1 /* $OpenBSD: ieee80211_node.c,v 1.55 2009/01/29 17:19:10 damien Exp $ */ 2 /* $NetBSD: ieee80211_node.c,v 1.14 2004/05/09 09:18:47 dyoung Exp $ */ 3 4 /*- 5 * Copyright (c) 2001 Atsushi Onoe 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * Copyright (c) 2008 Damien Bergamini 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "bpfilter.h" 34 #include "bridge.h" 35 36 #include <sys/param.h> 37 #include <sys/systm.h> 38 #include <sys/mbuf.h> 39 #include <sys/malloc.h> 40 #include <sys/kernel.h> 41 #include <sys/socket.h> 42 #include <sys/sockio.h> 43 #include <sys/endian.h> 44 #include <sys/errno.h> 45 #include <sys/proc.h> 46 #include <sys/sysctl.h> 47 #include <sys/tree.h> 48 49 #include <net/if.h> 50 #include <net/if_dl.h> 51 #include <net/if_media.h> 52 #include <net/if_arp.h> 53 #include <net/if_llc.h> 54 55 #if NBPFILTER > 0 56 #include <net/bpf.h> 57 #endif 58 59 #ifdef INET 60 #include <netinet/in.h> 61 #include <netinet/if_ether.h> 62 #endif 63 64 #if NBRIDGE > 0 65 #include <net/if_bridge.h> 66 #endif 67 68 #include <net80211/ieee80211_var.h> 69 #include <net80211/ieee80211_priv.h> 70 71 #include <dev/rndvar.h> 72 73 struct ieee80211_node *ieee80211_node_alloc(struct ieee80211com *); 74 void ieee80211_node_free(struct ieee80211com *, struct ieee80211_node *); 75 void ieee80211_node_copy(struct ieee80211com *, struct ieee80211_node *, 76 const struct ieee80211_node *); 77 void ieee80211_choose_rsnparams(struct ieee80211com *); 78 u_int8_t ieee80211_node_getrssi(struct ieee80211com *, 79 const struct ieee80211_node *); 80 void ieee80211_setup_node(struct ieee80211com *, struct ieee80211_node *, 81 const u_int8_t *); 82 void ieee80211_free_node(struct ieee80211com *, struct ieee80211_node *); 83 struct ieee80211_node *ieee80211_alloc_node_helper(struct ieee80211com *); 84 void ieee80211_node_cleanup(struct ieee80211com *, struct ieee80211_node *); 85 void ieee80211_needs_auth(struct ieee80211com *, struct ieee80211_node *); 86 #ifndef IEEE80211_STA_ONLY 87 #ifndef IEEE80211_NO_HT 88 void ieee80211_node_join_ht(struct ieee80211com *, struct ieee80211_node *); 89 #endif 90 void ieee80211_node_join_rsn(struct ieee80211com *, struct ieee80211_node *); 91 void ieee80211_node_join_11g(struct ieee80211com *, struct ieee80211_node *); 92 #ifndef IEEE80211_NO_HT 93 void ieee80211_node_leave_ht(struct ieee80211com *, struct ieee80211_node *); 94 #endif 95 void ieee80211_node_leave_rsn(struct ieee80211com *, struct ieee80211_node *); 96 void ieee80211_node_leave_11g(struct ieee80211com *, struct ieee80211_node *); 97 void ieee80211_set_tim(struct ieee80211com *, int, int); 98 #endif 99 100 #define M_80211_NODE M_DEVBUF 101 102 void 103 ieee80211_node_attach(struct ifnet *ifp) 104 { 105 struct ieee80211com *ic = (void *)ifp; 106 #ifndef IEEE80211_STA_ONLY 107 int size; 108 #endif 109 110 RB_INIT(&ic->ic_tree); 111 ic->ic_node_alloc = ieee80211_node_alloc; 112 ic->ic_node_free = ieee80211_node_free; 113 ic->ic_node_copy = ieee80211_node_copy; 114 ic->ic_node_getrssi = ieee80211_node_getrssi; 115 ic->ic_scangen = 1; 116 ic->ic_max_nnodes = ieee80211_cache_size; 117 118 if (ic->ic_max_aid == 0) 119 ic->ic_max_aid = IEEE80211_AID_DEF; 120 else if (ic->ic_max_aid > IEEE80211_AID_MAX) 121 ic->ic_max_aid = IEEE80211_AID_MAX; 122 #ifndef IEEE80211_STA_ONLY 123 size = howmany(ic->ic_max_aid, 32) * sizeof(u_int32_t); 124 ic->ic_aid_bitmap = malloc(size, M_DEVBUF, M_NOWAIT | M_ZERO); 125 if (ic->ic_aid_bitmap == NULL) { 126 /* XXX no way to recover */ 127 printf("%s: no memory for AID bitmap!\n", __func__); 128 ic->ic_max_aid = 0; 129 } 130 if (ic->ic_caps & (IEEE80211_C_HOSTAP | IEEE80211_C_IBSS)) { 131 ic->ic_tim_len = howmany(ic->ic_max_aid, 8); 132 ic->ic_tim_bitmap = malloc(ic->ic_tim_len, M_DEVBUF, 133 M_NOWAIT | M_ZERO); 134 if (ic->ic_tim_bitmap == NULL) { 135 printf("%s: no memory for TIM bitmap!\n", __func__); 136 ic->ic_tim_len = 0; 137 } else 138 ic->ic_set_tim = ieee80211_set_tim; 139 timeout_set(&ic->ic_rsn_timeout, 140 ieee80211_gtk_rekey_timeout, ic); 141 } 142 #endif 143 } 144 145 struct ieee80211_node * 146 ieee80211_alloc_node_helper(struct ieee80211com *ic) 147 { 148 struct ieee80211_node *ni; 149 if (ic->ic_nnodes >= ic->ic_max_nnodes) 150 ieee80211_clean_nodes(ic); 151 if (ic->ic_nnodes >= ic->ic_max_nnodes) 152 return NULL; 153 ni = (*ic->ic_node_alloc)(ic); 154 if (ni != NULL) 155 ic->ic_nnodes++; 156 return ni; 157 } 158 159 void 160 ieee80211_node_lateattach(struct ifnet *ifp) 161 { 162 struct ieee80211com *ic = (void *)ifp; 163 struct ieee80211_node *ni; 164 165 ni = ieee80211_alloc_node_helper(ic); 166 if (ni == NULL) 167 panic("unable to setup inital BSS node"); 168 ni->ni_chan = IEEE80211_CHAN_ANYC; 169 ic->ic_bss = ieee80211_ref_node(ni); 170 ic->ic_txpower = IEEE80211_TXPOWER_MAX; 171 } 172 173 void 174 ieee80211_node_detach(struct ifnet *ifp) 175 { 176 struct ieee80211com *ic = (void *)ifp; 177 178 if (ic->ic_bss != NULL) { 179 (*ic->ic_node_free)(ic, ic->ic_bss); 180 ic->ic_bss = NULL; 181 } 182 ieee80211_free_allnodes(ic); 183 #ifndef IEEE80211_STA_ONLY 184 if (ic->ic_aid_bitmap != NULL) 185 free(ic->ic_aid_bitmap, M_DEVBUF); 186 if (ic->ic_tim_bitmap != NULL) 187 free(ic->ic_tim_bitmap, M_DEVBUF); 188 #endif 189 timeout_del(&ic->ic_rsn_timeout); 190 } 191 192 /* 193 * AP scanning support. 194 */ 195 196 /* 197 * Initialize the active channel set based on the set 198 * of available channels and the current PHY mode. 199 */ 200 void 201 ieee80211_reset_scan(struct ifnet *ifp) 202 { 203 struct ieee80211com *ic = (void *)ifp; 204 205 memcpy(ic->ic_chan_scan, ic->ic_chan_active, 206 sizeof(ic->ic_chan_active)); 207 /* NB: hack, setup so next_scan starts with the first channel */ 208 if (ic->ic_bss != NULL && ic->ic_bss->ni_chan == IEEE80211_CHAN_ANYC) 209 ic->ic_bss->ni_chan = &ic->ic_channels[IEEE80211_CHAN_MAX]; 210 } 211 212 /* 213 * Begin an active scan. 214 */ 215 void 216 ieee80211_begin_scan(struct ifnet *ifp) 217 { 218 struct ieee80211com *ic = (void *)ifp; 219 220 if (ic->ic_scan_lock & IEEE80211_SCAN_LOCKED) 221 return; 222 ic->ic_scan_lock |= IEEE80211_SCAN_LOCKED; 223 224 /* 225 * In all but hostap mode scanning starts off in 226 * an active mode before switching to passive. 