1 /* $OpenBSD: ieee80211_input.c,v 1.203 2019/01/15 10:01:46 stsp Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/sysctl.h> 44 #include <sys/task.h> 45 46 #include <net/if.h> 47 #include <net/if_dl.h> 48 #include <net/if_media.h> 49 #include <net/if_llc.h> 50 51 #if NBPFILTER > 0 52 #include <net/bpf.h> 53 #endif 54 55 #include <netinet/in.h> 56 #include <netinet/if_ether.h> 57 58 #include <net80211/ieee80211_var.h> 59 #include <net80211/ieee80211_priv.h> 60 61 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 62 void ieee80211_defrag_timeout(void *); 63 void ieee80211_input_ba(struct ieee80211com *, struct mbuf *, 64 struct ieee80211_node *, int, struct ieee80211_rxinfo *); 65 void ieee80211_input_ba_flush(struct ieee80211com *, struct ieee80211_node *, 66 struct ieee80211_rx_ba *); 67 void ieee80211_input_ba_gap_timeout(void *arg); 68 void ieee80211_ba_move_window(struct ieee80211com *, 69 struct ieee80211_node *, u_int8_t, u_int16_t); 70 void ieee80211_input_ba_seq(struct ieee80211com *, 71 struct ieee80211_node *, uint8_t, uint16_t); 72 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 73 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 74 struct ieee80211_node *, int); 75 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 76 struct ieee80211_node *, int); 77 void ieee80211_deliver_data(struct ieee80211com *, struct mbuf *, 78 struct ieee80211_node *, int); 79 int ieee80211_parse_edca_params_body(struct ieee80211com *, 80 const u_int8_t *); 81 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 82 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 83 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 84 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 85 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 86 u_int, struct ieee80211_rsnparams *); 87 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 88 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 89 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 90 #ifndef IEEE80211_STA_ONLY 91 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 92 struct ieee80211_node *, struct ieee80211_rxinfo *); 93 #endif 94 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 95 struct ieee80211_node *, struct ieee80211_rxinfo *); 96 #ifndef IEEE80211_STA_ONLY 97 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 98 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 99 #endif 100 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 101 struct ieee80211_node *, int); 102 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 103 struct ieee80211_node *); 104 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 105 struct ieee80211_node *); 106 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 107 struct ieee80211_node *); 108 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 109 struct ieee80211_node *); 110 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 111 struct ieee80211_node *); 112 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 113 struct ieee80211_node *); 114 #ifndef IEEE80211_STA_ONLY 115 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 116 struct ieee80211_node *); 117 #endif 118 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 119 struct ieee80211_node *); 120 #ifndef IEEE80211_STA_ONLY 121 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 122 struct ieee80211_node *); 123 #endif 124 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 125 struct ieee80211_node *); 126 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 127 u_int8_t, u_int16_t); 128 129 /* 130 * Retrieve the length in bytes of an 802.11 header. 131 */ 132 u_int 133 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 134 { 135 u_int size = sizeof(*wh); 136 137 /* NB: does not work with control frames */ 138 KASSERT(ieee80211_has_seq(wh)); 139 140 if (ieee80211_has_addr4(wh)) 141 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 142 if (ieee80211_has_qos(wh)) 143 size += sizeof(u_int16_t); /* i_qos */ 144 if (ieee80211_has_htc(wh)) 145 size += sizeof(u_int32_t); /* i_ht */ 146 return size; 147 } 148 149 /* 150 * Process a received frame. The node associated with the sender 151 * should be supplied. If nothing was found in the node table then 152 * the caller is assumed to supply a reference to ic_bss instead. 153 * The RSSI and a timestamp are also supplied. The RSSI data is used 154 * during AP scanning to select a AP to associate with; it can have 155 * any units so long as values have consistent units and higher values 156 * mean ``better signal''. The receive timestamp is currently not used 157 * by the 802.11 layer. 158 */ 159 void 160 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 161 struct ieee80211_rxinfo *rxi) 162 { 163 struct ieee80211com *ic = (void *)ifp; 164 struct ieee80211_frame *wh; 165 u_int16_t *orxseq, nrxseq, qos; 166 u_int8_t dir, type, subtype, tid; 167 int hdrlen, hasqos; 168 169 KASSERT(ni != NULL); 170 171 /* in monitor mode, send everything directly to bpf */ 172 if (ic->ic_opmode == IEEE80211_M_MONITOR) 173 goto out; 174 175 /* 176 * Do not process frames without an Address 2 field any further. 177 * Only CTS and ACK control frames do not have this field. 178 */ 179 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 180 DPRINTF(("frame too short, len %u\n", m->m_len)); 181 ic->ic_stats.is_rx_tooshort++; 182 goto out; 183 } 184 185 wh = mtod(m, struct ieee80211_frame *); 186 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 187 IEEE80211_FC0_VERSION_0) { 188 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 189 ic->ic_stats.is_rx_badversion++; 190 goto err; 191 } 192 193 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 194 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 195 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 196 197 if (type != IEEE80211_FC0_TYPE_CTL) { 198 hdrlen = ieee80211_get_hdrlen(wh); 199 if (m->m_len < hdrlen) { 200 DPRINTF(("frame too short, len %u\n", m->m_len)); 201 ic->ic_stats.is_rx_tooshort++; 202 goto err; 203 } 204 } 205 if ((hasqos = ieee80211_has_qos(wh))) { 206 qos = ieee80211_get_qos(wh); 207 tid = qos & IEEE80211_QOS_TID; 208 } else { 209 qos = 0; 210 tid = 0; 211 } 212 213 if (type == IEEE80211_FC0_TYPE_DATA && hasqos && 214 (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 && 215 !(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE)) { 216 int ba_state = ni->ni_rx_ba[tid].ba_state; 217 218 /* 219 * If Block Ack was explicitly requested, check 220 * if we have a BA agreement for this RA/TID. 221 */ 222 if ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 223 IEEE80211_QOS_ACK_POLICY_BA && 224 ba_state != IEEE80211_BA_AGREED) { 225 DPRINTF(("no BA agreement for %s, TID %d\n", 226 ether_sprintf(ni->ni_macaddr), tid)); 227 /* send a DELBA with reason code UNKNOWN-BA */ 228 IEEE80211_SEND_ACTION(ic, ni, 229 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 230 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 231 goto err; 232 } 233 234 /* 235 * Check if we have an explicit or implicit 236 * Block Ack Request for a valid BA agreement. 237 */ 238 if (ba_state == IEEE80211_BA_AGREED && 239 ((qos & IEEE80211_QOS_ACK_POLICY_MASK) == 240 IEEE80211_QOS_ACK_POLICY_BA || 241 (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 242 IEEE80211_QOS_ACK_POLICY_NORMAL)) { 243 /* go through A-MPDU reordering */ 244 ieee80211_input_ba(ic, m, ni, tid, rxi); 245 return; /* don't free m! */ 246 } 247 } 248 249 /* duplicate detection (see 9.2.9) */ 250 if (ieee80211_has_seq(wh) && 251 ic->ic_state != IEEE80211_S_SCAN) { 252 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 253 IEEE80211_SEQ_SEQ_SHIFT; 254 if (hasqos) 255 orxseq = &ni->ni_qos_rxseqs[tid]; 256 else 257 orxseq = &ni->ni_rxseq; 258 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 259 nrxseq == *orxseq) { 260 /* duplicate, silently discarded */ 261 ic->ic_stats.is_rx_dup++; 262 goto out; 263 } 264 *orxseq = nrxseq; 265 } 266 if (ic->ic_state > IEEE80211_S_SCAN) { 267 ni->ni_rssi = rxi->rxi_rssi; 268 ni->ni_rstamp = rxi->rxi_tstamp; 269 ni->ni_inact = 0; 270 271 if (ic->ic_state == IEEE80211_S_RUN && ic->ic_bgscan_start) { 272 /* Cancel or start background scan based on RSSI. */ 273 if ((*ic->ic_node_checkrssi)(ic, ni)) 274 timeout_del(&ic->ic_bgscan_timeout); 275 else if (!timeout_pending(&ic->ic_bgscan_timeout) && 276 (ic->ic_flags & IEEE80211_F_BGSCAN) == 0 && 277 (ic->ic_flags & IEEE80211_F_DESBSSID) == 0) 278 timeout_add_msec(&ic->ic_bgscan_timeout, 279 500 * (ic->ic_bgscan_fail + 1)); 280 } 281 } 282 283 #ifndef IEEE80211_STA_ONLY 284 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 285 (ic->ic_caps & IEEE80211_C_APPMGT) && 286 ni->ni_state == IEEE80211_STA_ASSOC) { 287 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 288 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 289 /* turn on PS mode */ 290 ni->ni_pwrsave = IEEE80211_PS_DOZE; 291 DPRINTF(("PS mode on for %s\n", 292 ether_sprintf(wh->i_addr2))); 293 } 294 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 295 struct mbuf *m; 296 297 /* turn off PS mode */ 298 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 299 DPRINTF(("PS mode off for %s\n", 300 ether_sprintf(wh->i_addr2))); 301 302 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 303 304 /* dequeue buffered unicast frames */ 305 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) { 306 mq_enqueue(&ic->ic_pwrsaveq, m); 307 if_start(ifp); 308 } 309 } 310 } 311 #endif 312 switch (type) { 313 case IEEE80211_FC0_TYPE_DATA: 314 switch (ic->ic_opmode) { 315 case IEEE80211_M_STA: 316 if (dir != IEEE80211_FC1_DIR_FROMDS) { 317 ic->ic_stats.is_rx_wrongdir++; 318 goto out; 319 } 320 if (ic->ic_state != IEEE80211_S_SCAN && 321 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 322 /* Source address is not our BSS. */ 323 DPRINTF(("discard frame from SA %s\n", 324 ether_sprintf(wh->i_addr2))); 325 ic->ic_stats.is_rx_wrongbss++; 326 goto out; 327 } 328 if ((ifp->if_flags & IFF_SIMPLEX) && 329 IEEE80211_IS_MULTICAST(wh->i_addr1) && 330 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 331 /* 332 * In IEEE802.11 network, multicast frame 333 * sent from me is broadcasted from AP. 334 * It should be silently discarded for 335 * SIMPLEX interface. 