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1], 1)) 1567 htop = NULL; /* invalid HTOP */ 1568 1569 ni->ni_dtimcount = dtim_count; 1570 ni->ni_dtimperiod = dtim_period; 1571 1572 /* 1573 * When operating in station mode, check for state updates 1574 * while we're associated. 1575 */ 1576 if (ic->ic_opmode == IEEE80211_M_STA && 1577 ic->ic_state == IEEE80211_S_RUN && 1578 ni->ni_state == IEEE80211_STA_BSS) { 1579 /* 1580 * Check if protection mode has changed since last beacon. 1581 */ 1582 if (ni->ni_erp != erp) { 1583 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1584 ether_sprintf((u_int8_t *)wh->i_addr2), 1585 ni->ni_erp, erp)); 1586 if ((ic->ic_curmode == IEEE80211_MODE_11G || 1587 (ic->ic_curmode == IEEE80211_MODE_11N && 1588 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 1589 (erp & IEEE80211_ERP_USE_PROTECTION)) 1590 ic->ic_flags |= IEEE80211_F_USEPROT; 1591 else 1592 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1593 ic->ic_bss->ni_erp = erp; 1594 } 1595 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) { 1596 enum ieee80211_htprot htprot_last, htprot; 1597 htprot_last = 1598 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) 1599 >> IEEE80211_HTOP1_PROT_SHIFT); 1600 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >> 1601 IEEE80211_HTOP1_PROT_SHIFT); 1602 if (htprot_last != htprot) { 1603 DPRINTF(("[%s] htprot change: was %d, now %d\n", 1604 ether_sprintf((u_int8_t *)wh->i_addr2), 1605 htprot_last, htprot)); 1606 ic->ic_stats.is_ht_prot_change++; 1607 ic->ic_bss->ni_htop1 = ni->ni_htop1; 1608 if (ic->ic_update_htprot) 1609 ic->ic_update_htprot(ic, ic->ic_bss); 1610 } 1611 } 1612 1613 /* 1614 * Check if AP short slot time setting has changed 1615 * since last beacon and give the driver a chance to 1616 * update the hardware. 1617 */ 1618 if ((ni->ni_capinfo ^ capinfo) & 1619 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1620 ieee80211_set_shortslottime(ic, 1621 ic->ic_curmode == IEEE80211_MODE_11A || 1622 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1623 } 1624 1625 /* 1626 * Reset management timer. If it is non-zero in RUN state, the 1627 * driver sent a probe request after a missed beacon event. 1628 * This probe response indicates the AP is still serving us 1629 * so don't allow ieee80211_watchdog() to move us into SCAN. 1630 */ 1631 if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0) 1632 ic->ic_mgt_timer = 0; 1633 } 1634 /* 1635 * We do not try to update EDCA parameters if QoS was not negotiated 1636 * with the AP at association time. 1637 */ 1638 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1639 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1640 if ((edcaie != NULL && 1641 ieee80211_parse_edca_params(ic, edcaie) == 0) || 1642 (wmmie != NULL && 1643 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 1644 ni->ni_flags |= IEEE80211_NODE_QOS; 1645 else 1646 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1647 } 1648 1649 if (ic->ic_state == IEEE80211_S_SCAN || 1650 (ic->ic_flags & IEEE80211_F_BGSCAN)) { 1651 struct ieee80211_rsnparams rsn, wpa; 1652 1653 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1654 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 1655 ni->ni_rsnakms = 0; 1656 ni->ni_supported_rsnakms = 0; 1657 ni->ni_rsnciphers = 0; 1658 ni->ni_rsngroupcipher = 0; 1659 ni->ni_rsngroupmgmtcipher = 0; 1660 ni->ni_rsncaps = 0; 1661 1662 if (rsnie != NULL && 1663 ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1664 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_RSN; 1665 ni->ni_supported_rsnakms |= rsn.rsn_akms; 1666 } 1667 if (wpaie != NULL && 1668 ieee80211_parse_wpa(ic, wpaie, &wpa) == 0) { 1669 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_WPA; 1670 ni->ni_supported_rsnakms |= wpa.rsn_akms; 1671 } 1672 1673 /* 1674 * If the AP advertises both WPA and RSN IEs (WPA1+WPA2), 1675 * we only use the highest protocol version we support. 1676 */ 1677 if (rsnie != NULL && 1678 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_RSN) && 1679 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1680 if (ieee80211_save_ie(rsnie, &ni->ni_rsnie) == 0 1681 #ifndef IEEE80211_STA_ONLY 1682 && ic->ic_opmode != IEEE80211_M_HOSTAP 1683 #endif 1684 ) { 1685 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1686 ni->ni_rsnakms = rsn.rsn_akms; 1687 ni->ni_rsnciphers = rsn.rsn_ciphers; 1688 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1689 ni->ni_rsngroupmgmtcipher = 1690 rsn.rsn_groupmgmtcipher; 1691 ni->ni_rsncaps = rsn.rsn_caps; 1692 } 1693 } else if (wpaie != NULL && 1694 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_WPA) && 1695 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1696 if (ieee80211_save_ie(wpaie, &ni->ni_rsnie) == 0 1697 #ifndef IEEE80211_STA_ONLY 1698 && ic->ic_opmode != IEEE80211_M_HOSTAP 1699 #endif 1700 ) { 1701 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1702 ni->ni_rsnakms = wpa.rsn_akms; 1703 ni->ni_rsnciphers = wpa.rsn_ciphers; 1704 ni->ni_rsngroupcipher = wpa.rsn_groupcipher; 1705 ni->ni_rsngroupmgmtcipher = 1706 wpa.rsn_groupmgmtcipher; 1707 ni->ni_rsncaps = wpa.rsn_caps; 1708 } 1709 } 1710 } 1711 1712 if (ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1713 ni->ni_esslen = ssid[1]; 1714 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1715 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1716 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1717 } 1718 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1719 /* XXX validate channel # */ 1720 ni->ni_chan = &ic->ic_channels[chan]; 1721 if (ic->ic_state == IEEE80211_S_SCAN && 1722 IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) { 1723 /* 1724 * During a scan on 5Ghz, prefer RSSI measured for probe 1725 * response frames. i.e. don't allow beacons to lower the 1726 * measured RSSI. Some 5GHz APs send beacons with much 1727 * less Tx power than they use for probe responses. 