227 */ 228 #ifndef IEEE80211_STA_ONLY 229 if (ic->ic_opmode != IEEE80211_M_HOSTAP) 230 #endif 231 { 232 ic->ic_flags |= IEEE80211_F_ASCAN; 233 ic->ic_stats.is_scan_active++; 234 } 235 #ifndef IEEE80211_STA_ONLY 236 else 237 ic->ic_stats.is_scan_passive++; 238 #endif 239 if (ifp->if_flags & IFF_DEBUG) 240 printf("%s: begin %s scan\n", ifp->if_xname, 241 (ic->ic_flags & IEEE80211_F_ASCAN) ? 242 "active" : "passive"); 243 244 /* 245 * Flush any previously seen AP's. Note that the latter 246 * assumes we don't act as both an AP and a station, 247 * otherwise we'll potentially flush state of stations 248 * associated with us. 249 */ 250 ieee80211_free_allnodes(ic); 251 252 /* 253 * Reset the current mode. Setting the current mode will also 254 * reset scan state. 255 */ 256 if (IFM_MODE(ic->ic_media.ifm_cur->ifm_media) == IFM_AUTO) 257 ic->ic_curmode = IEEE80211_MODE_AUTO; 258 ieee80211_setmode(ic, ic->ic_curmode); 259 260 ic->ic_scan_count = 0; 261 262 /* Scan the next channel. */ 263 ieee80211_next_scan(ifp); 264 } 265 266 /* 267 * Switch to the next channel marked for scanning. 268 */ 269 void 270 ieee80211_next_scan(struct ifnet *ifp) 271 { 272 struct ieee80211com *ic = (void *)ifp; 273 struct ieee80211_channel *chan; 274 275 chan = ic->ic_bss->ni_chan; 276 for (;;) { 277 if (++chan > &ic->ic_channels[IEEE80211_CHAN_MAX]) 278 chan = &ic->ic_channels[0]; 279 if (isset(ic->ic_chan_scan, ieee80211_chan2ieee(ic, chan))) { 280 /* 281 * Ignore channels marked passive-only 282 * during an active scan. 283 */ 284 if ((ic->ic_flags & IEEE80211_F_ASCAN) == 0 || 285 (chan->ic_flags & IEEE80211_CHAN_PASSIVE) == 0) 286 break; 287 } 288 if (chan == ic->ic_bss->ni_chan) { 289 ieee80211_end_scan(ifp); 290 return; 291 } 292 } 293 clrbit(ic->ic_chan_scan, ieee80211_chan2ieee(ic, chan)); 294 DPRINTF(("chan %d->%d\n", 295 ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan), 296 ieee80211_chan2ieee(ic, chan))); 297 ic->ic_bss->ni_chan = chan; 298 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 299 } 300 301 #ifndef IEEE80211_STA_ONLY 302 void 303 ieee80211_create_ibss(struct ieee80211com* ic, struct ieee80211_channel *chan) 304 { 305 struct ieee80211_node *ni; 306 struct ifnet *ifp = &ic->ic_if; 307 308 ni = ic->ic_bss; 309 if (ifp->if_flags & IFF_DEBUG) 310 printf("%s: creating ibss\n", ifp->if_xname); 311 ic->ic_flags |= IEEE80211_F_SIBSS; 312 ni->ni_chan = chan; 313 ni->ni_rates = ic->ic_sup_rates[ieee80211_chan2mode(ic, ni->ni_chan)]; 314 IEEE80211_ADDR_COPY(ni->ni_macaddr, ic->ic_myaddr); 315 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_myaddr); 316 if (ic->ic_opmode == IEEE80211_M_IBSS) { 317 if ((ic->ic_flags & IEEE80211_F_DESBSSID) != 0) 318 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_des_bssid); 319 else 320 ni->ni_bssid[0] |= 0x02; /* local bit for IBSS */ 321 } 322 ni->ni_esslen = ic->ic_des_esslen; 323 memcpy(ni->ni_essid, ic->ic_des_essid, ni->ni_esslen); 324 ni->ni_rssi = 0; 325 ni->ni_rstamp = 0; 326 memset(ni->ni_tstamp, 0, sizeof(ni->ni_tstamp)); 327 ni->ni_intval = ic->ic_lintval; 328 ni->ni_capinfo = IEEE80211_CAPINFO_IBSS; 329 if (ic->ic_flags & IEEE80211_F_WEPON) 330 ni->ni_capinfo |= IEEE80211_CAPINFO_PRIVACY; 331 if (ic->ic_flags & IEEE80211_F_RSNON) { 332 struct ieee80211_key *k; 333 334 /* initialize 256-bit global key counter to a random value */ 335 arc4random_buf(ic->ic_globalcnt, EAPOL_KEY_NONCE_LEN); 336 337 ni->ni_rsnprotos = ic->ic_rsnprotos; 338 ni->ni_rsnakms = ic->ic_rsnakms; 339 ni->ni_rsnciphers = ic->ic_rsnciphers; 340 ni->ni_rsngroupcipher = ic->ic_rsngroupcipher; 341 ni->ni_rsngroupmgmtcipher = ic->ic_rsngroupmgmtcipher; 342 ni->ni_rsncaps = 0; 343 if (ic->ic_caps & IEEE80211_C_MFP) { 344 ni->ni_rsncaps |= IEEE80211_RSNCAP_MFPC; 345 if (ic->ic_flags & IEEE80211_F_MFPR) 346 ni->ni_rsncaps |= IEEE80211_RSNCAP_MFPR; 347 } 348 349 ic->ic_def_txkey = 1; 350 k = &ic->ic_nw_keys[ic->ic_def_txkey]; 351 memset(k, 0, sizeof(*k)); 352 k->k_id = ic->ic_def_txkey; 353 k->k_cipher = ni->ni_rsngroupcipher; 354 k->k_flags = IEEE80211_KEY_GROUP | IEEE80211_KEY_TX; 355 k->k_len = ieee80211_cipher_keylen(k->k_cipher); 356 arc4random_buf(k->k_key, k->k_len); 357 (*ic->ic_set_key)(ic, ni, k); /* XXX */ 358 359 if (ic->ic_caps & IEEE80211_C_MFP) { 360 ic->ic_igtk_kid = 4; 361 k = &ic->ic_nw_keys[ic->ic_igtk_kid]; 362 memset(k, 0, sizeof(*k)); 363 k->k_id = ic->ic_igtk_kid; 364 k->k_cipher = ni->ni_rsngroupmgmtcipher; 365 k->k_flags = IEEE80211_KEY_IGTK | IEEE80211_KEY_TX; 366 k->k_len = 16; 367 arc4random_buf(k->k_key, k->k_len); 368 (*ic->ic_set_key)(ic, ni, k); /* XXX */ 369 } 370 /* 371 * In HostAP mode, multicast traffic is sent using ic_bss 372 * as the Tx node, so mark our node as valid so we can send 373 * multicast frames using the group key we've just configured. 374 */ 375 ni->ni_port_valid = 1; 376 ni->ni_flags |= IEEE80211_NODE_TXPROT; 377 378 /* schedule a GTK/IGTK rekeying after 3600s */ 379 timeout_add_sec(&ic->ic_rsn_timeout, 3600); 380 } 381 ieee80211_new_state(ic, IEEE80211_S_RUN, -1); 382 } 383 #endif /* IEEE80211_STA_ONLY */ 384 385 int 386 ieee80211_match_bss(struct ieee80211com *ic, struct ieee80211_node *ni) 387 { 388 u_int8_t rate; 389 int fail; 390 391 fail = 0; 392 if (isclr(ic->ic_chan_active, ieee80211_chan2ieee(ic, ni->ni_chan))) 393 fail |= 0x01; 394 if (ic->ic_des_chan != IEEE80211_CHAN_ANYC && 395 ni->ni_chan != ic->ic_des_chan) 396 fail |= 0x01; 397 #ifndef IEEE80211_STA_ONLY 398 if (ic->ic_opmode == IEEE80211_M_IBSS) { 399 if ((ni->ni_capinfo & IEEE80211_CAPINFO_IBSS) == 0) 400 fail |= 0x02; 401 } else 402 #endif 403 { 404 if ((ni->ni_capinfo & IEEE80211_CAPINFO_ESS) == 0) 405 fail |= 0x02; 406 } 407 if (ic->ic_flags & (IEEE80211_F_WEPON | IEEE80211_F_RSNON)) { 408 if ((ni->ni_capinfo & IEEE80211_CAPINFO_PRIVACY) == 0) 409 fail |= 0x04; 410 } else { 411 if (ni->ni_capinfo & IEEE80211_CAPINFO_PRIVACY) 412 fail |= 0x04; 413 } 414 415 rate = ieee80211_fix_rate(ic, ni, IEEE80211_F_DONEGO); 416 if (rate & IEEE80211_RATE_BASIC) 417 fail |= 0x08; 418 if (ic->ic_des_esslen != 0 && 419 (ni->ni_esslen != ic->ic_des_esslen || 420 memcmp(ni->ni_essid, ic->ic_des_essid, ic->ic_des_esslen) != 0)) 421 fail |= 0x10; 422 if ((ic->ic_flags & IEEE80211_F_DESBSSID) && 423 !IEEE80211_ADDR_EQ(ic->ic_des_bssid, ni->ni_bssid)) 424 fail |= 0x20; 425 426 if (ic->ic_flags & IEEE80211_F_RSNON) { 427 /* 428 * If at least one RSN IE field from the AP's RSN IE fails 429 * to overlap with any value the STA supports, the STA shall 430 * decline to associate with that AP. 431 */ 432 if ((ni->ni_rsnprotos & ic->ic_rsnprotos) == 0) 433 fail |= 0x40; 434 if ((ni->ni_rsnakms & ic->ic_rsnakms) == 0) 435 fail |= 0x40; 436 if ((ni->ni_rsnakms & ic->ic_rsnakms & 437 ~(IEEE80211_AKM_PSK | IEEE80211_AKM_SHA256_PSK)) == 0) { 438 /* AP only supports PSK AKMPs */ 439 if (!