1 /* $OpenBSD: ieee80211_node.c,v 1.126 2018/02/06 22:14:52 phessler Exp $ */ 2 /* $NetBSD: ieee80211_node.c,v 1.14 2004/05/09 09:18:47 dyoung Exp $ */ 3 4 /*- 5 * Copyright (c) 2001 Atsushi Onoe 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * Copyright (c) 2008 Damien Bergamini 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "bridge.h" 34 35 #include <sys/param.h> 36 #include <sys/systm.h> 37 #include <sys/mbuf.h> 38 #include <sys/malloc.h> 39 #include <sys/kernel.h> 40 #include <sys/socket.h> 41 #include <sys/sockio.h> 42 #include <sys/endian.h> 43 #include <sys/errno.h> 44 #include <sys/sysctl.h> 45 #include <sys/tree.h> 46 47 #include <net/if.h> 48 #include <net/if_dl.h> 49 #include <net/if_media.h> 50 51 #include <netinet/in.h> 52 #include <netinet/if_ether.h> 53 54 #if NBRIDGE > 0 55 #include <net/if_bridge.h> 56 #endif 57 58 #include <net80211/ieee80211_var.h> 59 #include <net80211/ieee80211_priv.h> 60 61 struct ieee80211_node *ieee80211_node_alloc(struct ieee80211com *); 62 void ieee80211_node_free(struct ieee80211com *, struct ieee80211_node *); 63 void ieee80211_node_copy(struct ieee80211com *, struct ieee80211_node *, 64 const struct ieee80211_node *); 65 void ieee80211_choose_rsnparams(struct ieee80211com *); 66 u_int8_t ieee80211_node_getrssi(struct ieee80211com *, 67 const struct ieee80211_node *); 68 int ieee80211_node_checkrssi(struct ieee80211com *, 69 const struct ieee80211_node *); 70 void ieee80211_setup_node(struct ieee80211com *, struct ieee80211_node *, 71 const u_int8_t *); 72 void ieee80211_free_node(struct ieee80211com *, struct ieee80211_node *); 73 void ieee80211_ba_del(struct ieee80211_node *); 74 struct ieee80211_node *ieee80211_alloc_node_helper(struct ieee80211com *); 75 void ieee80211_node_cleanup(struct ieee80211com *, struct ieee80211_node *); 76 void ieee80211_node_switch_bss(struct ieee80211com *, struct ieee80211_node *); 77 void ieee80211_node_join_bss(struct ieee80211com *, struct ieee80211_node *); 78 void ieee80211_needs_auth(struct ieee80211com *, struct ieee80211_node *); 79 #ifndef IEEE80211_STA_ONLY 80 void ieee80211_node_join_ht(struct ieee80211com *, struct ieee80211_node *); 81 void ieee80211_node_join_rsn(struct ieee80211com *, struct ieee80211_node *); 82 void ieee80211_node_join_11g(struct ieee80211com *, struct ieee80211_node *); 83 void ieee80211_node_leave_ht(struct ieee80211com *, struct ieee80211_node *); 84 void ieee80211_node_leave_rsn(struct ieee80211com *, struct ieee80211_node *); 85 void ieee80211_node_leave_11g(struct ieee80211com *, struct ieee80211_node *); 86 void ieee80211_inact_timeout(void *); 87 void ieee80211_node_cache_timeout(void *); 88 #endif 89 90 #ifndef IEEE80211_STA_ONLY 91 void 92 ieee80211_inact_timeout(void *arg) 93 { 94 struct ieee80211com *ic = arg; 95 struct ieee80211_node *ni, *next_ni; 96 int s; 97 98 s = splnet(); 99 for (ni = RBT_MIN(ieee80211_tree, &ic->ic_tree); 100 ni != NULL; ni = next_ni) { 101 next_ni = RBT_NEXT(ieee80211_tree, ni); 102 if (ni->ni_refcnt > 0) 103 continue; 104 if (ni->ni_inact < IEEE80211_INACT_MAX) 105 ni->ni_inact++; 106 } 107 splx(s); 108 109 timeout_add_sec(&ic->ic_inact_timeout, IEEE80211_INACT_WAIT); 110 } 111 112 void 113 ieee80211_node_cache_timeout(void *arg) 114 { 115 struct ieee80211com *ic = arg; 116 117 ieee80211_clean_nodes(ic, 1); 118 timeout_add_sec(&ic->ic_node_cache_timeout, IEEE80211_CACHE_WAIT); 119 } 120 #endif 121 122 void 123 ieee80211_node_attach(struct ifnet *ifp) 124 { 125 struct ieee80211com *ic = (void *)ifp; 126 #ifndef IEEE80211_STA_ONLY 127 int size; 128 #endif 129 130 RBT_INIT(ieee80211_tree, &ic->ic_tree); 131 ic->ic_node_alloc = ieee80211_node_alloc; 132 ic->ic_node_free = ieee80211_node_free; 133 ic->ic_node_copy = ieee80211_node_copy; 134 ic->ic_node_getrssi = ieee80211_node_getrssi; 135 ic->ic_node_checkrssi = ieee80211_node_checkrssi; 136 ic->ic_scangen = 1; 137 ic->ic_max_nnodes = ieee80211_cache_size; 138 139 if (ic->ic_max_aid == 0) 140 ic->ic_max_aid = IEEE80211_AID_DEF; 141 else if (ic->ic_max_aid > IEEE80211_AID_MAX) 142 ic->ic_max_aid = IEEE80211_AID_MAX; 143 #ifndef IEEE80211_STA_ONLY 144 size = howmany(ic->ic_max_aid, 32) * sizeof(u_int32_t); 145 ic->ic_aid_bitmap = malloc(size, M_DEVBUF, M_NOWAIT | M_ZERO); 146 if (ic->ic_aid_bitmap == NULL) { 147 /* XXX no way to recover */ 148 printf("%s: no memory for AID bitmap!\n", __func__); 149 ic->ic_max_aid = 0; 150 } 151 if (ic->ic_caps & (IEEE80211_C_HOSTAP | IEEE80211_C_IBSS)) { 152 ic->ic_tim_len = howmany(ic->ic_max_aid, 8); 153 ic->ic_tim_bitmap = malloc(ic->ic_tim_len, M_DEVBUF, 154 M_NOWAIT | M_ZERO); 155 if (ic->ic_tim_bitmap == NULL) { 156 printf("%s: no memory for TIM bitmap!\n", __func__); 157 ic->ic_tim_len = 0; 158 } else 159 ic->ic_set_tim = ieee80211_set_tim; 160 timeout_set(&ic->ic_rsn_timeout, 161 ieee80211_gtk_rekey_timeout, ic); 162 timeout_set(&ic->ic_inact_timeout, 163 ieee80211_inact_timeout, ic); 164 timeout_set(&ic->ic_node_cache_timeout, 165 ieee80211_node_cache_timeout, ic); 166 } 167 #endif 168 } 169 170 struct ieee80211_node * 171 ieee80211_alloc_node_helper(struct ieee80211com *ic) 172 { 173 struct ieee80211_node *ni; 174 if (ic->ic_nnodes >= ic->ic_max_nnodes) 175 ieee80211_clean_nodes(ic, 0); 176 if (ic->ic_nnodes >= ic->ic_max_nnodes) 177 return NULL; 178 ni = (*ic->ic_node_alloc)(ic); 179 return ni; 180 } 181 182 void 183 ieee80211_node_lateattach(struct ifnet *ifp) 184 { 185 struct ieee80211com *ic = (void *)ifp; 186 struct ieee80211_node *ni; 187 188 ni = ieee80211_alloc_node_helper(ic); 189 if (ni == NULL) 190 panic("unable to setup inital BSS node"); 191 ni->ni_chan = IEEE80211_CHAN_ANYC; 192 ic->ic_bss = ieee80211_ref_node(ni); 193 ic->ic_txpower = IEEE80211_TXPOWER_MAX; 194 #ifndef IEEE80211_STA_ONLY 195 mq_init(&ni->ni_savedq, IEEE80211_PS_MAX_QUEUE, IPL_NET); 196 #endif 197 } 198 199 void 200 ieee80211_node_detach(struct ifnet *ifp) 201 { 202 struct ieee80211com *ic = (void *)ifp; 203 204 if (ic->ic_bss != NULL) { 205 (*ic->ic_node_free)(ic, ic->ic_bss); 206 ic->ic_bss = NULL; 207 } 208 ieee80211_free_allnodes(ic); 209 #ifndef IEEE80211_STA_ONLY 210 free(ic->ic_aid_bitmap, M_DEVBUF, 211 howmany(ic->ic_max_aid, 32) * sizeof(u_int32_t)); 212 free(ic->ic_tim_bitmap, M_DEVBUF, ic->ic_tim_len); 213 timeout_del(&ic->ic_inact_timeout); 214 timeout_del(&ic->ic_node_cache_timeout); 215 timeout_del(&ic->ic_tkip_micfail_timeout); 216 #endif 217 timeout_del(&ic->ic_rsn_timeout); 218 } 219 220 /* 221 * AP scanning support. 222 */ 223 224 /* 225 * Initialize the active channel set based on the set 226 * of available channels and the current PHY mode. 227 */ 228 void 229 ieee80211_reset_scan(struct ifnet *ifp) 230 { 231 struct ieee80211com *ic = (void *)ifp; 232 233 memcpy(ic->ic_chan_scan, ic->ic_chan_active, 234 sizeof(ic->ic_chan_active)); 235 /* NB: hack, setup so next_scan starts with the first channel */ 236 if (ic->ic_bss != NULL && ic->ic_bss->ni_chan == IEEE80211_CHAN_ANYC) 237 ic->ic_bss->ni_chan = &ic->ic_channels[IEEE80211_CHAN_MAX]; 238 } 239 240 /* 241 * Begin an active scan. 242 */ 243 void 244 ieee80211_begin_scan(struct ifnet *ifp) 245 { 246 struct ieee80211com *ic = (void *)ifp; 247 248 if (ic->ic_scan_lock & IEEE80211_SCAN_LOCKED) 249 return; 250 ic->ic_scan_lock |= IEEE80211_SCAN_LOCKED; 251 252 /* 253 * In all but hostap mode scanning starts off in 254 * an active mode before switching to passive. 255 */ 256 #ifndef IEEE80211_STA_ONLY 257 if (ic->ic_opmode != IEEE80211_M_HOSTAP) 258 #endif 259 { 260 ic->ic_flags |= IEEE80211_F_ASCAN; 261 ic->ic_stats.is_scan_active++; 262 } 263 #ifndef IEEE80211_STA_ONLY 264 else 265 ic->ic_stats.is_scan_passive++; 266 #endif 267 if (ifp->if_flags & IFF_DEBUG) 268 printf("%s: begin %s scan\n", ifp->if_xname, 269 (ic->ic_flags & IEEE80211_F_ASCAN) ? 270 "active" : "passive"); 271 272 /* 273 * Flush any previously seen AP's. Note that the latter 274 * assumes we don't act as both an AP and a station, 275 * otherwise we'll potentially flush state of stations 276 * associated with us. 277 */ 278 ieee80211_free_allnodes(ic); 279 280 /* 281 * Reset the current mode. Setting the current mode will also 282 * reset scan state. 283 */ 284 if (IFM_MODE(ic->ic_media.ifm_cur->ifm_media) == IFM_AUTO || 285 (ic->ic_caps & IEEE80211_C_SCANALLBAND)) 286 ic->ic_curmode = IEEE80211_MODE_AUTO; 287 ieee80211_setmode(ic, ic->ic_curmode); 288 289 ic->ic_scan_count = 0; 290 291 /* Scan the next channel. */ 292 ieee80211_next_scan(ifp); 293 } 294 295 /* 296 * Switch to the next channel marked for scanning. 