1728 */ 1729 if (isprobe) 1730 ni->ni_rssi = rxi->rxi_rssi; 1731 else if (ni->ni_rssi < rxi->rxi_rssi) 1732 ni->ni_rssi = rxi->rxi_rssi; 1733 } else 1734 ni->ni_rssi = rxi->rxi_rssi; 1735 ni->ni_rstamp = rxi->rxi_tstamp; 1736 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1737 ni->ni_intval = bintval; 1738 ni->ni_capinfo = capinfo; 1739 ni->ni_erp = erp; 1740 /* NB: must be after ni_chan is setup */ 1741 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1742 #ifndef IEEE80211_STA_ONLY 1743 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) { 1744 /* 1745 * Fake an association so the driver can setup it's 1746 * private state. The rate set has been setup above; 1747 * there is no handshake as in ap/station operation. 1748 */ 1749 if (ic->ic_newassoc) 1750 (*ic->ic_newassoc)(ic, ni, 1); 1751 } 1752 #endif 1753 } 1754 1755 #ifndef IEEE80211_STA_ONLY 1756 /*- 1757 * Probe request frame format: 1758 * [tlv] SSID 1759 * [tlv] Supported rates 1760 * [tlv] Extended Supported Rates (802.11g) 1761 * [tlv] HT Capabilities (802.11n) 1762 */ 1763 void 1764 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 1765 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1766 { 1767 const struct ieee80211_frame *wh; 1768 const u_int8_t *frm, *efrm; 1769 const u_int8_t *ssid, *rates, *xrates, *htcaps; 1770 u_int8_t rate; 1771 1772 if (ic->ic_opmode == IEEE80211_M_STA || 1773 ic->ic_state != IEEE80211_S_RUN) 1774 return; 1775 1776 wh = mtod(m, struct ieee80211_frame *); 1777 frm = (const u_int8_t *)&wh[1]; 1778 efrm = mtod(m, u_int8_t *) + m->m_len; 1779 1780 ssid = rates = xrates = htcaps = NULL; 1781 while (frm + 2 <= efrm) { 1782 if (frm + 2 + frm[1] > efrm) { 1783 ic->ic_stats.is_rx_elem_toosmall++; 1784 break; 1785 } 1786 switch (frm[0]) { 1787 case IEEE80211_ELEMID_SSID: 1788 ssid = frm; 1789 break; 1790 case IEEE80211_ELEMID_RATES: 1791 rates = frm; 1792 break; 1793 case IEEE80211_ELEMID_XRATES: 1794 xrates = frm; 1795 break; 1796 case IEEE80211_ELEMID_HTCAPS: 1797 htcaps = frm; 1798 break; 1799 } 1800 frm += 2 + frm[1]; 1801 } 1802 /* supported rates element is mandatory */ 1803 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1804 DPRINTF(("invalid supported rates element\n")); 1805 return; 1806 } 1807 /* SSID element is mandatory */ 1808 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1809 DPRINTF(("invalid SSID element\n")); 1810 return; 1811 } 1812 /* check that the specified SSID (if not wildcard) matches ours */ 1813 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 1814 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 1815 DPRINTF(("SSID mismatch\n")); 1816 ic->ic_stats.is_rx_ssidmismatch++; 1817 return; 1818 } 1819 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 1820 if (ssid[1] == 0 && (ic->ic_flags & IEEE80211_F_HIDENWID)) { 1821 DPRINTF(("wildcard SSID rejected")); 1822 ic->ic_stats.is_rx_ssidmismatch++; 1823 return; 1824 } 1825 1826 if (ni == ic->ic_bss) { 1827 ni = ieee80211_find_node(ic, wh->i_addr2); 1828 if (ni == NULL) 1829 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1830 if (ni == NULL) 1831 return; 1832 DPRINTF(("new probe req from %s\n", 1833 ether_sprintf((u_int8_t *)wh->i_addr2))); 1834 } 1835 ni->ni_rssi = rxi->rxi_rssi; 1836 ni->ni_rstamp = rxi->rxi_tstamp; 1837 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1838 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1839 IEEE80211_F_DODEL); 1840 if (rate & IEEE80211_RATE_BASIC) { 1841 DPRINTF(("rate mismatch for %s\n", 1842 ether_sprintf((u_int8_t *)wh->i_addr2))); 1843 return; 1844 } 1845 if (htcaps) 1846 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1847 else 1848 ieee80211_clear_htcaps(ni); 1849 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1850 } 1851 #endif /* IEEE80211_STA_ONLY */ 1852 1853 /*- 1854 * Authentication frame format: 1855 * [2] Authentication algorithm number 1856 * [2] Authentication transaction sequence number 1857 * [2] Status code 1858 */ 1859 void 1860 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 1861 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1862 { 1863 const struct ieee80211_frame *wh; 1864 const u_int8_t *frm; 1865 u_int16_t algo, seq, status; 1866 1867 /* make sure all mandatory fixed fields are present */ 1868 if (m->m_len < sizeof(*wh) + 6) { 1869 DPRINTF(("frame too short\n")); 1870 return; 1871 } 1872 wh = mtod(m, struct ieee80211_frame *); 1873 frm = (const u_int8_t *)&wh[1]; 1874 1875 algo = LE_READ_2(frm); frm += 2; 1876 seq = LE_READ_2(frm); frm += 2; 1877 status = LE_READ_2(frm); frm += 2; 1878 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 1879 ether_sprintf((u_int8_t *)wh->i_addr2))); 1880 1881 /* only "open" auth mode is supported */ 1882 if (algo != IEEE80211_AUTH_ALG_OPEN) { 1883 DPRINTF(("unsupported auth algorithm %d from %s\n", 1884 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 1885 ic->ic_stats.is_rx_auth_unsupported++; 1886 #ifndef IEEE80211_STA_ONLY 1887 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1888 /* XXX hack to workaround calling convention */ 1889 IEEE80211_SEND_MGMT(ic, ni, 1890 IEEE80211_FC0_SUBTYPE_AUTH, 1891 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xffff)); 1892 } 1893 #endif 1894 return; 1895 } 1896 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 1897 } 1898 1899 #ifndef IEEE80211_STA_ONLY 1900 /*- 1901 * (Re)Association request frame format: 1902 * [2] Capability information 1903 * [2] Listen interval 1904 * [6*] Current AP address (Reassociation only) 1905 * [tlv] SSID 1906 * [tlv] Supported rates 1907 * [tlv] Extended Supported Rates (802.11g) 1908 * [tlv] RSN (802.11i) 1909 * [tlv] QoS Capability (802.11e) 1910 * [tlv] HT Capabilities (802.11n) 1911 */ 1912 void 1913 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 1914 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 1915 { 1916 const struct ieee80211_frame *wh; 1917 const u_int8_t *frm, *efrm; 1918 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *htcaps; 1919 u_int16_t capinfo, bintval; 1920 int resp, status = 0; 1921 struct ieee80211_rsnparams rsn; 1922 u_int8_t rate; 1923 const u_int8_t *saveie = NULL; 1924 1925 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1926 ic->ic_state != IEEE80211_S_RUN) 1927 return; 1928 1929 /* make sure all mandatory fixed fields are present */ 1930 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 1931 DPRINTF(("frame too short\n")); 1932 return; 1933 } 