(ic->ic_flags & IEEE80211_F_PSK)) 440 fail |= 0x40; 441 } 442 if ((ni->ni_rsnciphers & ic->ic_rsnciphers) == 0) 443 fail |= 0x40; 444 445 /* we only support BIP as the IGTK cipher */ 446 if ((ni->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 447 ni->ni_rsngroupmgmtcipher != IEEE80211_CIPHER_BIP) 448 fail |= 0x40; 449 450 /* we do not support MFP but AP requires it */ 451 if (!(ic->ic_caps & IEEE80211_C_MFP) && 452 (ni->ni_rsncaps & IEEE80211_RSNCAP_MFPR)) 453 fail |= 0x40; 454 455 /* we require MFP but AP does not support it */ 456 if ((ic->ic_caps & IEEE80211_C_MFP) && 457 (ic->ic_flags & IEEE80211_F_MFPR) && 458 !(ni->ni_rsncaps & IEEE80211_RSNCAP_MFPC)) 459 fail |= 0x40; 460 } 461 462 #ifdef IEEE80211_DEBUG 463 if (ic->ic_if.if_flags & IFF_DEBUG) { 464 printf(" %c %s", fail ? '-' : '+', 465 ether_sprintf(ni->ni_macaddr)); 466 printf(" %s%c", ether_sprintf(ni->ni_bssid), 467 fail & 0x20 ? '!' : ' '); 468 printf(" %3d%c", ieee80211_chan2ieee(ic, ni->ni_chan), 469 fail & 0x01 ? '!' : ' '); 470 printf(" %+4d", ni->ni_rssi); 471 printf(" %2dM%c", (rate & IEEE80211_RATE_VAL) / 2, 472 fail & 0x08 ? '!' : ' '); 473 printf(" %4s%c", 474 (ni->ni_capinfo & IEEE80211_CAPINFO_ESS) ? "ess" : 475 (ni->ni_capinfo & IEEE80211_CAPINFO_IBSS) ? "ibss" : 476 "????", 477 fail & 0x02 ? '!' : ' '); 478 printf(" %7s%c ", 479 (ni->ni_capinfo & IEEE80211_CAPINFO_PRIVACY) ? 480 "privacy" : "no", 481 fail & 0x04 ? '!' : ' '); 482 printf(" %3s%c ", 483 (ic->ic_flags & IEEE80211_F_RSNON) ? 484 "rsn" : "no", 485 fail & 0x40 ? '!' : ' '); 486 ieee80211_print_essid(ni->ni_essid, ni->ni_esslen); 487 printf("%s\n", fail & 0x10 ? "!" : ""); 488 } 489 #endif 490 return fail; 491 } 492 493 /* 494 * Complete a scan of potential channels. 495 */ 496 void 497 ieee80211_end_scan(struct ifnet *ifp) 498 { 499 struct ieee80211com *ic = (void *)ifp; 500 struct ieee80211_node *ni, *nextbs, *selbs; 501 502 if (ifp->if_flags & IFF_DEBUG) 503 printf("%s: end %s scan\n", ifp->if_xname, 504 (ic->ic_flags & IEEE80211_F_ASCAN) ? 505 "active" : "passive"); 506 507 if (ic->ic_scan_count) 508 ic->ic_flags &= ~IEEE80211_F_ASCAN; 509 510 ni = RB_MIN(ieee80211_tree, &ic->ic_tree); 511 512 #ifndef IEEE80211_STA_ONLY 513 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 514 /* XXX off stack? */ 515 u_char occupied[howmany(IEEE80211_CHAN_MAX, NBBY)]; 516 int i, fail; 517 518 /* 519 * The passive scan to look for existing AP's completed, 520 * select a channel to camp on. Identify the channels 521 * that already have one or more AP's and try to locate 522 * an unnoccupied one. If that fails, pick a random 523 * channel from the active set. 524 */ 525 RB_FOREACH(ni, ieee80211_tree, &ic->ic_tree) 526 setbit(occupied, ieee80211_chan2ieee(ic, ni->ni_chan)); 527 for (i = 0; i < IEEE80211_CHAN_MAX; i++) 528 if (isset(ic->ic_chan_active, i) && isclr(occupied, i)) 529 break; 530 if (i == IEEE80211_CHAN_MAX) { 531 fail = arc4random() & 3; /* random 0-3 */ 532 for (i = 0; i < IEEE80211_CHAN_MAX; i++) 533 if (isset(ic->ic_chan_active, i) && fail-- == 0) 534 break; 535 } 536 ieee80211_create_ibss(ic, &ic->ic_channels[i]); 537 goto wakeup; 538 } 539 #endif 540 if (ni == NULL) { 541 DPRINTF(("no scan candidate\n")); 542 notfound: 543 544 #ifndef IEEE80211_STA_ONLY 545 if (ic->ic_opmode == IEEE80211_M_IBSS && 546 (ic->ic_flags & IEEE80211_F_IBSSON) && 547 ic->ic_des_esslen != 0) { 548 ieee80211_create_ibss(ic, ic->ic_ibss_chan); 549 goto wakeup; 550 } 551 #endif 552 /* 553 * Scan the next mode if nothing has been found. This 554 * is necessary if the device supports different 555 * incompatible modes in the same channel range, like 556 * like 11b and "pure" 11G mode. This will loop 557 * forever except for user-initiated scans. 558 */ 559 if (ieee80211_next_mode(ifp) == IEEE80211_MODE_AUTO) { 560 if (ic->ic_scan_lock & IEEE80211_SCAN_REQUEST && 561 ic->ic_scan_lock & IEEE80211_SCAN_RESUME) { 562 ic->ic_scan_lock = IEEE80211_SCAN_LOCKED; 563 /* Return from an user-initiated scan */ 564 wakeup(&ic->ic_scan_lock); 565 } else if (ic->ic_scan_lock & IEEE80211_SCAN_REQUEST) 566 goto wakeup; 567 ic->ic_scan_count++; 568 } 569 570 /* 571 * Reset the list of channels to scan and start again. 572 */ 573 ieee80211_next_scan(ifp); 574 return; 575 } 576 selbs = NULL; 577 578 for (; ni != NULL; ni = nextbs) { 579 nextbs = RB_NEXT(ieee80211_tree, &ic->ic_tree, ni); 580 if (ni->ni_fails) { 581 /* 582 * The configuration of the access points may change 583 * during my scan. So delete the entry for the AP 584 * and retry to associate if there is another beacon. 585 */ 586 if (ni->ni_fails++ > 2) 587 ieee80211_free_node(ic, ni); 588 continue; 589 } 590 if (ieee80211_match_bss(ic, ni) == 0) { 591 if (selbs == NULL) 592 selbs = ni; 593 else if (ni->ni_rssi > selbs->ni_rssi) 594 selbs = ni; 595 } 596 } 597 if (selbs == NULL) 598 goto notfound; 599 (*ic->ic_node_copy)(ic, ic->ic_bss, selbs); 600 ni = ic->ic_bss; 601 602 /* 603 * Set the erp state (mostly the slot time) to deal with 604 * the auto-select case; this should be redundant if the 605 * mode is locked. 606 */ 607 ic->ic_curmode = ieee80211_chan2mode(ic, ni->ni_chan); 608 ieee80211_reset_erp(ic); 609 610 if (ic->ic_flags & IEEE80211_F_RSNON) 611 ieee80211_choose_rsnparams(ic); 612 else if (ic->ic_flags & IEEE80211_F_WEPON) 613 ni->ni_rsncipher = IEEE80211_CIPHER_USEGROUP; 614 615 ieee80211_node_newstate(selbs, IEEE80211_STA_BSS); 616 #ifndef IEEE80211_STA_ONLY 617 if (ic->ic_opmode == IEEE80211_M_IBSS) { 618 ieee80211_fix_rate(ic, ni, IEEE80211_F_DOFRATE | 619 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 620 if (ni->ni_rates.rs_nrates == 0) 621 goto notfound; 622 ieee80211_new_state(ic, IEEE80211_S_RUN, -1); 623 } else 624 #endif 625 ieee80211_new_state(ic, IEEE80211_S_AUTH, -1); 626 627 wakeup: 628 if (ic->ic_scan_lock & IEEE80211_SCAN_REQUEST) { 629 /* Return from an user-initiated scan */ 630 wakeup(&ic->ic_scan_lock); 631 } 632 633 ic->ic_scan_lock = IEEE80211_SCAN_UNLOCKED; 634 } 635 636 /* 637 * Autoselect the best RSN parameters (protocol, AKMP, pairwise cipher...) 