297 */ 298 void 299 ieee80211_next_scan(struct ifnet *ifp) 300 { 301 struct ieee80211com *ic = (void *)ifp; 302 struct ieee80211_channel *chan; 303 304 chan = ic->ic_bss->ni_chan; 305 for (;;) { 306 if (++chan > &ic->ic_channels[IEEE80211_CHAN_MAX]) 307 chan = &ic->ic_channels[0]; 308 if (isset(ic->ic_chan_scan, ieee80211_chan2ieee(ic, chan))) { 309 /* 310 * Ignore channels marked passive-only 311 * during an active scan. 312 */ 313 if ((ic->ic_flags & IEEE80211_F_ASCAN) == 0 || 314 (chan->ic_flags & IEEE80211_CHAN_PASSIVE) == 0) 315 break; 316 } 317 if (chan == ic->ic_bss->ni_chan) { 318 ieee80211_end_scan(ifp); 319 return; 320 } 321 } 322 clrbit(ic->ic_chan_scan, ieee80211_chan2ieee(ic, chan)); 323 DPRINTF(("chan %d->%d\n", 324 ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan), 325 ieee80211_chan2ieee(ic, chan))); 326 ic->ic_bss->ni_chan = chan; 327 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 328 } 329 330 #ifndef IEEE80211_STA_ONLY 331 void 332 ieee80211_create_ibss(struct ieee80211com* ic, struct ieee80211_channel *chan) 333 { 334 struct ieee80211_node *ni; 335 struct ifnet *ifp = &ic->ic_if; 336 337 ni = ic->ic_bss; 338 if (ifp->if_flags & IFF_DEBUG) 339 printf("%s: creating ibss\n", ifp->if_xname); 340 ic->ic_flags |= IEEE80211_F_SIBSS; 341 ni->ni_chan = chan; 342 ni->ni_rates = ic->ic_sup_rates[ieee80211_chan2mode(ic, ni->ni_chan)]; 343 ni->ni_txrate = 0; 344 IEEE80211_ADDR_COPY(ni->ni_macaddr, ic->ic_myaddr); 345 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_myaddr); 346 if (ic->ic_opmode == IEEE80211_M_IBSS) { 347 if ((ic->ic_flags & IEEE80211_F_DESBSSID) != 0) 348 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_des_bssid); 349 else 350 ni->ni_bssid[0] |= 0x02; /* local bit for IBSS */ 351 } 352 ni->ni_esslen = ic->ic_des_esslen; 353 memcpy(ni->ni_essid, ic->ic_des_essid, ni->ni_esslen); 354 ni->ni_rssi = 0; 355 ni->ni_rstamp = 0; 356 memset(ni->ni_tstamp, 0, sizeof(ni->ni_tstamp)); 357 ni->ni_intval = ic->ic_lintval; 358 ni->ni_capinfo = IEEE80211_CAPINFO_IBSS; 359 if (ic->ic_flags & IEEE80211_F_WEPON) 360 ni->ni_capinfo |= IEEE80211_CAPINFO_PRIVACY; 361 if (ic->ic_flags & IEEE80211_F_HTON) { 362 const struct ieee80211_edca_ac_params *ac_qap; 363 struct ieee80211_edca_ac_params *ac; 364 int aci; 365 366 /* 367 * Default to non-member HT protection. This will be updated 368 * later based on the number of non-HT nodes in the node cache. 369 */ 370 ni->ni_htop1 = IEEE80211_HTPROT_NONMEMBER; 371 ic->ic_protmode = IEEE80211_PROT_RTSCTS; 372 373 /* Configure QoS EDCA parameters. */ 374 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 375 ac = &ic->ic_edca_ac[aci]; 376 ac_qap = &ieee80211_qap_edca_table[ic->ic_curmode][aci]; 377 ac->ac_acm = ac_qap->ac_acm; 378 ac->ac_aifsn = ac_qap->ac_aifsn; 379 ac->ac_ecwmin = ac_qap->ac_ecwmin; 380 ac->ac_ecwmax = ac_qap->ac_ecwmax; 381 ac->ac_txoplimit = ac_qap->ac_txoplimit; 382 } 383 if (ic->ic_updateedca) 384 (*ic->ic_updateedca)(ic); 385 } 386 if (ic->ic_flags & IEEE80211_F_RSNON) { 387 struct ieee80211_key *k; 388 389 /* initialize 256-bit global key counter to a random value */ 390 arc4random_buf(ic->ic_globalcnt, EAPOL_KEY_NONCE_LEN); 391 392 ni->ni_rsnprotos = ic->ic_rsnprotos; 393 ni->ni_rsnakms = ic->ic_rsnakms; 394 ni->ni_rsnciphers = ic->ic_rsnciphers; 395 ni->ni_rsngroupcipher = ic->ic_rsngroupcipher; 396 ni->ni_rsngroupmgmtcipher = ic->ic_rsngroupmgmtcipher; 397 ni->ni_rsncaps = 0; 398 if (ic->ic_caps & IEEE80211_C_MFP) { 399 ni->ni_rsncaps |= IEEE80211_RSNCAP_MFPC; 400 if (ic->ic_flags & IEEE80211_F_MFPR) 401 ni->ni_rsncaps |= IEEE80211_RSNCAP_MFPR; 402 } 403 404 ic->ic_def_txkey = 1; 405 ic->ic_flags &= ~IEEE80211_F_COUNTERM; 406 k = &ic->ic_nw_keys[ic->ic_def_txkey]; 407 memset(k, 0, sizeof(*k)); 408 k->k_id = ic->ic_def_txkey; 409 k->k_cipher = ni->ni_rsngroupcipher; 410 k->k_flags = IEEE80211_KEY_GROUP | IEEE80211_KEY_TX; 411 k->k_len = ieee80211_cipher_keylen(k->k_cipher); 412 arc4random_buf(k->k_key, k->k_len); 413 (*ic->ic_set_key)(ic, ni, k); /* XXX */ 414 415 if (ic->ic_caps & IEEE80211_C_MFP) { 416 ic->ic_igtk_kid = 4; 417 k = &ic->ic_nw_keys[ic->ic_igtk_kid]; 418 memset(k, 0, sizeof(*k)); 419 k->k_id = ic->ic_igtk_kid; 420 k->k_cipher = ni->ni_rsngroupmgmtcipher; 421 k->k_flags = IEEE80211_KEY_IGTK | IEEE80211_KEY_TX; 422 k->k_len = 16; 423 arc4random_buf(k->k_key, k->k_len); 424 (*ic->ic_set_key)(ic, ni, k); /* XXX */ 425 } 426 /* 427 * In HostAP mode, multicast traffic is sent using ic_bss 428 * as the Tx node, so mark our node as valid so we can send 429 * multicast frames using the group key we've just configured. 430 */ 431 ni->ni_port_valid = 1; 432 ni->ni_flags |= IEEE80211_NODE_TXPROT; 433 434 /* schedule a GTK/IGTK rekeying after 3600s */ 435 timeout_add_sec(&ic->ic_rsn_timeout, 3600); 436 } 437 timeout_add_sec(&ic->ic_inact_timeout, IEEE80211_INACT_WAIT); 438 timeout_add_sec(&ic->ic_node_cache_timeout, IEEE80211_CACHE_WAIT); 439 ieee80211_new_state(ic, IEEE80211_S_RUN, -1); 440 } 441 #endif /* IEEE80211_STA_ONLY */ 442 443 int 444 ieee80211_match_bss(struct ieee80211com *ic, struct ieee80211_node *ni) 445 { 446 u_int8_t rate; 447 int fail; 448 449 fail = 0; 450 if (isclr(ic->ic_chan_active, ieee80211_chan2ieee(ic, ni->ni_chan))) 451 fail |= 0x01; 452 if (ic->ic_des_chan != IEEE80211_CHAN_ANYC && 453 ni->ni_chan != ic->ic_des_chan) 454 fail |= 0x01; 455 #ifndef IEEE80211_STA_ONLY 456 if (ic->ic_opmode == IEEE80211_M_IBSS) { 457 if ((ni->ni_capinfo & IEEE80211_CAPINFO_IBSS) == 0) 458 fail |= 0x02; 459 } else 460 #endif 461 { 462 if ((ni->ni_capinfo & IEEE80211_CAPINFO_ESS) == 0) 463 fail |= 0x02; 464 } 465 if (ic->ic_flags & (IEEE80211_F_WEPON | IEEE80211_F_RSNON)) { 466 if ((ni->ni_capinfo & IEEE80211_CAPINFO_PRIVACY) == 0) 467 fail |= 0x04; 468 } else { 469 if (ni->ni_capinfo & IEEE80211_CAPINFO_PRIVACY) 470 fail |= 0x04; 471 } 472 473 rate = ieee80211_fix_rate(ic, ni, IEEE80211_F_DONEGO); 474 if (rate & IEEE80211_RATE_BASIC) 475 fail |= 0x08; 476 if (ic->ic_des_esslen != 0 && 477 (ni->ni_esslen != ic->ic_des_esslen || 478 memcmp(ni->ni_essid, ic->ic_des_essid, ic->ic_des_esslen) != 0)) 479 fail |= 0x10; 480 if ((ic->ic_flags & IEEE80211_F_DESBSSID) && 481 !IEEE80211_ADDR_EQ(ic->ic_des_bssid, ni->ni_bssid)) 482 fail |= 0x20; 483 484 if (ic->ic_flags & IEEE80211_F_RSNON) { 485 /* 486 * If at least one RSN IE field from the AP's RSN IE fails 487 * to overlap with any value the STA supports, the STA shall 488 * decline to associate with that AP. 489 */ 490 if ((ni->ni_rsnprotos & ic->ic_rsnprotos) == 0) 491 fail |= 0x40; 492 if ((ni->ni_rsnakms & ic->ic_rsnakms) == 0) 493 fail |= 0x40; 494 if ((ni->ni_rsnakms & ic->ic_rsnakms & 495 ~(IEEE80211_AKM_PSK | IEEE80211_AKM_SHA256_PSK)) == 0) { 496 /* AP only supports PSK AKMPs */ 497 if (!(ic->ic_flags & IEEE80211_F_PSK)) 498 fail |= 0x40; 499 } 500 if (ni->ni_rsngroupcipher != IEEE80211_CIPHER_WEP40 && 501 ni->ni_rsngroupcipher != IEEE80211_CIPHER_TKIP && 502 ni->ni_rsngroupcipher != IEEE80211_CIPHER_CCMP && 503 ni->ni_rsngroupcipher != IEEE80211_CIPHER_WEP104) 504 fail |= 0x40; 505 if ((ni->ni_rsnciphers & ic->ic_rsnciphers) == 0) 506 fail |= 0x40; 507 508 /* we only support BIP as the IGTK cipher */ 509 if ((ni->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 510 ni->ni_rsngroupmgmtcipher != IEEE80211_CIPHER_BIP) 511 fail |= 0x40; 512 513 /* we do not support MFP but AP requires it */ 514 if (!(ic->ic_caps & IEEE80211_C_MFP) && 515 (ni->ni_rsncaps & IEEE80211_RSNCAP_MFPR)) 516 fail |= 0x40; 517 518 /* we require MFP but AP does not support it */ 519 if ((ic->ic_caps & IEEE80211_C_MFP) && 520 (ic->ic_flags & IEEE80211_F_MFPR) && 521 !(ni->ni_rsncaps & IEEE80211_RSNCAP_MFPC)) 522 fail |= 0x40; 523 } 524 525 if (ic->ic_if.if_flags & IFF_DEBUG) { 526 printf(" %c %s%c", fail ? '-' : '+', 527 ether_sprintf(ni->ni_bssid), 528 fail & 0x20 ? '!' : ' '); 529 printf(" %3d%c", ieee80211_chan2ieee(ic, ni->ni_chan), 530 fail & 0x01 ? '!' : ' '); 531 printf(" %+4d", ni->ni_rssi); 532 printf(" %2dM%c", (rate & IEEE80211_RATE_VAL) / 2, 533 fail & 0x08 ? '!' : ' '); 534 printf(" %4s%c", 535 (ni->ni_capinfo & IEEE80211_CAPINFO_ESS) ? "ess" : 536 (ni->ni_capinfo & IEEE80211_CAPINFO_IBSS) ? "ibss" : 537 "????", 538 fail & 0x02 ? '!' : ' '); 539 printf(" %7s%c ", 540 (ni->ni_capinfo & IEEE80211_CAPINFO_PRIVACY) ? 541 "privacy" : "no", 542 fail & 0x04 ? '!' : ' '); 543 printf(" %3s%c ", 544 (ic->ic_flags & IEEE80211_F_RSNON) ? 