1934 wh = mtod(m, struct ieee80211_frame *); 1935 frm = (const u_int8_t *)&wh[1]; 1936 efrm = mtod(m, u_int8_t *) + m->m_len; 1937 1938 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1939 DPRINTF(("ignore other bss from %s\n", 1940 ether_sprintf((u_int8_t *)wh->i_addr2))); 1941 ic->ic_stats.is_rx_assoc_bss++; 1942 return; 1943 } 1944 capinfo = LE_READ_2(frm); frm += 2; 1945 bintval = LE_READ_2(frm); frm += 2; 1946 if (reassoc) { 1947 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 1948 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1949 } else 1950 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1951 1952 ssid = rates = xrates = rsnie = wpaie = htcaps = NULL; 1953 while (frm + 2 <= efrm) { 1954 if (frm + 2 + frm[1] > efrm) { 1955 ic->ic_stats.is_rx_elem_toosmall++; 1956 break; 1957 } 1958 switch (frm[0]) { 1959 case IEEE80211_ELEMID_SSID: 1960 ssid = frm; 1961 break; 1962 case IEEE80211_ELEMID_RATES: 1963 rates = frm; 1964 break; 1965 case IEEE80211_ELEMID_XRATES: 1966 xrates = frm; 1967 break; 1968 case IEEE80211_ELEMID_RSN: 1969 rsnie = frm; 1970 break; 1971 case IEEE80211_ELEMID_QOS_CAP: 1972 break; 1973 case IEEE80211_ELEMID_HTCAPS: 1974 htcaps = frm; 1975 break; 1976 case IEEE80211_ELEMID_VENDOR: 1977 if (frm[1] < 4) { 1978 ic->ic_stats.is_rx_elem_toosmall++; 1979 break; 1980 } 1981 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1982 if (frm[5] == 1) 1983 wpaie = frm; 1984 } 1985 break; 1986 } 1987 frm += 2 + frm[1]; 1988 } 1989 /* supported rates element is mandatory */ 1990 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1991 DPRINTF(("invalid supported rates element\n")); 1992 return; 1993 } 1994 /* SSID element is mandatory */ 1995 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1996 DPRINTF(("invalid SSID element\n")); 1997 return; 1998 } 1999 /* check that the specified SSID matches ours */ 2000 if (ssid[1] != ic->ic_bss->ni_esslen || 2001 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 2002 DPRINTF(("SSID mismatch\n")); 2003 ic->ic_stats.is_rx_ssidmismatch++; 2004 return; 2005 } 2006 2007 if (ni->ni_state != IEEE80211_STA_AUTH && 2008 ni->ni_state != IEEE80211_STA_ASSOC) { 2009 DPRINTF(("deny %sassoc from %s, not authenticated\n", 2010 reassoc ? "re" : "", 2011 ether_sprintf((u_int8_t *)wh->i_addr2))); 2012 ni = ieee80211_find_node(ic, wh->i_addr2); 2013 if (ni == NULL) 2014 ni = ieee80211_dup_bss(ic, wh->i_addr2); 2015 if (ni != NULL) { 2016 IEEE80211_SEND_MGMT(ic, ni, 2017 IEEE80211_FC0_SUBTYPE_DEAUTH, 2018 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2019 } 2020 ic->ic_stats.is_rx_assoc_notauth++; 2021 return; 2022 } 2023 2024 if (ni->ni_state == IEEE80211_STA_ASSOC && 2025 (ni->ni_flags & IEEE80211_NODE_MFP)) { 2026 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 2027 /* send a protected Disassociate frame */ 2028 IEEE80211_SEND_MGMT(ic, ni, 2029 IEEE80211_FC0_SUBTYPE_DISASSOC, 2030 IEEE80211_REASON_AUTH_EXPIRE); 2031 /* terminate the old SA */ 2032 ieee80211_node_leave(ic, ni); 2033 } else { 2034 /* reject the (Re)Association Request temporarily */ 2035 IEEE80211_SEND_MGMT(ic, ni, resp, 2036 IEEE80211_STATUS_TRY_AGAIN_LATER); 2037 /* start SA Query procedure if not already engaged */ 2038 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 2039 ieee80211_sa_query_request(ic, ni); 2040 /* do not modify association state */ 2041 } 2042 return; 2043 } 2044 2045 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 2046 ic->ic_stats.is_rx_assoc_capmismatch++; 2047 status = IEEE80211_STATUS_CAPINFO; 2048 goto end; 2049 } 2050 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2051 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2052 IEEE80211_F_DODEL); 2053 if (rate & IEEE80211_RATE_BASIC) { 2054 ic->ic_stats.is_rx_assoc_norate++; 2055 status = IEEE80211_STATUS_BASIC_RATE; 2056 goto end; 2057 } 2058 2059 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2060 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 2061 ni->ni_rsnakms = 0; 2062 ni->ni_supported_rsnakms = 0; 2063 ni->ni_rsnciphers = 0; 2064 ni->ni_rsngroupcipher = 0; 2065 ni->ni_rsngroupmgmtcipher = 0; 2066 ni->ni_rsncaps = 0; 2067 2068 /* 2069 * A station should never include both a WPA and an RSN IE 2070 * in its (Re)Association Requests, but if it does, we only 2071 * consider the IE of the highest version of the protocol 2072 * that is allowed (ie RSN over WPA). 2073 */ 2074 if (rsnie != NULL) { 2075 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 2076 if (status != 0) 2077 goto end; 2078 ni->ni_supported_rsnprotos = IEEE80211_PROTO_RSN; 2079 ni->ni_supported_rsnakms = rsn.rsn_akms; 2080 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2081 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 2082 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 2083 saveie = rsnie; 2084 } 2085 } else if (wpaie != NULL) { 2086 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 2087 if (status != 0) 2088 goto end; 2089 ni->ni_supported_rsnprotos = IEEE80211_PROTO_WPA; 2090 ni->ni_supported_rsnakms = rsn.rsn_akms; 2091 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2092 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 2093 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 2094 saveie = wpaie; 2095 } 2096 } 2097 2098 if (ic->ic_flags & IEEE80211_F_RSNON) { 2099 if (ni->ni_rsnprotos == IEEE80211_PROTO_NONE) { 2100 /* 2101 * In an RSN, an AP shall not associate with STAs 2102 * that fail to include the RSN IE in the 2103 * (Re)Association Request. 