1 /* $OpenBSD: ieee80211_proto.c,v 1.74 2017/03/02 09:41:27 stsp Exp $ */ 2 /* $NetBSD: ieee80211_proto.c,v 1.8 2004/04/30 23:58:20 dyoung Exp $ */ 3 4 /*- 5 * Copyright (c) 2001 Atsushi Onoe 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * Copyright (c) 2008, 2009 Damien Bergamini 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 /* 34 * IEEE 802.11 protocol support. 35 */ 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/mbuf.h> 40 #include <sys/kernel.h> 41 #include <sys/socket.h> 42 #include <sys/sockio.h> 43 #include <sys/endian.h> 44 #include <sys/errno.h> 45 #include <sys/sysctl.h> 46 47 #include <net/if.h> 48 #include <net/if_dl.h> 49 #include <net/if_media.h> 50 #include <net/if_llc.h> 51 52 #include <netinet/in.h> 53 #include <netinet/if_ether.h> 54 55 #include <net80211/ieee80211_var.h> 56 #include <net80211/ieee80211_priv.h> 57 58 const char * const ieee80211_mgt_subtype_name[] = { 59 "assoc_req", "assoc_resp", "reassoc_req", "reassoc_resp", 60 "probe_req", "probe_resp", "reserved#6", "reserved#7", 61 "beacon", "atim", "disassoc", "auth", 62 "deauth", "action", "action_noack", "reserved#15" 63 }; 64 const char * const ieee80211_state_name[IEEE80211_S_MAX] = { 65 "INIT", /* IEEE80211_S_INIT */ 66 "SCAN", /* IEEE80211_S_SCAN */ 67 "AUTH", /* IEEE80211_S_AUTH */ 68 "ASSOC", /* IEEE80211_S_ASSOC */ 69 "RUN" /* IEEE80211_S_RUN */ 70 }; 71 const char * const ieee80211_phymode_name[] = { 72 "auto", /* IEEE80211_MODE_AUTO */ 73 "11a", /* IEEE80211_MODE_11A */ 74 "11b", /* IEEE80211_MODE_11B */ 75 "11g", /* IEEE80211_MODE_11G */ 76 "11n", /* IEEE80211_MODE_11N */ 77 }; 78 79 int ieee80211_newstate(struct ieee80211com *, enum ieee80211_state, int); 80 81 void 82 ieee80211_proto_attach(struct ifnet *ifp) 83 { 84 struct ieee80211com *ic = (void *)ifp; 85 86 mq_init(&ic->ic_mgtq, IFQ_MAXLEN, IPL_NET); 87 mq_init(&ic->ic_pwrsaveq, IFQ_MAXLEN, IPL_NET); 88 89 ifp->if_hdrlen = sizeof(struct ieee80211_frame); 90 91 ic->ic_rtsthreshold = IEEE80211_RTS_DEFAULT; 92 ic->ic_fragthreshold = 2346; /* XXX not used yet */ 93 ic->ic_fixed_rate = -1; /* no fixed rate */ 94 ic->ic_fixed_mcs = -1; /* no fixed mcs */ 95 ic->ic_protmode = IEEE80211_PROT_CTSONLY; 96 97 /* protocol state change handler */ 98 ic->ic_newstate = ieee80211_newstate; 99 100 /* initialize management frame handlers */ 101 ic->ic_recv_mgmt = ieee80211_recv_mgmt; 102 ic->ic_send_mgmt = ieee80211_send_mgmt; 103 } 104 105 void 106 ieee80211_proto_detach(struct ifnet *ifp) 107 { 108 struct ieee80211com *ic = (void *)ifp; 109 110 mq_purge(&ic->ic_mgtq); 111 mq_purge(&ic->ic_pwrsaveq); 112 } 113 114 void 115 ieee80211_print_essid(const u_int8_t *essid, int len) 116 { 117 int i; 118 const u_int8_t *p; 119 120 if (len > IEEE80211_NWID_LEN) 121 len = IEEE80211_NWID_LEN; 122 /* determine printable or not */ 123 for (i = 0, p = essid; i < len; i++, p++) { 