336 */ 337 ic->ic_stats.is_rx_mcastecho++; 338 goto out; 339 } 340 break; 341 #ifndef IEEE80211_STA_ONLY 342 case IEEE80211_M_IBSS: 343 case IEEE80211_M_AHDEMO: 344 if (dir != IEEE80211_FC1_DIR_NODS) { 345 ic->ic_stats.is_rx_wrongdir++; 346 goto out; 347 } 348 if (ic->ic_state != IEEE80211_S_SCAN && 349 !IEEE80211_ADDR_EQ(wh->i_addr3, 350 ic->ic_bss->ni_bssid) && 351 !IEEE80211_ADDR_EQ(wh->i_addr3, 352 etherbroadcastaddr)) { 353 /* Destination is not our BSS or broadcast. */ 354 DPRINTF(("discard data frame to DA %s\n", 355 ether_sprintf(wh->i_addr3))); 356 ic->ic_stats.is_rx_wrongbss++; 357 goto out; 358 } 359 break; 360 case IEEE80211_M_HOSTAP: 361 if (dir != IEEE80211_FC1_DIR_TODS) { 362 ic->ic_stats.is_rx_wrongdir++; 363 goto out; 364 } 365 if (ic->ic_state != IEEE80211_S_SCAN && 366 !IEEE80211_ADDR_EQ(wh->i_addr1, 367 ic->ic_bss->ni_bssid) && 368 !IEEE80211_ADDR_EQ(wh->i_addr1, 369 etherbroadcastaddr)) { 370 /* BSS is not us or broadcast. */ 371 DPRINTF(("discard data frame to BSS %s\n", 372 ether_sprintf(wh->i_addr1))); 373 ic->ic_stats.is_rx_wrongbss++; 374 goto out; 375 } 376 /* check if source STA is associated */ 377 if (ni == ic->ic_bss) { 378 DPRINTF(("data from unknown src %s\n", 379 ether_sprintf(wh->i_addr2))); 380 /* NB: caller deals with reference */ 381 ni = ieee80211_find_node(ic, wh->i_addr2); 382 if (ni == NULL) 383 ni = ieee80211_dup_bss(ic, wh->i_addr2); 384 if (ni != NULL) { 385 IEEE80211_SEND_MGMT(ic, ni, 386 IEEE80211_FC0_SUBTYPE_DEAUTH, 387 IEEE80211_REASON_NOT_AUTHED); 388 } 389 ic->ic_stats.is_rx_notassoc++; 390 goto err; 391 } 392 if (ni->ni_state != IEEE80211_STA_ASSOC) { 393 DPRINTF(("data from unassoc src %s\n", 394 ether_sprintf(wh->i_addr2))); 395 IEEE80211_SEND_MGMT(ic, ni, 396 IEEE80211_FC0_SUBTYPE_DISASSOC, 397 IEEE80211_REASON_NOT_ASSOCED); 398 ic->ic_stats.is_rx_notassoc++; 399 goto err; 400 } 401 break; 402 #endif /* IEEE80211_STA_ONLY */ 403 default: 404 /* can't get there */ 405 goto out; 406 } 407 408 /* Do not process "no data" frames any further. */ 409 if (subtype & IEEE80211_FC0_SUBTYPE_NODATA) { 410 if (ic->ic_rawbpf) 411 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 412 goto out; 413 } 414 415 if ((ic->ic_flags & IEEE80211_F_WEPON) || 416 ((ic->ic_flags & IEEE80211_F_RSNON) && 417 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 418 /* protection is on for Rx */ 419 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 420 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 421 /* drop unencrypted */ 422 ic->ic_stats.is_rx_unencrypted++; 423 goto err; 424 } 425 /* do software decryption */ 426 m = ieee80211_decrypt(ic, m, ni); 427 if (m == NULL) { 428 ic->ic_stats.is_rx_wepfail++; 429 goto err; 430 } 431 wh = mtod(m, struct ieee80211_frame *); 432 } 433 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 434 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 435 /* frame encrypted but protection off for Rx */ 436 ic->ic_stats.is_rx_nowep++; 437 goto out; 438 } 439 440 #if NBPFILTER > 0 441 /* copy to listener after decrypt */ 442 if (ic->ic_rawbpf) 443 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 444 #endif 445 446 if ((ni->ni_flags & IEEE80211_NODE_HT) && 447 hasqos && (qos & IEEE80211_QOS_AMSDU)) 448 ieee80211_amsdu_decap(ic, m, ni, hdrlen); 449 else 450 ieee80211_decap(ic, m, ni, hdrlen); 451 return; 452 453 case IEEE80211_FC0_TYPE_MGT: 454 if (dir != IEEE80211_FC1_DIR_NODS) { 455 ic->ic_stats.is_rx_wrongdir++; 456 goto err; 457 } 458 #ifndef IEEE80211_STA_ONLY 459 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 460 ic->ic_stats.is_rx_ahdemo_mgt++; 461 goto out; 462 } 463 #endif 464 /* drop frames without interest */ 465 if (ic->ic_state == IEEE80211_S_SCAN) { 466 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 467 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 468 ic->ic_stats.is_rx_mgtdiscard++; 469 goto out; 470 } 471 } 472 473 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 474 /* MMPDU protection is on for Rx */ 475 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 476 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 477 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 478 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 479 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 480 /* unicast mgmt not encrypted */ 481 goto out; 482 } 483 /* do software decryption */ 484 m = ieee80211_decrypt(ic, m, ni); 485 if (m == NULL) { 486 /* XXX stats */ 487 goto out; 488 } 489 wh = mtod(m, struct ieee80211_frame *); 490 } 491 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 492 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 493 /* encrypted but MMPDU Rx protection off for TA */ 494 goto out; 495 } 496 497 #if NBPFILTER > 0 498 if (bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN) != 0) { 499 /* 500 * Drop mbuf if it was filtered by bpf. Normally, 501 * this is done in ether_input() but IEEE 802.11 502 * management frames are a special case. 503 */ 504 m_freem(m); 505 return; 506 } 507 #endif 508 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 509 m_freem(m); 510 return; 511 512 case IEEE80211_FC0_TYPE_CTL: 513 ic->ic_stats.is_rx_ctl++; 514 switch (subtype) { 515 #ifndef IEEE80211_STA_ONLY 516 case IEEE80211_FC0_SUBTYPE_PS_POLL: 517 ieee80211_recv_pspoll(ic, m, ni); 518 break; 519 #endif 520 case IEEE80211_FC0_SUBTYPE_BAR: 521 ieee80211_recv_bar(ic, m, ni); 522 break; 523 default: 524 break; 525 } 526 goto out; 527 528 default: 529 DPRINTF(("bad frame type %x\n", type)); 530 /* should not come here */ 531 break; 532 } 533 err: 534 ifp->if_ierrors++; 535 out: 536 if (m != NULL) { 537 #if NBPFILTER > 0 538 if (ic->ic_rawbpf) 539 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 540 #endif 541 m_freem(m); 542 } 543 } 544 545 /* 546 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 547 * reception of fragments of three fragmented MSDUs or MMPDUs. 548 */ 549 struct mbuf * 550 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 551 { 552 const struct ieee80211_frame *owh, *wh; 553 struct ieee80211_defrag *df; 554 u_int16_t rxseq, seq; 555 u_int8_t frag; 556 int i; 557 558 wh = mtod(m, struct ieee80211_frame *); 559 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 560 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 561 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 562 563 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 564 return m; /* not fragmented */ 565 566 if (frag == 0) { 567 /* first fragment, setup entry in the fragment cache */ 568 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 569 ic->ic_defrag_cur = 0; 570 df = &ic->ic_defrag[ic->ic_defrag_cur]; 571 m_freem(df->df_m); /* discard old entry */ 572 df->df_seq = seq; 573 df->df_frag = 0; 574 df->df_m = m; 575 /* start receive MSDU timer of aMaxReceiveLifetime */ 576 timeout_add_sec(&df->df_to, 1); 577 return NULL; /* MSDU or MMPDU not yet complete */ 578 } 579 580 /* find matching entry in the fragment cache */ 581 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 582 df = &ic->ic_defrag[i]; 583 if (df->df_m == NULL) 584 continue; 585 if (df->df_seq != seq || df->df_frag + 1 != frag) 586 continue; 587 owh = mtod(df->df_m, struct ieee80211_frame *); 588 /* frame type, source and destination must match */ 589 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 590 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 591 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 592 continue; 593 /* matching entry found */ 594 break; 595 } 596 if (i == IEEE80211_DEFRAG_SIZE) { 597 /* no matching entry found, discard fragment */ 598 ic->ic_if.if_ierrors++; 599 m_freem(m); 600 return NULL; 601 } 602 603 df->df_frag = frag; 604 /* strip 802.11 header and concatenate fragment */ 605 m_adj(m, hdrlen); 606 m_cat(df->df_m, m); 607 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 608 609 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 610 return NULL; /* MSDU or MMPDU not yet complete */ 611 612 /* MSDU or MMPDU complete */ 613 timeout_del(&df->df_to); 614 m = df->df_m; 615 df->df_m = NULL; 616 return m; 617 } 618 619 /* 620 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 621 */ 622 void 623 ieee80211_defrag_timeout(void *arg) 624 { 625 struct ieee80211_defrag *df = arg; 626 int s = splnet(); 627 628 /* discard all received fragments */ 629 m_freem(df->df_m); 630 df->df_m = NULL; 631 632 splx(s); 633 } 634 635 /* 636 * Process a received data MPDU related to a specific HT-immediate Block Ack 637 * agreement (see 9.10.7.6). 638 */ 639 void 640 ieee80211_input_ba(struct ieee80211com *ic, struct mbuf *m, 641 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi) 642 { 643 struct ifnet *ifp = &ic->ic_if; 644 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 645 struct ieee80211_frame *wh; 646 int idx, count; 647 u_int16_t sn; 648 649 wh = mtod(m, struct ieee80211_frame *); 650 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 651 652 /* reset Block Ack inactivity timer */ 653 if (ba->ba_timeout_val != 0) 654 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 655 656 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 657 ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; 658 m_freem(m); /* discard the MPDU */ 659 return; 660 } 661 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 662 ic->ic_stats.is_ht_rx_frame_above_ba_winend++; 663 count = (sn - ba->ba_winend) & 0xfff; 664 if (count > ba->ba_winsize) { 665 /* 666 * Check whether we're consistently behind the window, 667 * and let the window move forward if neccessary. 668 */ 669 if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 670 if (ba->ba_missedsn == ((sn - 1) & 0xfff)) 671 ba->ba_winmiss++; 672 else 673 ba->ba_winmiss = 0; 674 ba->ba_missedsn = sn; 675 ifp->if_ierrors++; 676 m_freem(m); /* discard the MPDU */ 677 return; 678 } 679 680 /* It appears the window has moved for real. */ 681 ic->ic_stats.is_ht_rx_ba_window_jump++; 682 ba->ba_winmiss = 0; 683 ba->ba_missedsn = 0; 684 ieee80211_ba_move_window(ic, ni, tid, sn); 685 } else { 686 ic->ic_stats.is_ht_rx_ba_window_slide++; 687 ieee80211_input_ba_seq(ic, ni, tid, 688 (ba->ba_winstart + count) & 0xfff); 689 ieee80211_input_ba_flush(ic, ni, ba); 690 } 691 } 692 /* WinStartB <= SN <= WinEndB */ 693 694 ba->ba_winmiss = 0; 695 ba->ba_missedsn = 0; 696 idx = (sn - ba->ba_winstart) & 0xfff; 697 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 698 /* store the received MPDU in the buffer */ 699 if (ba->ba_buf[idx].m != NULL) { 700 ifp->if_ierrors++; 701 ic->ic_stats.is_ht_rx_ba_no_buf++; 702 m_freem(m); 703 return; 704 } 705 ba->ba_buf[idx].m = m; 706 /* store Rx meta-data too */ 707 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 708 ba->ba_buf[idx].rxi = *rxi; 709 710 if (ba->ba_buf[ba->ba_head].m == NULL) 711 timeout_add_msec(&ba->ba_gap_to, IEEE80211_BA_GAP_TIMEOUT); 712 else if (timeout_pending(&ba->ba_gap_to)) 713 timeout_del(&ba->ba_gap_to); 714 715 ieee80211_input_ba_flush(ic, ni, ba); 716 } 717 718 /* 719 * Forward buffered frames with sequence number lower than max_seq. 720 * See 802.11-2012 9.21.7.6.2 b. 721 */ 722 void 723 ieee80211_input_ba_seq(struct ieee80211com *ic, struct ieee80211_node *ni, 724 uint8_t tid, uint16_t max_seq) 725 { 726 struct ifnet *ifp = &ic->ic_if; 727 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 728 struct ieee80211_frame *wh; 729 uint16_t seq; 730 int i = 0; 731 732 while (i++ < ba->ba_winsize) { 733 /* gaps may exist */ 734 if (ba->ba_buf[ba->ba_head].m != NULL) { 735 wh = mtod(ba->ba_buf[ba->ba_head].m, 736 struct ieee80211_frame *); 737 KASSERT(ieee80211_has_seq(wh)); 738 seq = letoh16(*(u_int16_t *)wh->i_seq) >> 739 IEEE80211_SEQ_SEQ_SHIFT; 740 if (!SEQ_LT(seq, max_seq)) 741 return; 742 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, 743 ni, &ba->ba_buf[ba->ba_head].rxi); 744 ba->ba_buf[ba->ba_head].m = NULL; 745 } else 746 ic->ic_stats.is_ht_rx_ba_frame_lost++; 747 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 748 } 749 } 750 751 /* Flush a consecutive sequence of frames from the reorder buffer. */ 752 void 753 ieee80211_input_ba_flush(struct ieee80211com *ic, struct ieee80211_node *ni, 754 struct ieee80211_rx_ba *ba) 755 756 { 757 struct ifnet *ifp = &ic->ic_if; 758 759 /* pass reordered MPDUs up to the next MAC process */ 760 while (ba->ba_buf[ba->ba_head].m != NULL) { 761 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 762 &ba->ba_buf[ba->ba_head].rxi); 763 ba->ba_buf[ba->ba_head].m = NULL; 764 765 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 766 /* move window forward */ 767 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 768 } 769 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 770 } 771 772 /* 773 * Forcibly move the BA window forward to remove a leading gap which has 774 * been causing frames to linger in the reordering buffer for too long. 775 * A leading gap will occur if a particular A-MPDU subframe never arrives 776 * or if a bug in the sender causes sequence numbers to jump forward by > 1. 777 */ 778 void 779 ieee80211_input_ba_gap_timeout(void *arg) 780 { 781 struct ieee80211_rx_ba *ba = arg; 782 struct ieee80211_node *ni = ba->ba_ni; 783 struct ieee80211com *ic = ni->ni_ic; 784 int s, skipped; 785 786 ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; 787 788 s = splnet(); 789 790 skipped = 0; 791 while (skipped < ba->ba_winsize && ba->ba_buf[ba->ba_head].m == NULL) { 792 /* move window forward */ 793 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 794 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 795 skipped++; 796 ic->ic_stats.is_ht_rx_ba_frame_lost++; 797 } 798 if (skipped > 0) 799 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 800 801 ieee80211_input_ba_flush(ic, ni, ba); 802 803 splx(s); 804 } 805 806 807 /* 808 * Change the value of WinStartB (move window forward) upon reception of a 809 * BlockAckReq frame or an ADDBA Request (PBAC). 