2104 */ 2105 status = IEEE80211_STATUS_IE_INVALID; 2106 goto end; 2107 } 2108 /* 2109 * The initiating STA's RSN IE shall include one authentication 2110 * and pairwise cipher suite among those advertised by the 2111 * targeted AP. It shall also specify the group cipher suite 2112 * specified by the targeted AP. 2113 */ 2114 if (rsn.rsn_nakms != 1 || 2115 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2116 status = IEEE80211_STATUS_BAD_AKMP; 2117 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2118 goto end; 2119 } 2120 if (rsn.rsn_nciphers != 1 || 2121 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2122 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2123 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2124 goto end; 2125 } 2126 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2127 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2128 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2129 goto end; 2130 } 2131 2132 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2133 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2134 status = IEEE80211_STATUS_MFP_POLICY; 2135 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2136 goto end; 2137 } 2138 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2139 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2140 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2141 /* STA advertises an invalid setting */ 2142 status = IEEE80211_STATUS_MFP_POLICY; 2143 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2144 goto end; 2145 } 2146 /* 2147 * A STA that has associated with Management Frame Protection 2148 * enabled shall not use cipher suite pairwise selector WEP40, 2149 * WEP104, TKIP, or "Use Group cipher suite". 2150 */ 2151 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2152 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2153 rsn.rsn_groupmgmtcipher != 2154 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2155 status = IEEE80211_STATUS_MFP_POLICY; 2156 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2157 goto end; 2158 } 2159 2160 /* 2161 * Disallow new associations using TKIP if countermeasures 2162 * are active. 2163 */ 2164 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2165 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2166 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2167 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2168 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2169 goto end; 2170 } 2171 2172 /* everything looks fine, save IE and parameters */ 2173 if (saveie == NULL || 2174 ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2175 status = IEEE80211_STATUS_TOOMANY; 2176 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2177 goto end; 2178 } 2179 ni->ni_rsnakms = rsn.rsn_akms; 2180 ni->ni_rsnciphers = rsn.rsn_ciphers; 2181 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2182 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2183 ni->ni_rsncaps = rsn.rsn_caps; 2184 2185 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2186 struct ieee80211_pmk *pmk = NULL; 2187 const u_int8_t *pmkid = rsn.rsn_pmkids; 2188 /* 2189 * Check if we have a cached PMK entry matching one 2190 * of the PMKIDs specified in the RSN IE. 2191 */ 2192 while (rsn.rsn_npmkids-- > 0) { 2193 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2194 if (pmk != NULL) 2195 break; 2196 pmkid += IEEE80211_PMKID_LEN; 2197 } 2198 if (pmk != NULL) { 2199 memcpy(ni->ni_pmk, pmk->pmk_key, 2200 IEEE80211_PMK_LEN); 2201 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2202 IEEE80211_PMKID_LEN); 2203 ni->ni_flags |= IEEE80211_NODE_PMK; 2204 } 2205 } 2206 } 2207 2208 ni->ni_rssi = rxi->rxi_rssi; 2209 ni->ni_rstamp = rxi->rxi_tstamp; 2210 ni->ni_intval = bintval; 2211 ni->ni_capinfo = capinfo; 2212 ni->ni_chan = ic->ic_bss->ni_chan; 2213 if (htcaps) 2214 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2215 else 2216 ieee80211_clear_htcaps(ni); 2217 end: 2218 if (status != 0) { 2219 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2220 ieee80211_node_leave(ic, ni); 2221 } else 2222 ieee80211_node_join(ic, ni, resp); 2223 } 2224 #endif /* IEEE80211_STA_ONLY */ 2225 2226 /*- 2227 * (Re)Association response frame format: 2228 * [2] Capability information 2229 * [2] Status code 2230 * [2] Association ID (AID) 2231 * [tlv] Supported rates 2232 * [tlv] Extended Supported Rates (802.11g) 2233 * [tlv] EDCA Parameter Set (802.11e) 2234 * [tlv] HT Capabilities (802.11n) 2235 * [tlv] HT Operation (802.11n) 2236 */ 2237 void 2238 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2239 struct ieee80211_node *ni, int reassoc) 2240 { 2241 struct ifnet *ifp = &ic->ic_if; 2242 const struct ieee80211_frame *wh; 2243 const u_int8_t *frm, *efrm; 2244 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2245 u_int16_t capinfo, status, associd; 2246 u_int8_t rate; 2247 2248 if (ic->ic_opmode != IEEE80211_M_STA || 2249 ic->ic_state != IEEE80211_S_ASSOC) { 2250 ic->ic_stats.is_rx_mgtdiscard++; 2251 return; 2252 } 2253 2254 /* make sure all mandatory fixed fields are present */ 2255 if (m->m_len < sizeof(*wh) + 6) { 2256 DPRINTF(("frame too short\n")); 2257 return; 2258 } 2259 wh = mtod(m, struct ieee80211_frame *); 2260 frm = (const u_int8_t *)&wh[1]; 2261 efrm = mtod(m, u_int8_t *) + m->m_len; 2262 2263 capinfo = LE_READ_2(frm); frm += 2; 2264 status = LE_READ_2(frm); frm += 2; 2265 if (status != IEEE80211_STATUS_SUCCESS) { 2266 if (ifp->if_flags & IFF_DEBUG) 2267 printf("%s: %sassociation failed (status %d)" 2268 " for %s\n", ifp->if_xname, 2269 reassoc ? "re" : "", 2270 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2271 if (ni != ic->ic_bss) 2272 ni->ni_fails++; 2273 ic->ic_stats.is_rx_auth_fail++; 2274 return; 2275 } 2276 associd = LE_READ_2(frm); frm += 2; 2277 2278 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2279 while (frm + 2 <= efrm) { 2280 if (frm + 2 + frm[1] > efrm) { 2281 ic->ic_stats.is_rx_elem_toosmall++; 2282 break; 2283 } 2284 switch (frm[0]) { 2285 case IEEE80211_ELEMID_RATES: 2286 rates = frm; 2287 break; 2288 case IEEE80211_ELEMID_XRATES: 2289 xrates = frm; 2290 break; 2291 case IEEE80211_ELEMID_EDCAPARMS: 2292 edcaie = frm; 2293 break; 2294 case IEEE80211_ELEMID_HTCAPS: 2295 htcaps = frm; 2296 break; 2297 case IEEE80211_ELEMID_HTOP: 2298 htop = frm; 2299 break; 2300 case IEEE80211_ELEMID_VENDOR: 2301 if (frm[1] < 4) { 2302 ic->ic_stats.is_rx_elem_toosmall++; 2303 break; 2304 } 2305 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2306 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2307 wmmie = frm; 2308 } 2309 break; 2310 } 2311 frm += 2 + frm[1]; 2312 } 2313 /* supported rates element is mandatory */ 2314 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2315 DPRINTF(("invalid supported rates element\n")); 2316 return; 2317 } 2318 