124 if (*p < ' ' || *p > 0x7e) 125 break; 126 } 127 if (i == len) { 128 printf("\""); 129 for (i = 0, p = essid; i < len; i++, p++) 130 printf("%c", *p); 131 printf("\""); 132 } else { 133 printf("0x"); 134 for (i = 0, p = essid; i < len; i++, p++) 135 printf("%02x", *p); 136 } 137 } 138 139 #ifdef IEEE80211_DEBUG 140 void 141 ieee80211_dump_pkt(const u_int8_t *buf, int len, int rate, int rssi) 142 { 143 struct ieee80211_frame *wh; 144 int i; 145 146 wh = (struct ieee80211_frame *)buf; 147 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 148 case IEEE80211_FC1_DIR_NODS: 149 printf("NODS %s", ether_sprintf(wh->i_addr2)); 150 printf("->%s", ether_sprintf(wh->i_addr1)); 151 printf("(%s)", ether_sprintf(wh->i_addr3)); 152 break; 153 case IEEE80211_FC1_DIR_TODS: 154 printf("TODS %s", ether_sprintf(wh->i_addr2)); 155 printf("->%s", ether_sprintf(wh->i_addr3)); 156 printf("(%s)", ether_sprintf(wh->i_addr1)); 157 break; 158 case IEEE80211_FC1_DIR_FROMDS: 159 printf("FRDS %s", ether_sprintf(wh->i_addr3)); 160 printf("->%s", ether_sprintf(wh->i_addr1)); 161 printf("(%s)", ether_sprintf(wh->i_addr2)); 162 break; 163 case IEEE80211_FC1_DIR_DSTODS: 164 printf("DSDS %s", ether_sprintf((u_int8_t *)&wh[1])); 165 printf("->%s", ether_sprintf(wh->i_addr3)); 166 printf("(%s", ether_sprintf(wh->i_addr2)); 167 printf("->%s)", ether_sprintf(wh->i_addr1)); 168 break; 169 } 170 switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) { 171 case IEEE80211_FC0_TYPE_DATA: 172 printf(" data"); 173 break; 174 case IEEE80211_FC0_TYPE_MGT: 175 printf(" %s", ieee80211_mgt_subtype_name[ 176 (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) 177 >> IEEE80211_FC0_SUBTYPE_SHIFT]); 178 break; 179 default: 180 printf(" type#%d", wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK); 181 break; 182 } 183 if (wh->i_fc[1] & IEEE80211_FC1_WEP) 184 printf(" WEP"); 185 if (rate >= 0) 186 printf(" %d%sM", rate / 2, (rate & 1) ? ".5" : ""); 187 if (rssi >= 0) 188 printf(" +%d", rssi); 189 printf("\n"); 190 if (len > 0) { 191 for (i = 0; i < len; i++) { 192 if ((i & 1) == 0) 193 printf(" "); 194 printf("%02x", buf[i]); 195 } 196 printf("\n"); 197 } 198 } 199 #endif 200 201 int 202 ieee80211_fix_rate(struct ieee80211com *ic, struct ieee80211_node *ni, 203 int flags) 204 { 205 #define RV(v) ((v) & IEEE80211_RATE_VAL) 206 int i, j, ignore, error; 207 int okrate, badrate, fixedrate; 208 const struct ieee80211_rateset *srs; 209 struct ieee80211_rateset *nrs; 210 u_int8_t r; 211 212 /* 213 * If the fixed rate check was requested but no fixed rate has been 214 * defined then just remove the check. 215 */ 216 if ((flags & IEEE80211_F_DOFRATE) && ic->ic_fixed_rate == -1) 217 flags &= ~IEEE80211_F_DOFRATE; 218 219 error = 0; 220 okrate = badrate = fixedrate = 0; 221 srs = &ic->ic_sup_rates[ieee80211_chan2mode(ic, ni->ni_chan)]; 222 nrs = &ni->ni_rates; 223 for (i = 0; i < nrs->rs_nrates; ) { 224 ignore = 0; 225 if (flags & IEEE80211_F_DOSORT) { 226 /* 227 * Sort rates. 