1 /* $OpenBSD: ieee80211_input.c,v 1.196 2017/09/04 09:11:46 stsp Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/sysctl.h> 44 #include <sys/task.h> 45 46 #include <net/if.h> 47 #include <net/if_dl.h> 48 #include <net/if_media.h> 49 #include <net/if_llc.h> 50 51 #if NBPFILTER > 0 52 #include <net/bpf.h> 53 #endif 54 55 #include <netinet/in.h> 56 #include <netinet/if_ether.h> 57 58 #include <net80211/ieee80211_var.h> 59 #include <net80211/ieee80211_priv.h> 60 61 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 62 void ieee80211_defrag_timeout(void *); 63 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *, 64 struct ieee80211_node *, int, struct ieee80211_rxinfo *); 65 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *, 66 struct ieee80211_rx_ba *); 67 void ieee80211_input_ba_gap_timeout(void *arg); 68 void ieee80211_ba_move_window(struct ieee80211com *, 69 struct ieee80211_node *, u_int8_t, u_int16_t); 70 void ieee80211_input_ba_seq(struct ieee80211com *, 71 struct ieee80211_node *, uint8_t, uint16_t); 72 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 73 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 74 struct ieee80211_node *, int); 75 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 76 struct ieee80211_node *, int); 77 void ieee80211_deliver_data(struct ieee80211com *, struct mbuf *, 78 struct ieee80211_node *, int); 79 int ieee80211_parse_edca_params_body(struct ieee80211com *, 80 const u_int8_t *); 81 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 82 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 83 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 84 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 85 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 86 u_int, struct ieee80211_rsnparams *); 87 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 88 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 89 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 90 #ifndef IEEE80211_STA_ONLY 91 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 92 struct ieee80211_node *, struct ieee80211_rxinfo *); 93 #endif 94 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 95 struct ieee80211_node *, struct ieee80211_rxinfo *); 96 #ifndef IEEE80211_STA_ONLY 97 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 98 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 99 #endif 100 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 101 struct ieee80211_node *, int); 102 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 103 struct ieee80211_node *); 104 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 105 struct ieee80211_node *); 106 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 107 struct ieee80211_node *); 108 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 109 struct ieee80211_node *); 110 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 111 struct ieee80211_node *); 112 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 113 struct ieee80211_node *); 114 #ifndef IEEE80211_STA_ONLY 115 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 116 struct ieee80211_node *); 117 #endif 118 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 119 struct ieee80211_node *); 120 #ifndef IEEE80211_STA_ONLY 121 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 122 struct ieee80211_node *); 123 #endif 124 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 125 struct ieee80211_node *); 126 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 127 u_int8_t, u_int16_t); 128 129 /* 130 * Retrieve the length in bytes of an 802.11 header. 131 */ 132 u_int 133 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 134 { 135 u_int size = sizeof(*wh); 136 137 /* NB: does not work with control frames */ 138 KASSERT(ieee80211_has_seq(wh)); 139 140 if (ieee80211_has_addr4(wh)) 141 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 142 if (ieee80211_has_qos(wh)) 143 size += sizeof(u_int16_t); /* i_qos */ 144 if (ieee80211_has_htc(wh)) 145 size += sizeof(u_int32_t); /* i_ht */ 146 return size; 147 } 148 149 /* 150 * Process a received frame. The node associated with the sender 151 * should be supplied. If nothing was found in the node table then 152 * the caller is assumed to supply a reference to ic_bss instead. 153 * The RSSI and a timestamp are also supplied. The RSSI data is used 154 * during AP scanning to select a AP to associate with; it can have 155 * any units so long as values have consistent units and higher values 156 * mean ``better signal''. The receive timestamp is currently not used 157 * by the 802.11 layer. 158 */ 159 void 160 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 161 struct ieee80211_rxinfo *rxi) 162 { 163 struct ieee80211com *ic = (void *)ifp; 164 struct ieee80211_frame *wh; 165 u_int16_t *orxseq, nrxseq, qos; 166 u_int8_t dir, type, subtype, tid; 167 int hdrlen, hasqos; 168 169 KASSERT(ni != NULL); 170 171 /* in monitor mode, send everything directly to bpf */ 172 if (ic->ic_opmode == IEEE80211_M_MONITOR) 173 goto out; 174 175 /* 176 * Do not process frames without an Address 2 field any further. 177 * Only CTS and ACK control frames do not have this field. 178 */ 179 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 180 DPRINTF(("frame too short, len %u\n", m->m_len)); 181 ic->ic_stats.is_rx_tooshort++; 182 goto out; 183 } 184 185 wh = mtod(m, struct ieee80211_frame *); 186 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 187 IEEE80211_FC0_VERSION_0) { 188 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 189 ic->ic_stats.is_rx_badversion++; 190 goto err; 191 } 192 193 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 194 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 195 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 196 197 if (type != IEEE80211_FC0_TYPE_CTL) { 198 hdrlen = ieee80211_get_hdrlen(wh); 199 if (m->m_len < hdrlen) { 200 DPRINTF(("frame too short, len %u\n", m->m_len)); 201 ic->ic_stats.is_rx_tooshort++; 202 goto err; 203 } 204 } 205 if ((hasqos = ieee80211_has_qos(wh))) { 206 qos = ieee80211_get_qos(wh); 207 tid = qos & IEEE80211_QOS_TID; 208 } else { 209 qos = 0; 210 tid = 0; 211 } 212 213 if (type == IEEE80211_FC0_TYPE_DATA && hasqos && 214 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 && 215 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE)) { 216 int ba_state = ni->ni_rx_ba[tid].ba_state; 217 218 /* 219 * If Block Ack was explicitly requested, check 220 * if we have a BA agreement for this RA/TID. 221 */ 222 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 223 IEEE80211_QOS_ACK_POLICY_BA && 224 ba_state != IEEE80211_BA_AGREED) { 225 DPRINTF(("no BA agreement for %s, TID %d\n", 226 ether_sprintf(ni->ni_macaddr), tid)); 227 /* send a DELBA with reason code UNKNOWN-BA */ 228 IEEE80211_SEND_ACTION(ic, ni, 229 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 230 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 231 goto err; 232 } 233 234 /* 235 * Check if we have an explicit or implicit 236 * Block Ack Request for a valid BA agreement. 237 */ 238 if (ba_state == IEEE80211_BA_AGREED && 239 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 240 IEEE80211_QOS_ACK_POLICY_BA || 241 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 242 IEEE80211_QOS_ACK_POLICY_NORMAL)) { 243 /* go through A-MPDU reordering */ 244 ieee80211_input_ba(ic, m, ni, tid, rxi); 245 return; /* don't free m! */ 246 } 247 } 248 249 /* duplicate detection (see 9.2.9) */ 250 if (ieee80211_has_seq(wh) && 251 ic->ic_state != IEEE80211_S_SCAN) { 252 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 253 IEEE80211_SEQ_SEQ_SHIFT; 254 if (hasqos) 255 orxseq = &ni->ni_qos_rxseqs[tid]; 256 else 257 orxseq = &ni->ni_rxseq; 258 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 259 nrxseq == *orxseq) { 260 /* duplicate, silently discarded */ 261 ic->ic_stats.is_rx_dup++; 262 goto out; 263 } 264 *orxseq = nrxseq; 265 } 266 if (ic->ic_state != IEEE80211_S_SCAN) { 267 ni->ni_rssi = rxi->rxi_rssi; 268 ni->ni_rstamp = rxi->rxi_tstamp; 269 ni->ni_inact = 0; 270 } 271 272 #ifndef IEEE80211_STA_ONLY 273 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 274 (ic->ic_caps & IEEE80211_C_APPMGT) && 275 ni->ni_state == IEEE80211_STA_ASSOC) { 276 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 277 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 278 /* turn on PS mode */ 279 ni->ni_pwrsave = IEEE80211_PS_DOZE; 280 DPRINTF(("PS mode on for %s\n", 281 ether_sprintf(wh->i_addr2))); 282 } 283 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 284 struct mbuf *m; 285 286 /* turn off PS mode */ 287 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 288 DPRINTF(("PS mode off for %s\n", 289 ether_sprintf(wh->i_addr2))); 290 291 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 292 293 /* dequeue buffered unicast frames */ 294 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) { 295 mq_enqueue(&ic->ic_pwrsaveq, m); 296 if_start(ifp); 297 } 298 } 299 } 300 #endif 301 switch (type) { 302 case IEEE80211_FC0_TYPE_DATA: 303 switch (ic->ic_opmode) { 304 case IEEE80211_M_STA: 305 if (dir != IEEE80211_FC1_DIR_FROMDS) { 306 ic->ic_stats.is_rx_wrongdir++; 307 goto out; 308 } 309 if (ic->ic_state != IEEE80211_S_SCAN && 310 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 311 /* Source address is not our BSS. */ 312 DPRINTF(("discard frame from SA %s\n", 313 ether_sprintf(wh->i_addr2))); 314 ic->ic_stats.is_rx_wrongbss++; 315 goto out; 316 } 317 if ((ifp->if_flags & IFF_SIMPLEX) && 318 IEEE80211_IS_MULTICAST(wh->i_addr1) && 319 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 320 /* 321 * In IEEE802.11 network, multicast frame 322 * sent from me is broadcasted from AP. 323 * It should be silently discarded for 324 * SIMPLEX interface. 325 */ 326 ic->ic_stats.is_rx_mcastecho++; 327 goto out; 328 } 329 break; 330 #ifndef IEEE80211_STA_ONLY 331 case IEEE80211_M_IBSS: 332 case IEEE80211_M_AHDEMO: 333 if (dir != IEEE80211_FC1_DIR_NODS) { 334 ic->ic_stats.is_rx_wrongdir++; 335 goto out; 336 } 337 if (ic->ic_state != IEEE80211_S_SCAN && 338 !IEEE80211_ADDR_EQ(wh->i_addr3, 339 ic->ic_bss->ni_bssid) && 340 !IEEE80211_ADDR_EQ(wh->i_addr3, 341 etherbroadcastaddr)) { 342 /* Destination is not our BSS or broadcast. */ 343 DPRINTF(("discard data frame to DA %s\n", 344 ether_sprintf(wh->i_addr3))); 345 ic->ic_stats.is_rx_wrongbss++; 346 goto out; 347 } 348 break; 349 case IEEE80211_M_HOSTAP: 350 if (dir != IEEE80211_FC1_DIR_TODS) { 351 ic->ic_stats.is_rx_wrongdir++; 352 goto out; 353 } 354 if (ic->ic_state != IEEE80211_S_SCAN && 355 !IEEE80211_ADDR_EQ(wh->i_addr1, 356 ic->ic_bss->ni_bssid) && 357 !IEEE80211_ADDR_EQ(wh->i_addr1, 358 etherbroadcastaddr)) { 359 /* BSS is not us or broadcast. */ 360 DPRINTF(("discard data frame to BSS %s\n", 361 ether_sprintf(wh->i_addr1))); 362 ic->ic_stats.is_rx_wrongbss++; 363 goto out; 364 } 365 /* check if source STA is associated */ 366 if (ni == ic->ic_bss) { 367 DPRINTF(("data from unknown src %s\n", 368 ether_sprintf(wh->i_addr2))); 369 /* NB: caller deals with reference */ 370 ni = ieee80211_find_node(ic, wh->i_addr2); 371 if (ni == NULL) 372 ni = ieee80211_dup_bss(ic, wh->i_addr2); 373 if (ni != NULL) { 374 IEEE80211_SEND_MGMT(ic, ni, 375 IEEE80211_FC0_SUBTYPE_DEAUTH, 376 IEEE80211_REASON_NOT_AUTHED); 377 } 378 ic->ic_stats.is_rx_notassoc++; 379 goto err; 380 } 381 if (ni->ni_state != IEEE80211_STA_ASSOC) { 382 DPRINTF(("data from unassoc src %s\n", 383 ether_sprintf(wh->i_addr2))); 384 IEEE80211_SEND_MGMT(ic, ni, 385 IEEE80211_FC0_SUBTYPE_DISASSOC, 386 IEEE80211_REASON_NOT_ASSOCED); 387 ic->ic_stats.is_rx_notassoc++; 388 goto err; 389 } 390 break; 391 #endif /* IEEE80211_STA_ONLY */ 392 default: 