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2319 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2320 IEEE80211_F_DODEL); 2321 if (rate & IEEE80211_RATE_BASIC) { 2322 DPRINTF(("rate mismatch for %s\n", 2323 ether_sprintf((u_int8_t *)wh->i_addr2))); 2324 ic->ic_stats.is_rx_assoc_norate++; 2325 return; 2326 } 2327 ni->ni_capinfo = capinfo; 2328 ni->ni_associd = associd; 2329 if (edcaie != NULL || wmmie != NULL) { 2330 /* force update of EDCA parameters */ 2331 ic->ic_edca_updtcount = -1; 2332 2333 if ((edcaie != NULL && 2334 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2335 (wmmie != NULL && 2336 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2337 ni->ni_flags |= IEEE80211_NODE_QOS; 2338 else /* for Reassociation */ 2339 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2340 } 2341 if (htcaps) 2342 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2343 if (htop) 2344 ieee80211_setup_htop(ni, htop + 2, htop[1], 0); 2345 ieee80211_ht_negotiate(ic, ni); 2346 2347 /* Hop into 11n mode after associating to an HT AP in a non-11n mode. */ 2348 if (ni->ni_flags & IEEE80211_NODE_HT) 2349 ieee80211_setmode(ic, IEEE80211_MODE_11N); 2350 else 2351 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan)); 2352 /* 2353 * Reset the erp state (mostly the slot time) now that 2354 * our operating mode has been nailed down. 2355 */ 2356 ieee80211_reset_erp(ic); 2357 2358 /* 2359 * Configure state now that we are associated. 2360 */ 2361 if (ic->ic_curmode == IEEE80211_MODE_11A || 2362 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2363 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2364 else 2365 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2366 2367 ieee80211_set_shortslottime(ic, 2368 ic->ic_curmode == IEEE80211_MODE_11A || 2369 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2370 /* 2371 * Honor ERP protection. 2372 */ 2373 if ((ic->ic_curmode == IEEE80211_MODE_11G || 2374 (ic->ic_curmode == IEEE80211_MODE_11N && 2375 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 2376 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2377 ic->ic_flags |= IEEE80211_F_USEPROT; 2378 else 2379 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2380 /* 2381 * If not an RSNA, mark the port as valid, otherwise wait for 2382 * 802.1X authentication and 4-way handshake to complete.. 2383 */ 2384 if (ic->ic_flags & IEEE80211_F_RSNON) { 2385 /* XXX ic->ic_mgt_timer = 5; */ 2386 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 2387 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2388 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2389 2390 ieee80211_new_state(ic, IEEE80211_S_RUN, 2391 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2392 } 2393 2394 /*- 2395 * Deauthentication frame format: 2396 * [2] Reason code 2397 */ 2398 void 2399 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2400 struct ieee80211_node *ni) 2401 { 2402 const struct ieee80211_frame *wh; 2403 const u_int8_t *frm; 2404 u_int16_t reason; 2405 2406 /* make sure all mandatory fixed fields are present */ 2407 if (m->m_len < sizeof(*wh) + 2) { 2408 DPRINTF(("frame too short\n")); 2409 return; 2410 } 2411 wh = mtod(m, struct ieee80211_frame *); 2412 frm = (const u_int8_t *)&wh[1]; 2413 2414 reason = LE_READ_2(frm); 2415 2416 ic->ic_stats.is_rx_deauth++; 2417 switch (ic->ic_opmode) { 2418 case IEEE80211_M_STA: { 2419 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2420 ic->ic_state == IEEE80211_S_RUN); 2421 int stay_auth = ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2422 ic->ic_state >= IEEE80211_S_AUTH); 2423 if (!(bgscan || stay_auth)) 2424 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2425 IEEE80211_FC0_SUBTYPE_DEAUTH); 2426 } 2427 break; 2428 #ifndef IEEE80211_STA_ONLY 2429 case IEEE80211_M_HOSTAP: 2430 if (ni != ic->ic_bss) { 2431 int stay_auth = 2432 ((ic->ic_userflags & IEEE80211_F_STAYAUTH) && 2433 (ni->ni_state == IEEE80211_STA_AUTH || 2434 ni->ni_state == IEEE80211_STA_ASSOC)); 2435 if (ic->ic_if.if_flags & IFF_DEBUG) 2436 printf("%s: station %s deauthenticated " 2437 "by peer (reason %d)\n", 2438 ic->ic_if.if_xname, 2439 ether_sprintf(ni->ni_macaddr), 2440 reason); 2441 if (!stay_auth) 2442 ieee80211_node_leave(ic, ni); 2443 } 2444 break; 2445 #endif 2446 default: 2447 break; 2448 } 2449 } 2450 2451 /*- 2452 * Disassociation frame format: 2453 * [2] Reason code 2454 */ 2455 void 2456 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2457 struct ieee80211_node *ni) 2458 { 2459 const struct ieee80211_frame *wh; 2460 const u_int8_t *frm; 2461 u_int16_t reason; 2462 2463 /* make sure all mandatory fixed fields are present */ 2464 if (m->m_len < sizeof(*wh) + 2) { 2465 DPRINTF(("frame too short\n")); 2466 return; 2467 } 2468 wh = mtod(m, struct ieee80211_frame *); 2469 frm = (const u_int8_t *)&wh[1]; 2470 2471 reason = LE_READ_2(frm); 2472 2473 ic->ic_stats.is_rx_disassoc++; 2474 switch (ic->ic_opmode) { 2475 case IEEE80211_M_STA: { 2476 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2477 ic->ic_state == IEEE80211_S_RUN); 2478 if (!bgscan) /* ignore disassoc during bgscan */ 2479 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2480 IEEE80211_FC0_SUBTYPE_DISASSOC); 2481 } 2482 break; 2483 #ifndef IEEE80211_STA_ONLY 2484 case IEEE80211_M_HOSTAP: 2485 if (ni != ic->ic_bss) { 2486 if (ic->ic_if.if_flags & IFF_DEBUG) 2487 printf("%s: station %s disassociated " 2488 "by peer (reason %d)\n", 2489 ic->ic_if.if_xname, 2490 ether_sprintf(ni->ni_macaddr), 2491 reason); 2492 ieee80211_node_leave(ic, ni); 2493 } 2494 break; 2495 #endif 2496 default: 2497 break; 2498 } 2499 } 2500 2501 /*- 2502 * ADDBA Request frame format: 2503 * [1] Category 2504 * [1] Action 2505 * [1] Dialog Token 2506 * [2] Block Ack Parameter Set 2507 * [2] Block Ack Timeout Value 2508 * [2] Block Ack Starting Sequence Control 2509 */ 2510 void 2511 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2512 struct ieee80211_node *ni) 2513 { 2514 const struct ieee80211_frame *wh; 2515 const u_int8_t *frm; 2516 struct ieee80211_rx_ba *ba; 2517 u_int16_t params, ssn, bufsz, timeout; 2518 u_int8_t token, tid; 2519 int err = 0; 2520 2521 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2522 