638 * that are supported by both peers (STA mode only). 639 */ 640 void 641 ieee80211_choose_rsnparams(struct ieee80211com *ic) 642 { 643 struct ieee80211_node *ni = ic->ic_bss; 644 struct ieee80211_pmk *pmk; 645 646 /* filter out unsupported protocol versions */ 647 ni->ni_rsnprotos &= ic->ic_rsnprotos; 648 /* prefer RSN (aka WPA2) over WPA */ 649 if (ni->ni_rsnprotos & IEEE80211_PROTO_RSN) 650 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 651 else 652 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 653 654 /* filter out unsupported AKMPs */ 655 ni->ni_rsnakms &= ic->ic_rsnakms; 656 /* prefer SHA-256 based AKMPs */ 657 if ((ic->ic_flags & IEEE80211_F_PSK) && (ni->ni_rsnakms & 658 (IEEE80211_AKM_PSK | IEEE80211_AKM_SHA256_PSK))) { 659 /* AP supports PSK AKMP and a PSK is configured */ 660 if (ni->ni_rsnakms & IEEE80211_AKM_SHA256_PSK) 661 ni->ni_rsnakms = IEEE80211_AKM_SHA256_PSK; 662 else 663 ni->ni_rsnakms = IEEE80211_AKM_PSK; 664 } else { 665 if (ni->ni_rsnakms & IEEE80211_AKM_SHA256_8021X) 666 ni->ni_rsnakms = IEEE80211_AKM_SHA256_8021X; 667 else 668 ni->ni_rsnakms = IEEE80211_AKM_8021X; 669 /* check if we have a cached PMK for this AP */ 670 if (ni->ni_rsnprotos == IEEE80211_PROTO_RSN && 671 (pmk = ieee80211_pmksa_find(ic, ni, NULL)) != NULL) { 672 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 673 IEEE80211_PMKID_LEN); 674 ni->ni_flags |= IEEE80211_NODE_PMKID; 675 } 676 } 677 678 /* filter out unsupported pairwise ciphers */ 679 ni->ni_rsnciphers &= ic->ic_rsnciphers; 680 /* prefer CCMP over TKIP */ 681 if (ni->ni_rsnciphers & IEEE80211_CIPHER_CCMP) 682 ni->ni_rsnciphers = IEEE80211_CIPHER_CCMP; 683 else 684 ni->ni_rsnciphers = IEEE80211_CIPHER_TKIP; 685 ni->ni_rsncipher = ni->ni_rsnciphers; 686 687 /* use MFP if we both support it */ 688 if ((ic->ic_caps & IEEE80211_C_MFP) && 689 (ni->ni_rsncaps & IEEE80211_RSNCAP_MFPC)) 690 ni->ni_flags |= IEEE80211_NODE_MFP; 691 } 692 693 int 694 ieee80211_get_rate(struct ieee80211com *ic) 695 { 696 u_int8_t (*rates)[IEEE80211_RATE_MAXSIZE]; 697 int rate; 698 699 rates = &ic->ic_bss->ni_rates.rs_rates; 700 701 if (ic->ic_fixed_rate != -1) 702 rate = (*rates)[ic->ic_fixed_rate]; 703 else if (ic->ic_state == IEEE80211_S_RUN) 704 rate = (*rates)[ic->ic_bss->ni_txrate]; 705 else 706 rate = 0; 707 708 return rate & IEEE80211_RATE_VAL; 709 } 710 711 struct ieee80211_node * 712 ieee80211_node_alloc(struct ieee80211com *ic) 713 { 714 return malloc(sizeof(struct ieee80211_node), M_80211_NODE, 715 M_NOWAIT | M_ZERO); 716 } 717 718 void 719 ieee80211_node_cleanup(struct ieee80211com *ic, struct ieee80211_node *ni) 720 { 721 if (ni->ni_rsnie != NULL) { 722 free(ni->ni_rsnie, M_DEVBUF); 723 ni->ni_rsnie = NULL; 724 } 725 } 726 727 void 728 ieee80211_node_free(struct ieee80211com *ic, struct ieee80211_node *ni) 729 { 730 ieee80211_node_cleanup(ic, ni); 731 free(ni, M_80211_NODE); 732 } 733 734 void 735 ieee80211_node_copy(struct ieee80211com *ic, 736 struct ieee80211_node *dst, const struct ieee80211_node *src) 737 { 738 ieee80211_node_cleanup(ic, dst); 739 *dst = *src; 740 dst->ni_rsnie = NULL; 741 if (src->ni_rsnie != NULL) 742 ieee80211_save_ie(src->ni_rsnie, &dst->ni_rsnie); 743 } 744 745 u_int8_t 746 ieee80211_node_getrssi(struct ieee80211com *ic, 747 const struct ieee80211_node *ni) 748 { 749 return ni->ni_rssi; 750 } 751 752 void 753 ieee80211_setup_node(struct ieee80211com *ic, 754 struct ieee80211_node *ni, const u_int8_t *macaddr) 755 { 756 int s; 757 758 DPRINTF(("%s\n", ether_sprintf((u_int8_t *)macaddr))); 759 IEEE80211_ADDR_COPY(ni->ni_macaddr, macaddr); 760 ieee80211_node_newstate(ni, IEEE80211_STA_CACHE); 761 762 ni->ni_ic = ic; /* back-pointer */ 763 #ifndef IEEE80211_STA_ONLY 764 IFQ_SET_MAXLEN(&ni->ni_savedq, IEEE80211_PS_MAX_QUEUE); 765 timeout_set(&ni->ni_eapol_to, ieee80211_eapol_timeout, ni); 766 timeout_set(&ni->ni_sa_query_to, ieee80211_sa_query_timeout, ni); 767 #endif 768 769 /* 770 * Note we don't enable the inactive timer when acting 771 * as a station. Nodes created in this mode represent 772 * AP's identified while scanning. If we time them out 773 * then several things happen: we can't return the data 774 * to users to show the list of AP's we encountered, and 775 * more importantly, we'll incorrectly deauthenticate 776 * ourself because the inactivity timer will kick us off. 777 */ 778 s = splnet(); 779 if (ic->ic_opmode != IEEE80211_M_STA && 780 RB_EMPTY(&ic->ic_tree)) 781 ic->ic_inact_timer = IEEE80211_INACT_WAIT; 782 RB_INSERT(ieee80211_tree, &ic->ic_tree, ni); 783 splx(s); 784 } 785 786 struct ieee80211_node * 787 ieee80211_alloc_node(struct ieee80211com *ic, const u_int8_t *macaddr) 788 { 789 struct ieee80211_node *ni = ieee80211_alloc_node_helper(ic); 790 if (ni != NULL) 791 ieee80211_setup_node(ic, ni, macaddr); 792 else 793 ic->ic_stats.is_rx_nodealloc++; 794 return ni; 795 } 796 797 struct ieee80211_node * 798 ieee80211_dup_bss(struct ieee80211com *ic, const u_int8_t *macaddr) 799 { 800 struct ieee80211_node *ni = ieee80211_alloc_node_helper(ic); 801 if (ni != NULL) { 802 ieee80211_setup_node(ic, ni, macaddr); 803 /* 804 * Inherit from ic_bss. 805 */ 806 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_bss->ni_bssid); 807 ni->ni_chan = ic->ic_bss->ni_chan; 808 } else 809 ic->ic_stats.is_rx_nodealloc++; 810 return ni; 811 } 812 813 struct ieee80211_node * 814 ieee80211_find_node(struct ieee80211com *ic, const u_int8_t *macaddr) 815 { 816 struct ieee80211_node *ni; 817 int cmp; 818 819 /* similar to RB_FIND except we compare keys, not nodes */ 820 ni = RB_ROOT(&ic->ic_tree); 821 while (ni != NULL) { 822 cmp = memcmp(macaddr, ni->ni_macaddr, IEEE80211_ADDR_LEN); 823 if (cmp < 0) 824 ni = RB_LEFT(ni, ni_node); 825 else if (cmp > 0) 826 ni = RB_RIGHT(ni, ni_node); 827 else 828 break; 829 } 830 return ni; 831 } 832 833 /* 834 * Return a reference to the appropriate node for sending 835 * a data frame. This handles node discovery in adhoc networks. 836 * 837 * Drivers will call this, so increase the reference count before 838 * returning the node. 839 */ 840 struct ieee80211_node * 841 ieee80211_find_txnode(struct ieee80211com *ic, const u_int8_t *macaddr) 842 { 843 #ifndef IEEE80211_STA_ONLY 844 struct ieee80211_node *ni; 845 int s; 846 #endif 847 848 /* 849 * The destination address should be in the node table 850 * unless we are operating in station mode or this is a 851 * multicast/broadcast frame. 