810 */ 811 void 812 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 813 u_int8_t tid, u_int16_t ssn) 814 { 815 struct ifnet *ifp = &ic->ic_if; 816 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 817 int count; 818 819 /* assert(WinStartB <= SSN) */ 820 821 count = (ssn - ba->ba_winstart) & 0xfff; 822 if (count > ba->ba_winsize) /* no overlap */ 823 count = ba->ba_winsize; 824 while (count-- > 0) { 825 /* gaps may exist */ 826 if (ba->ba_buf[ba->ba_head].m != NULL) { 827 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 828 &ba->ba_buf[ba->ba_head].rxi); 829 ba->ba_buf[ba->ba_head].m = NULL; 830 } else 831 ic->ic_stats.is_ht_rx_ba_frame_lost++; 832 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 833 } 834 /* move window forward */ 835 ba->ba_winstart = ssn; 836 837 ieee80211_input_ba_flush(ic, ni, ba); 838 } 839 840 void 841 ieee80211_deliver_data(struct ieee80211com *ic, struct mbuf *m, 842 struct ieee80211_node *ni, int mcast) 843 { 844 struct ifnet *ifp = &ic->ic_if; 845 struct ether_header *eh; 846 struct mbuf *m1; 847 848 eh = mtod(m, struct ether_header *); 849 850 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 851 eh->ether_type != htons(ETHERTYPE_PAE)) { 852 DPRINTF(("port not valid: %s\n", 853 ether_sprintf(eh->ether_dhost))); 854 ic->ic_stats.is_rx_unauth++; 855 m_freem(m); 856 return; 857 } 858 859 /* 860 * Perform as a bridge within the AP. Notice that we do not 861 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 862 * And we do not forward unicast frames received on a multicast address. 863 */ 864 m1 = NULL; 865 #ifndef IEEE80211_STA_ONLY 866 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 867 !(ic->ic_flags & IEEE80211_F_NOBRIDGE) && 868 eh->ether_type != htons(ETHERTYPE_PAE)) { 869 struct ieee80211_node *ni1; 870 871 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 872 m1 = m_dup_pkt(m, ETHER_ALIGN, M_DONTWAIT); 873 if (m1 == NULL) 874 ifp->if_oerrors++; 875 else 876 m1->m_flags |= M_MCAST; 877 } else if (!mcast) { 878 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 879 if (ni1 != NULL && 880 ni1->ni_state == IEEE80211_STA_ASSOC) { 881 m1 = m; 882 m = NULL; 883 } 884 } 885 if (m1 != NULL) { 886 if (if_enqueue(ifp, m1)) 887 ifp->if_oerrors++; 888 } 889 } 890 #endif 891 if (m != NULL) { 892 if ((ic->ic_flags & IEEE80211_F_RSNON) && 893 eh->ether_type == htons(ETHERTYPE_PAE)) { 894 ifp->if_ipackets++; 895 #if NBPFILTER > 0 896 /* 897 * If we forward frame into transmitter of the AP, 898 * we don't need to duplicate for DLT_EN10MB. 899 */ 900 if (ifp->if_bpf && m1 == NULL) 901 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 902 #endif 903 ieee80211_eapol_key_input(ic, m, ni); 904 } else { 905 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 906 ml_enqueue(&ml, m); 907 if_input(ifp, &ml); 908 } 909 } 910 } 911 912 void 913 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 914 struct ieee80211_node *ni, int hdrlen) 915 { 916 struct ether_header eh; 917 struct ieee80211_frame *wh; 918 struct llc *llc; 919 int mcast; 920 921 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 922 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 923 ic->ic_stats.is_rx_decap++; 924 return; 925 } 926 wh = mtod(m, struct ieee80211_frame *); 927 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 928 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 929 case IEEE80211_FC1_DIR_NODS: 930 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 931 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 932 break; 933 case IEEE80211_FC1_DIR_TODS: 934 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 935 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 936 break; 937 case IEEE80211_FC1_DIR_FROMDS: 938 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 939 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 940 break; 941 case IEEE80211_FC1_DIR_DSTODS: 942 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 943 IEEE80211_ADDR_COPY(eh.ether_shost, 944 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 945 break; 946 } 947 llc = (struct llc *)((caddr_t)wh + hdrlen); 948 if (llc->llc_dsap == LLC_SNAP_LSAP && 949 llc->llc_ssap == LLC_SNAP_LSAP && 950 llc->llc_control == LLC_UI && 951 llc->llc_snap.org_code[0] == 0 && 952 llc->llc_snap.org_code[1] == 0 && 953 llc->llc_snap.org_code[2] == 0) { 954 eh.ether_type = llc->llc_snap.ether_type; 955 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 956 } else { 957 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 958 m_adj(m, hdrlen - ETHER_HDR_LEN); 959 } 960 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 961 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 962 struct mbuf *m0 = m; 963 m = m_dup_pkt(m0, ETHER_ALIGN, M_NOWAIT); 964 m_freem(m0); 965 if (m == NULL) { 966 ic->ic_stats.is_rx_decap++; 967 return; 968 } 969 } 970 ieee80211_deliver_data(ic, m, ni, mcast); 971 } 972 973 /* 974 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 975 */ 976 void 977 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 978 struct ieee80211_node *ni, int hdrlen) 979 { 980 struct mbuf *n; 981 struct ether_header *eh; 982 struct llc *llc; 983 int len, pad, mcast; 984 struct ieee80211_frame *wh; 985 986 wh = mtod(m, struct ieee80211_frame *); 987 mcast = IEEE80211_IS_MULTICAST(wh->i_addr1); 988 989 /* strip 802.11 header */ 990 m_adj(m, hdrlen); 991 992 for (;;) { 993 /* process an A-MSDU subframe */ 994 if (m->m_len < ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 995 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 996 if (m == NULL) { 997 ic->ic_stats.is_rx_decap++; 998 break; 999 } 1000 } 1001 eh = mtod(m, struct ether_header *); 1002 /* examine 802.3 header */ 1003 len = ntohs(eh->ether_type); 1004 if (len < LLC_SNAPFRAMELEN) { 1005 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 1006 /* stop processing A-MSDU subframes */ 1007 ic->ic_stats.is_rx_decap++; 1008 m_freem(m); 1009 break; 1010 } 1011 llc = (struct llc *)&eh[1]; 1012 /* examine 802.2 LLC header */ 1013 if (llc->llc_dsap == LLC_SNAP_LSAP && 1014 llc->llc_ssap == LLC_SNAP_LSAP && 1015 llc->llc_control == LLC_UI && 1016 llc->llc_snap.org_code[0] == 0 && 1017 llc->llc_snap.org_code[1] == 0 && 1018 llc->llc_snap.org_code[2] == 0) { 1019 /* convert to Ethernet II header */ 1020 eh->ether_type = llc->llc_snap.ether_type; 1021 /* strip LLC+SNAP headers */ 1022 memmove((u_int8_t *)eh + LLC_SNAPFRAMELEN, eh, 1023 ETHER_HDR_LEN); 1024 m_adj(m, LLC_SNAPFRAMELEN); 1025 len -= LLC_SNAPFRAMELEN; 1026 } 1027 len += ETHER_HDR_LEN; 1028 if (len > m->m_pkthdr.len) { 1029 /* stop processing A-MSDU subframes */ 1030 DPRINTF(("A-MSDU subframe too long (%d)\n", len)); 1031 ic->ic_stats.is_rx_decap++; 1032 m_freem(m); 1033 break; 1034 } 1035 1036 /* "detach" our A-MSDU subframe from the others */ 1037 n = m_split(m, len, M_NOWAIT); 1038 if (n == NULL) { 1039 /* stop processing A-MSDU subframes */ 1040 ic->ic_stats.is_rx_decap++; 1041 m_freem(m); 1042 break; 1043 } 1044 ieee80211_deliver_data(ic, m, ni, mcast); 1045 1046 if (n->m_pkthdr.len == 0) { 1047 m_freem(n); 1048 break; 1049 } 1050 m = n; 1051 /* remove padding */ 1052 pad = ((len + 3) & ~3) - len; 1053 m_adj(m, pad); 1054 } 1055 } 1056 1057 /* 1058 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1059 */ 1060 int 1061 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1062 { 1063 u_int updtcount; 1064 int aci; 1065 1066 /* 1067 * Check if EDCA parameters have changed XXX if we miss more than 1068 * 15 consecutive beacons, we might not detect changes to EDCA 1069 * parameters due to wraparound of the 4-bit Update Count field. 1070 */ 1071 updtcount = frm[0] & 0xf; 1072 if (updtcount == ic->ic_edca_updtcount) 1073 return 0; /* no changes to EDCA parameters, ignore */ 1074 ic->ic_edca_updtcount = updtcount; 1075 1076 frm += 2; /* skip QoS Info & Reserved fields */ 1077 1078 /* parse AC Parameter Records */ 1079 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1080 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1081 1082 ac->ac_acm = (frm[0] >> 4) & 0x1; 1083 ac->ac_aifsn = frm[0] & 0xf; 1084 ac->ac_ecwmin = frm[1] & 0xf; 1085 ac->ac_ecwmax = frm[1] >> 4; 1086 ac->ac_txoplimit = LE_READ_2(frm + 2); 1087 frm += 4; 1088 } 1089 /* give drivers a chance to update their settings */ 1090 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1091 (*ic->ic_updateedca)(ic); 1092 1093 return 0; 1094 } 1095 1096 int 1097 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1098 { 1099 if (frm[1] < 18) { 1100 ic->ic_stats.is_rx_elem_toosmall++; 1101 return IEEE80211_REASON_IE_INVALID; 1102 } 1103 return ieee80211_parse_edca_params_body(ic, frm + 2); 1104 } 1105 1106 int 1107 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1108 { 1109 if (frm[1] < 24) { 1110 ic->ic_stats.is_rx_elem_toosmall++; 1111 return IEEE80211_REASON_IE_INVALID; 1112 } 1113 return ieee80211_parse_edca_params_body(ic, frm + 8); 1114 } 1115 1116 enum ieee80211_cipher 1117 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1118 { 1119 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1120 switch (selector[3]) { 1121 case 0: /* use group data cipher suite */ 1122 return IEEE80211_CIPHER_USEGROUP; 1123 case 1: /* WEP-40 */ 1124 return IEEE80211_CIPHER_WEP40; 1125 case 2: /* TKIP */ 1126 return IEEE80211_CIPHER_TKIP; 1127 case 4: /* CCMP (RSNA default) */ 1128 return IEEE80211_CIPHER_CCMP; 1129 case 5: /* WEP-104 */ 1130 return IEEE80211_CIPHER_WEP104; 1131 } 1132 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1133 /* see 802.11-2012 Table 8-99 */ 1134 switch (selector[3]) { 1135 case 0: /* use group data cipher suite */ 1136 return IEEE80211_CIPHER_USEGROUP; 1137 case 1: /* WEP-40 */ 1138 return IEEE80211_CIPHER_WEP40; 1139 case 2: /* TKIP */ 1140 return IEEE80211_CIPHER_TKIP; 1141 case 4: /* CCMP (RSNA default) */ 1142 return IEEE80211_CIPHER_CCMP; 1143 case 5: /* WEP-104 */ 1144 return IEEE80211_CIPHER_WEP104; 1145 case 6: /* BIP */ 1146 return IEEE80211_CIPHER_BIP; 1147 } 1148 } 1149 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1150 } 1151 1152 enum ieee80211_akm 1153 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1154 { 1155 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1156 switch (selector[3]) { 1157 case 1: /* IEEE 802.1X (RSNA default) */ 1158 return IEEE80211_AKM_8021X; 1159 case 2: /* PSK */ 1160 return IEEE80211_AKM_PSK; 1161 } 1162 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1163 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1164 switch (selector[3]) { 1165 case 1: /* IEEE 802.1X (RSNA default) */ 1166 return IEEE80211_AKM_8021X; 1167 case 2: /* PSK */ 1168 return IEEE80211_AKM_PSK; 1169 case 5: /* IEEE 802.1X with SHA256 KDF */ 1170 return IEEE80211_AKM_SHA256_8021X; 1171 case 6: /* PSK with SHA256 KDF */ 1172 return IEEE80211_AKM_SHA256_PSK; 1173 } 1174 } 1175 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1176 } 1177 1178 /* 1179 * Parse an RSN element (see 802.11-2012 8.4.2.27) 1180 */ 1181 int 1182 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1183 u_int len, struct ieee80211_rsnparams *rsn) 1184 { 1185 const u_int8_t *efrm; 1186 u_int16_t m, n, s; 1187 1188 efrm = frm + len; 1189 1190 /* check Version field */ 1191 if (LE_READ_2(frm) != 1) 1192 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1193 frm += 2; 1194 1195 /* all fields after the Version field are optional */ 1196 1197 /* if Cipher Suite missing, default to CCMP */ 1198 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1199 rsn->rsn_nciphers = 1; 1200 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1201 /* if Group