228 */ 229 for (j = i + 1; j < nrs->rs_nrates; j++) { 230 if (RV(nrs->rs_rates[i]) > 231 RV(nrs->rs_rates[j])) { 232 r = nrs->rs_rates[i]; 233 nrs->rs_rates[i] = nrs->rs_rates[j]; 234 nrs->rs_rates[j] = r; 235 } 236 } 237 } 238 r = nrs->rs_rates[i] & IEEE80211_RATE_VAL; 239 badrate = r; 240 if (flags & IEEE80211_F_DOFRATE) { 241 /* 242 * Check fixed rate is included. 243 */ 244 if (r == RV(srs->rs_rates[ic->ic_fixed_rate])) 245 fixedrate = r; 246 } 247 if (flags & IEEE80211_F_DONEGO) { 248 /* 249 * Check against supported rates. 250 */ 251 for (j = 0; j < srs->rs_nrates; j++) { 252 if (r == RV(srs->rs_rates[j])) { 253 /* 254 * Overwrite with the supported rate 255 * value so any basic rate bit is set. 256 * This insures that response we send 257 * to stations have the necessary basic 258 * rate bit set. 259 */ 260 nrs->rs_rates[i] = srs->rs_rates[j]; 261 break; 262 } 263 } 264 if (j == srs->rs_nrates) { 265 /* 266 * A rate in the node's rate set is not 267 * supported. If this is a basic rate and we 268 * are operating as an AP then this is an error. 269 * Otherwise we just discard/ignore the rate. 270 * Note that this is important for 11b stations 271 * when they want to associate with an 11g AP. 272 */ 273 #ifndef IEEE80211_STA_ONLY 274 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 275 (nrs->rs_rates[i] & IEEE80211_RATE_BASIC)) 276 error++; 277 #endif 278 ignore++; 279 } 280 } 281 if (flags & IEEE80211_F_DODEL) { 282 /* 283 * Delete unacceptable rates. 284 */ 285 if (ignore) { 286 nrs->rs_nrates--; 287 for (j = i; j < nrs->rs_nrates; j++) 288 nrs->rs_rates[j] = nrs->rs_rates[j + 1]; 289 nrs->rs_rates[j] = 0; 290 continue; 291 } 292 } 293 if (!ignore) 294 okrate = nrs->rs_rates[i]; 295 i++; 296 } 297 if (okrate == 0 || error != 0 || 298 ((flags & IEEE80211_F_DOFRATE) && fixedrate == 0)) 299 return badrate | IEEE80211_RATE_BASIC; 300 else 301 return RV(okrate); 302 #undef RV 303 } 304 305 /* 306 * Reset 11g-related state. 307 */ 308 void 309 ieee80211_reset_erp(struct ieee80211com *ic) 310 { 311 ic->ic_flags &= ~IEEE80211_F_USEPROT; 312 313 ieee80211_set_shortslottime(ic, 314 ic->ic_curmode == IEEE80211_MODE_11A || 315 (ic->ic_curmode == IEEE80211_MODE_11N && 316 IEEE80211_IS_CHAN_5GHZ(ic->ic_ibss_chan)) 317 #ifndef IEEE80211_STA_ONLY 318 || 319 ((ic->ic_curmode == IEEE80211_MODE_11G || 320 (ic->ic_curmode == IEEE80211_MODE_11N && 321 IEEE80211_IS_CHAN_2GHZ(ic->ic_ibss_chan))) && 322 ic->ic_opmode == IEEE80211_M_HOSTAP && 323 (ic->ic_caps & IEEE80211_C_SHSLOT)) 324 #endif 325 ); 326 327 if (ic->ic_curmode == IEEE80211_MODE_11A || 328 (ic->ic_curmode == IEEE80211_MODE_11N && 329 IEEE80211_IS_CHAN_5GHZ(ic->ic_ibss_chan)) || 330 (ic->ic_caps & IEEE80211_C_SHPREAMBLE)) 331 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 332 else 333 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 334 } 335 336 /* 337 * Set the short slot time state and notify the driver. 