852 */ 853 if (ic->ic_opmode == IEEE80211_M_STA || IEEE80211_IS_MULTICAST(macaddr)) 854 return ieee80211_ref_node(ic->ic_bss); 855 856 #ifndef IEEE80211_STA_ONLY 857 s = splnet(); 858 ni = ieee80211_find_node(ic, macaddr); 859 splx(s); 860 if (ni == NULL) { 861 if (ic->ic_opmode != IEEE80211_M_IBSS && 862 ic->ic_opmode != IEEE80211_M_AHDEMO) 863 return NULL; 864 865 /* 866 * Fake up a node; this handles node discovery in 867 * adhoc mode. Note that for the driver's benefit 868 * we we treat this like an association so the driver 869 * has an opportunity to setup its private state. 870 * 871 * XXX need better way to handle this; issue probe 872 * request so we can deduce rate set, etc. 873 */ 874 if ((ni = ieee80211_dup_bss(ic, macaddr)) == NULL) 875 return NULL; 876 /* XXX no rate negotiation; just dup */ 877 ni->ni_rates = ic->ic_bss->ni_rates; 878 if (ic->ic_newassoc) 879 (*ic->ic_newassoc)(ic, ni, 1); 880 } 881 return ieee80211_ref_node(ni); 882 #else 883 return NULL; /* can't get there */ 884 #endif /* IEEE80211_STA_ONLY */ 885 } 886 887 /* 888 * It is usually desirable to process a Rx packet using its sender's 889 * node-record instead of the BSS record. 890 * 891 * - AP mode: keep a node-record for every authenticated/associated 892 * station *in the BSS*. For future use, we also track neighboring 893 * APs, since they might belong to the same ESS. APs in the same 894 * ESS may bridge packets to each other, forming a Wireless 895 * Distribution System (WDS). 896 * 897 * - IBSS mode: keep a node-record for every station *in the BSS*. 898 * Also track neighboring stations by their beacons/probe responses. 899 * 900 * - monitor mode: keep a node-record for every sender, regardless 901 * of BSS. 902 * 903 * - STA mode: the only available node-record is the BSS record, 904 * ic->ic_bss. 905 * 906 * Of all the 802.11 Control packets, only the node-records for 907 * RTS packets node-record can be looked up. 908 * 909 * Return non-zero if the packet's node-record is kept, zero 910 * otherwise. 911 */ 912 static __inline int 913 ieee80211_needs_rxnode(struct ieee80211com *ic, 914 const struct ieee80211_frame *wh, const u_int8_t **bssid) 915 { 916 int monitor, rc = 0; 917 918 monitor = (ic->ic_opmode == IEEE80211_M_MONITOR); 919 920 *bssid = NULL; 921 922 switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) { 923 case IEEE80211_FC0_TYPE_CTL: 924 if (!monitor) 925 break; 926 return (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == 927 IEEE80211_FC0_SUBTYPE_RTS; 928 case IEEE80211_FC0_TYPE_MGT: 929 *bssid = wh->i_addr3; 930 switch (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) { 931 case IEEE80211_FC0_SUBTYPE_BEACON: 932 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 933 rc = 1; 934 break; 935 default: 936 #ifndef IEEE80211_STA_ONLY 937 if (ic->ic_opmode == IEEE80211_M_STA) 938 break; 939 rc = IEEE80211_ADDR_EQ(*bssid, ic->ic_bss->ni_bssid) || 940 IEEE80211_ADDR_EQ(*bssid, etherbroadcastaddr); 941 #endif 942 break; 943 } 944 break; 945 case IEEE80211_FC0_TYPE_DATA: 946 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 947 case IEEE80211_FC1_DIR_NODS: 948 *bssid = wh->i_addr3; 949 #ifndef IEEE80211_STA_ONLY 950 if (ic->ic_opmode == IEEE80211_M_IBSS || 951 ic->ic_opmode == IEEE80211_M_AHDEMO) 952 rc = IEEE80211_ADDR_EQ(*bssid, 953 ic->ic_bss->ni_bssid); 954 #endif 955 break; 956 case IEEE80211_FC1_DIR_TODS: 957 *bssid = wh->i_addr1; 958 #ifndef IEEE80211_STA_ONLY 959 if (ic->ic_opmode == IEEE80211_M_HOSTAP) 960 rc = IEEE80211_ADDR_EQ(*bssid, 961 ic->ic_bss->ni_bssid); 962 #endif 963 break; 964 case IEEE80211_FC1_DIR_FROMDS: 965 case IEEE80211_FC1_DIR_DSTODS: 966 *bssid = wh->i_addr2; 967 #ifndef IEEE80211_STA_ONLY 968 rc = (ic->ic_opmode == IEEE80211_M_HOSTAP); 969 #endif 970 break; 971 } 972 break; 973 } 974 return monitor || rc; 975 } 976 977 /* 978 * Drivers call this, so increase the reference count before returning 979 * the node. 980 */ 981 struct ieee80211_node * 982 ieee80211_find_rxnode(struct ieee80211com *ic, 983 const struct ieee80211_frame *wh) 984 { 985 static const u_int8_t zero[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 986 struct ieee80211_node *ni; 987 const u_int8_t *bssid; 988 int s; 989 990 if (!ieee80211_needs_rxnode(ic, wh, &bssid)) 991 return ieee80211_ref_node(ic->ic_bss); 992 993 s = splnet(); 994 ni = ieee80211_find_node(ic, wh->i_addr2); 995 splx(s); 996 997 if (ni != NULL) 998 return ieee80211_ref_node(ni); 999 #ifndef IEEE80211_STA_ONLY 1000 if (ic->ic_opmode == IEEE80211_M_HOSTAP) 1001 return ieee80211_ref_node(ic->ic_bss); 1002 #endif 1003 /* XXX see remarks in ieee80211_find_txnode */ 1004 /* XXX no rate negotiation; just dup */ 1005 if ((ni = ieee80211_dup_bss(ic, wh->i_addr2)) == NULL) 1006 return ieee80211_ref_node(ic->ic_bss); 1007 1008 IEEE80211_ADDR_COPY(ni->ni_bssid, (bssid != NULL) ? bssid : zero); 1009 1010 ni->ni_rates = ic->ic_bss->ni_rates; 1011 if (ic->ic_newassoc) 1012 (*ic->ic_newassoc)(ic, ni, 1); 1013 1014 DPRINTF(("faked-up node %p for %s\n", ni, 1015 ether_sprintf((u_int8_t *)wh->i_addr2))); 1016 1017 return ieee80211_ref_node(ni); 1018 } 1019 1020 struct ieee80211_node * 1021 ieee80211_find_node_for_beacon(struct ieee80211com *ic, 1022 const u_int8_t *macaddr, const struct ieee80211_channel *chan, 1023 const char *ssid, u_int8_t rssi) 1024 { 1025 struct ieee80211_node *ni, *keep = NULL; 1026 int s, score = 0; 1027 1028 if ((ni = ieee80211_find_node(ic, macaddr)) != NULL) { 1029 s = splnet(); 1030 1031 if (ni->ni_chan != chan && ni->ni_rssi >= rssi) 1032 score++; 1033 if (ssid[1] == 0 && ni->ni_esslen != 0) 1034 score++; 1035 if (score > 0) 1036 keep = ni; 1037 1038 splx(s); 1039 } 1040 1041 return (keep); 1042 } 1043 1044 void 1045 ieee80211_free_node(struct ieee80211com *ic, struct ieee80211_node *ni) 1046 { 1047 if (ni == ic->ic_bss) 1048 panic("freeing bss node"); 1049 1050 DPRINTF(("%s\n", ether_sprintf(ni->ni_macaddr))); 1051 #ifndef IEEE80211_STA_ONLY 1052 timeout_del(&ni->ni_eapol_to); 1053 timeout_del(&ni->ni_sa_query_to); 1054 IEEE80211_AID_CLR(ni->ni_associd, ic->ic_aid_bitmap); 1055 #endif 1056 RB_REMOVE(ieee80211_tree, &ic->ic_tree, ni); 1057 ic->ic_nnodes--; 