Management Cipher Suite missing, defaut to BIP */ 1202 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1203 /* if AKM Suite missing, default to 802.1X */ 1204 rsn->rsn_nakms = 1; 1205 rsn->rsn_akms = IEEE80211_AKM_8021X; 1206 /* if RSN capabilities missing, default to 0 */ 1207 rsn->rsn_caps = 0; 1208 rsn->rsn_npmkids = 0; 1209 1210 /* read Group Data Cipher Suite field */ 1211 if (frm + 4 > efrm) 1212 return 0; 1213 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1214 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_NONE || 1215 rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP || 1216 rsn->rsn_groupcipher == IEEE80211_CIPHER_BIP) 1217 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1218 frm += 4; 1219 1220 /* read Pairwise Cipher Suite Count field */ 1221 if (frm + 2 > efrm) 1222 return 0; 1223 m = rsn->rsn_nciphers = LE_READ_2(frm); 1224 frm += 2; 1225 1226 /* read Pairwise Cipher Suite List */ 1227 if (frm + m * 4 > efrm) 1228 return IEEE80211_STATUS_IE_INVALID; 1229 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1230 while (m-- > 0) { 1231 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1232 frm += 4; 1233 } 1234 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1235 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1236 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1237 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1238 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1239 } 1240 1241 /* read AKM Suite List Count field */ 1242 if (frm + 2 > efrm) 1243 return 0; 1244 n = rsn->rsn_nakms = LE_READ_2(frm); 1245 frm += 2; 1246 1247 /* read AKM Suite List */ 1248 if (frm + n * 4 > efrm) 1249 return IEEE80211_STATUS_IE_INVALID; 1250 rsn->rsn_akms = IEEE80211_AKM_NONE; 1251 while (n-- > 0) { 1252 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1253 frm += 4; 1254 } 1255 1256 /* read RSN Capabilities field */ 1257 if (frm + 2 > efrm) 1258 return 0; 1259 rsn->rsn_caps = LE_READ_2(frm); 1260 frm += 2; 1261 1262 /* read PMKID Count field */ 1263 if (frm + 2 > efrm) 1264 return 0; 1265 s = rsn->rsn_npmkids = LE_READ_2(frm); 1266 frm += 2; 1267 1268 /* read PMKID List */ 1269 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1270 return IEEE80211_STATUS_IE_INVALID; 1271 if (s != 0) { 1272 rsn->rsn_pmkids = frm; 1273 frm += s * IEEE80211_PMKID_LEN; 1274 } 1275 1276 /* read Group Management Cipher Suite field */ 1277 if (frm + 4 > efrm) 1278 return 0; 1279 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1280 if (rsn->rsn_groupmgmtcipher != IEEE80211_CIPHER_BIP) 1281 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1282 1283 return IEEE80211_STATUS_SUCCESS; 1284 } 1285 1286 int 1287 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1288 struct ieee80211_rsnparams *rsn) 1289 { 1290 if (frm[1] < 2) { 1291 ic->ic_stats.is_rx_elem_toosmall++; 1292 return IEEE80211_STATUS_IE_INVALID; 1293 } 1294 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1295 } 1296 1297 int 1298 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1299 struct ieee80211_rsnparams *rsn) 1300 { 1301 if (frm[1] < 6) { 1302 ic->ic_stats.is_rx_elem_toosmall++; 1303 return IEEE80211_STATUS_IE_INVALID; 1304 } 1305 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1306 } 1307 1308 /* 1309 * Create (or update) a copy of an information element. 1310 */ 1311 int 1312 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1313 { 1314 int olen = *ie ? 2 + (*ie)[1] : 0; 1315 int len = 2 + frm[1]; 1316 1317 if (*ie == NULL || olen != len) { 1318 if (*ie != NULL) 1319 free(*ie, M_DEVBUF, olen); 1320 *ie = malloc(len, M_DEVBUF, M_NOWAIT); 1321 if (*ie == NULL) 1322 return ENOMEM; 1323 } 1324 memcpy(*ie, frm, len); 1325 return 0; 1326 } 1327 1328 /*- 1329 * Beacon/Probe response frame format: 1330 * [8] Timestamp 1331 * [2] Beacon interval 1332 * [2] Capability 1333 * [tlv] Service Set Identifier (SSID) 1334 * [tlv] Supported rates 1335 * [tlv] DS Parameter Set (802.11g) 1336 * [tlv] ERP Information (802.11g) 1337 * [tlv] Extended Supported Rates (802.11g) 1338 * [tlv] RSN (802.11i) 1339 * [tlv] EDCA Parameter Set (802.11e) 1340 * [tlv] QoS Capability (Beacon only, 802.11e) 1341 * [tlv] HT Capabilities (802.11n) 1342 * [tlv] HT Operation (802.11n) 1343 */ 1344 void 1345 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1346 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int isprobe) 1347 { 1348 const struct ieee80211_frame *wh; 1349 const u_int8_t *frm, *efrm; 1350 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1351 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1352 u_int16_t capinfo, bintval; 1353 u_int8_t chan, bchan, erp, dtim_count, dtim_period; 1354 int is_new; 1355 1356 /* 1357 * We process beacon/probe response frames for: 1358 * o station mode: to collect state 1359 * updates such as 802.11g slot time and for passive 1360 * scanning of APs 1361 * o adhoc mode: to discover neighbors 1362 * o hostap mode: for passive scanning of neighbor APs 1363 * o when scanning 1364 * In other words, in all modes other than monitor (which 1365 * does not process incoming frames) and adhoc-demo (which 1366 * does not use management frames at all). 1367 */ 1368 #ifdef DIAGNOSTIC 1369 if (ic->ic_opmode != IEEE80211_M_STA && 1370 #ifndef IEEE80211_STA_ONLY 1371 ic->ic_opmode != IEEE80211_M_IBSS && 1372 ic->ic_opmode != IEEE80211_M_HOSTAP && 1373 #endif 1374 ic->ic_state != IEEE80211_S_SCAN) { 1375 panic("%s: impossible operating mode", __func__); 1376 } 1377 #endif 1378 /* make sure all mandatory fixed fields are present */ 1379 if (m->m_len < sizeof(*wh) + 12) { 1380 DPRINTF(("frame too short\n")); 1381 return; 1382 } 1383 wh = mtod(m, struct ieee80211_frame *); 1384 frm = (const u_int8_t *)&wh[1]; 1385 efrm = mtod(m, u_int8_t *) + m->m_len; 1386 1387 tstamp = frm; frm += 8; 1388 bintval = LE_READ_2(frm); frm += 2; 1389 capinfo = LE_READ_2(frm); frm += 2; 1390 1391 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1392 htcaps = htop = NULL; 1393 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1394 chan = bchan; 1395 erp = 0; 1396 dtim_count = dtim_period = 0; 1397 while (frm + 2 <= efrm) { 1398 if (frm + 2 + frm[1] > efrm) { 1399 ic->ic_stats.is_rx_elem_toosmall++; 1400 break; 1401 } 1402 switch (frm[0]) { 1403 case IEEE80211_ELEMID_SSID: 1404 ssid = frm; 1405 break; 1406 case IEEE80211_ELEMID_RATES: 1407 rates = frm; 1408 break; 1409 case IEEE80211_ELEMID_DSPARMS: 1410 if (frm[1] < 1) { 1411 ic->ic_stats.is_rx_elem_toosmall++; 1412 break; 1413 } 1414 chan = frm[2]; 1415 break; 1416 case IEEE80211_ELEMID_XRATES: 1417 xrates = frm; 1418 break; 1419 case IEEE80211_ELEMID_ERP: 1420 if (frm[1] < 1) { 1421 ic->ic_stats.is_rx_elem_toosmall++; 1422 break; 1423 } 1424 erp = frm[2]; 1425 break; 1426 case IEEE80211_ELEMID_RSN: 1427 rsnie = frm; 1428 break; 1429 case IEEE80211_ELEMID_EDCAPARMS: 1430 edcaie = frm; 1431 break; 1432 case IEEE80211_ELEMID_HTCAPS: 1433 htcaps = frm; 1434 break; 1435 case IEEE80211_ELEMID_HTOP: 1436 htop = frm; 1437 break; 1438 case IEEE80211_ELEMID_TIM: 1439 if (frm[1] > 3) { 1440 dtim_count = frm[2]; 1441 dtim_period = frm[3]; 1442 } 1443 break; 1444 case IEEE80211_ELEMID_VENDOR: 1445 if (frm[1] < 4) { 1446 ic->ic_stats.is_rx_elem_toosmall++; 1447 break; 1448 } 1449 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1450 if (frm[5] == 1) 1451 wpaie = frm; 1452 else if (frm[1] >= 5 && 1453 frm[5] == 2 && frm[6] == 1) 1454 wmmie = frm; 1455 } 1456 break; 1457 } 1458 frm += 2 + frm[1]; 1459 } 1460 /* supported rates element is mandatory */ 1461 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1462 DPRINTF(("invalid supported rates element\n")); 1463 return; 1464 } 1465 /* SSID element is mandatory */ 1466 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1467 DPRINTF(("invalid SSID element\n")); 1468 return; 1469 } 1470 1471 if ( 1472 #if IEEE80211_CHAN_MAX < 255 1473 chan > IEEE80211_CHAN_MAX || 1474 #endif 1475 isclr(ic->ic_chan_active, chan)) { 1476 DPRINTF(("ignore %s with invalid channel %u\n", 1477 isprobe ? "probe response" : "beacon", chan)); 1478 ic->ic_stats.is_rx_badchan++; 1479 return; 1480 } 1481 if ((ic->ic_state != IEEE80211_S_SCAN || 1482 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1483 chan != bchan) { 1484 /* 1485 * Frame was received on a channel different from the 1486 * one indicated in the DS params element id; 1487 * silently discard it. 1488 * 1489 * NB: this can happen due to signal leakage. 1490 */ 1491 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1492 isprobe ? "probe response" : "beacon", bchan, chan)); 1493 ic->ic_stats.is_rx_chanmismatch++; 1494 return; 1495 } 1496 /* 1497 * Use mac, channel and rssi so we collect only the 1498 * best potential AP with the equal bssid while scanning. 1499 * Collecting all potential APs may result in bloat of 1500 * the node tree. This call will return NULL if the node 1501 * for this APs does not exist or if the new node is the 1502 * potential better one. 1503 */ 1504 ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1505 &ic->ic_channels[chan], ssid, rxi->rxi_rssi); 1506 if (ni != NULL) { 1507 /* 1508 * If we are doing a directed scan for an AP with a hidden SSID 1509 * we must collect the SSID from a probe response to override 1510 * a non-zero-length SSID filled with zeroes that we may have 1511 * received earlier in a beacon. 1512 */ 1513 if (isprobe && ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1514 ni->ni_esslen = ssid[1]; 1515 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1516 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1517 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1518 } 1519 1520 return; 1521 } 1522 1523 #ifdef IEEE80211_DEBUG 1524 if (ieee80211_debug > 1 && 1525 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN || 1526 (ic->ic_flags & IEEE80211_F_BGSCAN))) { 1527 printf("%s: %s%s on chan %u (bss chan %u) ", 1528 __func__, (ni == NULL ? "new " : ""), 1529 isprobe ? "probe response" : "beacon", 1530 chan, bchan); 1531 ieee80211_print_essid(ssid + 2, ssid[1]); 1532 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1533 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1534 __func__, capinfo, bintval, erp); 1535 } 1536 #endif 1537 1538 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1539 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1540 if (ni == NULL) 1541 return; 1542 is_new = 1; 1543 } else 1544 is_new = 0; 1545 1546 if (htcaps) 1547 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1548 if (htop && !ieee80211_setup_htop(ni, htop + 2, htop[1], 1)) 1549 htop = NULL; /* invalid HTOP */ 1550 1551 ni->ni_dtimcount = dtim_count; 1552 ni->ni_dtimperiod = dtim_period; 1553 1554 /* 1555 * When operating in station mode, check for state updates 1556 * while we're associated. 1557 */ 1558 if (ic->ic_opmode == IEEE80211_M_STA && 1559 ic->ic_state == IEEE80211_S_RUN && 1560 ni->ni_state == IEEE80211_STA_BSS) { 1561 /* 1562 * Check if protection mode has changed since last beacon. 1563 */ 1564 if (ni->ni_erp != erp) { 1565 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1566 ether_sprintf((u_int8_t *)wh->i_addr2), 1567 ni->ni_erp, erp)); 1568 if (ic->ic_curmode == IEEE80211_MODE_11G && 1569 (erp & IEEE80211_ERP_USE_PROTECTION)) 1570 ic->ic_flags |= IEEE80211_F_USEPROT; 1571 else 1572 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1573 ic->ic_bss->ni_erp = erp; 1574 } 1575 if (htop && (ic->ic_bss->ni_flags & IEEE80211_NODE_HT)) { 1576 enum ieee80211_htprot htprot_last, htprot; 1577 htprot_last = 1578 ((ic->ic_bss->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) 1579 >> IEEE80211_HTOP1_PROT_SHIFT); 1580 htprot = ((ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >> 1581 IEEE80211_HTOP1_PROT_SHIFT); 1582 if (htprot_last != htprot) { 1583 DPRINTF(("[%s] htprot change: was %d, now %d\n", 1584 ether_sprintf((u_int8_t *)wh->i_addr2), 1585 htprot_last, htprot)); 1586 ic->ic_stats.is_ht_prot_change++; 1587 ic->ic_bss->ni_htop1 = ni->ni_htop1; 1588 if (ic->ic_update_htprot) 1589 ic->ic_update_htprot(ic, ic->ic_bss); 1590 } 1591 } 1592 1593 /* 1594 * Check if AP short slot time setting has changed 1595 * since last beacon and give the driver a chance to 1596 * update the hardware. 