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2523 ether_sprintf(ni->ni_macaddr))); 2524 return; 2525 } 2526 if (m->m_len < sizeof(*wh) + 9) { 2527 DPRINTF(("frame too short\n")); 2528 return; 2529 } 2530 /* MLME-ADDBA.indication */ 2531 wh = mtod(m, struct ieee80211_frame *); 2532 frm = (const u_int8_t *)&wh[1]; 2533 2534 token = frm[2]; 2535 params = LE_READ_2(&frm[3]); 2536 tid = ((params & IEEE80211_ADDBA_TID_MASK) >> 2537 IEEE80211_ADDBA_TID_SHIFT); 2538 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >> 2539 IEEE80211_ADDBA_BUFSZ_SHIFT; 2540 timeout = LE_READ_2(&frm[5]); 2541 ssn = LE_READ_2(&frm[7]) >> 4; 2542 2543 ba = &ni->ni_rx_ba[tid]; 2544 /* check if we already have a Block Ack agreement for this RA/TID */ 2545 if (ba->ba_state == IEEE80211_BA_AGREED) { 2546 /* XXX should we update the timeout value? */ 2547 /* reset Block Ack inactivity timer */ 2548 if (ba->ba_timeout_val != 0) 2549 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2550 2551 /* check if it's a Protected Block Ack agreement */ 2552 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2553 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2554 return; /* not a PBAC, ignore */ 2555 2556 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2557 if (SEQ_LT(ba->ba_winstart, ssn)) 2558 ieee80211_ba_move_window(ic, ni, tid, ssn); 2559 return; 2560 } 2561 2562 /* if PBAC required but RA does not support it, refuse request */ 2563 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2564 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2565 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) 2566 goto refuse; 2567 /* 2568 * If the TID for which the Block Ack agreement is requested is 2569 * configured with a no-ACK policy, refuse the agreement. 2570 */ 2571 if (ic->ic_tid_noack & (1 << tid)) 2572 goto refuse; 2573 2574 /* check that we support the requested Block Ack Policy */ 2575 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2576 !(params & IEEE80211_ADDBA_BA_POLICY)) 2577 goto refuse; 2578 2579 /* setup Block Ack agreement */ 2580 ba->ba_state = IEEE80211_BA_INIT; 2581 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2582 ba->ba_ni = ni; 2583 ba->ba_token = token; 2584 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2585 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba); 2586 ba->ba_winsize = bufsz; 2587 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2588 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2589 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY); 2590 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 2591 (tid << IEEE80211_ADDBA_TID_SHIFT) | IEEE80211_ADDBA_AMSDU); 2592 ba->ba_winstart = ssn; 2593 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2594 /* allocate and setup our reordering buffer */ 2595 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2596 M_DEVBUF, M_NOWAIT | M_ZERO); 2597 if (ba->ba_buf == NULL) 2598 goto refuse; 2599 2600 ba->ba_head = 0; 2601 2602 /* notify drivers of this new Block Ack agreement */ 2603 if (ic->ic_ampdu_rx_start != NULL) 2604 err = ic->ic_ampdu_rx_start(ic, ni, tid); 2605 if (err == EBUSY) { 2606 /* driver will accept or refuse agreement when done */ 2607 return; 2608 } else if (err) { 2609 /* driver failed to setup, rollback */ 2610 ieee80211_addba_req_refuse(ic, ni, tid); 2611 } else 2612 ieee80211_addba_req_accept(ic, ni, tid); 2613 return; 2614 2615 refuse: 2616 /* MLME-ADDBA.response */ 2617 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2618 IEEE80211_ACTION_ADDBA_RESP, 2619 IEEE80211_STATUS_REFUSED << 16 | token << 8 | tid); 2620 } 2621 2622 void 2623 ieee80211_addba_req_accept(struct ieee80211com *ic, struct ieee80211_node *ni, 2624 uint8_t tid) 2625 { 2626 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2627 2628 ba->ba_state = IEEE80211_BA_AGREED; 2629 ic->ic_stats.is_ht_rx_ba_agreements++; 2630 /* start Block Ack inactivity timer */ 2631 if (ba->ba_timeout_val != 0) 2632 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2633 2634 /* MLME-ADDBA.response */ 2635 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2636 IEEE80211_ACTION_ADDBA_RESP, 2637 IEEE80211_STATUS_SUCCESS << 16 | ba->ba_token << 8 | tid); 2638 } 2639 2640 void 2641 ieee80211_addba_req_refuse(struct ieee80211com *ic, struct ieee80211_node *ni, 2642 uint8_t tid) 2643 { 2644 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2645 2646 free(ba->ba_buf, M_DEVBUF, 2647 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2648 ba->ba_buf = NULL; 2649 2650 /* MLME-ADDBA.response */ 2651 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2652 IEEE80211_ACTION_ADDBA_RESP, 2653 IEEE80211_STATUS_REFUSED << 16 | ba->ba_token << 8 | tid); 2654 } 2655 2656 /*- 2657 * ADDBA Response frame format: 2658 * [1] Category 2659 * [1] Action 2660 * [1] Dialog Token 2661 * [2] Status Code 2662 * [2] Block Ack Parameter Set 2663 * [2] Block Ack Timeout Value 2664 */ 2665 void 2666 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2667 struct ieee80211_node *ni) 2668 { 2669 const struct ieee80211_frame *wh; 2670 const u_int8_t *frm; 2671 struct ieee80211_tx_ba *ba; 2672 u_int16_t status, params, bufsz, timeout; 2673 u_int8_t token, tid; 2674 2675 if (m->m_len < sizeof(*wh) + 9) { 2676 DPRINTF(("frame too short\n")); 2677 return; 2678 } 2679 wh = mtod(m, struct ieee80211_frame *); 2680 frm = (const u_int8_t *)&wh[1]; 2681 2682 token = frm[2]; 2683 status = LE_READ_2(&frm[3]); 2684 params = LE_READ_2(&frm[5]); 2685 tid = (params >> 2) & 0xf; 2686 bufsz = (params >> 6) & 0x3ff; 2687 timeout = LE_READ_2(&frm[7]); 2688 2689 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2690 ether_sprintf(ni->ni_macaddr), tid, status)); 2691 2692 /* 2693 * Ignore if no ADDBA request has been sent for this RA/TID or 2694 * if we already have a Block Ack agreement. 