393 /* can't get there */ 394 goto out; 395 } 396 397 if ((ic->ic_flags & IEEE80211_F_WEPON) || 398 ((ic->ic_flags & IEEE80211_F_RSNON) && 399 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 400 /* protection is on for Rx */ 401 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 402 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 403 /* drop unencrypted */ 404 ic->ic_stats.is_rx_unencrypted++; 405 goto err; 406 } 407 /* do software decryption */ 408 m = ieee80211_decrypt(ic, m, ni); 409 if (m == NULL) { 410 ic->ic_stats.is_rx_wepfail++; 411 goto err; 412 } 413 wh = mtod(m, struct ieee80211_frame *); 414 } 415 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 416 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 417 /* frame encrypted but protection off for Rx */ 418 ic->ic_stats.is_rx_nowep++; 419 goto out; 420 } 421 422 #if NBPFILTER > 0 423 /* copy to listener after decrypt */ 424 if (ic->ic_rawbpf) 425 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 426 #endif 427 428 if ((ni->ni_flags & IEEE80211_NODE_HT) && 429 hasqos && (qos & IEEE80211_QOS_AMSDU)) 430 ieee80211_amsdu_decap(ic, m, ni, hdrlen); 431 else 432 ieee80211_decap(ic, m, ni, hdrlen); 433 return; 434 435 case IEEE80211_FC0_TYPE_MGT: 436 if (dir != IEEE80211_FC1_DIR_NODS) { 437 ic->ic_stats.is_rx_wrongdir++; 438 goto err; 439 } 440 #ifndef IEEE80211_STA_ONLY 441 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 442 ic->ic_stats.is_rx_ahdemo_mgt++; 443 goto out; 444 } 445 #endif 446 /* drop frames without interest */ 447 if (ic->ic_state == IEEE80211_S_SCAN) { 448 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 449 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 450 ic->ic_stats.is_rx_mgtdiscard++; 451 goto out; 452 } 453 } 454 455 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 456 /* MMPDU protection is on for Rx */ 457 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 458 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 459 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 460 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 461 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 462 /* unicast mgmt not encrypted */ 463 goto out; 464 } 465 /* do software decryption */ 466 m = ieee80211_decrypt(ic, m, ni); 467 if (m == NULL) { 468 /* XXX stats */ 469 goto out; 470 } 471 wh = mtod(m, struct ieee80211_frame *); 472 } 473 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 474 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 475 /* encrypted but MMPDU Rx protection off for TA */ 476 goto out; 477 } 478 479 #if NBPFILTER > 0 480 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) { 481 /* 482 * Drop mbuf if it was filtered by bpf. Normally, 483 * this is done in ether_input() but IEEE 802.11 484 * management frames are a special case. 485 */ 486 m_freem(m); 487 return; 488 } 489 #endif 490 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 491 m_freem(m); 492 return; 493 494 case IEEE80211_FC0_TYPE_CTL: 495 ic->ic_stats.is_rx_ctl++; 496 switch (subtype) { 497 #ifndef IEEE80211_STA_ONLY 498 case IEEE80211_FC0_SUBTYPE_PS_POLL: 499 ieee80211_recv_pspoll(ic, m, ni); 500 break; 501 #endif 502 case IEEE80211_FC0_SUBTYPE_BAR: 503 ieee80211_recv_bar(ic, m, ni); 504 break; 505 default: 506 break; 507 } 508 goto out; 509 510 default: 511 DPRINTF(("bad frame type %x\n", type)); 512 /* should not come here */ 513 break; 514 } 515 err: 516 ifp->if_ierrors++; 517 out: 518 if (m != NULL) { 519 #if NBPFILTER > 0 520 if (ic->ic_rawbpf) 521 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 522 #endif 523 m_freem(m); 524 } 525 } 526 527 /* 528 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 529 * reception of fragments of three fragmented MSDUs or MMPDUs. 530 */ 531 struct mbuf * 532 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 533 { 534 const struct ieee80211_frame *owh, *wh; 535 struct ieee80211_defrag *df; 536 u_int16_t rxseq, seq; 537 u_int8_t frag; 538 int i; 539 540 wh = mtod(m, struct ieee80211_frame *); 541 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 542 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 543 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 544 545 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 546 return m; /* not fragmented */ 547 548 if (frag == 0) { 549 /* first fragment, setup entry in the fragment cache */ 550 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 551 ic->ic_defrag_cur = 0; 552 df = &ic->ic_defrag[ic->ic_defrag_cur]; 553 m_freem(df->df_m); /* discard old entry */ 554 df->df_seq = seq; 555 df->df_frag = 0; 556 df->df_m = m; 557 /* start receive MSDU timer of aMaxReceiveLifetime */ 558 timeout_add_sec(&df->df_to, 1); 559 return NULL; /* MSDU or MMPDU not yet complete */ 560 } 561 562 /* find matching entry in the fragment cache */ 563 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 564 df = &ic->ic_defrag[i]; 565 if (df->df_m == NULL) 566 continue; 567 if (df->df_seq != seq || df->df_frag + 1 != frag) 568 continue; 569 owh = mtod(df->df_m, struct ieee80211_frame *); 570 /* frame type, source and destination must match */ 571 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 572 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 573 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 574 continue; 575 /* matching entry found */ 576 break; 577 } 578 if (i == IEEE80211_DEFRAG_SIZE) { 579 /* no matching entry found, discard fragment */ 580 ic->ic_if.if_ierrors++; 581 m_freem(m); 582 return NULL; 583 } 584 585 df->df_frag = frag; 586 /* strip 802.11 header and concatenate fragment */ 587 m_adj(m, hdrlen); 588 m_cat(df->df_m, m); 589 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 590 591 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 592 return NULL; /* MSDU or MMPDU not yet complete */ 593 594 /* MSDU or MMPDU complete */ 595 timeout_del(&df->df_to); 596 m = df->df_m; 597 df->df_m = NULL; 598 return m; 599 } 600 601 /* 602 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 603 */ 604 void 605 ieee80211_defrag_timeout(void *arg) 606 { 607 struct ieee80211_defrag *df = arg; 608 int s = splnet(); 609 610 /* discard all received fragments */ 611 m_freem(df->df_m); 612 df->df_m = NULL; 613 614 splx(s); 615 } 616 617 /* 618 * Process a received data MPDU related to a specific HT-immediate Block Ack 619 * agreement (see 9.10.7.6). 620 */ 621 void 622 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m, 623 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi) 624 { 625 struct ifnet *ifp = &ic->ic_if; 626 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 627 struct ieee80211_frame *wh; 628 int idx, count; 629 u_int16_t sn; 630 631 wh = mtod(m, struct ieee80211_frame *); 632 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 633 634 /* reset Block Ack inactivity timer */ 635 if (ba->ba_timeout_val != 0) 636 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 637 638 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 639 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; 640 m_freem(m); /* discard the MPDU */ 641 return; 642 } 643 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 644 ic->ic_stats.is_ht_rx_frame_above_ba_winend++; 645 count = (sn - ba->ba_winend) & 0xfff; 646 if (count > ba->ba_winsize) { 647 /* 648 * Check whether we're consistently behind the window, 649 * and let the window move forward if neccessary. 650 */ 651 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 652 if (ba->ba_missedsn == ((sn - 1) & 0xfff)) 653 ba->ba_winmiss++; 654 else 655 ba->ba_winmiss = 0; 656 ba->ba_missedsn = sn; 657 ifp->if_ierrors++; 658 m_freem(m); /* discard the MPDU */ 659 return; 660 } 661 662 /* It appears the window has moved for real. */ 663 ic->ic_stats.is_ht_rx_ba_window_jump++; 664 ba->ba_winmiss = 0; 665 ba->ba_missedsn = 0; 666 ieee80211_ba_move_window(ic, ni, tid, sn); 667 } else { 668 ic->ic_stats.is_ht_rx_ba_window_slide++; 669 ieee80211_input_ba_seq(ic, ni, tid, 670 (ba->ba_winstart + count) & 0xfff); 671 ieee80211_input_ba_flush(ic, ni, ba); 672 } 673 } 674 /* WinStartB <= SN <= WinEndB */ 675 676 ba->ba_winmiss = 0; 677 ba->ba_missedsn = 0; 678 idx = (sn - ba->ba_winstart) & 0xfff; 679 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 680 /* store the received MPDU in the buffer */ 681 if (ba->ba_buf[idx].m != NULL) { 682 ifp->if_ierrors++; 683 ic->ic_stats.is_ht_rx_ba_no_buf++; 684 m_freem(m); 685 return; 686 } 687 ba->ba_buf[idx].m = m; 688 /* store Rx meta-data too */ 689 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 690 ba->ba_buf[idx].rxi = *rxi; 691 692 if (ba->ba_buf[ba->ba_head].m == NULL) 693 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 694 else if (timeout_pending(&ba->ba_gap_to)) 695 timeout_del(&ba->ba_gap_to); 696 697 ieee80211_input_ba_flush(ic, ni, ba); 698 } 699 700 /* 701 * Forward buffered frames with sequence number lower than max_seq. 702 * See 802.11-2012 9.21.7.6.2 b. 703 */ 704 void 705 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni, 706 uint8_t tid, uint16_t max_seq) 707 { 708 struct ifnet *ifp = &ic->ic_if; 709 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 710 struct ieee80211_frame *wh; 711 uint16_t seq; 712 int i = 0; 713 714 while (i++ < ba->ba_winsize) { 715 /* gaps may exist */ 716 if (ba->ba_buf[ba->ba_head].m != NULL) { 717 wh = mtod(ba->ba_buf[ba->ba_head].m, 718 struct ieee80211_frame *); 719 KASSERT(ieee80211_has_seq(wh)); 720 seq = letoh16(*(u_int16_t *)wh->i_seq) >> 721 IEEE80211_SEQ_SEQ_SHIFT; 722 if (!SEQ_LT(seq, max_seq)) 723 return; 724 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, 725 ni, &ba->ba_buf[ba->ba_head].rxi); 726 ba->ba_buf[ba->ba_head].m = NULL; 727 } else 728 ic->ic_stats.is_ht_rx_ba_frame_lost++; 729 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 730 } 731 } 732 733 /* Flush a consecutive sequence of frames from the reorder buffer. */ 734 void 735 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni, 736 struct ieee80211_rx_ba *ba) 737 738 { 739 struct ifnet *ifp = &ic->ic_if; 740 741 /* pass reordered MPDUs up to the next MAC process */ 742 while (ba->ba_buf[ba->ba_head].m != NULL) { 743 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 744 &ba->ba_buf[ba->ba_head].rxi); 745 ba->ba_buf[ba->ba_head].m = NULL; 746 747 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 748 /* move window forward */ 749 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 750 } 751 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 752 } 753 754 /* 755 * Forcibly move the BA window forward to remove a leading gap which has 756 * been causing frames to linger in the reordering buffer for too long. 757 * A leading gap will occur if a particular A-MPDU subframe never arrives 758 * or if a bug in the sender causes sequence numbers to jump forward by > 1. 759 */ 760 void 761 ieee80211_input_ba_gap_timeout(void *arg) 762 { 763 struct ieee80211_rx_ba *ba = arg; 764 struct ieee80211_node *ni = ba->ba_ni; 765 struct ieee80211com *ic = ni->ni_ic; 766 int s, skipped; 767 768 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; 769 770 s = splnet(); 771 772 skipped = 0; 773 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) { 774 /* move window forward */ 775 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 776 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 777 skipped++; 778 ic->ic_stats.is_ht_rx_ba_frame_lost++; 779 } 780 if (skipped > 0) 781 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 782 783 ieee80211_input_ba_flush(ic, ni, ba); 784 785 splx(s); 786 } 787 788 789 /* 790 * Change the value of WinStartB (move window forward) upon reception of a 791 * BlockAckReq frame or an ADDBA Request (PBAC). 