1597 */ 1598 if ((ni->ni_capinfo ^ capinfo) & 1599 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1600 ieee80211_set_shortslottime(ic, 1601 ic->ic_curmode == IEEE80211_MODE_11A || 1602 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1603 } 1604 1605 /* 1606 * Reset management timer. If it is non-zero in RUN state, the 1607 * driver sent a probe request after a missed beacon event. 1608 * This probe response indicates the AP is still serving us 1609 * so don't allow ieee80211_watchdog() to move us into SCAN. 1610 */ 1611 if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0) 1612 ic->ic_mgt_timer = 0; 1613 } 1614 /* 1615 * We do not try to update EDCA parameters if QoS was not negotiated 1616 * with the AP at association time. 1617 */ 1618 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1619 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1620 if ((edcaie != NULL && 1621 ieee80211_parse_edca_params(ic, edcaie) == 0) || 1622 (wmmie != NULL && 1623 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 1624 ni->ni_flags |= IEEE80211_NODE_QOS; 1625 else 1626 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1627 } 1628 1629 if (ic->ic_state == IEEE80211_S_SCAN || 1630 (ic->ic_flags & IEEE80211_F_BGSCAN)) { 1631 struct ieee80211_rsnparams rsn, wpa; 1632 1633 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1634 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 1635 ni->ni_rsnakms = 0; 1636 ni->ni_supported_rsnakms = 0; 1637 ni->ni_rsnciphers = 0; 1638 ni->ni_rsngroupcipher = 0; 1639 ni->ni_rsngroupmgmtcipher = 0; 1640 ni->ni_rsncaps = 0; 1641 1642 if (rsnie != NULL && 1643 ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1644 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_RSN; 1645 ni->ni_supported_rsnakms |= rsn.rsn_akms; 1646 } 1647 if (wpaie != NULL && 1648 ieee80211_parse_wpa(ic, wpaie, &wpa) == 0) { 1649 ni->ni_supported_rsnprotos |= IEEE80211_PROTO_WPA; 1650 ni->ni_supported_rsnakms |= wpa.rsn_akms; 1651 } 1652 1653 /* 1654 * If the AP advertises both WPA and RSN IEs (WPA1+WPA2), 1655 * we only use the highest protocol version we support. 1656 */ 1657 if (rsnie != NULL && 1658 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_RSN) && 1659 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1660 if (ieee80211_save_ie(rsnie, &ni->ni_rsnie) == 0 1661 #ifndef IEEE80211_STA_ONLY 1662 && ic->ic_opmode != IEEE80211_M_HOSTAP 1663 #endif 1664 ) { 1665 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1666 ni->ni_rsnakms = rsn.rsn_akms; 1667 ni->ni_rsnciphers = rsn.rsn_ciphers; 1668 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1669 ni->ni_rsngroupmgmtcipher = 1670 rsn.rsn_groupmgmtcipher; 1671 ni->ni_rsncaps = rsn.rsn_caps; 1672 } 1673 } else if (wpaie != NULL && 1674 (ni->ni_supported_rsnprotos & IEEE80211_PROTO_WPA) && 1675 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1676 if (ieee80211_save_ie(wpaie, &ni->ni_rsnie) == 0 1677 #ifndef IEEE80211_STA_ONLY 1678 && ic->ic_opmode != IEEE80211_M_HOSTAP 1679 #endif 1680 ) { 1681 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1682 ni->ni_rsnakms = wpa.rsn_akms; 1683 ni->ni_rsnciphers = wpa.rsn_ciphers; 1684 ni->ni_rsngroupcipher = wpa.rsn_groupcipher; 1685 ni->ni_rsngroupmgmtcipher = 1686 wpa.rsn_groupmgmtcipher; 1687 ni->ni_rsncaps = wpa.rsn_caps; 1688 } 1689 } 1690 } 1691 1692 if (ssid[1] != 0 && ni->ni_essid[0] == '\0') { 1693 ni->ni_esslen = ssid[1]; 1694 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1695 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1696 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1697 } 1698 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1699 /* XXX validate channel # */ 1700 ni->ni_chan = &ic->ic_channels[chan]; 1701 if (ic->ic_state == IEEE80211_S_SCAN && 1702 IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) { 1703 /* 1704 * During a scan on 5Ghz, prefer RSSI measured for probe 1705 * response frames. i.e. don't allow beacons to lower the 1706 * measured RSSI. Some 5GHz APs send beacons with much 1707 * less Tx power than they use for probe responses. 1708 */ 1709 if (isprobe) 1710 ni->ni_rssi = rxi->rxi_rssi; 1711 else if (ni->ni_rssi < rxi->rxi_rssi) 1712 ni->ni_rssi = rxi->rxi_rssi; 1713 } else 1714 ni->ni_rssi = rxi->rxi_rssi; 1715 ni->ni_rstamp = rxi->rxi_tstamp; 1716 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1717 ni->ni_intval = bintval; 1718 ni->ni_capinfo = capinfo; 1719 ni->ni_erp = erp; 1720 /* NB: must be after ni_chan is setup */ 1721 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1722 #ifndef IEEE80211_STA_ONLY 1723 if (ic->ic_opmode == IEEE80211_M_IBSS && is_new && isprobe) { 1724 /* 1725 * Fake an association so the driver can setup it's 1726 * private state. The rate set has been setup above; 1727 * there is no handshake as in ap/station operation. 1728 */ 1729 if (ic->ic_newassoc) 1730 (*ic->ic_newassoc)(ic, ni, 1); 1731 } 1732 #endif 1733 } 1734 1735 #ifndef IEEE80211_STA_ONLY 1736 /*- 1737 * Probe request frame format: 1738 * [tlv] SSID 1739 * [tlv] Supported rates 1740 * [tlv] Extended Supported Rates (802.11g) 1741 * [tlv] HT Capabilities (802.11n) 1742 */ 1743 void 1744 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 1745 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1746 { 1747 const struct ieee80211_frame *wh; 1748 const u_int8_t *frm, *efrm; 1749 const u_int8_t *ssid, *rates, *xrates, *htcaps; 1750 u_int8_t rate; 1751 1752 if (ic->ic_opmode == IEEE80211_M_STA || 1753 ic->ic_state != IEEE80211_S_RUN) 1754 return; 1755 1756 wh = mtod(m, struct ieee80211_frame *); 1757 frm = (const u_int8_t *)&wh[1]; 1758 efrm = mtod(m, u_int8_t *) + m->m_len; 1759 1760 ssid = rates = xrates = htcaps = NULL; 1761 while (frm + 2 <= efrm) { 1762 if (frm + 2 + frm[1] > efrm) { 1763 ic->ic_stats.is_rx_elem_toosmall++; 1764 break; 1765 } 1766 switch (frm[0]) { 1767 case IEEE80211_ELEMID_SSID: 1768 ssid = frm; 1769 break; 1770 case IEEE80211_ELEMID_RATES: 1771 rates = frm; 1772 break; 1773 case IEEE80211_ELEMID_XRATES: 1774 xrates = frm; 1775 break; 1776 case IEEE80211_ELEMID_HTCAPS: 1777 htcaps = frm; 1778 break; 1779 } 1780 frm += 2 + frm[1]; 1781 } 1782 /* supported rates element is mandatory */ 1783 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1784 DPRINTF(("invalid supported rates element\n")); 1785 return; 1786 } 1787 /* SSID element is mandatory */ 1788 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1789 DPRINTF(("invalid SSID element\n")); 1790 return; 1791 } 1792 /* check that the specified SSID (if not wildcard) matches ours */ 1793 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 1794 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 1795 DPRINTF(("SSID mismatch\n")); 1796 ic->ic_stats.is_rx_ssidmismatch++; 1797 return; 1798 } 1799 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 1800 if (ssid[1] == 0 && (ic->ic_flags & IEEE80211_F_HIDENWID)) { 1801 DPRINTF(("wildcard SSID rejected")); 1802 ic->ic_stats.is_rx_ssidmismatch++; 1803 return; 1804 } 1805 1806 if (ni == ic->ic_bss) { 1807 ni = ieee80211_find_node(ic, wh->i_addr2); 1808 if (ni == NULL) 1809 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1810 if (ni == NULL) 1811 return; 1812 DPRINTF(("new probe req from %s\n", 1813 ether_sprintf((u_int8_t *)wh->i_addr2))); 1814 } 1815 ni->ni_rssi = rxi->rxi_rssi; 1816 ni->ni_rstamp = rxi->rxi_tstamp; 1817 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1818 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1819 IEEE80211_F_DODEL); 1820 if (rate & IEEE80211_RATE_BASIC) { 1821 DPRINTF(("rate mismatch for %s\n", 1822 ether_sprintf((u_int8_t *)wh->i_addr2))); 1823 return; 1824 } 1825 if (htcaps) 1826 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 1827 else 1828 ieee80211_clear_htcaps(ni); 1829 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1830 } 1831 #endif /* IEEE80211_STA_ONLY */ 1832 1833 /*- 1834 * Authentication frame format: 1835 * [2] Authentication algorithm number 1836 * [2] Authentication transaction sequence number 1837 * [2] Status code 1838 */ 1839 void 1840 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 1841 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1842 { 1843 const struct ieee80211_frame *wh; 1844 const u_int8_t *frm; 1845 u_int16_t algo, seq, status; 1846 1847 /* make sure all mandatory fixed fields are present */ 1848 if (m->m_len < sizeof(*wh) + 6) { 1849 DPRINTF(("frame too short\n")); 1850 return; 1851 } 1852 wh = mtod(m, struct ieee80211_frame *); 1853 frm = (const u_int8_t *)&wh[1]; 1854 1855 algo = LE_READ_2(frm); frm += 2; 1856 seq = LE_READ_2(frm); frm += 2; 1857 status = LE_READ_2(frm); frm += 2; 1858 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 1859 ether_sprintf((u_int8_t *)wh->i_addr2))); 1860 1861 /* only "open" auth mode is supported */ 1862 if (algo != IEEE80211_AUTH_ALG_OPEN) { 1863 DPRINTF(("unsupported auth algorithm %d from %s\n", 1864 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 1865 ic->ic_stats.is_rx_auth_unsupported++; 1866 #ifndef IEEE80211_STA_ONLY 1867 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1868 /* XXX hack to workaround calling convention */ 1869 IEEE80211_SEND_MGMT(ic, ni, 1870 IEEE80211_FC0_SUBTYPE_AUTH, 1871 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xffff)); 1872 } 1873 #endif 1874 return; 1875 } 1876 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 1877 } 1878 1879 #ifndef IEEE80211_STA_ONLY 1880 /*- 1881 * (Re)Association request frame format: 1882 * [2] Capability information 1883 * [2] Listen interval 1884 * [6*] Current AP address (Reassociation only) 1885 * [tlv] SSID 1886 * [tlv] Supported rates 1887 * [tlv] Extended Supported Rates (802.11g) 1888 * [tlv] RSN (802.11i) 1889 * [tlv] QoS Capability (802.11e) 1890 * [tlv] HT Capabilities (802.11n) 1891 */ 1892 void 1893 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 1894 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 1895 { 1896 const struct ieee80211_frame *wh; 1897 const u_int8_t *frm, *efrm; 1898 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *htcaps; 1899 u_int16_t capinfo, bintval; 1900 int resp, status = 0; 1901 struct ieee80211_rsnparams rsn; 1902 u_int8_t rate; 1903 const u_int8_t *saveie = NULL; 1904 1905 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1906 ic->ic_state != IEEE80211_S_RUN) 1907 return; 1908 1909 /* make sure all mandatory fixed fields are present */ 1910 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 1911 DPRINTF(("frame too short\n")); 1912 return; 1913 } 1914 wh = mtod(m, struct ieee80211_frame *); 1915 frm = (const u_int8_t *)&wh[1]; 1916 efrm = mtod(m, u_int8_t *) + m->m_len; 1917 1918 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1919 DPRINTF(("ignore other bss from %s\n", 1920 ether_sprintf((u_int8_t *)wh->i_addr2))); 1921 ic->ic_stats.is_rx_assoc_bss++; 1922 return; 1923 } 1924 capinfo = LE_READ_2(frm); frm += 2; 1925 bintval = LE_READ_2(frm); frm += 2; 1926 if (reassoc) { 1927 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 1928 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1929 } else 1930 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1931 1932 ssid = rates = xrates = rsnie = wpaie = htcaps = NULL; 1933 while (frm + 2 <= efrm) { 1934 if (frm + 2 + frm[1] > efrm) { 1935 ic->ic_stats.is_rx_elem_toosmall++; 1936 break; 1937 } 1938 switch (frm[0]) { 1939 case IEEE80211_ELEMID_SSID: 1940 ssid = frm; 1941 break; 1942 case IEEE80211_ELEMID_RATES: 1943 rates = frm; 1944 break; 1945 case IEEE80211_ELEMID_XRATES: 1946 xrates = frm; 1947 break; 1948 case IEEE80211_ELEMID_RSN: 1949 