2695 */ 2696 ba = &ni->ni_tx_ba[tid]; 2697 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2698 DPRINTF(("no matching ADDBA req found\n")); 2699 return; 2700 } 2701 if (token != ba->ba_token) { 2702 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2703 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2704 return; 2705 } 2706 /* we got an ADDBA Response matching our request, stop timeout */ 2707 timeout_del(&ba->ba_to); 2708 2709 if (status != IEEE80211_STATUS_SUCCESS) { 2710 /* MLME-ADDBA.confirm(Failure) */ 2711 ba->ba_state = IEEE80211_BA_INIT; 2712 return; 2713 } 2714 /* MLME-ADDBA.confirm(Success) */ 2715 ba->ba_state = IEEE80211_BA_AGREED; 2716 ic->ic_stats.is_ht_tx_ba_agreements++; 2717 2718 /* notify drivers of this new Block Ack agreement */ 2719 if (ic->ic_ampdu_tx_start != NULL) 2720 (void)ic->ic_ampdu_tx_start(ic, ni, tid); 2721 2722 /* start Block Ack inactivity timeout */ 2723 if (ba->ba_timeout_val != 0) 2724 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2725 } 2726 2727 /*- 2728 * DELBA frame format: 2729 * [1] Category 2730 * [1] Action 2731 * [2] DELBA Parameter Set 2732 * [2] Reason Code 2733 */ 2734 void 2735 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 2736 struct ieee80211_node *ni) 2737 { 2738 const struct ieee80211_frame *wh; 2739 const u_int8_t *frm; 2740 u_int16_t params, reason; 2741 u_int8_t tid; 2742 int i; 2743 2744 if (m->m_len < sizeof(*wh) + 6) { 2745 DPRINTF(("frame too short\n")); 2746 return; 2747 } 2748 wh = mtod(m, struct ieee80211_frame *); 2749 frm = (const u_int8_t *)&wh[1]; 2750 2751 params = LE_READ_2(&frm[2]); 2752 reason = LE_READ_2(&frm[4]); 2753 tid = params >> 12; 2754 2755 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 2756 ether_sprintf(ni->ni_macaddr), tid, reason)); 2757 2758 if (params & IEEE80211_DELBA_INITIATOR) { 2759 /* MLME-DELBA.indication(Originator) */ 2760 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2761 2762 if (ba->ba_state != IEEE80211_BA_AGREED) { 2763 DPRINTF(("no matching Block Ack agreement\n")); 2764 return; 2765 } 2766 /* notify drivers of the end of the Block Ack agreement */ 2767 if (ic->ic_ampdu_rx_stop != NULL) 2768 ic->ic_ampdu_rx_stop(ic, ni, tid); 2769 2770 ba->ba_state = IEEE80211_BA_INIT; 2771 /* stop Block Ack inactivity timer */ 2772 timeout_del(&ba->ba_to); 2773 timeout_del(&ba->ba_gap_to); 2774 2775 if (ba->ba_buf != NULL) { 2776 /* free all MSDUs stored in reordering buffer */ 2777 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 2778 m_freem(ba->ba_buf[i].m); 2779 /* free reordering buffer */ 2780 free(ba->ba_buf, M_DEVBUF, 2781 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2782 ba->ba_buf = NULL; 2783 } 2784 } else { 2785 /* MLME-DELBA.indication(Recipient) */ 2786 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2787 2788 if (ba->ba_state != IEEE80211_BA_AGREED) { 2789 DPRINTF(("no matching Block Ack agreement\n")); 2790 return; 2791 } 2792 /* notify drivers of the end of the Block Ack agreement */ 2793 if (ic->ic_ampdu_tx_stop != NULL) 2794 ic->ic_ampdu_tx_stop(ic, ni, tid); 2795 2796 ba->ba_state = IEEE80211_BA_INIT; 2797 /* stop Block Ack inactivity timer */ 2798 timeout_del(&ba->ba_to); 2799 } 2800 } 2801 2802 /*- 2803 * SA Query Request frame format: 2804 * [1] Category 2805 * [1] Action 2806 * [2] Transaction Identifier 2807 */ 2808 void 2809 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 2810 struct ieee80211_node *ni) 2811 { 2812 const struct ieee80211_frame *wh; 2813 const u_int8_t *frm; 2814 2815 if (ic->ic_opmode != IEEE80211_M_STA || 2816 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 2817 DPRINTF(("unexpected SA Query req from %s\n", 2818 ether_sprintf(ni->ni_macaddr))); 2819 return; 2820 } 2821 if (m->m_len < sizeof(*wh) + 4) { 2822 DPRINTF(("frame too short\n")); 2823 return; 2824 } 2825 wh = mtod(m, struct ieee80211_frame *); 2826 frm = (const u_int8_t *)&wh[1]; 2827 2828 /* MLME-SAQuery.indication */ 2829 2830 /* save Transaction Identifier for SA Query Response */ 2831 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 2832 2833 /* MLME-SAQuery.response */ 2834 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 2835 IEEE80211_ACTION_SA_QUERY_RESP, 0); 2836 } 2837 2838 #ifndef IEEE80211_STA_ONLY 2839 /*- 2840 * SA Query Response frame format: 2841 * [1] Category 2842 * [1] Action 2843 * [2] Transaction Identifier 2844 */ 2845 void 2846 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 2847 struct ieee80211_node *ni) 2848 { 2849 const struct ieee80211_frame *wh; 2850 const u_int8_t *frm; 2851 2852 /* ignore if we're not engaged in an SA Query with that STA */ 2853 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 2854 DPRINTF(("unexpected SA Query resp from %s\n", 2855 ether_sprintf(ni->ni_macaddr))); 2856 return; 2857 } 2858 if (m->m_len < sizeof(*wh) + 4) { 2859 DPRINTF(("frame too short\n")); 2860 return; 2861 } 2862 wh = mtod(m, struct ieee80211_frame *); 2863 frm = (const u_int8_t *)&wh[1]; 2864 2865 /* check that Transaction Identifier matches */ 2866 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 2867 DPRINTF(("transaction identifier does not match\n")); 2868 return; 2869 } 2870 /* MLME-SAQuery.confirm */ 2871 timeout_del(&ni->ni_sa_query_to); 2872 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 2873 } 2874 #endif 2875 2876 /*- 2877 * Action frame format: 2878 * [1] Category 2879 * [1] Action 2880 */ 2881 void 2882 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 2883 struct ieee80211_node *ni) 2884 { 2885 const struct ieee80211_frame *wh; 2886 const u_int8_t *frm; 2887 2888 if (m->m_len < sizeof(*wh) + 2) { 2889 DPRINTF(("frame too short\n")); 2890 return; 2891 } 2892 wh = mtod(m, struct ieee80211_frame *); 2893 frm = (const u_int8_t *)&wh[1]; 2894 2895 switch (frm[0]) { 2896 case IEEE80211_CATEG_BA: 2897 switch (frm[1]) { 2898 case IEEE80211_ACTION_ADDBA_REQ: 2899 ieee80211_recv_addba_req(ic, m, ni); 2900 break; 2901 case IEEE80211_ACTION_ADDBA_RESP: 2902 ieee80211_recv_addba_resp(ic, m, ni); 2903 break; 2904 case IEEE80211_ACTION_DELBA: 2905 ieee80211_recv_delba(ic, m, ni); 2906 break; 2907 } 2908 break; 2909 case IEEE80211_CATEG_SA_QUERY: 2910 switch (frm[1]) { 2911 case IEEE80211_ACTION_SA_QUERY_REQ: 2912 ieee80211_recv_sa_query_req(ic, m, ni); 2913 break; 2914 #ifndef IEEE80211_STA_ONLY 2915 case IEEE80211_ACTION_SA_QUERY_RESP: 2916 ieee80211_recv_sa_query_resp(ic, m, ni); 2917 break; 2918 #endif 2919 } 2920 break; 2921 default: 2922 DPRINTF(("action frame category %d not handled\n", frm[0])); 2923 break; 2924 } 2925 } 2926 2927 void 2928 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 2929 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 2930 { 2931 switch (subtype) { 2932 case IEEE80211_FC0_SUBTYPE_BEACON: 2933 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 2934 break; 2935 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 2936 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 2937 break; 2938 #ifndef IEEE80211_STA_ONLY 2939 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2940 ieee80211_recv_probe_req(ic, m, ni, rxi); 2941 break; 2942 #endif 2943 case IEEE80211_FC0_SUBTYPE_AUTH: 2944 ieee80211_recv_auth(ic, m, ni, rxi); 2945 break; 2946 #ifndef IEEE80211_STA_ONLY 2947 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2948 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 2949 break; 2950 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 2951 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 2952 break; 2953 #endif 2954 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2955 ieee80211_recv_assoc_resp(ic, m, ni, 0); 2956 break; 2957 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2958 ieee80211_recv_assoc_resp(ic, m, ni, 1); 2959 break; 2960 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2961 ieee80211_recv_deauth(ic, m, ni); 2962 break; 2963 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2964 ieee80211_recv_disassoc(ic, m, ni); 2965 break; 2966 case IEEE80211_FC0_SUBTYPE_ACTION: 2967 ieee80211_recv_action(ic, m, ni); 2968 break; 2969 default: 2970 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 2971 subtype)); 2972 ic->ic_stats.is_rx_badsubtype++; 2973 break; 2974 } 2975 } 2976 2977 #ifndef IEEE80211_STA_ONLY 2978 /* 2979 * Process an incoming PS-Poll control frame (see 11.2). 2980 */ 2981 void 2982 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 2983 struct ieee80211_node *ni) 2984 { 2985 struct ifnet *ifp = &ic->ic_if; 2986 struct ieee80211_frame_pspoll *psp; 2987 struct ieee80211_frame *wh; 2988 u_int16_t aid; 2989 2990 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2991 !(ic->ic_caps & IEEE80211_C_APPMGT) || 2992 ni->ni_state != IEEE80211_STA_ASSOC) 2993 return; 2994 2995 if (m->m_len < sizeof(*psp)) { 2996 DPRINTF(("frame too short, len %u\n", m->m_len)); 2997 ic->ic_stats.is_rx_tooshort++; 2998 return; 2999 } 3000 psp = mtod(m, struct ieee80211_frame_pspoll *); 3001 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 3002 DPRINTF(("discard pspoll frame to BSS %s\n", 3003 ether_sprintf(psp->i_bssid))); 3004 ic->ic_stats.is_rx_wrongbss++; 3005 return; 3006 } 3007 aid = letoh16(*(u_int16_t *)psp->i_aid); 3008 if (aid != ni->ni_associd) { 3009 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 3010 ether_sprintf(psp->i_ta))); 3011 return; 3012 } 3013 3014 /* take the first queued frame and put it out.. */ 3015 m = mq_dequeue(&ni->ni_savedq); 3016 if (m == NULL) 3017 return; 3018 if (mq_empty(&ni->ni_savedq)) { 3019 /* last queued frame, turn off the TIM bit */ 3020 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 3021 } else { 3022 /* more queued frames, set the more data bit */ 3023 wh = mtod(m, struct ieee80211_frame *); 3024 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 3025 } 3026 mq_enqueue(&ic->ic_pwrsaveq, m); 3027 if_start(ifp); 3028 } 3029 #endif /* IEEE80211_STA_ONLY */ 3030 3031 /* 3032 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 3033 */ 3034 void 3035 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 3036 struct ieee80211_node *ni) 3037 { 3038 const struct ieee80211_frame_min *wh; 3039 const u_int8_t *frm; 3040 u_int16_t ctl, ssn; 3041 u_int8_t tid, ntids; 3042 3043 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 3044 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 3045 ether_sprintf(ni->ni_macaddr))); 3046 return; 3047 } 3048 if (m->m_len < sizeof(*wh) + 4) { 3049 DPRINTF(("frame too short\n")); 3050 return; 3051 } 3052 wh = mtod(m, struct ieee80211_frame_min *); 3053 frm = (const u_int8_t *)&wh[1]; 3054 3055 /* read BlockAckReq Control field */ 3056 ctl = LE_READ_2(&frm[0]); 3057 tid = ctl >> 12; 3058 3059 /* determine BlockAckReq frame variant */ 3060 if (ctl & IEEE80211_BA_MULTI_TID) { 3061 /* Multi-TID BlockAckReq variant (PSMP only) */ 3062 ntids = tid + 1; 3063 3064 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 3065 DPRINTF(("MTBAR frame too short\n")); 3066 return; 3067 } 3068 frm += 2; /* skip BlockAckReq Control field */ 3069 while (ntids-- > 0) { 3070 /* read MTBAR Information field */ 3071 tid = LE_READ_2(&frm[0]) >> 12; 3072 ssn = LE_READ_2(&frm[2]) >> 4; 3073 ieee80211_bar_tid(ic, ni, tid, ssn); 3074 frm += 4; 3075 } 3076 } else { 3077 /* Basic or Compressed BlockAckReq variants */ 3078 ssn = LE_READ_2(&frm[2]) >> 4; 3079 ieee80211_bar_tid(ic, ni, tid, ssn); 3080 } 3081 } 3082 3083 /* 3084 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 3085 * This is the common back-end for all BlockAckReq frame variants. 3086 */ 3087 void 3088 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 3089 u_int8_t tid, u_int16_t ssn) 3090 { 3091 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3092 3093 /* check if we have a Block Ack agreement for RA/TID */ 3094 if (ba->ba_state != IEEE80211_BA_AGREED) { 3095 /* XXX not sure in PBAC case */ 3096 /* send a DELBA with reason code UNKNOWN-BA */ 3097 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3098 IEEE80211_ACTION_DELBA, 3099 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 3100 return; 3101 } 3102 /* check if it is a Protected Block Ack agreement */ 3103 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 3104 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 3105 /* ADDBA Requests must be used in PBAC case */ 3106 if (SEQ_LT(ssn, ba->ba_winstart) || 3107 SEQ_LT(ba->ba_winend, ssn)) 3108 ic->ic_stats.is_pbac_errs++; 3109 return; /* PBAC, do not move window */ 3110 } 3111 /* reset Block Ack inactivity timer */ 3112 if (ba->ba_timeout_val != 0) 3113 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3114 3115 if (SEQ_LT(ba->ba_winstart, ssn)) 3116 ieee80211_ba_move_window(ic, ni, tid, ssn); 3117 } 3118