338 */ 339 void 340 ieee80211_set_shortslottime(struct ieee80211com *ic, int on) 341 { 342 if (on) 343 ic->ic_flags |= IEEE80211_F_SHSLOT; 344 else 345 ic->ic_flags &= ~IEEE80211_F_SHSLOT; 346 347 /* notify the driver */ 348 if (ic->ic_updateslot != NULL) 349 ic->ic_updateslot(ic); 350 } 351 352 /* 353 * This function is called by the 802.1X PACP machine (via an ioctl) when 354 * the transmit key machine (4-Way Handshake for 802.11) should run. 355 */ 356 int 357 ieee80211_keyrun(struct ieee80211com *ic, u_int8_t *macaddr) 358 { 359 struct ieee80211_node *ni = ic->ic_bss; 360 #ifndef IEEE80211_STA_ONLY 361 struct ieee80211_pmk *pmk; 362 #endif 363 364 /* STA must be associated or AP must be ready */ 365 if (ic->ic_state != IEEE80211_S_RUN || 366 !(ic->ic_flags & IEEE80211_F_RSNON)) 367 return ENETDOWN; 368 369 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 370 #ifndef IEEE80211_STA_ONLY 371 if (ic->ic_opmode == IEEE80211_M_STA) 372 #endif 373 return 0; /* supplicant only, do nothing */ 374 375 #ifndef IEEE80211_STA_ONLY 376 /* find the STA with which we must start the key exchange */ 377 if ((ni = ieee80211_find_node(ic, macaddr)) == NULL) { 378 DPRINTF(("no node found for %s\n", ether_sprintf(macaddr))); 379 return EINVAL; 380 } 381 /* check that the STA is in the correct state */ 382 if (ni->ni_state != IEEE80211_STA_ASSOC || 383 ni->ni_rsn_state != RSNA_AUTHENTICATION_2) { 384 DPRINTF(("unexpected in state %d\n", ni->ni_rsn_state)); 385 return EINVAL; 386 } 387 ni->ni_rsn_state = RSNA_INITPMK; 388 389 /* make sure a PMK is available for this STA, otherwise deauth it */ 390 if ((pmk = ieee80211_pmksa_find(ic, ni, NULL)) == NULL) { 391 DPRINTF(("no PMK available for %s\n", ether_sprintf(macaddr))); 392 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 393 IEEE80211_REASON_AUTH_LEAVE); 394 ieee80211_node_leave(ic, ni); 395 return EINVAL; 396 } 397 memcpy(ni->ni_pmk, pmk->pmk_key, IEEE80211_PMK_LEN); 398 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, IEEE80211_PMKID_LEN); 399 ni->ni_flags |= IEEE80211_NODE_PMK; 400 401 /* initiate key exchange (4-Way Handshake) with STA */ 402 return ieee80211_send_4way_msg1(ic, ni); 403 #endif /* IEEE80211_STA_ONLY */ 404 } 405 406 #ifndef IEEE80211_STA_ONLY 407 /* 408 * Initiate a group key handshake with a node. 409 */ 410 static void 411 ieee80211_node_gtk_rekey(void *arg, struct ieee80211_node *ni) 412 { 413 struct ieee80211com *ic = arg; 414 415 if (ni->ni_state != IEEE80211_STA_ASSOC || 416 ni->ni_rsn_gstate != RSNA_IDLE) 417 return; 418 419 /* initiate a group key handshake with STA */ 420 ni->ni_flags |= IEEE80211_NODE_REKEY; 421 if (ieee80211_send_group_msg1(ic, ni) != 0) 422 ni->ni_flags &= ~IEEE80211_NODE_REKEY; 423 } 424 425 /* 426 * This function is called in HostAP mode when the group key needs to be 427 * changed. 