545 "rsn" : "no", 546 fail & 0x40 ? '!' : ' '); 547 ieee80211_print_essid(ni->ni_essid, ni->ni_esslen); 548 printf("%s\n", fail & 0x10 ? "!" : ""); 549 } 550 551 return fail; 552 } 553 554 struct ieee80211_node_switch_bss_arg { 555 u_int8_t cur_macaddr[IEEE80211_ADDR_LEN]; 556 u_int8_t sel_macaddr[IEEE80211_ADDR_LEN]; 557 }; 558 559 /* Implements ni->ni_unref_cb(). */ 560 void 561 ieee80211_node_switch_bss(struct ieee80211com *ic, struct ieee80211_node *ni) 562 { 563 struct ifnet *ifp = &ic->ic_if; 564 struct ieee80211_node_switch_bss_arg *sba = ni->ni_unref_arg; 565 struct ieee80211_node *curbs, *selbs; 566 567 splassert(IPL_NET); 568 569 if ((ic->ic_flags & IEEE80211_F_BGSCAN) == 0) { 570 free(sba, M_DEVBUF, sizeof(*sba)); 571 return; 572 } 573 574 ic->ic_xflags &= ~IEEE80211_F_TX_MGMT_ONLY; 575 576 selbs = ieee80211_find_node(ic, sba->sel_macaddr); 577 if (selbs == NULL) { 578 free(sba, M_DEVBUF, sizeof(*sba)); 579 ic->ic_flags &= ~IEEE80211_F_BGSCAN; 580 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 581 return; 582 } 583 584 curbs = ieee80211_find_node(ic, sba->cur_macaddr); 585 if (curbs == NULL) { 586 free(sba, M_DEVBUF, sizeof(*sba)); 587 ic->ic_flags &= ~IEEE80211_F_BGSCAN; 588 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 589 return; 590 } 591 592 if (ifp->if_flags & IFF_DEBUG) { 593 printf("%s: roaming from %s chan %d ", 594 ifp->if_xname, ether_sprintf(curbs->ni_macaddr), 595 ieee80211_chan2ieee(ic, curbs->ni_chan)); 596 printf("to %s chan %d\n", ether_sprintf(selbs->ni_macaddr), 597 ieee80211_chan2ieee(ic, selbs->ni_chan)); 598 } 599 ieee80211_node_newstate(curbs, IEEE80211_STA_CACHE); 600 ieee80211_node_join_bss(ic, selbs); /* frees arg and ic->ic_bss */ 601 } 602 603 void 604 ieee80211_node_join_bss(struct ieee80211com *ic, struct ieee80211_node *selbs) 605 { 606 enum ieee80211_phymode mode; 607 struct ieee80211_node *ni; 608 609 /* Reinitialize media mode and channels if needed. */ 610 mode = ieee80211_chan2mode(ic, selbs->ni_chan); 611 if (mode != ic->ic_curmode) 612 ieee80211_setmode(ic, mode); 613 614 (*ic->ic_node_copy)(ic, ic->ic_bss, selbs); 615 ni = ic->ic_bss; 616 617 ic->ic_curmode = ieee80211_chan2mode(ic, ni->ni_chan); 618 619 /* Make sure we send valid rates in an association request. */ 620 if (ic->ic_opmode == IEEE80211_M_STA) 621 ieee80211_fix_rate(ic, ni, 622 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 623 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 624 625 if (ic->ic_flags & IEEE80211_F_RSNON) 626 ieee80211_choose_rsnparams(ic); 627 else if (ic->ic_flags & IEEE80211_F_WEPON) 628 ni->ni_rsncipher = IEEE80211_CIPHER_USEGROUP; 629 630 ieee80211_node_newstate(selbs, IEEE80211_STA_BSS); 631 #ifndef IEEE80211_STA_ONLY 632 if (ic->ic_opmode == IEEE80211_M_IBSS) { 633 ieee80211_fix_rate(ic, ni, IEEE80211_F_DOFRATE | 634 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 635 if (ni->ni_rates.rs_nrates == 0) { 636 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 637 return; 638 } 639 ieee80211_new_state(ic, IEEE80211_S_RUN, -1); 640 } else 641 #endif 642 { 643 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 644 ic->ic_opmode == IEEE80211_M_STA && 645 ic->ic_state == IEEE80211_S_RUN); 646 647 timeout_del(&ic->ic_bgscan_timeout); 648 ic->ic_flags &= ~IEEE80211_F_BGSCAN; 649 650 /* 651 * After a background scan, we have now switched APs. 652 * Pretend we were just de-authed, which makes 653 * ieee80211_new_state() try to re-auth and thus send 654 * an AUTH frame to our newly selected AP. 655 */ 656 ieee80211_new_state(ic, IEEE80211_S_AUTH, 657 bgscan ? IEEE80211_FC0_SUBTYPE_DEAUTH : -1); 658 } 659 } 660 661 /* 662 * Complete a scan of potential channels. 663 */ 664 void 665 ieee80211_end_scan(struct ifnet *ifp) 666 { 667 struct ieee80211com *ic = (void *)ifp; 668 struct ieee80211_node *ni, *nextbs, *selbs = NULL, *curbs = NULL, 669 *selbs2 = NULL, *selbs5 = NULL; 670 int bgscan = ((ic->ic_flags & IEEE80211_F_BGSCAN) && 671 ic->ic_opmode == IEEE80211_M_STA && 672 ic->ic_state == IEEE80211_S_RUN); 673 uint8_t min_5ghz_rssi; 674 675 if (ifp->if_flags & IFF_DEBUG) 676 printf("%s: end %s scan\n", ifp->if_xname, 677 bgscan ? "background" : 678 ((ic->ic_flags & IEEE80211_F_ASCAN) ? 679 "active" : "passive")); 680 681 if (ic->ic_scan_count) 682 ic->ic_flags &= ~IEEE80211_F_ASCAN; 683 684 ni = RBT_MIN(ieee80211_tree, &ic->ic_tree); 685 686 #ifndef IEEE80211_STA_ONLY 687 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 688 /* XXX off stack? */ 689 u_char occupied[howmany(IEEE80211_CHAN_MAX, NBBY)]; 690 int i, fail; 691 692 /* 693 * The passive scan to look for existing AP's completed, 694 * select a channel to camp on. Identify the channels 695 * that already have one or more AP's and try to locate 696 * an unoccupied one. If that fails, pick a random 697 * channel from the active set. 698 */ 699 memset(occupied, 0, sizeof(occupied)); 700 RBT_FOREACH(ni, ieee80211_tree, &ic->ic_tree) 701 setbit(occupied, ieee80211_chan2ieee(ic, ni->ni_chan)); 702 for (i = 0; i < IEEE80211_CHAN_MAX; i++) 703 if (isset(ic->ic_chan_active, i) && isclr(occupied, i)) 704 break; 705 if (i == IEEE80211_CHAN_MAX) { 706 fail = arc4random() & 3; /* random 0-3 */ 707 for (i = 0; i < IEEE80211_CHAN_MAX; i++) 708 if (isset(ic->ic_chan_active, i) && fail-- == 0) 709 break; 710 } 711 ieee80211_create_ibss(ic, &ic->ic_channels[i]); 712 goto wakeup; 713 } 714 #endif 715 if (ni == NULL) { 716 DPRINTF(("no scan candidate\n")); 717 notfound: 718 719 #ifndef IEEE80211_STA_ONLY 720 if (ic->ic_opmode == IEEE80211_M_IBSS && 721 (ic->ic_flags & IEEE80211_F_IBSSON) && 722 ic->ic_des_esslen != 0) { 723 ieee80211_create_ibss(ic, ic->ic_ibss_chan); 724 goto wakeup; 725 } 726 #endif 727 /* 728 * Scan the next mode if nothing has been found. This 729 * is necessary if the device supports different 730 * incompatible modes in the same channel range, like 731 * like 11b and "pure" 11G mode. 732 * If the device scans all bands in one fell swoop, return 733 * current scan results to userspace regardless of mode. 734 * This will loop forever except for user-initiated scans. 735 */ 736 if (ieee80211_next_mode(ifp) == IEEE80211_MODE_AUTO || 737 (ic->ic_caps & IEEE80211_C_SCANALLBAND)) { 738 if (ic->ic_scan_lock & IEEE80211_SCAN_REQUEST && 739 ic->ic_scan_lock & IEEE80211_SCAN_RESUME) { 740 ic->ic_scan_lock = IEEE80211_SCAN_LOCKED; 741 /* Return from a user-initiated scan. */ 742 wakeup(&ic->ic_scan_lock); 743 } else if (ic->ic_scan_lock & IEEE80211_SCAN_REQUEST) 744 goto wakeup; 745 ic->ic_scan_count++; 746 } 747 748 /* 749 * Reset the list of channels to scan and start again. 750 */ 751 ieee80211_next_scan(ifp); 752 return; 753 } 754 755 for (; ni != NULL; ni = nextbs) { 756 nextbs = RBT_NEXT(ieee80211_tree, ni); 757 if (ni->ni_fails) { 758 /* 759 * The configuration of the access points may change 760 * during my scan. So delete the entry for the AP 761 * and retry to associate if there is another beacon. 762 */ 763 if (ni->ni_fails++ > 2) 764 ieee80211_free_node(ic, ni); 765 continue; 766 } 767 768 if (bgscan && ieee80211_node_cmp(ic->ic_bss, ni) == 0) 769 curbs = ni; 770 771 if (ieee80211_match_bss(ic, ni) != 0) 772 continue; 773 774 if (ic->ic_caps & IEEE80211_C_SCANALLBAND) { 775 if (IEEE80211_IS_CHAN_2GHZ(ni->ni_chan) && 776 (selbs2 == NULL || ni->ni_rssi > selbs2->ni_rssi)) 777 selbs2 = ni; 778 else if (IEEE80211_IS_CHAN_5GHZ(ni->ni_chan) && 779 (selbs5 == NULL || ni->ni_rssi > selbs5->ni_rssi)) 780 selbs5 = ni; 781 } else if (selbs == NULL || ni->ni_rssi > selbs->ni_rssi) 782 selbs = ni; 783 } 784 785 if (ic->ic_max_rssi) 786 min_5ghz_rssi = IEEE80211_RSSI_THRES_RATIO_5GHZ; 787 else 788 min_5ghz_rssi = (uint8_t)IEEE80211_RSSI_THRES_5GHZ; 789 790 /* 791 * Prefer a 5Ghz AP even if its RSSI is weaker than the best 2Ghz AP 792 * (as long as it meets the minimum RSSI threshold) since the 5Ghz band 793 * is usually less saturated. 794 */ 795 if (selbs5 && selbs5->ni_rssi > min_5ghz_rssi) 796 selbs = selbs5; 797 else if (selbs5 && selbs2) 798 selbs = (selbs5->ni_rssi >= selbs2->ni_rssi ? selbs5 : selbs2); 799 else if (selbs2) 800 selbs = selbs2; 801 else if (selbs5) 802 selbs = selbs5; 803 804 if (bgscan) { 805 struct ieee80211_node_switch_bss_arg *arg; 806 807 /* AP disappeared? Should not happen. */ 808 if (selbs == NULL || curbs == NULL) { 809 ic->ic_flags &= ~IEEE80211_F_BGSCAN; 810 goto notfound; 811 } 812 813 /* 814 * After a background scan we might end up choosing the 815 * same AP again. Do not change ic->ic_bss in this case, 816 * and make background scans less frequent. 