rsnie = frm; 1950 break; 1951 case IEEE80211_ELEMID_QOS_CAP: 1952 break; 1953 case IEEE80211_ELEMID_HTCAPS: 1954 htcaps = frm; 1955 break; 1956 case IEEE80211_ELEMID_VENDOR: 1957 if (frm[1] < 4) { 1958 ic->ic_stats.is_rx_elem_toosmall++; 1959 break; 1960 } 1961 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1962 if (frm[5] == 1) 1963 wpaie = frm; 1964 } 1965 break; 1966 } 1967 frm += 2 + frm[1]; 1968 } 1969 /* supported rates element is mandatory */ 1970 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1971 DPRINTF(("invalid supported rates element\n")); 1972 return; 1973 } 1974 /* SSID element is mandatory */ 1975 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1976 DPRINTF(("invalid SSID element\n")); 1977 return; 1978 } 1979 /* check that the specified SSID matches ours */ 1980 if (ssid[1] != ic->ic_bss->ni_esslen || 1981 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 1982 DPRINTF(("SSID mismatch\n")); 1983 ic->ic_stats.is_rx_ssidmismatch++; 1984 return; 1985 } 1986 1987 if (ni->ni_state != IEEE80211_STA_AUTH && 1988 ni->ni_state != IEEE80211_STA_ASSOC) { 1989 DPRINTF(("deny %sassoc from %s, not authenticated\n", 1990 reassoc ? "re" : "", 1991 ether_sprintf((u_int8_t *)wh->i_addr2))); 1992 ni = ieee80211_find_node(ic, wh->i_addr2); 1993 if (ni == NULL) 1994 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1995 if (ni != NULL) { 1996 IEEE80211_SEND_MGMT(ic, ni, 1997 IEEE80211_FC0_SUBTYPE_DEAUTH, 1998 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1999 } 2000 ic->ic_stats.is_rx_assoc_notauth++; 2001 return; 2002 } 2003 2004 if (ni->ni_state == IEEE80211_STA_ASSOC && 2005 (ni->ni_flags & IEEE80211_NODE_MFP)) { 2006 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 2007 /* send a protected Disassociate frame */ 2008 IEEE80211_SEND_MGMT(ic, ni, 2009 IEEE80211_FC0_SUBTYPE_DISASSOC, 2010 IEEE80211_REASON_AUTH_EXPIRE); 2011 /* terminate the old SA */ 2012 ieee80211_node_leave(ic, ni); 2013 } else { 2014 /* reject the (Re)Association Request temporarily */ 2015 IEEE80211_SEND_MGMT(ic, ni, resp, 2016 IEEE80211_STATUS_TRY_AGAIN_LATER); 2017 /* start SA Query procedure if not already engaged */ 2018 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 2019 ieee80211_sa_query_request(ic, ni); 2020 /* do not modify association state */ 2021 } 2022 return; 2023 } 2024 2025 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 2026 ic->ic_stats.is_rx_assoc_capmismatch++; 2027 status = IEEE80211_STATUS_CAPINFO; 2028 goto end; 2029 } 2030 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2031 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2032 IEEE80211_F_DODEL); 2033 if (rate & IEEE80211_RATE_BASIC) { 2034 ic->ic_stats.is_rx_assoc_norate++; 2035 status = IEEE80211_STATUS_BASIC_RATE; 2036 goto end; 2037 } 2038 2039 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2040 ni->ni_supported_rsnprotos = IEEE80211_PROTO_NONE; 2041 ni->ni_rsnakms = 0; 2042 ni->ni_supported_rsnakms = 0; 2043 ni->ni_rsnciphers = 0; 2044 ni->ni_rsngroupcipher = 0; 2045 ni->ni_rsngroupmgmtcipher = 0; 2046 ni->ni_rsncaps = 0; 2047 2048 /* 2049 * A station should never include both a WPA and an RSN IE 2050 * in its (Re)Association Requests, but if it does, we only 2051 * consider the IE of the highest version of the protocol 2052 * that is allowed (ie RSN over WPA). 2053 */ 2054 if (rsnie != NULL) { 2055 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 2056 if (status != 0) 2057 goto end; 2058 ni->ni_supported_rsnprotos = IEEE80211_PROTO_RSN; 2059 ni->ni_supported_rsnakms = rsn.rsn_akms; 2060 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2061 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 2062 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 2063 saveie = rsnie; 2064 } 2065 } else if (wpaie != NULL) { 2066 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 2067 if (status != 0) 2068 goto end; 2069 ni->ni_supported_rsnprotos = IEEE80211_PROTO_WPA; 2070 ni->ni_supported_rsnakms = rsn.rsn_akms; 2071 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2072 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 2073 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 2074 saveie = wpaie; 2075 } 2076 } 2077 2078 if (ic->ic_flags & IEEE80211_F_RSNON) { 2079 if (ni->ni_rsnprotos == IEEE80211_PROTO_NONE) { 2080 /* 2081 * In an RSN, an AP shall not associate with STAs 2082 * that fail to include the RSN IE in the 2083 * (Re)Association Request. 2084 */ 2085 status = IEEE80211_STATUS_IE_INVALID; 2086 goto end; 2087 } 2088 /* 2089 * The initiating STA's RSN IE shall include one authentication 2090 * and pairwise cipher suite among those advertised by the 2091 * targeted AP. It shall also specify the group cipher suite 2092 * specified by the targeted AP. 2093 */ 2094 if (rsn.rsn_nakms != 1 || 2095 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2096 status = IEEE80211_STATUS_BAD_AKMP; 2097 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2098 goto end; 2099 } 2100 if (rsn.rsn_nciphers != 1 || 2101 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2102 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2103 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2104 goto end; 2105 } 2106 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2107 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2108 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2109 goto end; 2110 } 2111 2112 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2113 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2114 status = IEEE80211_STATUS_MFP_POLICY; 2115 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2116 goto end; 2117 } 2118 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2119 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2120 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2121 /* STA advertises an invalid setting */ 2122 status = IEEE80211_STATUS_MFP_POLICY; 2123 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2124 goto end; 2125 } 2126 /* 2127 * A STA that has associated with Management Frame Protection 2128 * enabled shall not use cipher suite pairwise selector WEP40, 2129 * WEP104, TKIP, or "Use Group cipher suite". 2130 */ 2131 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2132 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2133 rsn.rsn_groupmgmtcipher != 2134 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2135 status = IEEE80211_STATUS_MFP_POLICY; 2136 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2137 goto end; 2138 } 2139 2140 /* 2141 * Disallow new associations using TKIP if countermeasures 2142 * are active. 2143 */ 2144 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2145 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2146 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2147 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2148 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2149 goto end; 2150 } 2151 2152 /* everything looks fine, save IE and parameters */ 2153 if (saveie == NULL || 2154 ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2155 status = IEEE80211_STATUS_TOOMANY; 2156 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2157 goto end; 2158 } 2159 ni->ni_rsnakms = rsn.rsn_akms; 2160 ni->ni_rsnciphers = rsn.rsn_ciphers; 2161 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2162 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2163 ni->ni_rsncaps = rsn.rsn_caps; 2164 2165 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2166 struct ieee80211_pmk *pmk = NULL; 2167 const u_int8_t *pmkid = rsn.rsn_pmkids; 2168 /* 2169 * Check if we have a cached PMK entry matching one 2170 * of the PMKIDs specified in the RSN IE. 2171 */ 2172 while (rsn.rsn_npmkids-- > 0) { 2173 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2174 if (pmk != NULL) 2175 break; 2176 pmkid += IEEE80211_PMKID_LEN; 2177 } 2178 if (pmk != NULL) { 2179 memcpy(ni->ni_pmk, pmk->pmk_key, 2180 IEEE80211_PMK_LEN); 2181 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2182 IEEE80211_PMKID_LEN); 2183 ni->ni_flags |= IEEE80211_NODE_PMK; 2184 } 2185 } 2186 } 2187 2188 ni->ni_rssi = rxi->rxi_rssi; 2189 ni->ni_rstamp = rxi->rxi_tstamp; 2190 ni->ni_intval = bintval; 2191 ni->ni_capinfo = capinfo; 2192 ni->ni_chan = ic->ic_bss->ni_chan; 2193 if (htcaps) 2194 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2195 else 2196 ieee80211_clear_htcaps(ni); 2197 end: 2198 if (status != 0) { 2199 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2200 ieee80211_node_leave(ic, ni); 2201 } else 2202 ieee80211_node_join(ic, ni, resp); 2203 } 2204 #endif /* IEEE80211_STA_ONLY */ 2205 2206 /*- 2207 * (Re)Association response frame format: 2208 * [2] Capability information 2209 * [2] Status code 2210 * [2] Association ID (AID) 2211 * [tlv] Supported rates 2212 * [tlv] Extended Supported Rates (802.11g) 2213 * [tlv] EDCA Parameter Set (802.11e) 2214 * [tlv] HT Capabilities (802.11n) 2215 * [tlv] HT Operation (802.11n) 2216 */ 2217 void 2218 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2219 struct ieee80211_node *ni, int reassoc) 2220 { 2221 struct ifnet *ifp = &ic->ic_if; 2222 const struct ieee80211_frame *wh; 2223 const u_int8_t *frm, *efrm; 2224 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2225 u_int16_t capinfo, status, associd; 2226 u_int8_t rate; 2227 2228 if (ic->ic_opmode != IEEE80211_M_STA || 2229 ic->ic_state != IEEE80211_S_ASSOC) { 2230 ic->ic_stats.is_rx_mgtdiscard++; 2231 return; 2232 } 2233 2234 /* make sure all mandatory fixed fields are present */ 2235 if (m->m_len < sizeof(*wh) + 6) { 2236 DPRINTF(("frame too short\n")); 2237 return; 2238 } 2239 wh = mtod(m, struct ieee80211_frame *); 2240 frm = (const u_int8_t *)&wh[1]; 2241 efrm = mtod(m, u_int8_t *) + m->m_len; 2242 2243 capinfo = LE_READ_2(frm); frm += 2; 2244 status = LE_READ_2(frm); frm += 2; 2245 if (status != IEEE80211_STATUS_SUCCESS) { 2246 if (ifp->if_flags & IFF_DEBUG) 2247 printf("%s: %sassociation failed (status %d)" 2248 " for %s\n", ifp->if_xname, 2249 reassoc ? "re" : "", 2250 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2251 if (ni != ic->ic_bss) 2252 ni->ni_fails++; 2253 ic->ic_stats.is_rx_auth_fail++; 2254 return; 2255 } 2256 associd = LE_READ_2(frm); frm += 2; 2257 2258 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2259 while (frm + 2 <= efrm) { 2260 if (frm + 2 + frm[1] > efrm) { 2261 ic->ic_stats.is_rx_elem_toosmall++; 2262 break; 2263 } 2264 switch (frm[0]) { 2265 case IEEE80211_ELEMID_RATES: 2266 rates = frm; 2267 break; 2268 case IEEE80211_ELEMID_XRATES: 2269 xrates = frm; 2270 break; 2271 case IEEE80211_ELEMID_EDCAPARMS: 2272 edcaie = frm; 2273 break; 2274 case IEEE80211_ELEMID_HTCAPS: 2275 htcaps = frm; 2276 break; 2277 case IEEE80211_ELEMID_HTOP: 2278 htop = frm; 2279 break; 2280 case IEEE80211_ELEMID_VENDOR: 2281 if (frm[1] < 4) { 2282 ic->ic_stats.is_rx_elem_toosmall++; 2283 break; 2284 } 2285 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2286 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2287 wmmie = frm; 2288 } 2289 break; 2290 } 2291 frm += 2 + frm[1]; 2292 } 2293 /* supported rates element is mandatory */ 2294 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2295 DPRINTF(("invalid supported rates element\n")); 2296 return; 2297 } 2298 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2299 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2300 IEEE80211_F_DODEL); 2301 if (rate & IEEE80211_RATE_BASIC) { 2302 DPRINTF(("rate mismatch for %s\n", 2303 ether_sprintf((u_int8_t *)wh->i_addr2))); 2304 ic->ic_stats.is_rx_assoc_norate++; 2305 return; 2306 } 2307 ni->ni_capinfo = capinfo; 2308 ni->ni_associd = associd; 2309 if (edcaie != NULL || wmmie != NULL) { 2310 /* force update of EDCA parameters */ 2311 ic->ic_edca_updtcount = -1; 2312 2313 if ((edcaie != NULL && 2314 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2315 (wmmie != NULL && 2316 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2317 ni->ni_flags |= IEEE80211_NODE_QOS; 2318 else /* for Reassociation */ 2319 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2320 } 2321 if (htcaps) 2322 ieee80211_setup_htcaps(ni, htcaps + 2, htcaps[1]); 2323 if (htop) 2324 ieee80211_setup_htop(ni, htop + 2, htop[1], 0); 2325 ieee80211_ht_negotiate(ic, ni); 2326 2327 /* Hop into 11n mode after associating to an HT AP in a non-11n mode. */ 2328 if (ni->ni_flags & IEEE80211_NODE_HT) 2329 ieee80211_setmode(ic, IEEE80211_MODE_11N); 2330 else 2331 ieee80211_setmode(ic, ieee80211_chan2mode(ic, ni->ni_chan)); 2332 /* 2333 * Reset the erp state (mostly the slot time) now that 2334 * our operating mode has been nailed down. 2335 */ 2336 ieee80211_reset_erp(ic); 2337 2338 /* 2339 * Configure state now that we are associated. 