428 */ 429 void 430 ieee80211_setkeys(struct ieee80211com *ic) 431 { 432 struct ieee80211_key *k; 433 u_int8_t kid; 434 435 /* Swap(GM, GN) */ 436 kid = (ic->ic_def_txkey == 1) ? 2 : 1; 437 k = &ic->ic_nw_keys[kid]; 438 memset(k, 0, sizeof(*k)); 439 k->k_id = kid; 440 k->k_cipher = ic->ic_bss->ni_rsngroupcipher; 441 k->k_flags = IEEE80211_KEY_GROUP | IEEE80211_KEY_TX; 442 k->k_len = ieee80211_cipher_keylen(k->k_cipher); 443 arc4random_buf(k->k_key, k->k_len); 444 445 if (ic->ic_caps & IEEE80211_C_MFP) { 446 /* Swap(GM_igtk, GN_igtk) */ 447 kid = (ic->ic_igtk_kid == 4) ? 5 : 4; 448 k = &ic->ic_nw_keys[kid]; 449 memset(k, 0, sizeof(*k)); 450 k->k_id = kid; 451 k->k_cipher = ic->ic_bss->ni_rsngroupmgmtcipher; 452 k->k_flags = IEEE80211_KEY_IGTK | IEEE80211_KEY_TX; 453 k->k_len = 16; 454 arc4random_buf(k->k_key, k->k_len); 455 } 456 457 ieee80211_iterate_nodes(ic, ieee80211_node_gtk_rekey, ic); 458 } 459 460 /* 461 * The group key handshake has been completed with all associated stations. 462 */ 463 void 464 ieee80211_setkeysdone(struct ieee80211com *ic) 465 { 466 u_int8_t kid; 467 468 /* install GTK */ 469 kid = (ic->ic_def_txkey == 1) ? 2 : 1; 470 if ((*ic->ic_set_key)(ic, ic->ic_bss, &ic->ic_nw_keys[kid]) == 0) 471 ic->ic_def_txkey = kid; 472 473 if (ic->ic_caps & IEEE80211_C_MFP) { 474 /* install IGTK */ 475 kid = (ic->ic_igtk_kid == 4) ? 5 : 4; 476 if ((*ic->ic_set_key)(ic, ic->ic_bss, 477 &ic->ic_nw_keys[kid]) == 0) 478 ic->ic_igtk_kid = kid; 479 } 480 } 481 482 /* 483 * Group key lifetime has expired, update it. 484 */ 485 void 486 ieee80211_gtk_rekey_timeout(void *arg) 487 { 488 struct ieee80211com *ic = arg; 489 int s; 490 491 s = splnet(); 492 ieee80211_setkeys(ic); 493 splx(s); 494 495 /* re-schedule a GTK rekeying after 3600s */ 496 timeout_add_sec(&ic->ic_rsn_timeout, 3600); 497 } 498 499 void 500 ieee80211_sa_query_timeout(void *arg) 501 { 502 struct ieee80211_node *ni = arg; 503 struct ieee80211com *ic = ni->ni_ic; 504 int s; 505 506 s = splnet(); 507 if (++ni->ni_sa_query_count >= 3) { 508 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 509 ni->ni_flags |= IEEE80211_NODE_SA_QUERY_FAILED; 510 } else /* retry SA Query Request */ 511 ieee80211_sa_query_request(ic, ni); 512 splx(s); 513 } 514 515 /* 516 * Request that a SA Query Request frame be sent to a specified peer STA 517 * to which the STA is associated. 