817 */ 818 if (selbs == curbs) { 819 if (ic->ic_bgscan_fail < IEEE80211_BGSCAN_FAIL_MAX) 820 ic->ic_bgscan_fail++; 821 ic->ic_flags &= ~IEEE80211_F_BGSCAN; 822 goto wakeup; 823 } 824 825 arg = malloc(sizeof(*arg), M_DEVBUF, M_NOWAIT | M_ZERO); 826 if (arg == NULL) { 827 ic->ic_flags &= ~IEEE80211_F_BGSCAN; 828 goto wakeup; 829 } 830 831 ic->ic_bgscan_fail = 0; 832 833 /* 834 * We are going to switch APs. 835 * Queue a de-auth frame addressed to our current AP. 836 */ 837 if (IEEE80211_SEND_MGMT(ic, ic->ic_bss, 838 IEEE80211_FC0_SUBTYPE_DEAUTH, 839 IEEE80211_REASON_AUTH_LEAVE) != 0) { 840 ic->ic_flags &= ~IEEE80211_F_BGSCAN; 841 goto wakeup; 842 } 843 844 /* Prevent dispatch of additional data frames to hardware. */ 845 ic->ic_xflags |= IEEE80211_F_TX_MGMT_ONLY; 846 847 /* 848 * Install a callback which will switch us to the new AP once 849 * all dispatched frames have been processed by hardware. 850 */ 851 IEEE80211_ADDR_COPY(arg->cur_macaddr, curbs->ni_macaddr); 852 IEEE80211_ADDR_COPY(arg->sel_macaddr, selbs->ni_macaddr); 853 ic->ic_bss->ni_unref_arg = arg; 854 ic->ic_bss->ni_unref_arg_size = sizeof(*arg); 855 ic->ic_bss->ni_unref_cb = ieee80211_node_switch_bss; 856 /* F_BGSCAN flag gets cleared in ieee80211_node_join_bss(). */ 857 goto wakeup; 858 } else if (selbs == NULL) 859 goto notfound; 860 861 ieee80211_node_join_bss(ic, selbs); 862 863 wakeup: 864 if (ic->ic_scan_lock & IEEE80211_SCAN_REQUEST) { 865 /* Return from a user-initiated scan. */ 866 wakeup(&ic->ic_scan_lock); 867 } 868 869 ic->ic_scan_lock = IEEE80211_SCAN_UNLOCKED; 870 } 871 872 /* 873 * Autoselect the best RSN parameters (protocol, AKMP, pairwise cipher...) 874 * that are supported by both peers (STA mode only). 875 */ 876 void 877 ieee80211_choose_rsnparams(struct ieee80211com *ic) 878 { 879 struct ieee80211_node *ni = ic->ic_bss; 880 struct ieee80211_pmk *pmk; 881 882 /* filter out unsupported protocol versions */ 883 ni->ni_rsnprotos &= ic->ic_rsnprotos; 884 /* prefer RSN (aka WPA2) over WPA */ 885 if (ni->ni_rsnprotos & IEEE80211_PROTO_RSN) 886 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 887 else 888 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 889 890 /* filter out unsupported AKMPs */ 891 ni->ni_rsnakms &= ic->ic_rsnakms; 892 /* prefer SHA-256 based AKMPs */ 893 if ((ic->ic_flags & IEEE80211_F_PSK) && (ni->ni_rsnakms & 894 (IEEE80211_AKM_PSK | IEEE80211_AKM_SHA256_PSK))) { 895 /* AP supports PSK AKMP and a PSK is configured */ 896 if (ni->ni_rsnakms & IEEE80211_AKM_SHA256_PSK) 897 ni->ni_rsnakms = IEEE80211_AKM_SHA256_PSK; 898 else 899 ni->ni_rsnakms = IEEE80211_AKM_PSK; 900 } else { 901 if (ni->ni_rsnakms & IEEE80211_AKM_SHA256_8021X) 902 ni->ni_rsnakms = IEEE80211_AKM_SHA256_8021X; 903 else 904 ni->ni_rsnakms = IEEE80211_AKM_8021X; 905 /* check if we have a cached PMK for this AP */ 906 if (ni->ni_rsnprotos == IEEE80211_PROTO_RSN && 907 (pmk = ieee80211_pmksa_find(ic, ni, NULL)) != NULL) { 908 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 909 IEEE80211_PMKID_LEN); 910 ni->ni_flags |= IEEE80211_NODE_PMKID; 911 } 912 } 913 914 /* filter out unsupported pairwise ciphers */ 915 ni->ni_rsnciphers &= ic->ic_rsnciphers; 916 /* prefer CCMP over TKIP */ 917 if (ni->ni_rsnciphers & IEEE80211_CIPHER_CCMP) 918 ni->ni_rsnciphers = IEEE80211_CIPHER_CCMP; 919 else 920 ni->ni_rsnciphers = IEEE80211_CIPHER_TKIP; 921 ni->ni_rsncipher = ni->ni_rsnciphers; 922 923 /* use MFP if we both support it */ 924 if ((ic->ic_caps & IEEE80211_C_MFP) && 925 (ni->ni_rsncaps & IEEE80211_RSNCAP_MFPC)) 926 ni->ni_flags |= IEEE80211_NODE_MFP; 927 } 928 929 int 930 ieee80211_get_rate(struct ieee80211com *ic) 931 { 932 u_int8_t (*rates)[IEEE80211_RATE_MAXSIZE]; 933 int rate; 934 935 rates = &ic->ic_bss->ni_rates.rs_rates; 936 937 if (ic->ic_fixed_rate != -1) 938 rate = (*rates)[ic->ic_fixed_rate]; 939 else if (ic->ic_state == IEEE80211_S_RUN) 940 rate = (*rates)[ic->ic_bss->ni_txrate]; 941 else 942 rate = 0; 943 944 return rate & IEEE80211_RATE_VAL; 945 } 946 947 struct ieee80211_node * 948 ieee80211_node_alloc(struct ieee80211com *ic) 949 { 950 return malloc(sizeof(struct ieee80211_node), M_DEVBUF, 951 M_NOWAIT | M_ZERO); 952 } 953 954 void 955 ieee80211_node_cleanup(struct ieee80211com *ic, struct ieee80211_node *ni) 956 { 957 if (ni->ni_rsnie != NULL) { 958 free(ni->ni_rsnie, M_DEVBUF, 2 + ni->ni_rsnie[1]); 959 ni->ni_rsnie = NULL; 960 } 961 ieee80211_ba_del(ni); 962 free(ni->ni_unref_arg, M_DEVBUF, ni->ni_unref_arg_size); 963 ni->ni_unref_arg = NULL; 964 ni->ni_unref_arg_size = 0; 965 } 966 967 void 968 ieee80211_node_free(struct ieee80211com *ic, struct ieee80211_node *ni) 969 { 970 ieee80211_node_cleanup(ic, ni); 971 free(ni, M_DEVBUF, 0); 972 } 973 974 void 975 ieee80211_node_copy(struct ieee80211com *ic, 976 struct ieee80211_node *dst, const struct ieee80211_node *src) 977 { 978 ieee80211_node_cleanup(ic, dst); 979 *dst = *src; 980 dst->ni_rsnie = NULL; 981 if (src->ni_rsnie != NULL) 982 ieee80211_save_ie(src->ni_rsnie, &dst->ni_rsnie); 983 } 984 985 u_int8_t 986 ieee80211_node_getrssi(struct ieee80211com *ic, 987 const struct ieee80211_node *ni) 988 { 989 return ni->ni_rssi; 990 } 991 992 int 993 ieee80211_node_checkrssi(struct ieee80211com *ic, 994 const struct ieee80211_node *ni) 995 { 996 uint8_t thres; 997 998 if (ni->ni_chan == IEEE80211_CHAN_ANYC) 999 return 0; 1000 1001 if (ic->ic_max_rssi) { 1002 thres = (IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) ? 1003 IEEE80211_RSSI_THRES_RATIO_2GHZ : 1004 IEEE80211_RSSI_THRES_RATIO_5GHZ; 1005 return ((ni->ni_rssi * 100) / ic->ic_max_rssi >= thres); 1006 } 1007 1008 thres = (IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) ? 1009 IEEE80211_RSSI_THRES_2GHZ : 1010 IEEE80211_RSSI_THRES_5GHZ; 1011 return (ni->ni_rssi >= (u_int8_t)thres); 1012 } 1013 1014 void 1015 ieee80211_setup_node(struct ieee80211com *ic, 1016 struct ieee80211_node *ni, const u_int8_t *macaddr) 1017 { 1018 int s; 1019 1020 DPRINTF(("%s\n", ether_sprintf((u_int8_t *)macaddr))); 1021 IEEE80211_ADDR_COPY(ni->ni_macaddr, macaddr); 1022 ieee80211_node_newstate(ni, IEEE80211_STA_CACHE); 1023 1024 ni->ni_ic = ic; /* back-pointer */ 1025 #ifndef IEEE80211_STA_ONLY 1026 mq_init(&ni->ni_savedq, IEEE80211_PS_MAX_QUEUE, IPL_NET); 1027 timeout_set(&ni->ni_eapol_to, ieee80211_eapol_timeout, ni); 1028 timeout_set(&ni->ni_sa_query_to, ieee80211_sa_query_timeout, ni); 1029 #endif 1030 s = splnet(); 1031 RBT_INSERT(ieee80211_tree, &ic->ic_tree, ni); 1032 ic->ic_nnodes++; 1033 splx(s); 1034 } 1035 1036 struct ieee80211_node * 1037 ieee80211_alloc_node(struct ieee80211com *ic, const u_int8_t *macaddr) 1038 { 1039 struct ieee80211_node *ni = ieee80211_alloc_node_helper(ic); 1040 if (ni != NULL) 1041 ieee80211_setup_node(ic, ni, macaddr); 1042 else 1043 ic->ic_stats.is_rx_nodealloc++; 1044 return ni; 1045 } 1046 1047 struct ieee80211_node * 1048 ieee80211_dup_bss(struct ieee80211com *ic, const u_int8_t *macaddr) 1049 { 1050 struct ieee80211_node *ni = ieee80211_alloc_node_helper(ic); 1051 if (ni != NULL) { 1052 ieee80211_setup_node(ic, ni, macaddr); 1053 /* 1054 * Inherit from ic_bss. 1055 */ 1056 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_bss->ni_bssid); 1057 ni->ni_chan = ic->ic_bss->ni_chan; 1058 } else 1059 ic->ic_stats.is_rx_nodealloc++; 1060 return ni; 1061 } 1062 1063 struct ieee80211_node * 1064 ieee80211_find_node(struct ieee80211com *ic, const u_int8_t *macaddr) 1065 { 1066 struct ieee80211_node *ni; 1067 int cmp; 1068 1069 /* similar to RBT_FIND except we compare keys, not nodes */ 1070 ni = RBT_ROOT(ieee80211_tree, &ic->ic_tree); 1071 while (ni != NULL) { 1072 cmp = memcmp(macaddr, ni->ni_macaddr, IEEE80211_ADDR_LEN); 1073 if (cmp < 0) 1074 ni = RBT_LEFT(ieee80211_tree, ni); 1075 else if (cmp > 0) 1076 ni = RBT_RIGHT(ieee80211_tree, ni); 1077 else 1078 break; 1079 } 1080 return ni; 1081 } 1082 1083 /* 1084 * Return a reference to the appropriate node for sending 1085 * a data frame. This handles node discovery in adhoc networks. 1086 * 1087 * Drivers will call this, so increase the reference count before 1088 * returning the node. 1089 */ 1090 struct ieee80211_node * 1091 ieee80211_find_txnode(struct ieee80211com *ic, const u_int8_t *macaddr) 1092 { 1093 #ifndef IEEE80211_STA_ONLY 1094 struct ieee80211_node *ni; 1095 int s; 1096 #endif 1097 1098 /* 1099 * The destination address should be in the node table 1100 * unless we are operating in station mode or this is a 1101 * multicast/broadcast frame. 