1058 #ifndef IEEE80211_STA_ONLY 1059 if (!IF_IS_EMPTY(&ni->ni_savedq)) { 1060 IF_PURGE(&ni->ni_savedq); 1061 if (ic->ic_set_tim != NULL) 1062 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 1063 } 1064 #endif 1065 if (RB_EMPTY(&ic->ic_tree)) 1066 ic->ic_inact_timer = 0; 1067 (*ic->ic_node_free)(ic, ni); 1068 /* TBD indicate to drivers that a new node can be allocated */ 1069 } 1070 1071 void 1072 ieee80211_release_node(struct ieee80211com *ic, struct ieee80211_node *ni) 1073 { 1074 int s; 1075 1076 DPRINTF(("%s refcnt %d\n", ether_sprintf(ni->ni_macaddr), 1077 ni->ni_refcnt)); 1078 if (ieee80211_node_decref(ni) == 0 && 1079 ni->ni_state == IEEE80211_STA_COLLECT) { 1080 s = splnet(); 1081 ieee80211_free_node(ic, ni); 1082 splx(s); 1083 } 1084 } 1085 1086 void 1087 ieee80211_free_allnodes(struct ieee80211com *ic) 1088 { 1089 struct ieee80211_node *ni; 1090 int s; 1091 1092 DPRINTF(("freeing all nodes\n")); 1093 s = splnet(); 1094 while ((ni = RB_MIN(ieee80211_tree, &ic->ic_tree)) != NULL) 1095 ieee80211_free_node(ic, ni); 1096 splx(s); 1097 1098 if (ic->ic_bss != NULL) 1099 ieee80211_node_cleanup(ic, ic->ic_bss); /* for station mode */ 1100 } 1101 1102 /* 1103 * Timeout inactive nodes. 1104 */ 1105 void 1106 ieee80211_clean_nodes(struct ieee80211com *ic) 1107 { 1108 struct ieee80211_node *ni, *next_ni; 1109 u_int gen = ic->ic_scangen++; /* NB: ok 'cuz single-threaded*/ 1110 int s; 1111 1112 s = splnet(); 1113 for (ni = RB_MIN(ieee80211_tree, &ic->ic_tree); 1114 ni != NULL; ni = next_ni) { 1115 next_ni = RB_NEXT(ieee80211_tree, &ic->ic_tree, ni); 1116 if (ic->ic_nnodes <= ic->ic_max_nnodes) 1117 break; 1118 if (ni->ni_scangen == gen) /* previously handled */ 1119 continue; 1120 ni->ni_scangen = gen; 1121 if (ni->ni_refcnt > 0) 1122 continue; 1123 DPRINTF(("station %s purged from LRU cache\n", 1124 ether_sprintf(ni->ni_macaddr))); 1125 /* 1126 * Send a deauthenticate frame. 1127 */ 1128 #ifndef IEEE80211_STA_ONLY 1129 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1130 splx(s); 1131 IEEE80211_SEND_MGMT(ic, ni, 1132 IEEE80211_FC0_SUBTYPE_DEAUTH, 1133 IEEE80211_REASON_AUTH_EXPIRE); 1134 s = splnet(); 1135 ieee80211_node_leave(ic, ni); 1136 } else 1137 #endif 1138 ieee80211_free_node(ic, ni); 1139 ic->ic_stats.is_node_timeout++; 1140 } 1141 splx(s); 1142 } 1143 1144 void 1145 ieee80211_iterate_nodes(struct ieee80211com *ic, ieee80211_iter_func *f, 1146 void *arg) 1147 { 1148 struct ieee80211_node *ni; 1149 int s; 1150 1151 s = splnet(); 1152 RB_FOREACH(ni, ieee80211_tree, &ic->ic_tree) 1153 (*f)(arg, ni); 1154 splx(s); 1155 } 1156 1157 /* 1158 * Install received rate set information in the node's state block. 1159 */ 1160 int 1161 ieee80211_setup_rates(struct ieee80211com *ic, struct ieee80211_node *ni, 1162 const u_int8_t *rates, const u_int8_t *xrates, int flags) 1163 { 1164 struct ieee80211_rateset *rs = &ni->ni_rates; 1165 1166 memset(rs, 0, sizeof(*rs)); 1167 rs->rs_nrates = rates[1]; 1168 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 1169 if (xrates != NULL) { 1170 u_int8_t nxrates; 1171 /* 1172 * Tack on 11g extended supported rate element. 1173 */ 1174 nxrates = xrates[1]; 1175 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 1176 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 1177 DPRINTF(("extended rate set too large; " 1178 "only using %u of %u rates\n", 1179 nxrates, xrates[1])); 1180 ic->ic_stats.is_rx_rstoobig++; 1181 } 1182 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 1183 rs->rs_nrates += nxrates; 1184 } 1185 return ieee80211_fix_rate(ic, ni, flags); 1186 } 1187 1188 #ifndef IEEE80211_STA_ONLY 1189 /* 1190 * Check if the specified node supports ERP. 1191 */ 1192 int 1193 ieee80211_iserp_sta(const struct ieee80211_node *ni) 1194 { 1195 #define N(a) (sizeof (a) / sizeof (a)[0]) 1196 static const u_int8_t rates[] = { 2, 4, 11, 22, 12, 24, 48 }; 1197 const struct ieee80211_rateset *rs = &ni->ni_rates; 1198 int i, j; 1199 1200 /* 1201 * A STA supports ERP operation if it includes all the Clause 19 1202 * mandatory rates in its supported rate set. 1203 */ 1204 for (i = 0; i < N(rates); i++) { 1205 for (j = 0; j < rs->rs_nrates; j++) { 1206 if ((rs->rs_rates[j] & IEEE80211_RATE_VAL) == rates[i]) 1207 break; 1208 } 1209 if (j == rs->rs_nrates) 1210 return 0; 1211 } 1212 return 1; 1213 #undef N 1214 } 1215 1216 /* 1217 * This function is called to notify the 802.1X PACP machine that a new 1218 * 802.1X port is enabled and must be authenticated. For 802.11, a port 1219 * becomes enabled whenever a STA successfully completes Open System 1220 * authentication with an AP. 1221 */ 1222 void 1223 ieee80211_needs_auth(struct ieee80211com *ic, struct ieee80211_node *ni) 1224 { 1225 /* 1226 * XXX this could be done via the route socket of via a dedicated 1227 * EAP socket or another kernel->userland notification mechanism. 1228 * The notification should include the MAC address (ni_macaddr). 1229 */ 1230 } 1231 1232 #ifndef IEEE80211_NO_HT 1233 /* 1234 * Handle an HT STA joining an HT network. 1235 */ 1236 void 1237 ieee80211_node_join_ht(struct ieee80211com *ic, struct ieee80211_node *ni) 1238 { 1239 /* TBD */ 1240 } 1241 #endif /* !IEEE80211_NO_HT */ 1242 1243 /* 1244 * Handle a station joining an RSN network. 1245 */ 1246 void 1247 ieee80211_node_join_rsn(struct ieee80211com *ic, struct ieee80211_node *ni) 1248 { 1249 DPRINTF(("station %s associated using proto %d akm 0x%x " 1250 "cipher 0x%x groupcipher 0x%x\n", ether_sprintf(ni->ni_macaddr), 1251 ni->ni_rsnprotos, ni->ni_rsnakms, ni->ni_rsnciphers, 1252 ni->ni_rsngroupcipher)); 1253 1254 ni->ni_rsn_state = RSNA_AUTHENTICATION; 1255 ic->ic_rsnsta++; 1256 1257 ni->ni_key_count = 0; 1258 ni->ni_port_valid = 0; 1259 ni->ni_flags &= ~IEEE80211_NODE_TXRXPROT; 1260 ni->ni_replaycnt = -1; /* XXX */ 1261 ni->ni_rsn_retries = 0; 1262 ni->ni_rsncipher = ni->ni_rsnciphers; 1263 1264 ni->ni_rsn_state = RSNA_AUTHENTICATION_2; 1265 1266 /* generate a new authenticator nonce (ANonce) */ 1267 arc4random_buf(ni->ni_nonce, EAPOL_KEY_NONCE_LEN); 1268 1269 if (!ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 1270 memcpy(ni->ni_pmk, ic->ic_psk, IEEE80211_PMK_LEN); 1271 ni->ni_flags |= IEEE80211_NODE_PMK; 1272 (void)ieee80211_send_4way_msg1(ic, ni); 1273 } else if (ni->ni_flags & IEEE80211_NODE_PMK) { 1274 /* skip 802.1X auth if a cached PMK was found */ 1275 (void)ieee80211_send_4way_msg1(ic, ni); 1276 } else { 1277 /* no cached PMK found, needs full 802.1X auth */ 1278 ieee80211_needs_auth(ic, ni); 1279 } 1280 } 1281 1282 /* 1283 * Handle a station joining an 11g network. 