518 */ 519 void 520 ieee80211_sa_query_request(struct ieee80211com *ic, struct ieee80211_node *ni) 521 { 522 /* MLME-SAQuery.request */ 523 524 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 525 ni->ni_flags |= IEEE80211_NODE_SA_QUERY; 526 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY_FAILED; 527 ni->ni_sa_query_count = 0; 528 } 529 /* generate new Transaction Identifier */ 530 ni->ni_sa_query_trid++; 531 532 /* send SA Query Request */ 533 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 534 IEEE80211_ACTION_SA_QUERY_REQ, 0); 535 timeout_add_msec(&ni->ni_sa_query_to, 10); 536 } 537 #endif /* IEEE80211_STA_ONLY */ 538 539 void 540 ieee80211_ht_negotiate(struct ieee80211com *ic, struct ieee80211_node *ni) 541 { 542 int i; 543 544 ni->ni_flags &= ~IEEE80211_NODE_HT; 545 546 /* Check if we support HT. */ 547 if ((ic->ic_modecaps & (1 << IEEE80211_MODE_11N)) == 0) 548 return; 549 550 /* Check if HT support has been explicitly disabled. */ 551 if ((ic->ic_flags & IEEE80211_F_HTON) == 0) 552 return; 553 554 /* 555 * Check if the peer supports HT. 556 * Require at least one of the mandatory MCS. 557 * MCS 0-7 are mandatory but some APs have particular MCS disabled. 558 */ 559 if ((ni->ni_rxmcs[0] & 0xff) == 0) { 560 ic->ic_stats.is_ht_nego_no_mandatory_mcs++; 561 return; 562 } 563 564 if (ic->ic_opmode == IEEE80211_M_STA) { 565 /* We must support the AP's basic MCS set. */ 566 for (i = 0; i < IEEE80211_HT_NUM_MCS; i++) { 567 if (isset(ni->ni_basic_mcs, i) && 568 !isset(ic->ic_sup_mcs, i)) { 569 ic->ic_stats.is_ht_nego_no_basic_mcs++; 570 return; 571 } 572 } 573 } 574 575 /* 576 * Don't allow group cipher (includes WEP) or TKIP 577 * for pairwise encryption (see 802.11-2012 11.1.6). 578 */ 579 if (ic->ic_flags & IEEE80211_F_WEPON) { 580 ic->ic_stats.is_ht_nego_bad_crypto++; 581 return; 582 } 583 if ((ic->ic_flags & IEEE80211_F_RSNON) && 584 (ni->ni_rsnciphers & IEEE80211_CIPHER_USEGROUP || 585 ni->ni_rsnciphers & IEEE80211_CIPHER_TKIP)) { 586 ic->ic_stats.is_ht_nego_bad_crypto++; 587 return; 588 } 589 590 ni->ni_flags |= IEEE80211_NODE_HT; 591 } 592 593 void 594 ieee80211_tx_ba_timeout(void *arg) 595 { 596 struct ieee80211_tx_ba *ba = arg; 597 struct ieee80211_node *ni = ba->ba_ni; 598 struct ieee80211com *ic = ni->ni_ic; 599 u_int8_t tid; 600 int s; 601 602 ic->ic_stats.is_ht_tx_ba_timeout++; 603 604 s = splnet(); 605 if (ba->ba_state == IEEE80211_BA_REQUESTED) { 606 /* MLME-ADDBA.confirm(TIMEOUT) */ 607 ba->ba_state = IEEE80211_BA_INIT; 608 609 } else if (ba->ba_state == IEEE80211_BA_AGREED) { 610 /* Block Ack inactivity timeout */ 611 tid = ((caddr_t)ba - (caddr_t)ni->ni_tx_ba) / sizeof(*ba); 612 ieee80211_delba_request(ic, ni, IEEE80211_REASON_TIMEOUT, 613 1, tid); 614 } 615 splx(s); 616 } 617 618 void 619 ieee80211_rx_ba_timeout(void *arg) 620 { 621 struct ieee80211_rx_ba *ba = arg; 622 struct ieee80211_node *ni = ba->ba_ni; 623 struct ieee80211com *ic = ni->ni_ic; 624 u_int8_t tid; 625 int s; 626 627 ic->ic_stats.is_ht_rx_ba_timeout++; 628 629 s = splnet(); 630 631 /* Block Ack inactivity timeout */ 632 tid = ((caddr_t)ba - (caddr_t)ni->ni_rx_ba) / sizeof(*ba); 633 ieee80211_delba_request(ic, ni, IEEE80211_REASON_TIMEOUT, 0, tid); 634 