792 */ 793 void 794 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 795 u_int8_t tid, u_int16_t ssn) 796 { 797 struct ifnet *ifp = &ic->ic_if; 798 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 799 int count; 800 801 /* assert(WinStartB <= SSN) */ 802 803 count = (ssn - ba->ba_winstart) & 0xfff; 804 if (count > ba->ba_winsize) /* no overlap */ 805 count = ba->ba_winsize; 806 while (count-- > 0) { 807 /* gaps may exist */ 808 if (ba->ba_buf[ba->ba_head].m != NULL) { 809 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 810 &ba->ba_buf[ba->ba_head].rxi); 811 ba->ba_buf[ba->ba_head].m = NULL; 812 } else 813 ic->ic_stats.is_ht_rx_ba_frame_lost++; 814 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 815 } 816 /* move window forward */ 817 ba->ba_winstart = ssn; 818 819 ieee80211_input_ba_flush(ic, ni, ba); 820 } 821 822 void 823 ieee80211_deliver_data(struct ieee80211com *ic, struct mbuf *m, 824 struct ieee80211_node *ni, int mcast) 825 { 826 struct ifnet *ifp = &ic->ic_if; 827 struct ether_header *eh; 828 struct mbuf *m1; 829 830 eh = mtod(m, struct ether_header *); 831 832 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 833 eh->ether_type != htons(ETHERTYPE_PAE)) { 834 DPRINTF(("port not valid: %s\n", 835 ether_sprintf(eh->ether_dhost))); 836 ic->ic_stats.is_rx_unauth++; 837 m_freem(m); 838 return; 839 } 840 841 /* 842 * Perform as a bridge within the AP. Notice that we do not 843 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 844 * And we do not forward unicast frames received on a multicast address. 845 */ 846 m1 = NULL; 847 #ifndef IEEE80211_STA_ONLY 848 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 849 !(ic->ic_flags & IEEE80211_F_NOBRIDGE) && 850 eh->ether_type != htons(ETHERTYPE_PAE)) { 851 struct ieee80211_node *ni1; 852 853 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 854 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT); 855 if (m1 == NULL) 856 ifp->if_oerrors++; 857 else 858 m1->m_flags |= M_MCAST; 859 } else if (!mcast) { 860 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 861 if (ni1 != NULL && 862 ni1->ni_state == IEEE80211_STA_ASSOC) { 863 m1 = m; 864 m = NULL; 865 } 866 } 867 if (m1 != NULL) { 868 if (if_enqueue(ifp, m1)) 869 ifp->if_oerrors++; 870 } 871 } 872 #endif 873 if (m != NULL) { 874 if ((ic->ic_flags & IEEE80211_F_RSNON) && 875 eh->ether_type == htons(ETHERTYPE_PAE)) { 876 ifp->if_ipackets++; 877 #if NBPFILTER > 0 878 /* 879 * If we forward frame into transmitter of the AP, 880 * we don't need to duplicate for DLT_EN10MB. 881 */ 882 if (ifp->if_bpf && m1 == NULL) 883 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 884 #endif 885 ieee80211_eapol_key_input(ic, m, ni); 886 } else { 887 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 888 ml_enqueue(&ml, m); 889 if_input(ifp, &ml); 890 } 891 } 892 } 893 894 void 895 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 896 struct ieee80211_node *ni, int hdrlen) 897 { 898 struct ether_header eh; 899 struct ieee80211_frame *wh; 900 struct llc *llc; 901 int mcast; 902 903 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 904 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 905 ic->ic_stats.is_rx_decap++; 906 return; 907 } 908 wh = mtod(m, struct ieee80211_frame *); 909 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 910 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 911 case IEEE80211_FC1_DIR_NODS: 912 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 913 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 914 break; 915 case IEEE80211_FC1_DIR_TODS: 916 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 917 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 918 break; 919 case IEEE80211_FC1_DIR_FROMDS: 920 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 921 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 922 break; 923 case IEEE80211_FC1_DIR_DSTODS: 924 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 925 IEEE80211_ADDR_COPY(eh.ether_shost, 926 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 927 break; 928 } 929 llc = (struct llc *)((caddr_t)wh + hdrlen); 930 if (llc->llc_dsap == LLC_SNAP_LSAP && 931 llc->llc_ssap == LLC_SNAP_LSAP && 932 llc->llc_control == LLC_UI && 933 llc->llc_snap.org_code[0] == 0 && 934 llc->llc_snap.org_code[1] == 0 && 935 llc->llc_snap.org_code[2] == 0) { 936 eh.ether_type = llc->llc_snap.ether_type; 937 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 938 } else { 939 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 940 m_adj(m, hdrlen - ETHER_HDR_LEN); 941 } 942 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 943 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 944 struct mbuf *m0 = m; 945 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT); 946 m_freem(m0); 947 if (m == NULL) { 948 ic->ic_stats.is_rx_decap++; 949 return; 950 } 951 } 952 ieee80211_deliver_data(ic, m, ni, mcast); 953 } 954 955 /* 956 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 957 */ 958 void 959 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 960 struct ieee80211_node *ni, int hdrlen) 961 { 962 struct mbuf *n; 963 struct ether_header *eh; 964 struct llc *llc; 965 int len, pad, mcast; 966 struct ieee80211_frame *wh; 967 968 wh = mtod(m, struct ieee80211_frame *); 969 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 970 971 /* strip 802.11 header */ 972 m_adj(m, hdrlen); 973 974 for (;;) { 975 /* process an A-MSDU subframe */ 976 if (m->m_len < ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 977 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 978 if (m == NULL) { 979 ic->ic_stats.is_rx_decap++; 980 break; 981 } 982 } 983 eh = mtod(m, struct ether_header *); 984 /* examine 802.3 header */ 985 len = ntohs(eh->ether_type); 986 if (len < LLC_SNAPFRAMELEN) { 987 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 988 /* stop processing A-MSDU subframes */ 989 ic->ic_stats.is_rx_decap++; 990 m_freem(m); 991 break; 992 } 993 llc = (struct llc *)&eh[1]; 994 /* examine 802.2 LLC header */ 995 if (llc->llc_dsap == LLC_SNAP_LSAP && 996 llc->llc_ssap == LLC_SNAP_LSAP && 997 llc->llc_control == LLC_UI && 998 llc->llc_snap.org_code[0] == 0 && 999 llc->llc_snap.org_code[1] == 0 && 1000 llc->llc_snap.org_code[2] == 0) { 1001 /* convert to Ethernet II header */ 1002 eh->ether_type = llc->llc_snap.ether_type; 1003 /* strip LLC+SNAP headers */ 1004 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh, 1005 ETHER_HDR_LEN); 1006 m_adj(m, LLC_SNAPFRAMELEN); 1007 len -= LLC_SNAPFRAMELEN; 1008 } 1009 len += ETHER_HDR_LEN; 1010 if (len > m->m_pkthdr.len) { 1011 /* stop processing A-MSDU subframes */ 1012 DPRINTF(("A-MSDU subframe too long (%d)\n", len)); 1013 ic->ic_stats.is_rx_decap++; 1014 m_freem(m); 1015 break; 1016 } 1017 1018 /* "detach" our A-MSDU subframe from the others */ 1019 n = m_split(m, len, M_NOWAIT); 1020 if (n == NULL) { 1021 /* stop processing A-MSDU subframes */ 1022 ic->ic_stats.is_rx_decap++; 1023 m_freem(m); 1024 break; 1025 } 1026 ieee80211_deliver_data(ic, m, ni, mcast); 1027 1028 if (n->m_pkthdr.len == 0) { 1029 m_freem(n); 1030 break; 1031 } 1032 m = n; 1033 /* remove padding */ 1034 pad = ((len + 3) & ~3) - len; 1035 m_adj(m, pad); 1036 } 1037 } 1038 1039 /* 1040 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1041 */ 1042 int 1043 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1044 { 1045 u_int updtcount; 1046 int aci; 1047 1048 /* 1049 * Check if EDCA parameters have changed XXX if we miss more than 1050 * 15 consecutive beacons, we might not detect changes to EDCA 1051 * parameters due to wraparound of the 4-bit Update Count field. 1052 */ 1053 updtcount = frm[0] & 0xf; 1054 if (updtcount == ic->ic_edca_updtcount) 1055 return 0; /* no changes to EDCA parameters, ignore */ 1056 ic->ic_edca_updtcount = updtcount; 1057 1058 frm += 2; /* skip QoS Info & Reserved fields */ 1059 1060 /* parse AC Parameter Records */ 1061 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1062 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1063 1064 ac->ac_acm = (frm[0] >> 4) & 0x1; 1065 ac->ac_aifsn = frm[0] & 0xf; 1066 ac->ac_ecwmin = frm[1] & 0xf; 1067 ac->ac_ecwmax = frm[1] >> 4; 1068 ac->ac_txoplimit = LE_READ_2(frm + 2); 1069 frm += 4; 1070 } 1071 /* give drivers a chance to update their settings */ 1072 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1073 (*ic->ic_updateedca)(ic); 1074 1075 return 0; 1076 } 1077 1078 int 1079 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1080 { 1081 if (frm[1] < 18) { 1082 ic->ic_stats.is_rx_elem_toosmall++; 1083 return IEEE80211_REASON_IE_INVALID; 1084 } 1085 return ieee80211_parse_edca_params_body(ic, frm + 2); 1086 } 1087 1088 int 1089 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1090 { 1091 if (frm[1] < 24) { 1092 ic->ic_stats.is_rx_elem_toosmall++; 1093 return IEEE80211_REASON_IE_INVALID; 1094 } 1095 return ieee80211_parse_edca_params_body(ic, frm + 8); 1096 } 1097 1098 enum ieee80211_cipher 1099 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1100 { 1101 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1102 switch (selector[3]) { 1103 case 0: /* use group data cipher suite */ 1104 return IEEE80211_CIPHER_USEGROUP; 1105 case 1: /* WEP-40 */ 1106 return IEEE80211_CIPHER_WEP40; 1107 case 2: /* TKIP */ 1108 return IEEE80211_CIPHER_TKIP; 1109 case 4: /* CCMP (RSNA default) */ 1110 return IEEE80211_CIPHER_CCMP; 1111 case 5: /* WEP-104 */ 1112 return IEEE80211_CIPHER_WEP104; 1113 } 1114 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1115 /* see 802.11-2012 Table 8-99 */ 1116 switch (selector[3]) { 1117 case 0: /* use group data cipher suite */ 1118 return IEEE80211_CIPHER_USEGROUP; 1119 case 1: /* WEP-40 */ 1120 return IEEE80211_CIPHER_WEP40; 1121 case 2: /* TKIP */ 1122 return IEEE80211_CIPHER_TKIP; 1123 case 4: /* CCMP (RSNA default) */ 1124 return IEEE80211_CIPHER_CCMP; 1125 case 5: /* WEP-104 */ 1126 return IEEE80211_CIPHER_WEP104; 1127 case 6: /* BIP */ 1128 return IEEE80211_CIPHER_BIP; 1129 } 1130 } 1131 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1132 } 1133 1134 enum ieee80211_akm 1135 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1136 { 1137 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1138 switch (selector[3]) { 1139 case 1: /* IEEE 802.1X (RSNA default) */ 1140 return IEEE80211_AKM_8021X; 1141 case 2: /* PSK */ 1142 return IEEE80211_AKM_PSK; 1143 } 1144 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1145 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1146 switch (selector[3]) { 1147 case 1: /* IEEE 802.1X (RSNA default) */ 1148 return IEEE80211_AKM_8021X; 1149 case 2: /* PSK */ 1150 return IEEE80211_AKM_PSK; 1151 case 5: /* IEEE 802.1X with SHA256 KDF */ 1152 return IEEE80211_AKM_SHA256_8021X; 1153 case 6: /* PSK with SHA256 KDF */ 1154 return IEEE80211_AKM_SHA256_PSK; 1155 } 1156 } 1157 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1158 } 1159 1160 /* 1161 * Parse an RSN element (see 802.11-2012 8.4.2.27) 1162 */ 1163 int 1164 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1165 u_int len, struct ieee80211_rsnparams *rsn) 1166 { 1167 const u_int8_t *efrm; 1168 u_int16_t m, n, s; 1169 1170 efrm = frm + len; 1171 1172 /* check Version field */ 1173 if (LE_READ_2(frm) != 1) 1174 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1175 frm += 2; 1176 1177 /* all fields after the Version field are optional */ 1178 1179 /* if Cipher Suite missing, default to CCMP */ 1180 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1181 rsn->rsn_nciphers = 1; 1182 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1183 /* if Group Management Cipher Suite missing, defaut to BIP */ 1184 