1102 */ 1103 if (ic->ic_opmode == IEEE80211_M_STA || IEEE80211_IS_MULTICAST(macaddr)) 1104 return ieee80211_ref_node(ic->ic_bss); 1105 1106 #ifndef IEEE80211_STA_ONLY 1107 s = splnet(); 1108 ni = ieee80211_find_node(ic, macaddr); 1109 splx(s); 1110 if (ni == NULL) { 1111 if (ic->ic_opmode != IEEE80211_M_IBSS && 1112 ic->ic_opmode != IEEE80211_M_AHDEMO) 1113 return NULL; 1114 1115 /* 1116 * Fake up a node; this handles node discovery in 1117 * adhoc mode. Note that for the driver's benefit 1118 * we we treat this like an association so the driver 1119 * has an opportunity to setup its private state. 1120 * 1121 * XXX need better way to handle this; issue probe 1122 * request so we can deduce rate set, etc. 1123 */ 1124 if ((ni = ieee80211_dup_bss(ic, macaddr)) == NULL) 1125 return NULL; 1126 /* XXX no rate negotiation; just dup */ 1127 ni->ni_rates = ic->ic_bss->ni_rates; 1128 ni->ni_txrate = 0; 1129 if (ic->ic_newassoc) 1130 (*ic->ic_newassoc)(ic, ni, 1); 1131 } 1132 return ieee80211_ref_node(ni); 1133 #else 1134 return NULL; /* can't get there */ 1135 #endif /* IEEE80211_STA_ONLY */ 1136 } 1137 1138 /* 1139 * It is usually desirable to process a Rx packet using its sender's 1140 * node-record instead of the BSS record. 1141 * 1142 * - AP mode: keep a node-record for every authenticated/associated 1143 * station *in the BSS*. For future use, we also track neighboring 1144 * APs, since they might belong to the same ESS. APs in the same 1145 * ESS may bridge packets to each other, forming a Wireless 1146 * Distribution System (WDS). 1147 * 1148 * - IBSS mode: keep a node-record for every station *in the BSS*. 1149 * Also track neighboring stations by their beacons/probe responses. 1150 * 1151 * - monitor mode: keep a node-record for every sender, regardless 1152 * of BSS. 1153 * 1154 * - STA mode: the only available node-record is the BSS record, 1155 * ic->ic_bss. 1156 * 1157 * Of all the 802.11 Control packets, only the node-records for 1158 * RTS packets node-record can be looked up. 1159 * 1160 * Return non-zero if the packet's node-record is kept, zero 1161 * otherwise. 1162 */ 1163 static __inline int 1164 ieee80211_needs_rxnode(struct ieee80211com *ic, 1165 const struct ieee80211_frame *wh, const u_int8_t **bssid) 1166 { 1167 int monitor, rc = 0; 1168 1169 monitor = (ic->ic_opmode == IEEE80211_M_MONITOR); 1170 1171 *bssid = NULL; 1172 1173 switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) { 1174 case IEEE80211_FC0_TYPE_CTL: 1175 if (!monitor) 1176 break; 1177 return (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == 1178 IEEE80211_FC0_SUBTYPE_RTS; 1179 case IEEE80211_FC0_TYPE_MGT: 1180 *bssid = wh->i_addr3; 1181 switch (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) { 1182 case IEEE80211_FC0_SUBTYPE_BEACON: 1183 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1184 break; 1185 default: 1186 #ifndef IEEE80211_STA_ONLY 1187 if (ic->ic_opmode == IEEE80211_M_STA) 1188 break; 1189 rc = IEEE80211_ADDR_EQ(*bssid, ic->ic_bss->ni_bssid) || 1190 IEEE80211_ADDR_EQ(*bssid, etherbroadcastaddr); 1191 #endif 1192 break; 1193 } 1194 break; 1195 case IEEE80211_FC0_TYPE_DATA: 1196 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 1197 case IEEE80211_FC1_DIR_NODS: 1198 *bssid = wh->i_addr3; 1199 #ifndef IEEE80211_STA_ONLY 1200 if (ic->ic_opmode == IEEE80211_M_IBSS || 1201 ic->ic_opmode == IEEE80211_M_AHDEMO) 1202 rc = IEEE80211_ADDR_EQ(*bssid, 1203 ic->ic_bss->ni_bssid); 1204 #endif 1205 break; 1206 case IEEE80211_FC1_DIR_TODS: 1207 *bssid = wh->i_addr1; 1208 #ifndef IEEE80211_STA_ONLY 1209 if (ic->ic_opmode == IEEE80211_M_HOSTAP) 1210 rc = IEEE80211_ADDR_EQ(*bssid, 1211 ic->ic_bss->ni_bssid); 1212 #endif 1213 break; 1214 case IEEE80211_FC1_DIR_FROMDS: 1215 case IEEE80211_FC1_DIR_DSTODS: 1216 *bssid = wh->i_addr2; 1217 #ifndef IEEE80211_STA_ONLY 1218 rc = (ic->ic_opmode == IEEE80211_M_HOSTAP); 1219 #endif 1220 break; 1221 } 1222 break; 1223 } 1224 return monitor || rc; 1225 } 1226 1227 /* 1228 * Drivers call this, so increase the reference count before returning 1229 * the node. 1230 */ 1231 struct ieee80211_node * 1232 ieee80211_find_rxnode(struct ieee80211com *ic, 1233 const struct ieee80211_frame *wh) 1234 { 1235 static const u_int8_t zero[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 1236 struct ieee80211_node *ni; 1237 const u_int8_t *bssid; 1238 int s; 1239 1240 if (!ieee80211_needs_rxnode(ic, wh, &bssid)) 1241 return ieee80211_ref_node(ic->ic_bss); 1242 1243 s = splnet(); 1244 ni = ieee80211_find_node(ic, wh->i_addr2); 1245 splx(s); 1246 1247 if (ni != NULL) 1248 return ieee80211_ref_node(ni); 1249 #ifndef IEEE80211_STA_ONLY 1250 if (ic->ic_opmode == IEEE80211_M_HOSTAP) 1251 return ieee80211_ref_node(ic->ic_bss); 1252 #endif 1253 /* XXX see remarks in ieee80211_find_txnode */ 1254 /* XXX no rate negotiation; just dup */ 1255 if ((ni = ieee80211_dup_bss(ic, wh->i_addr2)) == NULL) 1256 return ieee80211_ref_node(ic->ic_bss); 1257 1258 IEEE80211_ADDR_COPY(ni->ni_bssid, (bssid != NULL) ? bssid : zero); 1259 1260 ni->ni_rates = ic->ic_bss->ni_rates; 1261 ni->ni_txrate = 0; 1262 if (ic->ic_newassoc) 1263 (*ic->ic_newassoc)(ic, ni, 1); 1264 1265 DPRINTF(("faked-up node %p for %s\n", ni, 1266 ether_sprintf((u_int8_t *)wh->i_addr2))); 1267 1268 return ieee80211_ref_node(ni); 1269 } 1270 1271 struct ieee80211_node * 1272 ieee80211_find_node_for_beacon(struct ieee80211com *ic, 1273 const u_int8_t *macaddr, const struct ieee80211_channel *chan, 1274 const char *ssid, u_int8_t rssi) 1275 { 1276 struct ieee80211_node *ni, *keep = NULL; 1277 int s, score = 0; 1278 1279 if ((ni = ieee80211_find_node(ic, macaddr)) != NULL) { 1280 s = splnet(); 1281 1282 if (ni->ni_chan != chan && ni->ni_rssi >= rssi) 1283 score++; 1284 if (ssid[1] == 0 && ni->ni_esslen != 0) 1285 score++; 1286 if (score > 0) 1287 keep = ni; 1288 1289 splx(s); 1290 } 1291 1292 return (keep); 1293 } 1294 1295 void 1296 ieee80211_ba_del(struct ieee80211_node *ni) 1297 { 1298 int tid; 1299 1300 for (tid = 0; tid < nitems(ni->ni_rx_ba); tid++) { 1301 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 1302 if (ba->ba_state != IEEE80211_BA_INIT) { 1303 if (timeout_pending(&ba->ba_to)) 1304 timeout_del(&ba->ba_to); 1305 if (timeout_pending(&ba->ba_gap_to)) 1306 timeout_del(&ba->ba_gap_to); 1307 ba->ba_state = IEEE80211_BA_INIT; 1308 } 1309 } 1310 1311 for (tid = 0; tid < nitems(ni->ni_tx_ba); tid++) { 1312 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1313 if (ba->ba_state != IEEE80211_BA_INIT) { 1314 if (timeout_pending(&ba->ba_to)) 1315 timeout_del(&ba->ba_to); 1316 ba->ba_state = IEEE80211_BA_INIT; 1317 } 1318 } 1319 } 1320 1321 void 1322 ieee80211_free_node(struct ieee80211com *ic, struct ieee80211_node *ni) 1323 { 1324 if (ni == ic->ic_bss) 1325 panic("freeing bss node"); 1326 1327 splassert(IPL_NET); 1328 1329 DPRINTF(("%s\n", ether_sprintf(ni->ni_macaddr))); 1330 #ifndef IEEE80211_STA_ONLY 1331 timeout_del(&ni->ni_eapol_to); 1332 timeout_del(&ni->ni_sa_query_to); 1333 IEEE80211_AID_CLR(ni->ni_associd, ic->ic_aid_bitmap); 1334 #endif 1335 ieee80211_ba_del(ni); 1336 RBT_REMOVE(ieee80211_tree, &ic->ic_tree, ni); 1337 ic->ic_nnodes--; 1338 #ifndef IEEE80211_STA_ONLY 1339 if (mq_purge(&ni->ni_savedq) > 0) { 1340 if (ic->ic_set_tim != NULL) 1341 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 1342 } 1343 #endif 1344 (*ic->ic_node_free)(ic, ni); 1345 /* TBD indicate to drivers that a new node can be allocated */ 1346 } 1347 1348 void 1349 ieee80211_release_node(struct ieee80211com *ic, struct ieee80211_node *ni) 1350 { 1351 int s; 1352 1353 DPRINTF(("%s refcnt %u\n", ether_sprintf(ni->ni_macaddr), 1354 ni->ni_refcnt)); 1355 s = splnet(); 1356 if (ieee80211_node_decref(ni) == 0) { 1357 if (ni->ni_unref_cb) { 1358 (*ni->ni_unref_cb)(ic, ni); 1359 ni->ni_unref_cb = NULL; 1360 /* Freed by callback if necessary: */ 1361 ni->ni_unref_arg = NULL; 1362 ni->ni_unref_arg_size = 0; 1363 } 1364 if (ni->ni_state == IEEE80211_STA_COLLECT) 1365 ieee80211_free_node(ic, ni); 1366 } 1367 splx(s); 1368 } 1369 1370 void 1371 ieee80211_free_allnodes(struct ieee80211com *ic) 1372 { 1373 struct ieee80211_node *ni; 1374 int s; 1375 1376 DPRINTF(("freeing all nodes\n")); 1377 s = splnet(); 1378 while ((ni = RBT_MIN(ieee80211_tree, &ic->ic_tree)) != NULL) 1379 ieee80211_free_node(ic, ni); 1380 splx(s); 1381 1382 if (ic->ic_bss != NULL) 1383 ieee80211_node_cleanup(ic, ic->ic_bss); /* for station mode */ 1384 } 1385 1386 void 1387 ieee80211_clean_cached(struct ieee80211com *ic) 1388 { 1389 struct ieee80211_node *ni, *next_ni; 1390 int s; 1391 1392 s = splnet(); 1393 for (ni = RBT_MIN(ieee80211_tree, &ic->ic_tree); 1394 ni != NULL; ni = next_ni) { 1395 next_ni = RBT_NEXT(ieee80211_tree, ni); 1396 if (ni->ni_state == IEEE80211_STA_CACHE) 1397 ieee80211_free_node(ic, ni); 1398 } 1399 splx(s); 1400 } 1401 /* 1402 * Timeout inactive nodes. 