2340 */ 2341 if (ic->ic_curmode == IEEE80211_MODE_11A || 2342 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2343 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2344 else 2345 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2346 2347 ieee80211_set_shortslottime(ic, 2348 ic->ic_curmode == IEEE80211_MODE_11A || 2349 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2350 /* 2351 * Honor ERP protection. 2352 */ 2353 if ((ic->ic_curmode == IEEE80211_MODE_11G || 2354 (ic->ic_curmode == IEEE80211_MODE_11N && 2355 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))) && 2356 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2357 ic->ic_flags |= IEEE80211_F_USEPROT; 2358 else 2359 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2360 /* 2361 * If not an RSNA, mark the port as valid, otherwise wait for 2362 * 802.1X authentication and 4-way handshake to complete.. 2363 */ 2364 if (ic->ic_flags & IEEE80211_F_RSNON) { 2365 /* XXX ic->ic_mgt_timer = 5; */ 2366 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 2367 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2368 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2369 2370 ieee80211_new_state(ic, IEEE80211_S_RUN, 2371 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2372 } 2373 2374 /*- 2375 * Deauthentication frame format: 2376 * [2] Reason code 2377 */ 2378 void 2379 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2380 struct ieee80211_node *ni) 2381 { 2382 const struct ieee80211_frame *wh; 2383 const u_int8_t *frm; 2384 u_int16_t reason; 2385 2386 /* make sure all mandatory fixed fields are present */ 2387 if (m->m_len < sizeof(*wh) + 2) { 2388 DPRINTF(("frame too short\n")); 2389 return; 2390 } 2391 wh = mtod(m, struct ieee80211_frame *); 2392 frm = (const u_int8_t *)&wh[1]; 2393 2394 reason = LE_READ_2(frm); 2395 2396 ic->ic_stats.is_rx_deauth++; 2397 switch (ic->ic_opmode) { 2398 case IEEE80211_M_STA: { 2399 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2400 ic->ic_state == IEEE80211_S_RUN); 2401 if (!bgscan) /* ignore deauth during bgscan */ 2402 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2403 IEEE80211_FC0_SUBTYPE_DEAUTH); 2404 } 2405 break; 2406 #ifndef IEEE80211_STA_ONLY 2407 case IEEE80211_M_HOSTAP: 2408 if (ni != ic->ic_bss) { 2409 if (ic->ic_if.if_flags & IFF_DEBUG) 2410 printf("%s: station %s deauthenticated " 2411 "by peer (reason %d)\n", 2412 ic->ic_if.if_xname, 2413 ether_sprintf(ni->ni_macaddr), 2414 reason); 2415 ieee80211_node_leave(ic, ni); 2416 } 2417 break; 2418 #endif 2419 default: 2420 break; 2421 } 2422 } 2423 2424 /*- 2425 * Disassociation frame format: 2426 * [2] Reason code 2427 */ 2428 void 2429 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2430 struct ieee80211_node *ni) 2431 { 2432 const struct ieee80211_frame *wh; 2433 const u_int8_t *frm; 2434 u_int16_t reason; 2435 2436 /* make sure all mandatory fixed fields are present */ 2437 if (m->m_len < sizeof(*wh) + 2) { 2438 DPRINTF(("frame too short\n")); 2439 return; 2440 } 2441 wh = mtod(m, struct ieee80211_frame *); 2442 frm = (const u_int8_t *)&wh[1]; 2443 2444 reason = LE_READ_2(frm); 2445 2446 ic->ic_stats.is_rx_disassoc++; 2447 switch (ic->ic_opmode) { 2448 case IEEE80211_M_STA: { 2449 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 2450 ic->ic_state == IEEE80211_S_RUN); 2451 if (!bgscan) /* ignore disassoc during bgscan */ 2452 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2453 IEEE80211_FC0_SUBTYPE_DISASSOC); 2454 } 2455 break; 2456 #ifndef IEEE80211_STA_ONLY 2457 case IEEE80211_M_HOSTAP: 2458 if (ni != ic->ic_bss) { 2459 if (ic->ic_if.if_flags & IFF_DEBUG) 2460 printf("%s: station %s disassociated " 2461 "by peer (reason %d)\n", 2462 ic->ic_if.if_xname, 2463 ether_sprintf(ni->ni_macaddr), 2464 reason); 2465 ieee80211_node_leave(ic, ni); 2466 } 2467 break; 2468 #endif 2469 default: 2470 break; 2471 } 2472 } 2473 2474 /*- 2475 * ADDBA Request frame format: 2476 * [1] Category 2477 * [1] Action 2478 * [1] Dialog Token 2479 * [2] Block Ack Parameter Set 2480 * [2] Block Ack Timeout Value 2481 * [2] Block Ack Starting Sequence Control 2482 */ 2483 void 2484 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2485 struct ieee80211_node *ni) 2486 { 2487 const struct ieee80211_frame *wh; 2488 const u_int8_t *frm; 2489 struct ieee80211_rx_ba *ba; 2490 u_int16_t params, ssn, bufsz, timeout; 2491 u_int8_t token, tid; 2492 int err = 0; 2493 2494 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2495 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2496 ether_sprintf(ni->ni_macaddr))); 2497 return; 2498 } 2499 if (m->m_len < sizeof(*wh) + 9) { 2500 DPRINTF(("frame too short\n")); 2501 return; 2502 } 2503 /* MLME-ADDBA.indication */ 2504 wh = mtod(m, struct ieee80211_frame *); 2505 frm = (const u_int8_t *)&wh[1]; 2506 2507 token = frm[2]; 2508 params = LE_READ_2(&frm[3]); 2509 tid = ((params & IEEE80211_ADDBA_TID_MASK) >> 2510 IEEE80211_ADDBA_TID_SHIFT); 2511 bufsz = (params & IEEE80211_ADDBA_BUFSZ_MASK) >> 2512 IEEE80211_ADDBA_BUFSZ_SHIFT; 2513 timeout = LE_READ_2(&frm[5]); 2514 ssn = LE_READ_2(&frm[7]) >> 4; 2515 2516 ba = &ni->ni_rx_ba[tid]; 2517 /* check if we already have a Block Ack agreement for this RA/TID */ 2518 if (ba->ba_state == IEEE80211_BA_AGREED) { 2519 /* XXX should we update the timeout value? */ 2520 /* reset Block Ack inactivity timer */ 2521 if (ba->ba_timeout_val != 0) 2522 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2523 2524 /* check if it's a Protected Block Ack agreement */ 2525 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2526 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2527 return; /* not a PBAC, ignore */ 2528 2529 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2530 if (SEQ_LT(ba->ba_winstart, ssn)) 2531 ieee80211_ba_move_window(ic, ni, tid, ssn); 2532 return; 2533 } 2534 2535 /* if PBAC required but RA does not support it, refuse request */ 2536 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2537 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2538 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) 2539 goto refuse; 2540 /* 2541 * If the TID for which the Block Ack agreement is requested is 2542 * configured with a no-ACK policy, refuse the agreement. 2543 */ 2544 if (ic->ic_tid_noack & (1 << tid)) 2545 goto refuse; 2546 2547 /* check that we support the requested Block Ack Policy */ 2548 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2549 !(params & IEEE80211_ADDBA_BA_POLICY)) 2550 goto refuse; 2551 2552 /* setup Block Ack agreement */ 2553 ba->ba_state = IEEE80211_BA_INIT; 2554 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2555 ba->ba_ni = ni; 2556 ba->ba_token = token; 2557 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2558 timeout_set(&ba->ba_gap_to, ieee80211_input_ba_gap_timeout, ba); 2559 ba->ba_winsize = bufsz; 2560 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2561 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2562 ba->ba_params = (params & IEEE80211_ADDBA_BA_POLICY); 2563 ba->ba_params |= ((ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 2564 (tid << IEEE80211_ADDBA_TID_SHIFT) | IEEE80211_ADDBA_AMSDU); 2565 ba->ba_winstart = ssn; 2566 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2567 /* allocate and setup our reordering buffer */ 2568 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2569 M_DEVBUF, M_NOWAIT | M_ZERO); 2570 if (ba->ba_buf == NULL) 2571 goto refuse; 2572 2573 ba->ba_head = 0; 2574 2575 /* notify drivers of this new Block Ack agreement */ 2576 if (ic->ic_ampdu_rx_start != NULL) 2577 err = ic->ic_ampdu_rx_start(ic, ni, tid); 2578 if (err == EBUSY) { 2579 /* driver will accept or refuse agreement when done */ 2580 return; 2581 } else if (err) { 2582 /* driver failed to setup, rollback */ 2583 ieee80211_addba_req_refuse(ic, ni, tid); 2584 } else 2585 ieee80211_addba_req_accept(ic, ni, tid); 2586 return; 2587 2588 refuse: 2589 /* MLME-ADDBA.response */ 2590 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2591 IEEE80211_ACTION_ADDBA_RESP, 2592 IEEE80211_STATUS_REFUSED << 16 | token << 8 | tid); 2593 } 2594 2595 void 2596 ieee80211_addba_req_accept(struct ieee80211com *ic, struct ieee80211_node *ni, 2597 uint8_t tid) 2598 { 2599 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2600 2601 ba->ba_state = IEEE80211_BA_AGREED; 2602 ic->ic_stats.is_ht_rx_ba_agreements++; 2603 /* start Block Ack inactivity timer */ 2604 if (ba->ba_timeout_val != 0) 2605 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2606 2607 /* MLME-ADDBA.response */ 2608 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2609 IEEE80211_ACTION_ADDBA_RESP, 2610 IEEE80211_STATUS_SUCCESS << 16 | ba->ba_token << 8 | tid); 2611 } 2612 2613 void 2614 ieee80211_addba_req_refuse(struct ieee80211com *ic, struct ieee80211_node *ni, 2615 uint8_t tid) 2616 { 2617 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2618 2619 free(ba->ba_buf, M_DEVBUF, 2620 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2621 ba->ba_buf = NULL; 2622 2623 /* MLME-ADDBA.response */ 2624 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2625 IEEE80211_ACTION_ADDBA_RESP, 2626 IEEE80211_STATUS_REFUSED << 16 | ba->ba_token << 8 | tid); 2627 } 2628 2629 /*- 2630 * ADDBA Response frame format: 2631 * [1] Category 2632 * [1] Action 2633 * [1] Dialog Token 2634 * [2] Status Code 2635 * [2] Block Ack Parameter Set 2636 * [2] Block Ack Timeout Value 2637 */ 2638 void 2639 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2640 struct ieee80211_node *ni) 2641 { 2642 const struct ieee80211_frame *wh; 2643 const u_int8_t *frm; 2644 struct ieee80211_tx_ba *ba; 2645 u_int16_t status, params, bufsz, timeout; 2646 u_int8_t token, tid; 2647 2648 if (m->m_len < sizeof(*wh) + 9) { 2649 DPRINTF(("frame too short\n")); 2650 return; 2651 } 2652 wh = mtod(m, struct ieee80211_frame *); 2653 frm = (const u_int8_t *)&wh[1]; 2654 2655 token = frm[2]; 2656 status = LE_READ_2(&frm[3]); 2657 params = LE_READ_2(&frm[5]); 2658 tid = (params >> 2) & 0xf; 2659 bufsz = (params >> 6) & 0x3ff; 2660 timeout = LE_READ_2(&frm[7]); 2661 2662 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2663 ether_sprintf(ni->ni_macaddr), tid, status)); 2664 2665 /* 2666 * Ignore if no ADDBA request has been sent for this RA/TID or 2667 * if we already have a Block Ack agreement. 