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1185 /* if AKM Suite missing, default to 802.1X */ 1186 rsn->rsn_nakms = 1; 1187 rsn->rsn_akms = IEEE80211_AKM_8021X; 1188 /* if RSN capabilities missing, default to 0 */ 1189 rsn->rsn_caps = 0; 1190 rsn->rsn_npmkids = 0; 1191 1192 /* read Group Data Cipher Suite field */ 1193 if (frm + 4 > efrm) 1194 return 0; 1195 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1196 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE || 1197 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP || 1198 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP) 1199 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1200 frm += 4; 1201 1202 /* read Pairwise Cipher Suite Count field */ 1203 if (frm + 2 > efrm) 1204 return 0; 1205 m = rsn->rsn_nciphers = LE_READ_2(frm); 1206 frm += 2; 1207 1208 /* read Pairwise Cipher Suite List */ 1209 if (frm + m * 4 > efrm) 1210 return IEEE80211_STATUS_IE_INVALID; 1211 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1212 while (m-- > 0) { 1213 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1214 frm += 4; 1215 } 1216 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1217 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1218 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1219 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1220 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1221 } 1222 1223 /* read AKM Suite List Count field */ 1224 if (frm + 2 > efrm) 1225 return 0; 1226 n = rsn->rsn_nakms = LE_READ_2(frm); 1227 frm += 2; 1228 1229 /* read AKM Suite List */ 1230 if (frm + n * 4 > efrm) 1231 return IEEE80211_STATUS_IE_INVALID; 1232 rsn->rsn_akms = IEEE80211_AKM_NONE; 1233 while (n-- > 0) { 1234 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1235 frm += 4; 1236 } 1237 1238 /* read RSN Capabilities field */ 1239 if (frm + 2 > efrm) 1240 return 0; 1241 rsn->rsn_caps = LE_READ_2(frm); 1242 frm += 2; 1243 1244 /* read PMKID Count field */ 1245 if (frm + 2 > efrm) 1246 return 0; 1247 s = rsn->rsn_npmkids = LE_READ_2(frm); 1248 frm += 2; 1249 1250 /* read PMKID List */ 1251 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1252 return IEEE80211_STATUS_IE_INVALID; 1253 if (s != 0) { 1254 rsn->rsn_pmkids = frm; 1255 frm += s * IEEE80211_PMKID_LEN; 1256 } 1257 1258 /* read Group Management Cipher Suite field */ 1259 if (frm + 4 > efrm) 1260 return 0; 1261 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1262 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP) 1263 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1264 1265 return IEEE80211_STATUS_SUCCESS; 1266 } 1267 1268 int 1269 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1270 struct ieee80211_rsnparams *rsn) 1271 { 1272 if (frm[1] < 2) { 1273 ic->ic_stats.is_rx_elem_toosmall++; 1274 return IEEE80211_STATUS_IE_INVALID; 1275 } 1276 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1277 } 1278 1279 int 1280 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1281 struct ieee80211_rsnparams *rsn) 1282 { 1283 if (frm[1] < 6) { 1284 ic->ic_stats.is_rx_elem_toosmall++; 1285 return IEEE80211_STATUS_IE_INVALID; 1286 } 1287 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1288 } 1289 1290 /* 1291 * Create (or update) a copy of an information element. 1292 */ 1293 int 1294 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1295 { 1296 int olen = *ie ? 2 + (*ie)[1] : 0; 1297 int len = 2 + frm[1]; 1298 1299 if (*ie == NULL || olen != len) { 1300 if (*ie != NULL) 1301 free(*ie, M_DEVBUF, olen); 1302 *ie = malloc(len, M_DEVBUF, M_NOWAIT); 1303 if (*ie == NULL) 1304 return ENOMEM; 1305 } 1306 memcpy(*ie, frm, len); 1307 return 0; 1308 } 1309 1310 /*- 1311 * Beacon/Probe response frame format: 1312 * [8] Timestamp 1313 * [2] Beacon interval 1314 * [2] Capability 1315 * [tlv] Service Set Identifier (SSID) 1316 * [tlv] Supported rates 1317 * [tlv] DS Parameter Set (802.11g) 1318 * [tlv] ERP Information (802.11g) 1319 * [tlv] Extended Supported Rates (802.11g) 1320 * [tlv] RSN (802.11i) 1321 * [tlv] EDCA Parameter Set (802.11e) 1322 * [tlv] QoS Capability (Beacon only, 802.11e) 1323 * [tlv] HT Capabilities (802.11n) 1324 * [tlv] HT Operation (802.11n) 1325 */ 1326 void 1327 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1328 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int isprobe) 1329 { 1330 const struct ieee80211_frame *wh; 1331 const u_int8_t *frm, *efrm; 1332 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1333 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1334 u_int16_t capinfo, bintval; 1335 u_int8_t chan, bchan, erp, dtim_count, dtim_period; 1336 int is_new; 1337 1338 /* 1339 * We process beacon/probe response frames for: 1340 * o station mode: to collect state 1341 * updates such as 802.11g slot time and for passive 1342 * scanning of APs 1343 * o adhoc mode: to discover neighbors 1344 * o hostap mode: for passive scanning of neighbor APs 1345 * o when scanning 1346 * In other words, in all modes other than monitor (which 1347 * does not process incoming frames) and adhoc-demo (which 1348 * does not use management frames at all). 1349 */ 1350 #ifdef DIAGNOSTIC 1351 if (ic->ic_opmode != IEEE80211_M_STA && 1352 #ifndef IEEE80211_STA_ONLY 1353 ic->ic_opmode != IEEE80211_M_IBSS && 1354 ic->ic_opmode != IEEE80211_M_HOSTAP && 1355 #endif 1356 ic->ic_state != IEEE80211_S_SCAN) { 1357 panic("%s: impossible operating mode", __func__); 1358 } 1359 #endif 1360 /* make sure all mandatory fixed fields are present */ 1361 if (m->m_len < sizeof(*wh) + 12) { 1362 DPRINTF(("frame too short\n")); 1363 return; 1364 } 1365 wh = mtod(m, struct ieee80211_frame *); 1366 frm = (const u_int8_t *)&wh[1]; 1367 efrm = mtod(m, u_int8_t *) + m->m_len; 1368 1369 tstamp = frm; frm += 8; 1370 bintval = LE_READ_2(frm); frm += 2; 1371 capinfo = LE_READ_2(frm); frm += 2; 1372 1373 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1374 htcaps = htop = NULL; 1375 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1376 chan = bchan; 1377 erp = 0; 1378 dtim_count = dtim_period = 0; 1379 while (frm + 2 <= efrm) { 1380 if (frm + 2 + frm[1] > efrm) { 1381 ic->ic_stats.is_rx_elem_toosmall++; 1382 break; 1383 } 1384 switch (frm[0]) { 1385 case IEEE80211_ELEMID_SSID: 1386 ssid = frm; 1387 break; 1388 case IEEE80211_ELEMID_RATES: 1389 rates = frm; 1390 break; 1391 case IEEE80211_ELEMID_DSPARMS: 1392 if (frm[1] < 1) { 1393 ic->ic_stats.is_rx_elem_toosmall++; 1394 break; 1395 } 1396 chan = frm[2]; 1397 break; 1398 case IEEE80211_ELEMID_XRATES: 1399 xrates = frm; 1400 break; 1401 case IEEE80211_ELEMID_ERP: 1402 if (frm[1] < 1) { 1403 ic->ic_stats.is_rx_elem_toosmall++; 1404 break; 1405 } 1406 erp = frm[2]; 1407 break; 1408 case IEEE80211_ELEMID_RSN: 1409 rsnie = frm; 1410 break; 1411 case IEEE80211_ELEMID_EDCAPARMS: 1412 edcaie = frm; 1413 break; 1414 case IEEE80211_ELEMID_HTCAPS: 1415 htcaps = frm; 1416 break; 1417 case IEEE80211_ELEMID_HTOP: 1418 htop = frm; 1419 break; 1420 case IEEE80211_ELEMID_TIM: 1421 if (frm[1] > 3) { 1422 dtim_count = frm[2]; 1423 dtim_period = frm[3]; 1424 } 1425 break; 1426 case IEEE80211_ELEMID_VENDOR: 1427 if (frm[1] < 4) { 1428 ic->ic_stats.is_rx_elem_toosmall++; 1429 break; 1430 } 1431 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1432 if (frm[5] == 1) 1433 wpaie = frm; 1434 else if (frm[1] >= 5 && 1435 frm[5] == 2 && frm[6] == 1) 1436 wmmie = frm; 1437 } 1438 break; 1439 } 1440 frm += 2 + frm[1]; 1441 } 1442 /* supported rates element is mandatory */ 1443 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1444 DPRINTF(("invalid supported rates element\n")); 1445 return; 1446 } 1447 /* SSID element is mandatory */ 1448 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1449 DPRINTF(("invalid SSID element\n")); 1450 return; 1451 } 1452 1453 if ( 1454 #if IEEE80211_CHAN_MAX < 255 1455 chan > IEEE80211_CHAN_MAX || 1456 #endif 1457 isclr(ic->ic_chan_active, chan)) { 1458 DPRINTF(("ignore %s with invalid channel %u\n", 1459 isprobe ? "probe response" : "beacon", chan)); 1460 ic->ic_stats.is_rx_badchan++; 1461 return; 1462 } 1463 if ((ic->ic_state != IEEE80211_S_SCAN || 1464 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1465 chan != bchan) { 1466 /* 1467 * Frame was received on a channel different from the 1468 * one indicated in the DS params element id; 1469 * silently discard it. 1470 * 1471 * NB: this can happen due to signal leakage. 1472 */ 1473 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1474 isprobe ? "probe response" : "beacon", bchan, chan)); 1475 ic->ic_stats.is_rx_chanmismatch++; 1476 return; 1477 } 1478 /* 1479 * Use mac, channel and rssi so we collect only the 1480 * best potential AP with the equal bssid while scanning. 1481 * Collecting all potential APs may result in bloat of 1482 * the node tree. This call will return NULL if the node 1483 * for this APs does not exist or if the new node is the 1484 * potential better one. 1485 */ 1486 ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1487 &ic->ic_channels[chan], ssid, rxi->rxi_rssi); 1488 if (ni != NULL) { 1489 /* 1490 * If we are doing a directed scan for an AP with a hidden SSID 1491 * we must collect the SSID from a probe response to override 1492 * a non-zero-length SSID filled with zeroes that we may have 1493 * received earlier in a beacon. 1494 */ 1495 if (isprobe && ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1496 ni->ni_esslen = ssid[1]; 1497 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1498 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1499 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1500 } 1501 1502 return; 1503 } 1504 1505 #ifdef IEEE80211_DEBUG 1506 if (ieee80211_debug > 1 && 1507 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN)) { 1508 printf("%s: %s%s on chan %u (bss chan %u) ", 1509 __func__, (ni == NULL ? "new " : ""), 1510 isprobe ? "probe response" : "beacon", 1511 chan, bchan); 1512 ieee80211_print_essid(ssid + 2, ssid[1]); 1513 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1514 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1515 __func__, capinfo, bintval, erp); 1516 } 1517 #endif 1518 1519 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1520 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1521 if (ni == NULL) 1522 return; 1523 is_new = 1; 1524 } else 1525 is_new = 0; 1526 1527 if (htcaps) 1528 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1529 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1])) 1530 htop = NULL; /* invalid HTOP */ 1531 1532 ni->ni_dtimcount = dtim_count; 1533 ni->ni_dtimperiod = dtim_period; 1534 1535 /* 1536 * When operating in station mode, check for state updates 1537 * while we're associated. 1538 */ 1539 if (ic->ic_opmode == IEEE80211_M_STA && 1540 ic->ic_state == IEEE80211_S_RUN && 1541 ni->ni_state == IEEE80211_STA_BSS) { 1542 /* 1543 * Check if protection mode has changed since last beacon. 1544 */ 1545 if (ni->ni_erp != erp) { 1546 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1547 ether_sprintf((u_int8_t *)wh->i_addr2), 1548 ni->ni_erp, erp)); 1549 if (ic->ic_curmode == IEEE80211_MODE_11G && 1550 (erp & IEEE80211_ERP_USE_PROTECTION)) 1551 ic->ic_flags |= IEEE80211_F_USEPROT; 1552 else 1553 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1554 ic->ic_bss->ni_erp = erp; 1555 } 1556 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) { 1557 enum ieee80211_htprot htprot_last, htprot; 1558 htprot_last = 1559 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) 1560 >> IEEE80211_HTOP1_PROT_SHIFT); 1561 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >> 1562 IEEE80211_HTOP1_PROT_SHIFT); 1563 if (htprot_last != htprot) { 1564 DPRINTF(("[%s] htprot change: was %d, now %d\n", 1565 ether_sprintf((u_int8_t *)wh->i_addr2), 1566 htprot_last, htprot)); 1567 ic->ic_stats.is_ht_prot_change++; 1568 ic->ic_bss->ni_htop1 = ni->ni_htop1; 1569 if (ic->ic_update_htprot) 1570 ic->ic_update_htprot(ic, ic->ic_bss); 1571 } 1572 } 1573 1574 /* 1575 * Check if AP short slot time setting has changed 1576 * since last beacon and give the driver a chance to 1577 * update the hardware. 