1403 * 1404 * If called because of a cache timeout, which happens only in hostap and ibss 1405 * modes, clean all inactive cached or authenticated nodes but don't de-auth 1406 * any associated nodes. Also update HT protection settings. 1407 * 1408 * Else, this function is called because a new node must be allocated but the 1409 * node cache is full. In this case, return as soon as a free slot was made 1410 * available. If acting as hostap, clean cached nodes regardless of their 1411 * recent activity and also allow de-authing of authenticated nodes older 1412 * than one cache wait interval, and de-authing of inactive associated nodes. 1413 */ 1414 void 1415 ieee80211_clean_nodes(struct ieee80211com *ic, int cache_timeout) 1416 { 1417 struct ieee80211_node *ni, *next_ni; 1418 u_int gen = ic->ic_scangen++; /* NB: ok 'cuz single-threaded*/ 1419 int s; 1420 #ifndef IEEE80211_STA_ONLY 1421 int nnodes = 0, nonht = 0, nonhtassoc = 0; 1422 struct ifnet *ifp = &ic->ic_if; 1423 enum ieee80211_htprot htprot = IEEE80211_HTPROT_NONE; 1424 enum ieee80211_protmode protmode = IEEE80211_PROT_NONE; 1425 #endif 1426 1427 s = splnet(); 1428 for (ni = RBT_MIN(ieee80211_tree, &ic->ic_tree); 1429 ni != NULL; ni = next_ni) { 1430 next_ni = RBT_NEXT(ieee80211_tree, ni); 1431 if (!cache_timeout && ic->ic_nnodes < ic->ic_max_nnodes) 1432 break; 1433 if (ni->ni_scangen == gen) /* previously handled */ 1434 continue; 1435 #ifndef IEEE80211_STA_ONLY 1436 nnodes++; 1437 if ((ic->ic_flags & IEEE80211_F_HTON) && cache_timeout) { 1438 if (!ieee80211_node_supports_ht(ni)) { 1439 nonht++; 1440 if (ni->ni_state == IEEE80211_STA_ASSOC) 1441 nonhtassoc++; 1442 } 1443 } 1444 #endif 1445 ni->ni_scangen = gen; 1446 if (ni->ni_refcnt > 0) 1447 continue; 1448 #ifndef IEEE80211_STA_ONLY 1449 if ((ic->ic_opmode == IEEE80211_M_HOSTAP || 1450 ic->ic_opmode == IEEE80211_M_IBSS) && 1451 ic->ic_state == IEEE80211_S_RUN) { 1452 if (cache_timeout) { 1453 if (ni->ni_state != IEEE80211_STA_COLLECT && 1454 (ni->ni_state == IEEE80211_STA_ASSOC || 1455 ni->ni_inact < IEEE80211_INACT_MAX)) 1456 continue; 1457 } else { 1458 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 1459 ((ni->ni_state == IEEE80211_STA_ASSOC && 1460 ni->ni_inact < IEEE80211_INACT_MAX) || 1461 (ni->ni_state == IEEE80211_STA_AUTH && 1462 ni->ni_inact == 0))) 1463 continue; 1464 1465 if (ic->ic_opmode == IEEE80211_M_IBSS && 1466 ni->ni_state != IEEE80211_STA_COLLECT && 1467 ni->ni_state != IEEE80211_STA_CACHE && 1468 ni->ni_inact < IEEE80211_INACT_MAX) 1469 continue; 1470 } 1471 } 1472 if (ifp->if_flags & IFF_DEBUG) 1473 printf("%s: station %s purged from node cache\n", 1474 ifp->if_xname, ether_sprintf(ni->ni_macaddr)); 1475 #endif 1476 /* 1477 * If we're hostap and the node is authenticated, send 1478 * a deauthentication frame. The node will be freed when 1479 * the driver calls ieee80211_release_node(). 1480 */ 1481 #ifndef IEEE80211_STA_ONLY 1482 nnodes--; 1483 if ((ic->ic_flags & IEEE80211_F_HTON) && cache_timeout) { 1484 if (!ieee80211_node_supports_ht(ni)) { 1485 nonht--; 1486 if (ni->ni_state == IEEE80211_STA_ASSOC) 1487 nonhtassoc--; 1488 } 1489 } 1490 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 1491 ni->ni_state >= IEEE80211_STA_AUTH && 1492 ni->ni_state != IEEE80211_STA_COLLECT) { 1493 IEEE80211_SEND_MGMT(ic, ni, 1494 IEEE80211_FC0_SUBTYPE_DEAUTH, 1495 IEEE80211_REASON_AUTH_EXPIRE); 1496 ieee80211_node_leave(ic, ni); 1497 } else 1498 #endif 1499 ieee80211_free_node(ic, ni); 1500 ic->ic_stats.is_node_timeout++; 1501 } 1502 1503 #ifndef IEEE80211_STA_ONLY 1504 if ((ic->ic_flags & IEEE80211_F_HTON) && cache_timeout) { 1505 /* Update HT protection settings. */ 1506 if (nonht) { 1507 protmode = IEEE80211_PROT_RTSCTS; 1508 if (nonhtassoc) 1509 htprot = IEEE80211_HTPROT_NONHT_MIXED; 1510 else 1511 htprot = IEEE80211_HTPROT_NONMEMBER; 1512 } 1513 if (ic->ic_bss->ni_htop1 != htprot) { 1514 ic->ic_bss->ni_htop1 = htprot; 1515 ic->ic_protmode = protmode; 1516 if (ic->ic_update_htprot) 1517 ic->ic_update_htprot(ic, ic->ic_bss); 1518 } 1519 } 1520 1521 /* 1522 * During a cache timeout we iterate over all nodes. 1523 * Check for node leaks by comparing the actual number of cached 1524 * nodes with the ic_nnodes count, which is maintained while adding 1525 * and removing nodes from the cache. 1526 */ 1527 if ((ifp->if_flags & IFF_DEBUG) && cache_timeout && 1528 nnodes != ic->ic_nnodes) 1529 printf("%s: number of cached nodes is %d, expected %d," 1530 "possible nodes leak\n", ifp->if_xname, nnodes, 1531 ic->ic_nnodes); 1532 #endif 1533 splx(s); 1534 } 1535 1536 void 1537 ieee80211_iterate_nodes(struct ieee80211com *ic, ieee80211_iter_func *f, 1538 void *arg) 1539 { 1540 struct ieee80211_node *ni; 1541 int s; 1542 1543 s = splnet(); 1544 RBT_FOREACH(ni, ieee80211_tree, &ic->ic_tree) 1545 (*f)(arg, ni); 1546 splx(s); 1547 } 1548 1549 1550 /* 1551 * Install received HT caps information in the node's state block. 1552 */ 1553 void 1554 ieee80211_setup_htcaps(struct ieee80211_node *ni, const uint8_t *data, 1555 uint8_t len) 1556 { 1557 uint16_t rxrate; 1558 1559 if (len != 26) 1560 return; 1561 1562 ni->ni_htcaps = (data[0] | (data[1] << 8)); 1563 ni->ni_ampdu_param = data[2]; 1564 1565 memcpy(ni->ni_rxmcs, &data[3], sizeof(ni->ni_rxmcs)); 1566 /* clear reserved bits */ 1567 clrbit(ni->ni_rxmcs, 77); 1568 clrbit(ni->ni_rxmcs, 78); 1569 clrbit(ni->ni_rxmcs, 79); 1570 1571 /* Max MCS Rx rate in 1Mb/s units (0 means "not specified"). */ 1572 rxrate = ((data[13] | (data[14]) << 8) & IEEE80211_MCS_RX_RATE_HIGH); 1573 if (rxrate < 1024) 1574 ni->ni_max_rxrate = rxrate; 1575 1576 ni->ni_tx_mcs_set = data[15]; 1577 ni->ni_htxcaps = (data[19] | (data[20] << 8)); 1578 ni->ni_txbfcaps = (data[21] | (data[22] << 8) | (data[23] << 16) | 1579 (data[24] << 24)); 1580 ni->ni_aselcaps = data[25]; 1581 } 1582 1583 #ifndef IEEE80211_STA_ONLY 1584 /* 1585 * Handle nodes switching from 11n into legacy modes. 1586 */ 1587 void 1588 ieee80211_clear_htcaps(struct ieee80211_node *ni) 1589 { 1590 ni->ni_htcaps = 0; 1591 ni->ni_ampdu_param = 0; 1592 memset(ni->ni_rxmcs, 0, sizeof(ni->ni_rxmcs)); 1593 ni->ni_max_rxrate = 0; 1594 ni->ni_tx_mcs_set = 0; 1595 ni->ni_htxcaps = 0; 1596 ni->ni_txbfcaps = 0; 1597 ni->ni_aselcaps = 0; 1598 1599 ni->ni_flags &= ~IEEE80211_NODE_HT; 1600 1601 } 1602 #endif 1603 1604 /* 1605 * Install received HT op information in the node's state block. 1606 */ 1607 int 1608 ieee80211_setup_htop(struct ieee80211_node *ni, const uint8_t *data, 1609 uint8_t len) 1610 { 1611 if (len != 22) 1612 return 0; 1613 1614 ni->ni_primary_chan = data[0]; /* XXX corresponds to ni_chan */ 1615 1616 ni->ni_htop0 = data[1]; 1617 ni->ni_htop1 = (data[2] | (data[3] << 8)); 1618 ni->ni_htop2 = (data[3] | (data[4] << 8)); 1619 1620 memcpy(ni->ni_basic_mcs, &data[6], sizeof(ni->ni_basic_mcs)); 1621 1622 return 1; 1623 } 1624 1625 /* 1626 * Install received rate set information in the node's state block. 1627 */ 1628 int 1629 ieee80211_setup_rates(struct ieee80211com *ic, struct ieee80211_node *ni, 1630 const u_int8_t *rates, const u_int8_t *xrates, int flags) 1631 { 1632 struct ieee80211_rateset *rs = &ni->ni_rates; 1633 1634 memset(rs, 0, sizeof(*rs)); 1635 rs->rs_nrates = rates[1]; 1636 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 1637 if (xrates != NULL) { 1638 u_int8_t nxrates; 1639 /* 1640 * Tack on 11g extended supported rate element. 