1284 */ 1285 void 1286 ieee80211_node_join_11g(struct ieee80211com *ic, struct ieee80211_node *ni) 1287 { 1288 if (!(ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 1289 /* 1290 * Joining STA doesn't support short slot time. We must 1291 * disable the use of short slot time for all other associated 1292 * STAs and give the driver a chance to reconfigure the 1293 * hardware. 1294 */ 1295 if (++ic->ic_longslotsta == 1) { 1296 if (ic->ic_caps & IEEE80211_C_SHSLOT) 1297 ieee80211_set_shortslottime(ic, 0); 1298 } 1299 DPRINTF(("[%s] station needs long slot time, count %d\n", 1300 ether_sprintf(ni->ni_macaddr), ic->ic_longslotsta)); 1301 } 1302 1303 if (!ieee80211_iserp_sta(ni)) { 1304 /* 1305 * Joining STA is non-ERP. 1306 */ 1307 ic->ic_nonerpsta++; 1308 1309 DPRINTF(("[%s] station is non-ERP, %d non-ERP " 1310 "stations associated\n", ether_sprintf(ni->ni_macaddr), 1311 ic->ic_nonerpsta)); 1312 1313 /* must enable the use of protection */ 1314 if (ic->ic_protmode != IEEE80211_PROT_NONE) { 1315 DPRINTF(("enable use of protection\n")); 1316 ic->ic_flags |= IEEE80211_F_USEPROT; 1317 } 1318 1319 if (!(ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 1320 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 1321 } else 1322 ni->ni_flags |= IEEE80211_NODE_ERP; 1323 } 1324 1325 void 1326 ieee80211_node_join(struct ieee80211com *ic, struct ieee80211_node *ni, 1327 int resp) 1328 { 1329 int newassoc; 1330 1331 if (ni->ni_associd == 0) { 1332 u_int16_t aid; 1333 1334 /* 1335 * It would be clever to search the bitmap 1336 * more efficiently, but this will do for now. 1337 */ 1338 for (aid = 1; aid < ic->ic_max_aid; aid++) { 1339 if (!IEEE80211_AID_ISSET(aid, 1340 ic->ic_aid_bitmap)) 1341 break; 1342 } 1343 if (aid >= ic->ic_max_aid) { 1344 IEEE80211_SEND_MGMT(ic, ni, resp, 1345 IEEE80211_REASON_ASSOC_TOOMANY); 1346 ieee80211_node_leave(ic, ni); 1347 return; 1348 } 1349 ni->ni_associd = aid | 0xc000; 1350 IEEE80211_AID_SET(ni->ni_associd, ic->ic_aid_bitmap); 1351 newassoc = 1; 1352 if (ic->ic_curmode == IEEE80211_MODE_11G) 1353 ieee80211_node_join_11g(ic, ni); 1354 } else 1355 newassoc = 0; 1356 1357 DPRINTF(("station %s %s associated at aid %d\n", 1358 ether_sprintf(ni->ni_macaddr), newassoc ? "newly" : "already", 1359 ni->ni_associd & ~0xc000)); 1360 1361 /* give driver a chance to setup state like ni_txrate */ 1362 if (ic->ic_newassoc) 1363 (*ic->ic_newassoc)(ic, ni, newassoc); 1364 IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_SUCCESS); 1365 ieee80211_node_newstate(ni, IEEE80211_STA_ASSOC); 1366 1367 if (!(ic->ic_flags & IEEE80211_F_RSNON)) { 1368 ni->ni_port_valid = 1; 1369 ni->ni_rsncipher = IEEE80211_CIPHER_USEGROUP; 1370 } else 1371 ieee80211_node_join_rsn(ic, ni); 1372 1373 #ifndef IEEE80211_NO_HT 1374 if (ni->ni_flags & IEEE80211_NODE_HT) 1375 ieee80211_node_join_ht(ic, ni); 1376 #endif 1377 1378 #if NBRIDGE > 0 1379 /* 1380 * If the parent interface belongs to a bridge, learn 1381 * the node's address dynamically on this interface. 1382 */ 1383 if (ic->ic_if.if_bridge != NULL) 1384 bridge_update(&ic->ic_if, 1385 (struct ether_addr *)ni->ni_macaddr, 0); 1386 #endif 1387 } 1388 1389 #ifndef IEEE80211_NO_HT 1390 /* 1391 * Handle an HT STA leaving an HT network. 1392 */ 1393 void 1394 ieee80211_node_leave_ht(struct ieee80211com *ic, struct ieee80211_node *ni) 1395 { 1396 struct ieee80211_rx_ba *ba; 1397 u_int8_t tid; 1398 int i; 1399 1400 /* free all Block Ack records */ 1401 for (tid = 0; tid < IEEE80211_NUM_TID; tid++) { 1402 ba = &ni->ni_rx_ba[tid]; 1403 if (ba->ba_buf != NULL) { 1404 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 1405 if (ba->ba_buf[i].m != NULL) 1406 m_freem(ba->ba_buf[i].m); 1407 free(ba->ba_buf, M_DEVBUF); 1408 ba->ba_buf = NULL; 1409 } 1410 } 1411 } 1412 #endif /* !IEEE80211_NO_HT */ 1413 1414 /* 1415 * Handle a station leaving an RSN network. 1416 */ 1417 void 1418 ieee80211_node_leave_rsn(struct ieee80211com *ic, struct ieee80211_node *ni) 1419 { 1420 ni->ni_rsn_state = RSNA_DISCONNECTED; 1421 ic->ic_rsnsta--; 1422 1423 ni->ni_rsn_state = RSNA_INITIALIZE; 1424 if ((ni->ni_flags & IEEE80211_NODE_REKEY) && 1425 --ic->ic_rsn_keydonesta == 0) 1426 ieee80211_setkeysdone(ic); 1427 ni->ni_flags &= ~IEEE80211_NODE_REKEY; 1428 1429 ni->ni_flags &= ~IEEE80211_NODE_PMK; 1430 ni->ni_rsn_gstate = RSNA_IDLE; 1431 1432 #ifndef IEEE80211_STA_ONLY 1433 timeout_del(&ni->ni_eapol_to); 1434 timeout_del(&ni->ni_sa_query_to); 1435 #endif 1436 ni->ni_rsn_retries = 0; 1437 ni->ni_flags &= ~IEEE80211_NODE_TXRXPROT; 1438 ni->ni_port_valid = 0; 1439 (*ic->ic_delete_key)(ic, ni, &ni->ni_pairwise_key); 1440 } 1441 1442 /* 1443 * Handle a station leaving an 11g network. 1444 */ 1445 void 1446 ieee80211_node_leave_11g(struct ieee80211com *ic, struct ieee80211_node *ni) 1447 { 1448 if (!(ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 1449 #ifdef DIAGNOSTIC 1450 if (ic->ic_longslotsta == 0) { 1451 panic("bogus long slot station count %d", 1452 ic->ic_longslotsta); 1453 } 1454 #endif 1455 /* leaving STA did not support short slot time */ 1456 if (--ic->ic_longslotsta == 0) { 1457 /* 1458 * All associated STAs now support short slot time, so 1459 * enable this feature and give the driver a chance to 1460 * reconfigure the hardware. Notice that IBSS always 1461 * use a long slot time. 1462 */ 1463 if ((ic->ic_caps & IEEE80211_C_SHSLOT) && 1464 ic->ic_opmode != IEEE80211_M_IBSS) 1465 ieee80211_set_shortslottime(ic, 1); 1466 } 1467 DPRINTF(("[%s] long slot time station leaves, count %d\n", 1468 ether_sprintf(ni->ni_macaddr), ic->ic_longslotsta)); 1469 } 1470 1471 if (!(ni->ni_flags & IEEE80211_NODE_ERP)) { 1472 #ifdef DIAGNOSTIC 1473 if (ic->ic_nonerpsta == 0) { 1474 panic("bogus non-ERP station count %d\n", 1475 ic->ic_nonerpsta); 1476 } 1477 #endif 1478 /* leaving STA was non-ERP */ 1479 if (--ic->ic_nonerpsta == 0) { 1480 /* 1481 * All associated STAs are now ERP capable, disable use 1482 * of protection and re-enable short preamble support. 