1578 */ 1579 if ((ni->ni_capinfo ^ capinfo) & 1580 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1581 ieee80211_set_shortslottime(ic, 1582 ic->ic_curmode == IEEE80211_MODE_11A || 1583 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1584 } 1585 1586 /* 1587 * Reset management timer. If it is non-zero in RUN state, the 1588 * driver sent a probe request after a missed beacon event. 1589 * This probe response indicates the AP is still serving us 1590 * so don't allow ieee80211_watchdog() to move us into SCAN. 1591 */ 1592 ic->ic_mgt_timer = 0; 1593 } 1594 /* 1595 * We do not try to update EDCA parameters if QoS was not negotiated 1596 * with the AP at association time. 1597 */ 1598 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1599 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1600 if ((edcaie != NULL && 1601 ieee80211_parse_edca_params(ic, edcaie) == 0) || 1602 (wmmie != NULL && 1603 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 1604 ni->ni_flags |= IEEE80211_NODE_QOS; 1605 else 1606 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1607 } 1608 1609 if (ic->ic_state == IEEE80211_S_SCAN) { 1610 struct ieee80211_rsnparams rsn, wpa; 1611 1612 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1613 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 1614 ni->ni_rsnakms = 0; 1615 ni->ni_supported_rsnakms = 0; 1616 ni->ni_rsnciphers = 0; 1617 ni->ni_rsngroupcipher = 0; 1618 ni->ni_rsngroupmgmtcipher = 0; 1619 ni->ni_rsncaps = 0; 1620 1621 if (rsnie != NULL && 1622 ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1623 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_RSN; 1624 ni->ni_supported_rsnakms |= rsn.rsn_akms; 1625 } 1626 if (wpaie != NULL && 1627 ieee80211_parse_wpa(ic, wpaie, &wpa) == 0) { 1628 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_WPA; 1629 ni->ni_supported_rsnakms |= wpa.rsn_akms; 1630 } 1631 1632 /* 1633 * If the AP advertises both WPA and RSN IEs (WPA1+WPA2), 1634 * we only use the highest protocol version we support. 1635 */ 1636 if (rsnie != NULL && 1637 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_RSN) && 1638 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1639 if (ieee80211_save_ie(rsnie, &ni->ni_rsnie) == 0 1640 #ifndef IEEE80211_STA_ONLY 1641 && ic->ic_opmode != IEEE80211_M_HOSTAP 1642 #endif 1643 ) { 1644 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1645 ni->ni_rsnakms = rsn.rsn_akms; 1646 ni->ni_rsnciphers = rsn.rsn_ciphers; 1647 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1648 ni->ni_rsngroupmgmtcipher = 1649 rsn.rsn_groupmgmtcipher; 1650 ni->ni_rsncaps = rsn.rsn_caps; 1651 } 1652 } else if (wpaie != NULL && 1653 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_WPA) && 1654 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1655 if (ieee80211_save_ie(wpaie, &ni->ni_rsnie) == 0 1656 #ifndef IEEE80211_STA_ONLY 1657 && ic->ic_opmode != IEEE80211_M_HOSTAP 1658 #endif 1659 ) { 1660 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1661 ni->ni_rsnakms = wpa.rsn_akms; 1662 ni->ni_rsnciphers = wpa.rsn_ciphers; 1663 ni->ni_rsngroupcipher = wpa.rsn_groupcipher; 1664 ni->ni_rsngroupmgmtcipher = 1665 wpa.rsn_groupmgmtcipher; 1666 ni->ni_rsncaps = wpa.rsn_caps; 1667 } 1668 } 1669 } 1670 1671 if (ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1672 ni->ni_esslen = ssid[1]; 1673 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1674 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1675 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1676 } 1677 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1678 ni->ni_rssi = rxi->rxi_rssi; 1679 ni->ni_rstamp = rxi->rxi_tstamp; 1680 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1681 ni->ni_intval = bintval; 1682 ni->ni_capinfo = capinfo; 1683 /* XXX validate channel # */ 1684 ni->ni_chan = &ic->ic_channels[chan]; 1685 ni->ni_erp = erp; 1686 /* NB: must be after ni_chan is setup */ 1687 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1688 #ifndef IEEE80211_STA_ONLY 1689 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) { 1690 /* 1691 * Fake an association so the driver can setup it's 1692 * private state. The rate set has been setup above; 1693 * there is no handshake as in ap/station operation. 1694 */ 1695 if (ic->ic_newassoc) 1696 (*ic->ic_newassoc)(ic, ni, 1); 1697 } 1698 #endif 1699 } 1700 1701 #ifndef IEEE80211_STA_ONLY 1702 /*- 1703 * Probe request frame format: 1704 * [tlv] SSID 1705 * [tlv] Supported rates 1706 * [tlv] Extended Supported Rates (802.11g) 1707 * [tlv] HT Capabilities (802.11n) 1708 */ 1709 void 1710 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 1711 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1712 { 1713 const struct ieee80211_frame *wh; 1714 const u_int8_t *frm, *efrm; 1715 const u_int8_t *ssid, *rates, *xrates, *htcaps; 1716 u_int8_t rate; 1717 1718 if (ic->ic_opmode == IEEE80211_M_STA || 1719 ic->ic_state != IEEE80211_S_RUN) 1720 return; 1721 1722 wh = mtod(m, struct ieee80211_frame *); 1723 frm = (const u_int8_t *)&wh[1]; 1724 efrm = mtod(m, u_int8_t *) + m->m_len; 1725 1726 ssid = rates = xrates = htcaps = NULL; 1727 while (frm + 2 <= efrm) { 1728 if (frm + 2 + frm[1] > efrm) { 1729 ic->ic_stats.is_rx_elem_toosmall++; 1730 break; 1731 } 1732 switch (frm[0]) { 1733 case IEEE80211_ELEMID_SSID: 1734 ssid = frm; 1735 break; 1736 case IEEE80211_ELEMID_RATES: 1737 rates = frm; 1738 break; 1739 case IEEE80211_ELEMID_XRATES: 1740 xrates = frm; 1741 break; 1742 case IEEE80211_ELEMID_HTCAPS: 1743 htcaps = frm; 1744 break; 1745 } 1746 frm += 2 + frm[1]; 1747 } 1748 /* supported rates element is mandatory */ 1749 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1750 DPRINTF(("invalid supported rates element\n")); 1751 return; 1752 } 1753 /* SSID element is mandatory */ 1754 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1755 DPRINTF(("invalid SSID element\n")); 1756 return; 1757 } 1758 /* check that the specified SSID (if not wildcard) matches ours */ 1759 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 1760 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 1761 DPRINTF(("SSID mismatch\n")); 1762 ic->ic_stats.is_rx_ssidmismatch++; 1763 return; 1764 } 1765 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 1766 if (ssid[1] == 0 && (ic->ic_flags & IEEE80211_F_HIDENWID)) { 1767 DPRINTF(("wildcard SSID rejected")); 1768 ic->ic_stats.is_rx_ssidmismatch++; 1769 return; 1770 } 1771 1772 if (ni == ic->ic_bss) { 1773 ni = ieee80211_find_node(ic, wh->i_addr2); 1774 if (ni == NULL) 1775 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1776 if (ni == NULL) 1777 return; 1778 DPRINTF(("new probe req from %s\n", 1779 ether_sprintf((u_int8_t *)wh->i_addr2))); 1780 } 1781 ni->ni_rssi = rxi->rxi_rssi; 1782 ni->ni_rstamp = rxi->rxi_tstamp; 1783 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1784 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1785 IEEE80211_F_DODEL); 1786 if (rate & IEEE80211_RATE_BASIC) { 1787 DPRINTF(("rate mismatch for %s\n", 1788 ether_sprintf((u_int8_t *)wh->i_addr2))); 1789 return; 1790 } 1791 if (htcaps) 1792 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1793 else 1794 ieee80211_clear_htcaps(ni); 1795 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1796 } 1797 #endif /* IEEE80211_STA_ONLY */ 1798 1799 /*- 1800 * Authentication frame format: 1801 * [2] Authentication algorithm number 1802 * [2] Authentication transaction sequence number 1803 * [2] Status code 1804 */ 1805 void 1806 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 1807 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1808 { 1809 const struct ieee80211_frame *wh; 1810 const u_int8_t *frm; 1811 u_int16_t algo, seq, status; 1812 1813 /* make sure all mandatory fixed fields are present */ 1814 if (m->m_len < sizeof(*wh) + 6) { 1815 DPRINTF(("frame too short\n")); 1816 return; 1817 } 1818 wh = mtod(m, struct ieee80211_frame *); 1819 frm = (const u_int8_t *)&wh[1]; 1820 1821 algo = LE_READ_2(frm); frm += 2; 1822 seq = LE_READ_2(frm); frm += 2; 1823 status = LE_READ_2(frm); frm += 2; 1824 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 1825 ether_sprintf((u_int8_t *)wh->i_addr2))); 1826 1827 /* only "open" auth mode is supported */ 1828 if (algo != IEEE80211_AUTH_ALG_OPEN) { 1829 DPRINTF(("unsupported auth algorithm %d from %s\n", 1830 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 1831 ic->ic_stats.is_rx_auth_unsupported++; 1832 #ifndef IEEE80211_STA_ONLY 1833 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1834 /* XXX hack to workaround calling convention */ 1835 IEEE80211_SEND_MGMT(ic, ni, 1836 IEEE80211_FC0_SUBTYPE_AUTH, 1837 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xffff)); 1838 } 1839 #endif 1840 return; 1841 } 1842 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 1843 } 1844 1845 #ifndef IEEE80211_STA_ONLY 1846 /*- 1847 * (Re)Association request frame format: 1848 * [2] Capability information 1849 * [2] Listen interval 1850 * [6*] Current AP address (Reassociation only) 1851 * [tlv] SSID 1852 * [tlv] Supported rates 1853 * [tlv] Extended Supported Rates (802.11g) 1854 * [tlv] RSN (802.11i) 1855 * [tlv] QoS Capability (802.11e) 1856 * [tlv] HT Capabilities (802.11n) 1857 */ 1858 void 1859 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 1860 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 1861 { 1862 const struct ieee80211_frame *wh; 1863 const u_int8_t *frm, *efrm; 1864 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *htcaps; 1865 u_int16_t capinfo, bintval; 1866 int resp, status = 0; 1867 struct ieee80211_rsnparams rsn; 1868 u_int8_t rate; 1869 const u_int8_t *saveie = NULL; 1870 1871 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1872 ic->ic_state != IEEE80211_S_RUN) 1873 return; 1874 1875 /* make sure all mandatory fixed fields are present */ 1876 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 1877 DPRINTF(("frame too short\n")); 1878 return; 1879 } 1880 wh = mtod(m, struct ieee80211_frame *); 1881 frm = (const u_int8_t *)&wh[1]; 1882 efrm = mtod(m, u_int8_t *) + m->m_len; 1883 1884 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1885 DPRINTF(("ignore other bss from %s\n", 1886 ether_sprintf((u_int8_t *)wh->i_addr2))); 1887 ic->ic_stats.is_rx_assoc_bss++; 1888 return; 1889 } 1890 capinfo = LE_READ_2(frm); frm += 2; 1891 bintval = LE_READ_2(frm); frm += 2; 1892 if (reassoc) { 1893 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 1894 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1895 } else 1896 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1897 1898 ssid = rates = xrates = rsnie = wpaie = htcaps = NULL; 1899 while (frm + 2 <= efrm) { 1900 if (frm + 2 + frm[1] > efrm) { 1901 ic->ic_stats.is_rx_elem_toosmall++; 1902 break; 1903 } 1904 switch (frm[0]) { 1905 case IEEE80211_ELEMID_SSID: 1906 ssid = frm; 1907 break; 1908 case IEEE80211_ELEMID_RATES: 1909 rates = frm; 1910 break; 1911 case IEEE80211_ELEMID_XRATES: 1912 xrates = frm; 1913 break; 1914 case IEEE80211_ELEMID_RSN: 1915 rsnie = frm; 1916 break; 1917 case IEEE80211_ELEMID_QOS_CAP: 1918 break; 1919 case IEEE80211_ELEMID_HTCAPS: 1920 htcaps = frm; 1921 break; 1922 case IEEE80211_ELEMID_VENDOR: 1923 if (frm[1] < 4) { 1924 ic->ic_stats.is_rx_elem_toosmall++; 1925 break; 1926 } 1927 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1928 