1641 */ 1642 nxrates = xrates[1]; 1643 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 1644 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 1645 DPRINTF(("extended rate set too large; " 1646 "only using %u of %u rates\n", 1647 nxrates, xrates[1])); 1648 ic->ic_stats.is_rx_rstoobig++; 1649 } 1650 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 1651 rs->rs_nrates += nxrates; 1652 } 1653 return ieee80211_fix_rate(ic, ni, flags); 1654 } 1655 1656 #ifndef IEEE80211_STA_ONLY 1657 /* 1658 * Check if the specified node supports ERP. 1659 */ 1660 int 1661 ieee80211_iserp_sta(const struct ieee80211_node *ni) 1662 { 1663 static const u_int8_t rates[] = { 2, 4, 11, 22, 12, 24, 48 }; 1664 const struct ieee80211_rateset *rs = &ni->ni_rates; 1665 int i, j; 1666 1667 /* 1668 * A STA supports ERP operation if it includes all the Clause 19 1669 * mandatory rates in its supported rate set. 1670 */ 1671 for (i = 0; i < nitems(rates); i++) { 1672 for (j = 0; j < rs->rs_nrates; j++) { 1673 if ((rs->rs_rates[j] & IEEE80211_RATE_VAL) == rates[i]) 1674 break; 1675 } 1676 if (j == rs->rs_nrates) 1677 return 0; 1678 } 1679 return 1; 1680 } 1681 1682 /* 1683 * This function is called to notify the 802.1X PACP machine that a new 1684 * 802.1X port is enabled and must be authenticated. For 802.11, a port 1685 * becomes enabled whenever a STA successfully completes Open System 1686 * authentication with an AP. 1687 */ 1688 void 1689 ieee80211_needs_auth(struct ieee80211com *ic, struct ieee80211_node *ni) 1690 { 1691 /* 1692 * XXX this could be done via the route socket of via a dedicated 1693 * EAP socket or another kernel->userland notification mechanism. 1694 * The notification should include the MAC address (ni_macaddr). 1695 */ 1696 } 1697 1698 /* 1699 * Handle an HT STA joining an HT network. 1700 */ 1701 void 1702 ieee80211_node_join_ht(struct ieee80211com *ic, struct ieee80211_node *ni) 1703 { 1704 enum ieee80211_htprot; 1705 1706 /* Update HT protection setting. */ 1707 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0) { 1708 ic->ic_bss->ni_htop1 = IEEE80211_HTPROT_NONHT_MIXED; 1709 if (ic->ic_update_htprot) 1710 ic->ic_update_htprot(ic, ic->ic_bss); 1711 } 1712 } 1713 1714 /* 1715 * Handle a station joining an RSN network. 1716 */ 1717 void 1718 ieee80211_node_join_rsn(struct ieee80211com *ic, struct ieee80211_node *ni) 1719 { 1720 DPRINTF(("station %s associated using proto %d akm 0x%x " 1721 "cipher 0x%x groupcipher 0x%x\n", ether_sprintf(ni->ni_macaddr), 1722 ni->ni_rsnprotos, ni->ni_rsnakms, ni->ni_rsnciphers, 1723 ni->ni_rsngroupcipher)); 1724 1725 ni->ni_rsn_state = RSNA_AUTHENTICATION; 1726 1727 ni->ni_key_count = 0; 1728 ni->ni_port_valid = 0; 1729 ni->ni_flags &= ~IEEE80211_NODE_TXRXPROT; 1730 ni->ni_flags &= ~IEEE80211_NODE_RSN_NEW_PTK; 1731 ni->ni_replaycnt = -1; /* XXX */ 1732 ni->ni_rsn_retries = 0; 1733 ni->ni_rsncipher = ni->ni_rsnciphers; 1734 1735 ni->ni_rsn_state = RSNA_AUTHENTICATION_2; 1736 1737 /* generate a new authenticator nonce (ANonce) */ 1738 arc4random_buf(ni->ni_nonce, EAPOL_KEY_NONCE_LEN); 1739 1740 if (!ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 1741 memcpy(ni->ni_pmk, ic->ic_psk, IEEE80211_PMK_LEN); 1742 ni->ni_flags |= IEEE80211_NODE_PMK; 1743 (void)ieee80211_send_4way_msg1(ic, ni); 1744 } else if (ni->ni_flags & IEEE80211_NODE_PMK) { 1745 /* skip 802.1X auth if a cached PMK was found */ 1746 (void)ieee80211_send_4way_msg1(ic, ni); 1747 } else { 1748 /* no cached PMK found, needs full 802.1X auth */ 1749 ieee80211_needs_auth(ic, ni); 1750 } 1751 } 1752 1753 void 1754 ieee80211_count_longslotsta(void *arg, struct ieee80211_node *ni) 1755 { 1756 int *longslotsta = arg; 1757 1758 if (ni->ni_associd == 0 || ni->ni_state == IEEE80211_STA_COLLECT) 1759 return; 1760 1761 if (!(ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)) 1762 (*longslotsta)++; 1763 } 1764 1765 void 1766 ieee80211_count_nonerpsta(void *arg, struct ieee80211_node *ni) 1767 { 1768 int *nonerpsta = arg; 1769 1770 if (ni->ni_associd == 0 || ni->ni_state == IEEE80211_STA_COLLECT) 1771 return; 1772 1773 if (!ieee80211_iserp_sta(ni)) 1774 (*nonerpsta)++; 1775 } 1776 1777 void 1778 ieee80211_count_pssta(void *arg, struct ieee80211_node *ni) 1779 { 1780 int *pssta = arg; 1781 1782 if (ni->ni_associd == 0 || ni->ni_state == IEEE80211_STA_COLLECT) 1783 return; 1784 1785 if (ni->ni_pwrsave == IEEE80211_PS_DOZE) 1786 (*pssta)++; 1787 } 1788 1789 void 1790 ieee80211_count_rekeysta(void *arg, struct ieee80211_node *ni) 1791 { 1792 int *rekeysta = arg; 1793 1794 if (ni->ni_associd == 0 || ni->ni_state == IEEE80211_STA_COLLECT) 1795 return; 1796 1797 if (ni->ni_flags & IEEE80211_NODE_REKEY) 1798 (*rekeysta)++; 1799 } 1800 1801 /* 1802 * Handle a station joining an 11g network. 1803 */ 1804 void 1805 ieee80211_node_join_11g(struct ieee80211com *ic, struct ieee80211_node *ni) 1806 { 1807 int longslotsta = 0, nonerpsta = 0; 1808 1809 if (!(ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 1810 /* 1811 * Joining STA doesn't support short slot time. We must 1812 * disable the use of short slot time for all other associated 1813 * STAs and give the driver a chance to reconfigure the 1814 * hardware. 1815 */ 1816 ieee80211_iterate_nodes(ic, 1817 ieee80211_count_longslotsta, &longslotsta); 1818 if (longslotsta == 1) { 1819 if (ic->ic_caps & IEEE80211_C_SHSLOT) 1820 ieee80211_set_shortslottime(ic, 0); 1821 } 1822 DPRINTF(("[%s] station needs long slot time, count %d\n", 1823 ether_sprintf(ni->ni_macaddr), longslotsta)); 1824 } 1825 1826 if (!ieee80211_iserp_sta(ni)) { 1827 /* 1828 * Joining STA is non-ERP. 1829 */ 1830 ieee80211_iterate_nodes(ic, 1831 ieee80211_count_nonerpsta, &nonerpsta); 1832 DPRINTF(("[%s] station is non-ERP, %d non-ERP " 1833 "stations associated\n", ether_sprintf(ni->ni_macaddr), 1834 nonerpsta)); 1835 /* must enable the use of protection */ 1836 if (ic->ic_protmode != IEEE80211_PROT_NONE) { 1837 DPRINTF(("enable use of protection\n")); 1838 ic->ic_flags |= IEEE80211_F_USEPROT; 1839 } 1840 1841 if (!(ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 1842 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 1843 } else 1844 ni->ni_flags |= IEEE80211_NODE_ERP; 1845 } 1846 1847 void 1848 ieee80211_node_join(struct ieee80211com *ic, struct ieee80211_node *ni, 1849 int resp) 1850 { 1851 int newassoc = (ni->ni_state != IEEE80211_STA_ASSOC); 1852 1853 if (ni->ni_associd == 0) { 1854 u_int16_t aid; 1855 1856 /* 1857 * It would be clever to search the bitmap 1858 * more efficiently, but this will do for now. 1859 */ 1860 for (aid = 1; aid < ic->ic_max_aid; aid++) { 1861 if (!IEEE80211_AID_ISSET(aid, 1862 ic->ic_aid_bitmap)) 1863 break; 1864 } 1865 if (aid >= ic->ic_max_aid) { 1866 IEEE80211_SEND_MGMT(ic, ni, resp, 1867 IEEE80211_REASON_ASSOC_TOOMANY); 1868 ieee80211_node_leave(ic, ni); 1869 return; 1870 } 1871 ni->ni_associd = aid | 0xc000; 1872 IEEE80211_AID_SET(ni->ni_associd, ic->ic_aid_bitmap); 1873 if (ic->ic_curmode == IEEE80211_MODE_11G || 1874 (ic->ic_curmode == IEEE80211_MODE_11N && 1875 IEEE80211_IS_CHAN_2GHZ(ic->ic_bss->ni_chan))) 1876 ieee80211_node_join_11g(ic, ni); 1877 } 1878 1879 DPRINTF(("station %s %s associated at aid %d\n", 1880 ether_sprintf(ni->ni_macaddr), newassoc ? "newly" : "already", 1881 ni->ni_associd & ~0xc000)); 1882 1883 ieee80211_ht_negotiate(ic, ni); 1884 if (ic->ic_flags & IEEE80211_F_HTON) 1885 ieee80211_node_join_ht(ic, ni); 1886 1887 /* give driver a chance to setup state like ni_txrate */ 1888 if (ic->ic_newassoc) 1889 (*ic->ic_newassoc)(ic, ni, newassoc); 1890 IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_SUCCESS); 1891 ieee80211_node_newstate(ni, IEEE80211_STA_ASSOC); 1892 1893 if (!(ic->ic_flags & IEEE80211_F_RSNON)) { 1894 ni->ni_port_valid = 1; 1895 ni->ni_rsncipher = IEEE80211_CIPHER_USEGROUP; 1896 } else 1897 ieee80211_node_join_rsn(ic, ni); 1898 1899 #if NBRIDGE > 0 1900 /* 1901 * If the parent interface is a bridgeport, learn 1902 * the node's address dynamically on this interface. 1903 */ 1904 if (ic->ic_if.if_bridgeport != NULL) 1905 bridge_update(&ic->ic_if, 1906 (struct ether_addr *)ni->ni_macaddr, 0); 1907 #endif 1908 } 1909 1910 /* 1911 * Handle an HT STA leaving an HT network. 1912 */ 1913 void 1914 ieee80211_node_leave_ht(struct ieee80211com *ic, struct ieee80211_node *ni) 1915 { 1916 struct ieee80211_rx_ba *ba; 1917 u_int8_t tid; 1918 int i; 1919 1920 /* free all Block Ack records */ 1921 ieee80211_ba_del(ni); 1922 for (tid = 0; tid < IEEE80211_NUM_TID; tid++) { 1923 ba = &ni->ni_rx_ba[tid]; 1924 if (ba->ba_buf != NULL) { 1925 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 1926 m_freem(ba->ba_buf[i].m); 1927 free(ba->ba_buf, M_DEVBUF, 1928 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 1929 ba->ba_buf = NULL; 1930 } 1931 } 1932 1933 ieee80211_clear_htcaps(ni); 1934 } 1935 1936 /* 1937 * Handle a station leaving an RSN network. 