1483 */ 1484 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1485 if (ic->ic_caps & IEEE80211_C_SHPREAMBLE) 1486 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 1487 } 1488 DPRINTF(("[%s] non-ERP station leaves, count %d\n", 1489 ether_sprintf(ni->ni_macaddr), ic->ic_nonerpsta)); 1490 } 1491 } 1492 1493 /* 1494 * Handle bookkeeping for station deauthentication/disassociation 1495 * when operating as an ap. 1496 */ 1497 void 1498 ieee80211_node_leave(struct ieee80211com *ic, struct ieee80211_node *ni) 1499 { 1500 if (ic->ic_opmode != IEEE80211_M_HOSTAP) 1501 panic("not in ap mode, mode %u", ic->ic_opmode); 1502 /* 1503 * If node wasn't previously associated all 1504 * we need to do is reclaim the reference. 1505 */ 1506 if (ni->ni_associd == 0) 1507 return; 1508 IEEE80211_AID_CLR(ni->ni_associd, ic->ic_aid_bitmap); 1509 ni->ni_associd = 0; 1510 1511 if (ni->ni_pwrsave == IEEE80211_PS_DOZE) 1512 ic->ic_pssta--; 1513 1514 if (ic->ic_flags & IEEE80211_F_RSNON) 1515 ieee80211_node_leave_rsn(ic, ni); 1516 1517 if (ic->ic_curmode == IEEE80211_MODE_11G) 1518 ieee80211_node_leave_11g(ic, ni); 1519 1520 #ifndef IEEE80211_NO_HT 1521 if (ni->ni_flags & IEEE80211_NODE_HT) 1522 ieee80211_node_leave_ht(ic, ni); 1523 #endif 1524 1525 ieee80211_node_newstate(ni, IEEE80211_STA_COLLECT); 1526 1527 #if NBRIDGE > 0 1528 /* 1529 * If the parent interface belongs to a bridge, delete 1530 * any dynamically learned address for this node. 1531 */ 1532 if (ic->ic_if.if_bridge != NULL) 1533 bridge_update(&ic->ic_if, 1534 (struct ether_addr *)ni->ni_macaddr, 1); 1535 #endif 1536 } 1537 1538 static int 1539 ieee80211_do_slow_print(struct ieee80211com *ic, int *did_print) 1540 { 1541 static const struct timeval merge_print_intvl = { 1542 .tv_sec = 1, .tv_usec = 0 1543 }; 1544 if ((ic->ic_if.if_flags & IFF_LINK0) == 0) 1545 return 0; 1546 if (!*did_print && (ic->ic_if.if_flags & IFF_DEBUG) == 0 && 1547 !ratecheck(&ic->ic_last_merge_print, &merge_print_intvl)) 1548 return 0; 1549 1550 *did_print = 1; 1551 return 1; 1552 } 1553 1554 /* ieee80211_ibss_merge helps merge 802.11 ad hoc networks. The 1555 * convention, set by the Wireless Ethernet Compatibility Alliance 1556 * (WECA), is that an 802.11 station will change its BSSID to match 1557 * the "oldest" 802.11 ad hoc network, on the same channel, that 1558 * has the station's desired SSID. The "oldest" 802.11 network 1559 * sends beacons with the greatest TSF timestamp. 1560 * 1561 * Return ENETRESET if the BSSID changed, 0 otherwise. 1562 * 1563 * XXX Perhaps we should compensate for the time that elapses 1564 * between the MAC receiving the beacon and the host processing it 1565 * in ieee80211_ibss_merge. 1566 */ 1567 int 1568 ieee80211_ibss_merge(struct ieee80211com *ic, struct ieee80211_node *ni, 1569 u_int64_t local_tsft) 1570 { 1571 u_int64_t beacon_tsft; 1572 int did_print = 0, sign; 1573 union { 1574 u_int64_t word; 1575 u_int8_t tstamp[8]; 1576 } u; 1577 1578 /* ensure alignment */ 1579 (void)memcpy(&u, &ni->ni_tstamp[0], sizeof(u)); 1580 beacon_tsft = letoh64(u.word); 1581 1582 /* we are faster, let the other guy catch up */ 1583 if (beacon_tsft < local_tsft) 1584 sign = -1; 1585 else 1586 sign = 1; 1587 1588 if (IEEE80211_ADDR_EQ(ni->ni_bssid, ic->ic_bss->ni_bssid)) { 1589 if (!ieee80211_do_slow_print(ic, &did_print)) 1590 return 0; 1591 printf("%s: tsft offset %s%llu\n", ic->ic_if.if_xname, 1592 (sign < 0) ? "-" : "", 1593 (sign < 0) 1594 ? (local_tsft - beacon_tsft) 1595 : (beacon_tsft - local_tsft)); 1596 return 0; 1597 } 1598 1599 if (sign < 0) 1600 return 0; 1601 1602 if (ieee80211_match_bss(ic, ni) != 0) 1603 return 0; 1604 1605 if (ieee80211_do_slow_print(ic, &did_print)) { 1606 printf("%s: ieee80211_ibss_merge: bssid mismatch %s\n", 1607 ic->ic_if.if_xname, ether_sprintf(ni->ni_bssid)); 1608 printf("%s: my tsft %llu beacon tsft %llu\n", 1609 ic->ic_if.if_xname, local_tsft, beacon_tsft); 1610 printf("%s: sync TSF with %s\n", 1611 ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr)); 1612 } 1613 1614 ic->ic_flags &= ~IEEE80211_F_SIBSS; 1615 1616 /* negotiate rates with new IBSS */ 1617 ieee80211_fix_rate(ic, ni, IEEE80211_F_DOFRATE | 1618 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1619 if (ni->ni_rates.rs_nrates == 0) { 1620 if (ieee80211_do_slow_print(ic, &did_print)) { 1621 printf("%s: rates mismatch, BSSID %s\n", 1622 ic->ic_if.if_xname, ether_sprintf(ni->ni_bssid)); 1623 } 1624 return 0; 1625 } 1626 1627 if (ieee80211_do_slow_print(ic, &did_print)) { 1628 printf("%s: sync BSSID %s -> ", 1629 ic->ic_if.if_xname, ether_sprintf(ic->ic_bss->ni_bssid)); 1630 printf("%s ", ether_sprintf(ni->ni_bssid)); 1631 printf("(from %s)\n", ether_sprintf(ni->ni_macaddr)); 1632 } 1633 1634 ieee80211_node_newstate(ni, IEEE80211_STA_BSS); 1635 (*ic->ic_node_copy)(ic, ic->ic_bss, ni); 1636 1637 return ENETRESET; 1638 } 1639 1640 void 1641 ieee80211_set_tim(struct ieee80211com *ic, int aid, int set) 1642 { 1643 if (set) 1644 setbit(ic->ic_tim_bitmap, aid & ~0xc000); 1645 else 1646 clrbit(ic->ic_tim_bitmap, aid & ~0xc000); 1647 } 1648 1649 /* 1650 * This function shall be called by drivers immediately after every DTIM. 1651 * Transmit all group addressed MSDUs buffered at the AP. 1652 */ 1653 void 1654 ieee80211_notify_dtim(struct ieee80211com *ic) 1655 { 1656 /* NB: group addressed MSDUs are buffered in ic_bss */ 1657 struct ieee80211_node *ni = ic->ic_bss; 1658 struct ifnet *ifp = &ic->ic_if; 1659 struct ieee80211_frame *wh; 1660 struct mbuf *m; 1661 1662 KASSERT(ic->ic_opmode == IEEE80211_M_HOSTAP); 1663 1664 for (;;) { 1665 IF_DEQUEUE(&ni->ni_savedq, m); 1666 if (m == NULL) 1667 break; 1668 if (!IF_IS_EMPTY(&ni->ni_savedq)) { 1669 /* more queued frames, set the more data bit */ 1670 wh = mtod(m, struct ieee80211_frame *); 1671 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 1672 } 1673 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 1674 (*ifp->if_start)(ifp); 1675 } 1676 /* XXX assumes everything has been sent */ 1677 ic->ic_tim_mcast_pending = 0; 1678 } 1679 #endif /* IEEE80211_STA_ONLY */ 1680 1681 /* 1682 * Compare nodes in the tree by lladdr 1683 */ 1684 int 1685 ieee80211_node_cmp(const struct ieee80211_node *b1, 1686 const struct ieee80211_node *b2) 1687 { 1688 return (memcmp(b1->ni_macaddr, b2->ni_macaddr, IEEE80211_ADDR_LEN)); 1689 } 1690 1691 /* 1692 * Generate red-black tree function logic 1693 */ 1694 RB_GENERATE(ieee80211_tree, ieee80211_node, ni_node, ieee80211_node_cmp); 1695