if (frm[5] == 1) 1929 wpaie = frm; 1930 } 1931 break; 1932 } 1933 frm += 2 + frm[1]; 1934 } 1935 /* supported rates element is mandatory */ 1936 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1937 DPRINTF(("invalid supported rates element\n")); 1938 return; 1939 } 1940 /* SSID element is mandatory */ 1941 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1942 DPRINTF(("invalid SSID element\n")); 1943 return; 1944 } 1945 /* check that the specified SSID matches ours */ 1946 if (ssid[1] != ic->ic_bss->ni_esslen || 1947 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 1948 DPRINTF(("SSID mismatch\n")); 1949 ic->ic_stats.is_rx_ssidmismatch++; 1950 return; 1951 } 1952 1953 if (ni->ni_state != IEEE80211_STA_AUTH && 1954 ni->ni_state != IEEE80211_STA_ASSOC) { 1955 DPRINTF(("deny %sassoc from %s, not authenticated\n", 1956 reassoc ? "re" : "", 1957 ether_sprintf((u_int8_t *)wh->i_addr2))); 1958 ni = ieee80211_find_node(ic, wh->i_addr2); 1959 if (ni == NULL) 1960 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1961 if (ni != NULL) { 1962 IEEE80211_SEND_MGMT(ic, ni, 1963 IEEE80211_FC0_SUBTYPE_DEAUTH, 1964 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1965 } 1966 ic->ic_stats.is_rx_assoc_notauth++; 1967 return; 1968 } 1969 1970 if (ni->ni_state == IEEE80211_STA_ASSOC && 1971 (ni->ni_flags & IEEE80211_NODE_MFP)) { 1972 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 1973 /* send a protected Disassociate frame */ 1974 IEEE80211_SEND_MGMT(ic, ni, 1975 IEEE80211_FC0_SUBTYPE_DISASSOC, 1976 IEEE80211_REASON_AUTH_EXPIRE); 1977 /* terminate the old SA */ 1978 ieee80211_node_leave(ic, ni); 1979 } else { 1980 /* reject the (Re)Association Request temporarily */ 1981 IEEE80211_SEND_MGMT(ic, ni, resp, 1982 IEEE80211_STATUS_TRY_AGAIN_LATER); 1983 /* start SA Query procedure if not already engaged */ 1984 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 1985 ieee80211_sa_query_request(ic, ni); 1986 /* do not modify association state */ 1987 } 1988 return; 1989 } 1990 1991 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 1992 ic->ic_stats.is_rx_assoc_capmismatch++; 1993 status = IEEE80211_STATUS_CAPINFO; 1994 goto end; 1995 } 1996 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1997 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1998 IEEE80211_F_DODEL); 1999 if (rate & IEEE80211_RATE_BASIC) { 2000 ic->ic_stats.is_rx_assoc_norate++; 2001 status = IEEE80211_STATUS_BASIC_RATE; 2002 goto end; 2003 } 2004 2005 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2006 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 2007 ni->ni_rsnakms = 0; 2008 ni->ni_supported_rsnakms = 0; 2009 ni->ni_rsnciphers = 0; 2010 ni->ni_rsngroupcipher = 0; 2011 ni->ni_rsngroupmgmtcipher = 0; 2012 ni->ni_rsncaps = 0; 2013 2014 /* 2015 * A station should never include both a WPA and an RSN IE 2016 * in its (Re)Association Requests, but if it does, we only 2017 * consider the IE of the highest version of the protocol 2018 * that is allowed (ie RSN over WPA). 2019 */ 2020 if (rsnie != NULL) { 2021 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 2022 if (status != 0) 2023 goto end; 2024 ni->ni_supported_rsnprotos = IEEE80211_PROTO_RSN; 2025 ni->ni_supported_rsnakms = rsn.rsn_akms; 2026 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2027 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 2028 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 2029 saveie = rsnie; 2030 } 2031 } else if (wpaie != NULL) { 2032 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 2033 if (status != 0) 2034 goto end; 2035 ni->ni_supported_rsnprotos = IEEE80211_PROTO_WPA; 2036 ni->ni_supported_rsnakms = rsn.rsn_akms; 2037 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2038 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 2039 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 2040 saveie = wpaie; 2041 } 2042 } 2043 2044 if (ic->ic_flags & IEEE80211_F_RSNON) { 2045 if (ni->ni_rsnprotos == IEEE80211_PROTO_NONE) { 2046 /* 2047 * In an RSN, an AP shall not associate with STAs 2048 * that fail to include the RSN IE in the 2049 * (Re)Association Request. 2050 */ 2051 status = IEEE80211_STATUS_IE_INVALID; 2052 goto end; 2053 } 2054 /* 2055 * The initiating STA's RSN IE shall include one authentication 2056 * and pairwise cipher suite among those advertised by the 2057 * targeted AP. It shall also specify the group cipher suite 2058 * specified by the targeted AP. 2059 */ 2060 if (rsn.rsn_nakms != 1 || 2061 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2062 status = IEEE80211_STATUS_BAD_AKMP; 2063 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2064 goto end; 2065 } 2066 if (rsn.rsn_nciphers != 1 || 2067 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2068 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2069 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2070 goto end; 2071 } 2072 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2073 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2074 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2075 goto end; 2076 } 2077 2078 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2079 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2080 status = IEEE80211_STATUS_MFP_POLICY; 2081 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2082 goto end; 2083 } 2084 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2085 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2086 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2087 /* STA advertises an invalid setting */ 2088 status = IEEE80211_STATUS_MFP_POLICY; 2089 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2090 goto end; 2091 } 2092 /* 2093 * A STA that has associated with Management Frame Protection 2094 * enabled shall not use cipher suite pairwise selector WEP40, 2095 * WEP104, TKIP, or "Use Group cipher suite". 2096 */ 2097 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2098 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2099 rsn.rsn_groupmgmtcipher != 2100 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2101 status = IEEE80211_STATUS_MFP_POLICY; 2102 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2103 goto end; 2104 } 2105 2106 /* 2107 * Disallow new associations using TKIP if countermeasures 2108 * are active. 2109 */ 2110 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2111 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2112 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2113 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2114 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2115 goto end; 2116 } 2117 2118 /* everything looks fine, save IE and parameters */ 2119 if (saveie == NULL || 2120 ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2121 status = IEEE80211_STATUS_TOOMANY; 2122 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2123 goto end; 2124 } 2125 ni->ni_rsnakms = rsn.rsn_akms; 2126 ni->ni_rsnciphers = rsn.rsn_ciphers; 2127 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2128 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2129 ni->ni_rsncaps = rsn.rsn_caps; 2130 2131 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2132 struct ieee80211_pmk *pmk = NULL; 2133 const u_int8_t *pmkid = rsn.rsn_pmkids; 2134 /* 2135 * Check if we have a cached PMK entry matching one 2136 * of the PMKIDs specified in the RSN IE. 2137 */ 2138 while (rsn.rsn_npmkids-- > 0) { 2139 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2140 if (pmk != NULL) 2141 break; 2142 pmkid += IEEE80211_PMKID_LEN; 2143 } 2144 if (pmk != NULL) { 2145 memcpy(ni->ni_pmk, pmk->pmk_key, 2146 IEEE80211_PMK_LEN); 2147 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2148 IEEE80211_PMKID_LEN); 2149 ni->ni_flags |= IEEE80211_NODE_PMK; 2150 } 2151 } 2152 } 2153 2154 ni->ni_rssi = rxi->rxi_rssi; 2155 ni->ni_rstamp = rxi->rxi_tstamp; 2156 ni->ni_intval = bintval; 2157 ni->ni_capinfo = capinfo; 2158 ni->ni_chan = ic->ic_bss->ni_chan; 2159 if (htcaps) 2160 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2161 else 2162 ieee80211_clear_htcaps(ni); 2163 end: 2164 if (status != 0) { 2165 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2166 ieee80211_node_leave(ic, ni); 2167 } else 2168 ieee80211_node_join(ic, ni, resp); 2169 } 2170 #endif /* IEEE80211_STA_ONLY */ 2171 2172 /*- 2173 * (Re)Association response frame format: 2174 * [2] Capability information 2175 * [2] Status code 2176 * [2] Association ID (AID) 2177 * [tlv] Supported rates 2178 * [tlv] Extended Supported Rates (802.11g) 2179 * [tlv] EDCA Parameter Set (802.11e) 2180 * [tlv] HT Capabilities (802.11n) 2181 * [tlv] HT Operation (802.11n) 2182 */ 2183 void 2184 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2185 struct ieee80211_node *ni, int reassoc) 2186 { 2187 struct ifnet *ifp = &ic->ic_if; 2188 const struct ieee80211_frame *wh; 2189 const u_int8_t *frm, *efrm; 2190 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2191 u_int16_t capinfo, status, associd; 2192 u_int8_t rate; 2193 2194 if (ic->ic_opmode != IEEE80211_M_STA || 2195 ic->ic_state != IEEE80211_S_ASSOC) { 2196 ic->ic_stats.is_rx_mgtdiscard++; 2197 return; 2198 } 2199 2200 /* make sure all mandatory fixed fields are present */ 2201 if (m->m_len < sizeof(*wh) + 6) { 2202 DPRINTF(("frame too short\n")); 2203 return; 2204 } 2205 wh = mtod(m, struct ieee80211_frame *); 2206 frm = (const u_int8_t *)&wh[1]; 2207 efrm = mtod(m, u_int8_t *) + m->m_len; 2208 2209 capinfo = LE_READ_2(frm); frm += 2; 2210 status = LE_READ_2(frm); frm += 2; 2211 if (status != IEEE80211_STATUS_SUCCESS) { 2212 if (ifp->if_flags & IFF_DEBUG) 2213 printf("%s: %sassociation failed (status %d)" 2214 " for %s\n", ifp->if_xname, 2215 reassoc ? "re" : "", 2216 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2217 if (ni != ic->ic_bss) 2218 ni->ni_fails++; 2219 ic->ic_stats.is_rx_auth_fail++; 2220 return; 2221 } 2222 associd = LE_READ_2(frm); frm += 2; 2223 2224 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2225 while (frm + 2 <= efrm) { 2226 if (frm + 2 + frm[1] > efrm) { 2227 ic->ic_stats.is_rx_elem_toosmall++; 2228 break; 2229 } 2230 switch (frm[0]) { 2231 case IEEE80211_ELEMID_RATES: 2232 rates = frm; 2233 break; 2234 case IEEE80211_ELEMID_XRATES: 2235 xrates = frm; 2236 break; 2237 case IEEE80211_ELEMID_EDCAPARMS: 2238 edcaie = frm; 2239 break; 2240 case IEEE80211_ELEMID_HTCAPS: 2241 htcaps = frm; 2242 break; 2243 case IEEE80211_ELEMID_HTOP: 2244 htop = frm; 2245 break; 2246 case IEEE80211_ELEMID_VENDOR: 2247 if (frm[1] < 4) { 2248 ic->ic_stats.is_rx_elem_toosmall++; 2249 break; 2250 } 2251 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2252 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2253 wmmie = frm; 2254 } 2255 break; 2256 } 2257 frm += 2 + frm[1]; 2258 } 2259 /* supported rates element is mandatory */ 2260 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2261 DPRINTF(("invalid supported rates element\n")); 2262 return; 2263 } 2264 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2265 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2266 IEEE80211_F_DODEL); 2267 if (rate & IEEE80211_RATE_BASIC) { 2268 DPRINTF(("rate mismatch for %s\n", 2269 ether_sprintf((u_int8_t *)wh->i_addr2))); 2270 ic->ic_stats.is_rx_assoc_norate++; 2271 return; 2272 } 2273 ni->ni_capinfo = capinfo; 2274 ni->ni_associd = associd; 2275 if (edcaie != NULL || wmmie != NULL) { 2276 /* force update of EDCA parameters */ 2277 ic->ic_edca_updtcount = -1; 2278 2279 if ((edcaie != NULL && 2280 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2281 (wmmie != NULL && 2282 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2283 ni->ni_flags |= IEEE80211_NODE_QOS; 2284 else /* for Reassociation */ 2285 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2286 } 2287 if (htcaps) 2288 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2289 if (htop) 2290 ieee80211_setup_htop(ni, htop + 2, htop[1]); 2291 ieee80211_ht_negotiate(ic, ni); 2292 2293 /* Hop into 11n mode after associating to an HT AP in a non-11n mode. */ 2294 if (ni->ni_flags & IEEE80211_NODE_HT) 2295 ieee80211_setmode(ic, IEEE80211_MODE_11N); 2296 else 2297 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan)); 2298 /* 2299 * Reset the erp state (mostly the slot time) now that 2300 * our operating mode has been nailed down. 2301 */ 2302 ieee80211_reset_erp(ic); 2303 2304 /* 2305 * Configure state now that we are associated. 