1938 */ 1939 void 1940 ieee80211_node_leave_rsn(struct ieee80211com *ic, struct ieee80211_node *ni) 1941 { 1942 int rekeysta = 0; 1943 1944 ni->ni_rsn_state = RSNA_DISCONNECTED; 1945 1946 ni->ni_rsn_state = RSNA_INITIALIZE; 1947 if (ni->ni_flags & IEEE80211_NODE_REKEY) { 1948 ni->ni_flags &= ~IEEE80211_NODE_REKEY; 1949 ieee80211_iterate_nodes(ic, 1950 ieee80211_count_rekeysta, &rekeysta); 1951 if (rekeysta == 0) 1952 ieee80211_setkeysdone(ic); 1953 } 1954 ni->ni_flags &= ~IEEE80211_NODE_PMK; 1955 ni->ni_rsn_gstate = RSNA_IDLE; 1956 1957 timeout_del(&ni->ni_eapol_to); 1958 timeout_del(&ni->ni_sa_query_to); 1959 1960 ni->ni_rsn_retries = 0; 1961 ni->ni_flags &= ~IEEE80211_NODE_TXRXPROT; 1962 ni->ni_port_valid = 0; 1963 (*ic->ic_delete_key)(ic, ni, &ni->ni_pairwise_key); 1964 } 1965 1966 /* 1967 * Handle a station leaving an 11g network. 1968 */ 1969 void 1970 ieee80211_node_leave_11g(struct ieee80211com *ic, struct ieee80211_node *ni) 1971 { 1972 int longslotsta = 0, nonerpsta = 0; 1973 1974 if (!(ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 1975 /* leaving STA did not support short slot time */ 1976 ieee80211_iterate_nodes(ic, 1977 ieee80211_count_longslotsta, &longslotsta); 1978 if (longslotsta == 1) { 1979 /* 1980 * All associated STAs now support short slot time, so 1981 * enable this feature and give the driver a chance to 1982 * reconfigure the hardware. Notice that IBSS always 1983 * use a long slot time. 1984 */ 1985 if ((ic->ic_caps & IEEE80211_C_SHSLOT) && 1986 ic->ic_opmode != IEEE80211_M_IBSS) 1987 ieee80211_set_shortslottime(ic, 1); 1988 } 1989 DPRINTF(("[%s] long slot time station leaves, count %d\n", 1990 ether_sprintf(ni->ni_macaddr), longslotsta)); 1991 } 1992 1993 if (!(ni->ni_flags & IEEE80211_NODE_ERP)) { 1994 /* leaving STA was non-ERP */ 1995 ieee80211_iterate_nodes(ic, 1996 ieee80211_count_nonerpsta, &nonerpsta); 1997 if (nonerpsta == 1) { 1998 /* 1999 * All associated STAs are now ERP capable, disable use 2000 * of protection and re-enable short preamble support. 2001 */ 2002 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2003 if (ic->ic_caps & IEEE80211_C_SHPREAMBLE) 2004 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2005 } 2006 DPRINTF(("[%s] non-ERP station leaves, count %d\n", 2007 ether_sprintf(ni->ni_macaddr), nonerpsta)); 2008 } 2009 } 2010 2011 /* 2012 * Handle bookkeeping for station deauthentication/disassociation 2013 * when operating as an ap. 2014 */ 2015 void 2016 ieee80211_node_leave(struct ieee80211com *ic, struct ieee80211_node *ni) 2017 { 2018 if (ic->ic_opmode != IEEE80211_M_HOSTAP) 2019 panic("not in ap mode, mode %u", ic->ic_opmode); 2020 2021 if (ni->ni_state == IEEE80211_STA_COLLECT) 2022 return; 2023 /* 2024 * If node wasn't previously associated all we need to do is 2025 * reclaim the reference. 2026 */ 2027 if (ni->ni_associd == 0) { 2028 ieee80211_node_newstate(ni, IEEE80211_STA_COLLECT); 2029 return; 2030 } 2031 2032 if (ni->ni_pwrsave == IEEE80211_PS_DOZE) 2033 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 2034 2035 if (mq_purge(&ni->ni_savedq) > 0) { 2036 if (ic->ic_set_tim != NULL) 2037 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 2038 } 2039 2040 if (ic->ic_flags & IEEE80211_F_RSNON) 2041 ieee80211_node_leave_rsn(ic, ni); 2042 2043 if (ic->ic_curmode == IEEE80211_MODE_11G || 2044 (ic->ic_curmode == IEEE80211_MODE_11N && 2045 IEEE80211_IS_CHAN_2GHZ(ic->ic_bss->ni_chan))) 2046 ieee80211_node_leave_11g(ic, ni); 2047 2048 if (ni->ni_flags & IEEE80211_NODE_HT) 2049 ieee80211_node_leave_ht(ic, ni); 2050 2051 if (ic->ic_node_leave != NULL) 2052 (*ic->ic_node_leave)(ic, ni); 2053 2054 ieee80211_node_newstate(ni, IEEE80211_STA_COLLECT); 2055 2056 #if NBRIDGE > 0 2057 /* 2058 * If the parent interface is a bridgeport, delete 2059 * any dynamically learned address for this node. 2060 */ 2061 if (ic->ic_if.if_bridgeport != NULL) 2062 bridge_update(&ic->ic_if, 2063 (struct ether_addr *)ni->ni_macaddr, 1); 2064 #endif 2065 } 2066 2067 static int 2068 ieee80211_do_slow_print(struct ieee80211com *ic, int *did_print) 2069 { 2070 static const struct timeval merge_print_intvl = { 2071 .tv_sec = 1, .tv_usec = 0 2072 }; 2073 if ((ic->ic_if.if_flags & IFF_LINK0) == 0) 2074 return 0; 2075 if (!*did_print && (ic->ic_if.if_flags & IFF_DEBUG) == 0 && 2076 !ratecheck(&ic->ic_last_merge_print, &merge_print_intvl)) 2077 return 0; 2078 2079 *did_print = 1; 2080 return 1; 2081 } 2082 2083 /* ieee80211_ibss_merge helps merge 802.11 ad hoc networks. The 2084 * convention, set by the Wireless Ethernet Compatibility Alliance 2085 * (WECA), is that an 802.11 station will change its BSSID to match 2086 * the "oldest" 802.11 ad hoc network, on the same channel, that 2087 * has the station's desired SSID. The "oldest" 802.11 network 2088 * sends beacons with the greatest TSF timestamp. 2089 * 2090 * Return ENETRESET if the BSSID changed, 0 otherwise. 2091 * 2092 * XXX Perhaps we should compensate for the time that elapses 2093 * between the MAC receiving the beacon and the host processing it 2094 * in ieee80211_ibss_merge. 2095 */ 2096 int 2097 ieee80211_ibss_merge(struct ieee80211com *ic, struct ieee80211_node *ni, 2098 u_int64_t local_tsft) 2099 { 2100 u_int64_t beacon_tsft; 2101 int did_print = 0, sign; 2102 union { 2103 u_int64_t word; 2104 u_int8_t tstamp[8]; 2105 } u; 2106 2107 /* ensure alignment */ 2108 (void)memcpy(&u, &ni->ni_tstamp[0], sizeof(u)); 2109 beacon_tsft = letoh64(u.word); 2110 2111 /* we are faster, let the other guy catch up */ 2112 if (beacon_tsft < local_tsft) 2113 sign = -1; 2114 else 2115 sign = 1; 2116 2117 if (IEEE80211_ADDR_EQ(ni->ni_bssid, ic->ic_bss->ni_bssid)) { 2118 if (!ieee80211_do_slow_print(ic, &did_print)) 2119 return 0; 2120 printf("%s: tsft offset %s%llu\n", ic->ic_if.if_xname, 2121 (sign < 0) ? "-" : "", 2122 (sign < 0) 2123 ? (local_tsft - beacon_tsft) 2124 : (beacon_tsft - local_tsft)); 2125 return 0; 2126 } 2127 2128 if (sign < 0) 2129 return 0; 2130 2131 if (ieee80211_match_bss(ic, ni) != 0) 2132 return 0; 2133 2134 if (ieee80211_do_slow_print(ic, &did_print)) { 2135 printf("%s: ieee80211_ibss_merge: bssid mismatch %s\n", 2136 ic->ic_if.if_xname, ether_sprintf(ni->ni_bssid)); 2137 printf("%s: my tsft %llu beacon tsft %llu\n", 2138 ic->ic_if.if_xname, local_tsft, beacon_tsft); 2139 printf("%s: sync TSF with %s\n", 2140 ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr)); 2141 } 2142 2143 ic->ic_flags &= ~IEEE80211_F_SIBSS; 2144 2145 /* negotiate rates with new IBSS */ 2146 ieee80211_fix_rate(ic, ni, IEEE80211_F_DOFRATE | 2147 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2148 if (ni->ni_rates.rs_nrates == 0) { 2149 if (ieee80211_do_slow_print(ic, &did_print)) { 2150 printf("%s: rates mismatch, BSSID %s\n", 2151 ic->ic_if.if_xname, ether_sprintf(ni->ni_bssid)); 2152 } 2153 return 0; 2154 } 2155 2156 if (ieee80211_do_slow_print(ic, &did_print)) { 2157 printf("%s: sync BSSID %s -> ", 2158 ic->ic_if.if_xname, ether_sprintf(ic->ic_bss->ni_bssid)); 2159 printf("%s ", ether_sprintf(ni->ni_bssid)); 2160 printf("(from %s)\n", ether_sprintf(ni->ni_macaddr)); 2161 } 2162 2163 ieee80211_node_newstate(ni, IEEE80211_STA_BSS); 2164 (*ic->ic_node_copy)(ic, ic->ic_bss, ni); 2165 2166 return ENETRESET; 2167 } 2168 2169 void 2170 ieee80211_set_tim(struct ieee80211com *ic, int aid, int set) 2171 { 2172 if (set) 2173 setbit(ic->ic_tim_bitmap, aid & ~0xc000); 2174 else 2175 clrbit(ic->ic_tim_bitmap, aid & ~0xc000); 2176 } 2177 2178 /* 2179 * This function shall be called by drivers immediately after every DTIM. 2180 * Transmit all group addressed MSDUs buffered at the AP. 2181 */ 2182 void 2183 ieee80211_notify_dtim(struct ieee80211com *ic) 2184 { 2185 /* NB: group addressed MSDUs are buffered in ic_bss */ 2186 struct ieee80211_node *ni = ic->ic_bss; 2187 struct ifnet *ifp = &ic->ic_if; 2188 struct ieee80211_frame *wh; 2189 struct mbuf *m; 2190 2191 KASSERT(ic->ic_opmode == IEEE80211_M_HOSTAP); 2192 2193 while ((m = mq_dequeue(&ni->ni_savedq)) != NULL) { 2194 if (!mq_empty(&ni->ni_savedq)) { 2195 /* more queued frames, set the more data bit */ 2196 wh = mtod(m, struct ieee80211_frame *); 2197 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 2198 } 2199 mq_enqueue(&ic->ic_pwrsaveq, m); 2200 if_start(ifp); 2201 } 2202 /* XXX assumes everything has been sent */ 2203 ic->ic_tim_mcast_pending = 0; 2204 } 2205 #endif /* IEEE80211_STA_ONLY */ 2206 2207 /* 2208 * Compare nodes in the tree by lladdr 2209 */ 2210 int 2211 ieee80211_node_cmp(const struct ieee80211_node *b1, 2212 const struct ieee80211_node *b2) 2213 { 2214 return (memcmp(b1->ni_macaddr, b2->ni_macaddr, IEEE80211_ADDR_LEN)); 2215 } 2216 2217 /* 2218 * Generate red-black tree function logic 2219 */ 2220 RBT_GENERATE(ieee80211_tree, ieee80211_node, ni_node, ieee80211_node_cmp); 2221