2668 */ 2669 ba = &ni->ni_tx_ba[tid]; 2670 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2671 DPRINTF(("no matching ADDBA req found\n")); 2672 return; 2673 } 2674 if (token != ba->ba_token) { 2675 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2676 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2677 return; 2678 } 2679 /* we got an ADDBA Response matching our request, stop timeout */ 2680 timeout_del(&ba->ba_to); 2681 2682 if (status != IEEE80211_STATUS_SUCCESS) { 2683 /* MLME-ADDBA.confirm(Failure) */ 2684 ba->ba_state = IEEE80211_BA_INIT; 2685 return; 2686 } 2687 /* MLME-ADDBA.confirm(Success) */ 2688 ba->ba_state = IEEE80211_BA_AGREED; 2689 ic->ic_stats.is_ht_tx_ba_agreements++; 2690 2691 /* notify drivers of this new Block Ack agreement */ 2692 if (ic->ic_ampdu_tx_start != NULL) 2693 (void)ic->ic_ampdu_tx_start(ic, ni, tid); 2694 2695 /* start Block Ack inactivity timeout */ 2696 if (ba->ba_timeout_val != 0) 2697 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2698 } 2699 2700 /*- 2701 * DELBA frame format: 2702 * [1] Category 2703 * [1] Action 2704 * [2] DELBA Parameter Set 2705 * [2] Reason Code 2706 */ 2707 void 2708 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 2709 struct ieee80211_node *ni) 2710 { 2711 const struct ieee80211_frame *wh; 2712 const u_int8_t *frm; 2713 u_int16_t params, reason; 2714 u_int8_t tid; 2715 int i; 2716 2717 if (m->m_len < sizeof(*wh) + 6) { 2718 DPRINTF(("frame too short\n")); 2719 return; 2720 } 2721 wh = mtod(m, struct ieee80211_frame *); 2722 frm = (const u_int8_t *)&wh[1]; 2723 2724 params = LE_READ_2(&frm[2]); 2725 reason = LE_READ_2(&frm[4]); 2726 tid = params >> 12; 2727 2728 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 2729 ether_sprintf(ni->ni_macaddr), tid, reason)); 2730 2731 if (params & IEEE80211_DELBA_INITIATOR) { 2732 /* MLME-DELBA.indication(Originator) */ 2733 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2734 2735 if (ba->ba_state != IEEE80211_BA_AGREED) { 2736 DPRINTF(("no matching Block Ack agreement\n")); 2737 return; 2738 } 2739 /* notify drivers of the end of the Block Ack agreement */ 2740 if (ic->ic_ampdu_rx_stop != NULL) 2741 ic->ic_ampdu_rx_stop(ic, ni, tid); 2742 2743 ba->ba_state = IEEE80211_BA_INIT; 2744 /* stop Block Ack inactivity timer */ 2745 timeout_del(&ba->ba_to); 2746 timeout_del(&ba->ba_gap_to); 2747 2748 if (ba->ba_buf != NULL) { 2749 /* free all MSDUs stored in reordering buffer */ 2750 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 2751 m_freem(ba->ba_buf[i].m); 2752 /* free reordering buffer */ 2753 free(ba->ba_buf, M_DEVBUF, 2754 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 2755 ba->ba_buf = NULL; 2756 } 2757 } else { 2758 /* MLME-DELBA.indication(Recipient) */ 2759 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2760 2761 if (ba->ba_state != IEEE80211_BA_AGREED) { 2762 DPRINTF(("no matching Block Ack agreement\n")); 2763 return; 2764 } 2765 /* notify drivers of the end of the Block Ack agreement */ 2766 if (ic->ic_ampdu_tx_stop != NULL) 2767 ic->ic_ampdu_tx_stop(ic, ni, tid); 2768 2769 ba->ba_state = IEEE80211_BA_INIT; 2770 /* stop Block Ack inactivity timer */ 2771 timeout_del(&ba->ba_to); 2772 } 2773 } 2774 2775 /*- 2776 * SA Query Request frame format: 2777 * [1] Category 2778 * [1] Action 2779 * [2] Transaction Identifier 2780 */ 2781 void 2782 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 2783 struct ieee80211_node *ni) 2784 { 2785 const struct ieee80211_frame *wh; 2786 const u_int8_t *frm; 2787 2788 if (ic->ic_opmode != IEEE80211_M_STA || 2789 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 2790 DPRINTF(("unexpected SA Query req from %s\n", 2791 ether_sprintf(ni->ni_macaddr))); 2792 return; 2793 } 2794 if (m->m_len < sizeof(*wh) + 4) { 2795 DPRINTF(("frame too short\n")); 2796 return; 2797 } 2798 wh = mtod(m, struct ieee80211_frame *); 2799 frm = (const u_int8_t *)&wh[1]; 2800 2801 /* MLME-SAQuery.indication */ 2802 2803 /* save Transaction Identifier for SA Query Response */ 2804 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 2805 2806 /* MLME-SAQuery.response */ 2807 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 2808 IEEE80211_ACTION_SA_QUERY_RESP, 0); 2809 } 2810 2811 #ifndef IEEE80211_STA_ONLY 2812 /*- 2813 * SA Query Response frame format: 2814 * [1] Category 2815 * [1] Action 2816 * [2] Transaction Identifier 2817 */ 2818 void 2819 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 2820 struct ieee80211_node *ni) 2821 { 2822 const struct ieee80211_frame *wh; 2823 const u_int8_t *frm; 2824 2825 /* ignore if we're not engaged in an SA Query with that STA */ 2826 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 2827 DPRINTF(("unexpected SA Query resp from %s\n", 2828 ether_sprintf(ni->ni_macaddr))); 2829 return; 2830 } 2831 if (m->m_len < sizeof(*wh) + 4) { 2832 DPRINTF(("frame too short\n")); 2833 return; 2834 } 2835 wh = mtod(m, struct ieee80211_frame *); 2836 frm = (const u_int8_t *)&wh[1]; 2837 2838 /* check that Transaction Identifier matches */ 2839 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 2840 DPRINTF(("transaction identifier does not match\n")); 2841 return; 2842 } 2843 /* MLME-SAQuery.confirm */ 2844 timeout_del(&ni->ni_sa_query_to); 2845 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 2846 } 2847 #endif 2848 2849 /*- 2850 * Action frame format: 2851 * [1] Category 2852 * [1] Action 2853 */ 2854 void 2855 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 2856 struct ieee80211_node *ni) 2857 { 2858 const struct ieee80211_frame *wh; 2859 const u_int8_t *frm; 2860 2861 if (m->m_len < sizeof(*wh) + 2) { 2862 DPRINTF(("frame too short\n")); 2863 return; 2864 } 2865 wh = mtod(m, struct ieee80211_frame *); 2866 frm = (const u_int8_t *)&wh[1]; 2867 2868 switch (frm[0]) { 2869 case IEEE80211_CATEG_BA: 2870 switch (frm[1]) { 2871 case IEEE80211_ACTION_ADDBA_REQ: 2872 ieee80211_recv_addba_req(ic, m, ni); 2873 break; 2874 case IEEE80211_ACTION_ADDBA_RESP: 2875 ieee80211_recv_addba_resp(ic, m, ni); 2876 break; 2877 case IEEE80211_ACTION_DELBA: 2878 ieee80211_recv_delba(ic, m, ni); 2879 break; 2880 } 2881 break; 2882 case IEEE80211_CATEG_SA_QUERY: 2883 switch (frm[1]) { 2884 case IEEE80211_ACTION_SA_QUERY_REQ: 2885 ieee80211_recv_sa_query_req(ic, m, ni); 2886 break; 2887 #ifndef IEEE80211_STA_ONLY 2888 case IEEE80211_ACTION_SA_QUERY_RESP: 2889 ieee80211_recv_sa_query_resp(ic, m, ni); 2890 break; 2891 #endif 2892 } 2893 break; 2894 default: 2895 DPRINTF(("action frame category %d not handled\n", frm[0])); 2896 break; 2897 } 2898 } 2899 2900 void 2901 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 2902 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 2903 { 2904 switch (subtype) { 2905 case IEEE80211_FC0_SUBTYPE_BEACON: 2906 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 2907 break; 2908 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 2909 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 2910 break; 2911 #ifndef IEEE80211_STA_ONLY 2912 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2913 ieee80211_recv_probe_req(ic, m, ni, rxi); 2914 break; 2915 #endif 2916 case IEEE80211_FC0_SUBTYPE_AUTH: 2917 ieee80211_recv_auth(ic, m, ni, rxi); 2918 break; 2919 #ifndef IEEE80211_STA_ONLY 2920 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2921 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 2922 break; 2923 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 2924 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 2925 break; 2926 #endif 2927 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2928 ieee80211_recv_assoc_resp(ic, m, ni, 0); 2929 break; 2930 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2931 ieee80211_recv_assoc_resp(ic, m, ni, 1); 2932 break; 2933 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2934 ieee80211_recv_deauth(ic, m, ni); 2935 break; 2936 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2937 ieee80211_recv_disassoc(ic, m, ni); 2938 break; 2939 case IEEE80211_FC0_SUBTYPE_ACTION: 2940 ieee80211_recv_action(ic, m, ni); 2941 break; 2942 default: 2943 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 2944 subtype)); 2945 ic->ic_stats.is_rx_badsubtype++; 2946 break; 2947 } 2948 } 2949 2950 #ifndef IEEE80211_STA_ONLY 2951 /* 2952 * Process an incoming PS-Poll control frame (see 11.2). 2953 */ 2954 void 2955 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 2956 struct ieee80211_node *ni) 2957 { 2958 struct ifnet *ifp = &ic->ic_if; 2959 struct ieee80211_frame_pspoll *psp; 2960 struct ieee80211_frame *wh; 2961 u_int16_t aid; 2962 2963 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2964 !(ic->ic_caps & IEEE80211_C_APPMGT) || 2965 ni->ni_state != IEEE80211_STA_ASSOC) 2966 return; 2967 2968 if (m->m_len < sizeof(*psp)) { 2969 DPRINTF(("frame too short, len %u\n", m->m_len)); 2970 ic->ic_stats.is_rx_tooshort++; 2971 return; 2972 } 2973 psp = mtod(m, struct ieee80211_frame_pspoll *); 2974 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 2975 DPRINTF(("discard pspoll frame to BSS %s\n", 2976 ether_sprintf(psp->i_bssid))); 2977 ic->ic_stats.is_rx_wrongbss++; 2978 return; 2979 } 2980 aid = letoh16(*(u_int16_t *)psp->i_aid); 2981 if (aid != ni->ni_associd) { 2982 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 2983 ether_sprintf(psp->i_ta))); 2984 return; 2985 } 2986 2987 /* take the first queued frame and put it out.. */ 2988 m = mq_dequeue(&ni->ni_savedq); 2989 if (m == NULL) 2990 return; 2991 if (mq_empty(&ni->ni_savedq)) { 2992 /* last queued frame, turn off the TIM bit */ 2993 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 2994 } else { 2995 /* more queued frames, set the more data bit */ 2996 wh = mtod(m, struct ieee80211_frame *); 2997 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 2998 } 2999 mq_enqueue(&ic->ic_pwrsaveq, m); 3000 if_start(ifp); 3001 } 3002 #endif /* IEEE80211_STA_ONLY */ 3003 3004 /* 3005 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 3006 */ 3007 void 3008 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 3009 struct ieee80211_node *ni) 3010 { 3011 const struct ieee80211_frame_min *wh; 3012 const u_int8_t *frm; 3013 u_int16_t ctl, ssn; 3014 u_int8_t tid, ntids; 3015 3016 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 3017 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 3018 ether_sprintf(ni->ni_macaddr))); 3019 return; 3020 } 3021 if (m->m_len < sizeof(*wh) + 4) { 3022 DPRINTF(("frame too short\n")); 3023 return; 3024 } 3025 wh = mtod(m, struct ieee80211_frame_min *); 3026 frm = (const u_int8_t *)&wh[1]; 3027 3028 /* read BlockAckReq Control field */ 3029 ctl = LE_READ_2(&frm[0]); 3030 tid = ctl >> 12; 3031 3032 /* determine BlockAckReq frame variant */ 3033 if (ctl & IEEE80211_BA_MULTI_TID) { 3034 /* Multi-TID BlockAckReq variant (PSMP only) */ 3035 ntids = tid + 1; 3036 3037 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 3038 DPRINTF(("MTBAR frame too short\n")); 3039 return; 3040 } 3041 frm += 2; /* skip BlockAckReq Control field */ 3042 while (ntids-- > 0) { 3043 /* read MTBAR Information field */ 3044 tid = LE_READ_2(&frm[0]) >> 12; 3045 ssn = LE_READ_2(&frm[2]) >> 4; 3046 ieee80211_bar_tid(ic, ni, tid, ssn); 3047 frm += 4; 3048 } 3049 } else { 3050 /* Basic or Compressed BlockAckReq variants */ 3051 ssn = LE_READ_2(&frm[2]) >> 4; 3052 ieee80211_bar_tid(ic, ni, tid, ssn); 3053 } 3054 } 3055 3056 /* 3057 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 3058 * This is the common back-end for all BlockAckReq frame variants. 3059 */ 3060 void 3061 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 3062 u_int8_t tid, u_int16_t ssn) 3063 { 3064 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 3065 3066 /* check if we have a Block Ack agreement for RA/TID */ 3067 if (ba->ba_state != IEEE80211_BA_AGREED) { 3068 /* XXX not sure in PBAC case */ 3069 /* send a DELBA with reason code UNKNOWN-BA */ 3070 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 3071 IEEE80211_ACTION_DELBA, 3072 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 3073 return; 3074 } 3075 /* check if it is a Protected Block Ack agreement */ 3076 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 3077 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 3078 /* ADDBA Requests must be used in PBAC case */ 3079 if (SEQ_LT(ssn, ba->ba_winstart) || 3080 SEQ_LT(ba->ba_winend, ssn)) 3081 ic->ic_stats.is_pbac_errs++; 3082 return; /* PBAC, do not move window */ 3083 } 3084 /* reset Block Ack inactivity timer */ 3085 if (ba->ba_timeout_val != 0) 3086 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 3087 3088 if (SEQ_LT(ba->ba_winstart, ssn)) 3089 ieee80211_ba_move_window(ic, ni, tid, ssn); 3090 } 3091