2306 */ 2307 if (ic->ic_curmode == IEEE80211_MODE_11A || 2308 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2309 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2310 else 2311 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2312 2313 ieee80211_set_shortslottime(ic, 2314 ic->ic_curmode == IEEE80211_MODE_11A || 2315 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2316 /* 2317 * Honor ERP protection. 2318 */ 2319 if ((ic->ic_curmode == IEEE80211_MODE_11G || 2320 (ic->ic_curmode == IEEE80211_MODE_11N && 2321 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 2322 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2323 ic->ic_flags |= IEEE80211_F_USEPROT; 2324 else 2325 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2326 /* 2327 * If not an RSNA, mark the port as valid, otherwise wait for 2328 * 802.1X authentication and 4-way handshake to complete.. 2329 */ 2330 if (ic->ic_flags & IEEE80211_F_RSNON) { 2331 /* XXX ic->ic_mgt_timer = 5; */ 2332 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 2333 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2334 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2335 2336 ieee80211_new_state(ic, IEEE80211_S_RUN, 2337 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2338 } 2339 2340 /*- 2341 * Deauthentication frame format: 2342 * [2] Reason code 2343 */ 2344 void 2345 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2346 struct ieee80211_node *ni) 2347 { 2348 const struct ieee80211_frame *wh; 2349 const u_int8_t *frm; 2350 u_int16_t reason; 2351 2352 /* make sure all mandatory fixed fields are present */ 2353 if (m->m_len < sizeof(*wh) + 2) { 2354 DPRINTF(("frame too short\n")); 2355 return; 2356 } 2357 wh = mtod(m, struct ieee80211_frame *); 2358 frm = (const u_int8_t *)&wh[1]; 2359 2360 reason = LE_READ_2(frm); 2361 2362 ic->ic_stats.is_rx_deauth++; 2363 switch (ic->ic_opmode) { 2364 case IEEE80211_M_STA: 2365 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2366 IEEE80211_FC0_SUBTYPE_DEAUTH); 2367 break; 2368 #ifndef IEEE80211_STA_ONLY 2369 case IEEE80211_M_HOSTAP: 2370 if (ni != ic->ic_bss) { 2371 if (ic->ic_if.if_flags & IFF_DEBUG) 2372 printf("%s: station %s deauthenticated " 2373 "by peer (reason %d)\n", 2374 ic->ic_if.if_xname, 2375 ether_sprintf(ni->ni_macaddr), 2376 reason); 2377 ieee80211_node_leave(ic, ni); 2378 } 2379 break; 2380 #endif 2381 default: 2382 break; 2383 } 2384 } 2385 2386 /*- 2387 * Disassociation frame format: 2388 * [2] Reason code 2389 */ 2390 void 2391 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2392 struct ieee80211_node *ni) 2393 { 2394 const struct ieee80211_frame *wh; 2395 const u_int8_t *frm; 2396 u_int16_t reason; 2397 2398 /* make sure all mandatory fixed fields are present */ 2399 if (m->m_len < sizeof(*wh) + 2) { 2400 DPRINTF(("frame too short\n")); 2401 return; 2402 } 2403 wh = mtod(m, struct ieee80211_frame *); 2404 frm = (const u_int8_t *)&wh[1]; 2405 2406 reason = LE_READ_2(frm); 2407 2408 ic->ic_stats.is_rx_disassoc++; 2409 switch (ic->ic_opmode) { 2410 case IEEE80211_M_STA: 2411 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2412 IEEE80211_FC0_SUBTYPE_DISASSOC); 2413 break; 2414 #ifndef IEEE80211_STA_ONLY 2415 case IEEE80211_M_HOSTAP: 2416 if (ni != ic->ic_bss) { 2417 if (ic->ic_if.if_flags & IFF_DEBUG) 2418 printf("%s: station %s disassociated " 2419 "by peer (reason %d)\n", 2420 ic->ic_if.if_xname, 2421 ether_sprintf(ni->ni_macaddr), 2422 reason); 2423 ieee80211_node_leave(ic, ni); 2424 } 2425 break; 2426 #endif 2427 default: 2428 break; 2429 } 2430 } 2431 2432 /*- 2433 * ADDBA Request frame format: 2434 * [1] Category 2435 * [1] Action 2436 * [1] Dialog Token 2437 * [2] Block Ack Parameter Set 2438 * [2] Block Ack Timeout Value 2439 * [2] Block Ack Starting Sequence Control 2440 */ 2441 void 2442 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2443 struct ieee80211_node *ni) 2444 { 2445 const struct ieee80211_frame *wh; 2446 const u_int8_t *frm; 2447 struct ieee80211_rx_ba *ba; 2448 u_int16_t params, ssn, bufsz, timeout; 2449 u_int8_t token, tid; 2450 int err = 0; 2451 2452 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2453 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2454 ether_sprintf(ni->ni_macaddr))); 2455 return; 2456 } 2457 if (m->m_len < sizeof(*wh) + 9) { 2458 DPRINTF(("frame too short\n")); 2459 return; 2460 } 2461 /* MLME-ADDBA.indication */ 2462 wh = mtod(m, struct ieee80211_frame *); 2463 frm = (const u_int8_t *)&wh[1]; 2464 2465 token = frm[2]; 2466 params = LE_READ_2(&frm[3]); 2467 tid = ((params & IEEE80211_ADDBA_TID_MASK) >> 2468 IEEE80211_ADDBA_TID_SHIFT); 2469 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >> 2470 IEEE80211_ADDBA_BUFSZ_SHIFT; 2471 timeout = LE_READ_2(&frm[5]); 2472 ssn = LE_READ_2(&frm[7]) >> 4; 2473 2474 ba = &ni->ni_rx_ba[tid]; 2475 /* check if we already have a Block Ack agreement for this RA/TID */ 2476 if (ba->ba_state == IEEE80211_BA_AGREED) { 2477 /* XXX should we update the timeout value? */ 2478 /* reset Block Ack inactivity timer */ 2479 if (ba->ba_timeout_val != 0) 2480 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2481 2482 /* check if it's a Protected Block Ack agreement */ 2483 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2484 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2485 return; /* not a PBAC, ignore */ 2486 2487 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2488 if (SEQ_LT(ba->ba_winstart, ssn)) 2489 ieee80211_ba_move_window(ic, ni, tid, ssn); 2490 return; 2491 } 2492 2493 /* if PBAC required but RA does not support it, refuse request */ 2494 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2495 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2496 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) 2497 goto refuse; 2498 /* 2499 * If the TID for which the Block Ack agreement is requested is 2500 * configured with a no-ACK policy, refuse the agreement. 2501 */ 2502 if (ic->ic_tid_noack & (1 << tid)) 2503 goto refuse; 2504 2505 /* check that we support the requested Block Ack Policy */ 2506 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2507 !(params & IEEE80211_ADDBA_BA_POLICY)) 2508 goto refuse; 2509 2510 /* setup Block Ack agreement */ 2511 ba->ba_state = IEEE80211_BA_INIT; 2512 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2513 ba->ba_ni = ni; 2514 ba->ba_token = token; 2515 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2516 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba); 2517 ba->ba_winsize = bufsz; 2518 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2519 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2520 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY); 2521 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 2522 (tid << IEEE80211_ADDBA_TID_SHIFT) | IEEE80211_ADDBA_AMSDU); 2523 ba->ba_winstart = ssn; 2524 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2525 /* allocate and setup our reordering buffer */ 2526 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2527 M_DEVBUF, M_NOWAIT | M_ZERO); 2528 if (ba->ba_buf == NULL) 2529 goto refuse; 2530 2531 ba->ba_head = 0; 2532 2533 /* notify drivers of this new Block Ack agreement */ 2534 if (ic->ic_ampdu_rx_start != NULL) 2535 err = ic->ic_ampdu_rx_start(ic, ni, tid); 2536 if (err == EBUSY) { 2537 /* driver will accept or refuse agreement when done */ 2538 return; 2539 } else if (err) { 2540 /* driver failed to setup, rollback */ 2541 ieee80211_addba_req_refuse(ic, ni, tid); 2542 } else 2543 ieee80211_addba_req_accept(ic, ni, tid); 2544 return; 2545 2546 refuse: 2547 /* MLME-ADDBA.response */ 2548 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2549 IEEE80211_ACTION_ADDBA_RESP, 2550 IEEE80211_STATUS_REFUSED << 16 | token << 8 | tid); 2551 } 2552 2553 void 2554 ieee80211_addba_req_accept(struct ieee80211com *ic, struct ieee80211_node *ni, 2555 uint8_t tid) 2556 { 2557 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2558 2559 ba->ba_state = IEEE80211_BA_AGREED; 2560 ic->ic_stats.is_ht_rx_ba_agreements++; 2561 /* start Block Ack inactivity timer */ 2562 if (ba->ba_timeout_val != 0) 2563 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2564 2565 /* MLME-ADDBA.response */ 2566 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2567 IEEE80211_ACTION_ADDBA_RESP, 2568 IEEE80211_STATUS_SUCCESS << 16 | ba->ba_token << 8 | tid); 2569 } 2570 2571 void 2572 ieee80211_addba_req_refuse(struct ieee80211com *ic, struct ieee80211_node *ni, 2573 uint8_t tid) 2574 { 2575 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2576 2577 free(ba->ba_buf, M_DEVBUF, 2578 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2579 ba->ba_buf = NULL; 2580 2581 /* MLME-ADDBA.response */ 2582 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2583 IEEE80211_ACTION_ADDBA_RESP, 2584 IEEE80211_STATUS_REFUSED << 16 | ba->ba_token << 8 | tid); 2585 } 2586 2587 /*- 2588 * ADDBA Response frame format: 2589 * [1] Category 2590 * [1] Action 2591 * [1] Dialog Token 2592 * [2] Status Code 2593 * [2] Block Ack Parameter Set 2594 * [2] Block Ack Timeout Value 2595 */ 2596 void 2597 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2598 struct ieee80211_node *ni) 2599 { 2600 const struct ieee80211_frame *wh; 2601 const u_int8_t *frm; 2602 struct ieee80211_tx_ba *ba; 2603 u_int16_t status, params, bufsz, timeout; 2604 u_int8_t token, tid; 2605 2606 if (m->m_len < sizeof(*wh) + 9) { 2607 DPRINTF(("frame too short\n")); 2608 return; 2609 } 2610 wh = mtod(m, struct ieee80211_frame *); 2611 frm = (const u_int8_t *)&wh[1]; 2612 2613 token = frm[2]; 2614 status = LE_READ_2(&frm[3]); 2615 params = LE_READ_2(&frm[5]); 2616 tid = (params >> 2) & 0xf; 2617 bufsz = (params >> 6) & 0x3ff; 2618 timeout = LE_READ_2(&frm[7]); 2619 2620 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2621 ether_sprintf(ni->ni_macaddr), tid, status)); 2622 2623 /* 2624 * Ignore if no ADDBA request has been sent for this RA/TID or 2625 * if we already have a Block Ack agreement. 2626 */ 2627 ba = &ni->ni_tx_ba[tid]; 2628 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2629 DPRINTF(("no matching ADDBA req found\n")); 2630 return; 2631 } 2632 if (token != ba->ba_token) { 2633 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2634 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2635 return; 2636 } 2637 /* we got an ADDBA Response matching our request, stop timeout */ 2638 timeout_del(&ba->ba_to); 2639 2640 if (status != IEEE80211_STATUS_SUCCESS) { 2641 /* MLME-ADDBA.confirm(Failure) */ 2642 ba->ba_state = IEEE80211_BA_INIT; 2643 return; 2644 } 2645 /* MLME-ADDBA.confirm(Success) */ 2646 ba->ba_state = IEEE80211_BA_AGREED; 2647 ic->ic_stats.is_ht_tx_ba_agreements++; 2648 2649 /* notify drivers of this new Block Ack agreement */ 2650 if (ic->ic_ampdu_tx_start != NULL) 2651 (void)ic->ic_ampdu_tx_start(ic, ni, tid); 2652 2653 /* start Block Ack inactivity timeout */ 2654 if (ba->ba_timeout_val != 0) 2655 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2656 } 2657 2658 /*- 2659 * DELBA frame format: 2660 * [1] Category 2661 * [1] Action 2662 * [2] DELBA Parameter Set 2663 * [2] Reason Code 2664 */ 2665 void 2666 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 2667 struct ieee80211_node *ni) 2668 { 2669 const struct ieee80211_frame *wh; 2670 const u_int8_t *frm; 2671 u_int16_t params, reason; 2672 u_int8_t tid; 2673 int i; 2674 2675 if (m->m_len < sizeof(*wh) + 6) { 2676 DPRINTF(("frame too short\n")); 2677 return; 2678 } 2679 wh = mtod(m, struct ieee80211_frame *); 2680 frm = (const u_int8_t *)&wh[1]; 2681 2682 params = LE_READ_2(&frm[2]); 2683 reason = LE_READ_2(&frm[4]); 2684 tid = params >> 12; 2685 2686 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 2687 ether_sprintf(ni->ni_macaddr), tid, reason)); 2688 2689 if (params & IEEE80211_DELBA_INITIATOR) { 2690 /* MLME-DELBA.indication(Originator) */ 2691 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2692 2693 if (ba->ba_state != IEEE80211_BA_AGREED) { 2694 DPRINTF(("no matching Block Ack agreement\n")); 2695 return; 2696 } 2697 /* notify drivers of the end of the Block Ack agreement */ 2698 if (ic->ic_ampdu_rx_stop != NULL) 2699 ic->ic_ampdu_rx_stop(ic, ni, tid); 2700 2701 ba->ba_state = IEEE80211_BA_INIT; 2702 /* stop Block Ack inactivity timer */ 2703 timeout_del(&ba->ba_to); 2704 timeout_del(&ba->ba_gap_to); 2705 2706 if (ba->ba_buf != NULL) { 2707 /* free all MSDUs stored in reordering buffer */ 2708 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 2709 m_freem(ba->ba_buf[i].m); 2710 /* free reordering buffer */ 2711 free(ba->ba_buf, M_DEVBUF, 2712 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2713 ba->ba_buf = NULL; 2714 } 2715 } else { 2716 /* MLME-DELBA.indication(Recipient) */ 2717 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2718 2719 if (ba->ba_state != IEEE80211_BA_AGREED) { 2720 DPRINTF(("no matching Block Ack agreement\n")); 2721 return; 2722 } 2723 /* notify drivers of the end of the Block Ack agreement */ 2724 if (ic->ic_ampdu_tx_stop != NULL) 2725 ic->ic_ampdu_tx_stop(ic, ni, tid); 2726 2727 ba->ba_state = IEEE80211_BA_INIT; 2728 /* stop Block Ack inactivity timer */ 2729 timeout_del(&ba->ba_to); 2730 } 2731 } 2732 2733 /*- 2734 * SA Query Request frame format: 2735 * [1] Category 2736 * [1] Action 2737 * [2] Transaction Identifier 2738 */ 2739 void 2740 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 2741 struct ieee80211_node *ni) 2742 { 2743 const struct ieee80211_frame *wh; 2744 const u_int8_t *frm; 2745 2746 if (ic->ic_opmode != IEEE80211_M_STA || 2747 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 2748 DPRINTF(("unexpected SA Query req from %s\n", 2749 ether_sprintf(ni->ni_macaddr))); 2750 return; 2751 } 2752 if (m->m_len < sizeof(*wh) + 4) { 2753 DPRINTF(("frame too short\n")); 2754 return; 2755 } 2756 wh = mtod(m, struct ieee80211_frame *); 2757 frm = (const u_int8_t *)&wh[1]; 2758 2759 /* MLME-SAQuery.indication */ 2760 2761 /* save Transaction Identifier for SA Query Response */ 2762 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 2763 2764 /* MLME-SAQuery.response */ 2765 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 2766 IEEE80211_ACTION_SA_QUERY_RESP, 0); 2767 } 2768 2769 #ifndef IEEE80211_STA_ONLY 2770 /*- 2771 * SA Query Response frame format: 2772 * [1] Category 2773 * [1] Action 2774 * [2] Transaction Identifier 2775 */ 2776 void 2777 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 2778 struct ieee80211_node *ni) 2779 { 2780 const struct ieee80211_frame *wh; 2781 const u_int8_t *frm; 2782 2783 /* ignore if we're not engaged in an SA Query with that STA */ 2784 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 2785 DPRINTF(("unexpected SA Query resp from %s\n", 2786 ether_sprintf(ni->ni_macaddr))); 2787 return; 2788 } 2789 if (m->m_len < sizeof(*wh) + 4) { 2790 DPRINTF(("frame too short\n")); 2791 return; 2792 } 2793 wh = mtod(m, struct ieee80211_frame *); 2794 frm = (const u_int8_t *)&wh[1]; 2795 2796 /* check that Transaction Identifier matches */ 2797 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 2798 DPRINTF(("transaction identifier does not match\n")); 2799 return; 2800 } 2801 /* MLME-SAQuery.confirm */ 2802 timeout_del(&ni->ni_sa_query_to); 2803 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 2804 } 2805 #endif 2806 2807 /*- 2808 * Action frame format: 2809 * [1] Category 2810 * [1] Action 2811 */ 2812 void 2813 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 2814 struct ieee80211_node *ni) 2815 { 2816 const struct ieee80211_frame *wh; 2817 const u_int8_t *frm; 2818 2819 if (m->m_len < sizeof(*wh) + 2) { 2820 DPRINTF(("frame too short\n")); 2821 return; 2822 } 2823 wh = mtod(m, struct ieee80211_frame *); 2824 frm = (const u_int8_t *)&wh[1]; 2825 2826 switch (frm[0]) { 2827 case IEEE80211_CATEG_BA: 2828 switch (frm[1]) { 2829 case IEEE80211_ACTION_ADDBA_REQ: 2830 ieee80211_recv_addba_req(ic, m, ni); 2831 break; 2832 case IEEE80211_ACTION_ADDBA_RESP: 2833 ieee80211_recv_addba_resp(ic, m, ni); 2834 break; 2835 case IEEE80211_ACTION_DELBA: 2836 ieee80211_recv_delba(ic, m, ni); 2837 break; 2838 } 2839 break; 2840 case IEEE80211_CATEG_SA_QUERY: 2841 switch (frm[1]) { 2842 case IEEE80211_ACTION_SA_QUERY_REQ: 2843 ieee80211_recv_sa_query_req(ic, m, ni); 2844 break; 2845 #ifndef IEEE80211_STA_ONLY 2846 case IEEE80211_ACTION_SA_QUERY_RESP: 2847 ieee80211_recv_sa_query_resp(ic, m, ni); 2848 break; 2849 #endif 2850 } 2851 break; 2852 default: 2853 DPRINTF(("action frame category %d not handled\n", frm[0])); 2854 break; 2855 } 2856 } 2857 2858 void 2859 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 2860 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 2861 { 2862 switch (subtype) { 2863 case IEEE80211_FC0_SUBTYPE_BEACON: 2864 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 2865 break; 2866 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 2867 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 2868 break; 2869 #ifndef IEEE80211_STA_ONLY 2870 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2871 ieee80211_recv_probe_req(ic, m, ni, rxi); 2872 break; 2873 #endif 2874 case IEEE80211_FC0_SUBTYPE_AUTH: 2875 ieee80211_recv_auth(ic, m, ni, rxi); 2876 break; 2877 #ifndef IEEE80211_STA_ONLY 2878 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2879 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 2880 break; 2881 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 2882 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 2883 break; 2884 #endif 2885 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2886 ieee80211_recv_assoc_resp(ic, m, ni, 0); 2887 break; 2888 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2889 ieee80211_recv_assoc_resp(ic, m, ni, 1); 2890 break; 2891 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2892 ieee80211_recv_deauth(ic, m, ni); 2893 break; 2894 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2895 ieee80211_recv_disassoc(ic, m, ni); 2896 break; 2897 case IEEE80211_FC0_SUBTYPE_ACTION: 2898 ieee80211_recv_action(ic, m, ni); 2899 break; 2900 default: 2901 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 2902 subtype)); 2903 ic->ic_stats.is_rx_badsubtype++; 2904 break; 2905 } 2906 } 2907 2908 #ifndef IEEE80211_STA_ONLY 2909 /* 2910 * Process an incoming PS-Poll control frame (see 11.2). 2911 */ 2912 void 2913 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 2914 struct ieee80211_node *ni) 2915 { 2916 struct ifnet *ifp = &ic->ic_if; 2917 struct ieee80211_frame_pspoll *psp; 2918 struct ieee80211_frame *wh; 2919 u_int16_t aid; 2920 2921 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2922 !(ic->ic_caps & IEEE80211_C_APPMGT) || 2923 ni->ni_state != IEEE80211_STA_ASSOC) 2924 return; 2925 2926 if (m->m_len < sizeof(*psp)) { 2927 DPRINTF(("frame too short, len %u\n", m->m_len)); 2928 ic->ic_stats.is_rx_tooshort++; 2929 return; 2930 } 2931 psp = mtod(m, struct ieee80211_frame_pspoll *); 2932 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 2933 DPRINTF(("discard pspoll frame to BSS %s\n", 2934 ether_sprintf(psp->i_bssid))); 2935 ic->ic_stats.is_rx_wrongbss++; 2936 return; 2937 } 2938 aid = letoh16(*(u_int16_t *)psp->i_aid); 2939 if (aid != ni->ni_associd) { 2940 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 2941 ether_sprintf(psp->i_ta))); 2942 return; 2943 } 2944 2945 /* take the first queued frame and put it out.. */ 2946 m = mq_dequeue(&ni->ni_savedq); 2947 if (m == NULL) 2948 return; 2949 if (mq_empty(&ni->ni_savedq)) { 2950 /* last queued frame, turn off the TIM bit */ 2951 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 2952 } else { 2953 /* more queued frames, set the more data bit */ 2954 wh = mtod(m, struct ieee80211_frame *); 2955 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 2956 } 2957 mq_enqueue(&ic->ic_pwrsaveq, m); 2958 if_start(ifp); 2959 } 2960 #endif /* IEEE80211_STA_ONLY */ 2961 2962 /* 2963 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 2964 */ 2965 void 2966 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 2967 struct ieee80211_node *ni) 2968 { 2969 const struct ieee80211_frame_min *wh; 2970 const u_int8_t *frm; 2971 u_int16_t ctl, ssn; 2972 u_int8_t tid, ntids; 2973 2974 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2975 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 2976 ether_sprintf(ni->ni_macaddr))); 2977 return; 2978 } 2979 if (m->m_len < sizeof(*wh) + 4) { 2980 DPRINTF(("frame too short\n")); 2981 return; 2982 } 2983 wh = mtod(m, struct ieee80211_frame_min *); 2984 frm = (const u_int8_t *)&wh[1]; 2985 2986 /* read BlockAckReq Control field */ 2987 ctl = LE_READ_2(&frm[0]); 2988 tid = ctl >> 12; 2989 2990 /* determine BlockAckReq frame variant */ 2991 if (ctl & IEEE80211_BA_MULTI_TID) { 2992 /* Multi-TID BlockAckReq variant (PSMP only) */ 2993 ntids = tid + 1; 2994 2995 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 2996 DPRINTF(("MTBAR frame too short\n")); 2997 return; 2998 } 2999 frm += 2; /* skip BlockAckReq Control field */ 3000 while (ntids-- > 0) { 3001 /* read MTBAR Information field */ 3002 tid = LE_READ_2(&frm[0]) >> 12; 3003 ssn = LE_READ_2(&frm[2]) >> 4; 3004 ieee80211_bar_tid(ic, ni, tid, ssn); 3005 frm += 4; 3006 } 3007 } else { 3008 /* Basic or Compressed BlockAckReq variants */ 3009 ssn = LE_READ_2(&frm[2]) >> 4; 3010 ieee80211_bar_tid(ic, ni, tid, ssn); 3011 } 3012 } 3013 3014 /* 3015 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 3016 * This is the common back-end for all BlockAckReq frame variants. 3017 */ 3018 void 3019 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 3020 u_int8_t tid, u_int16_t ssn) 3021 { 3022 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3023 3024 /* check if we have a Block Ack agreement for RA/TID */ 3025 if (ba->ba_state != IEEE80211_BA_AGREED) { 3026 /* XXX not sure in PBAC case */ 3027 /* send a DELBA with reason code UNKNOWN-BA */ 3028 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3029 IEEE80211_ACTION_DELBA, 3030 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 3031 return; 3032 } 3033 /* check if it is a Protected Block Ack agreement */ 3034 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 3035 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 3036 /* ADDBA Requests must be used in PBAC case */ 3037 if (SEQ_LT(ssn, ba->ba_winstart) || 3038 SEQ_LT(ba->ba_winend, ssn)) 3039 ic->ic_stats.is_pbac_errs++; 3040 return; /* PBAC, do not move window */ 3041 } 3042 /* reset Block Ack inactivity timer */ 3043 if (ba->ba_timeout_val != 0) 3044 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3045 3046 if (SEQ_LT(ba->ba_winstart, ssn)) 3047 ieee80211_ba_move_window(ic, ni, tid, ssn); 3048 } 3049