635 splx(s); 636 } 637 638 /* 639 * Request initiation of Block Ack with the specified peer. 640 */ 641 int 642 ieee80211_addba_request(struct ieee80211com *ic, struct ieee80211_node *ni, 643 u_int16_t ssn, u_int8_t tid) 644 { 645 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 646 647 /* MLME-ADDBA.request */ 648 649 /* setup Block Ack */ 650 ba->ba_state = IEEE80211_BA_REQUESTED; 651 ba->ba_token = ic->ic_dialog_token++; 652 ba->ba_timeout_val = 0; 653 timeout_set(&ba->ba_to, ieee80211_tx_ba_timeout, ba); 654 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 655 ba->ba_winstart = ssn; 656 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 657 ba->ba_params = 658 (ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 659 (tid << IEEE80211_ADDBA_TID_SHIFT) | IEEE80211_ADDBA_AMSDU; 660 if ((ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) == 0) 661 /* immediate BA */ 662 ba->ba_params |= IEEE80211_ADDBA_BA_POLICY; 663 664 timeout_add_sec(&ba->ba_to, 1); /* dot11ADDBAResponseTimeout */ 665 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 666 IEEE80211_ACTION_ADDBA_REQ, tid); 667 return 0; 668 } 669 670 /* 671 * Request the deletion of Block Ack with a peer. 672 */ 673 void 674 ieee80211_delba_request(struct ieee80211com *ic, struct ieee80211_node *ni, 675 u_int16_t reason, u_int8_t dir, u_int8_t tid) 676 { 677 /* MLME-DELBA.request */ 678 679 /* transmit a DELBA frame */ 680 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 681 IEEE80211_ACTION_DELBA, reason << 16 | dir << 8 | tid); 682 if (dir) { 683 /* MLME-DELBA.confirm(Originator) */ 684 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 685 686 if (ic->ic_ampdu_tx_stop != NULL) 687 ic->ic_ampdu_tx_stop(ic, ni, tid); 688 689 ba->ba_state = IEEE80211_BA_INIT; 690 /* stop Block Ack inactivity timer */ 691 timeout_del(&ba->ba_to); 692 } else { 693 /* MLME-DELBA.confirm(Recipient) */ 694 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 695 int i; 696 697 if (ic->ic_ampdu_rx_stop != NULL) 698 ic->ic_ampdu_rx_stop(ic, ni, tid); 699 700 ba->ba_state = IEEE80211_BA_INIT; 701 /* stop Block Ack inactivity timer */ 702 timeout_del(&ba->ba_to); 703 timeout_del(&ba->ba_gap_to); 704 705 if (ba->ba_buf != NULL) { 706 /* free all MSDUs stored in reordering buffer */ 707 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 708 m_freem(ba->ba_buf[i].m); 709 /* free reordering buffer */ 710 free(ba->ba_buf, M_DEVBUF, 0); 711 ba->ba_buf = NULL; 712 } 713 } 714 } 715 716 void 717 ieee80211_auth_open(struct ieee80211com *ic, const struct ieee80211_frame *wh, 718 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, u_int16_t seq, 719 u_int16_t status) 720 { 721 struct ifnet *ifp = &ic->ic_if; 722 switch (ic->ic_opmode) { 723 #ifndef IEEE80211_STA_ONLY 724 case IEEE80211_M_IBSS: 725 if (ic->ic_state != IEEE80211_S_RUN || 726 seq != IEEE80211_AUTH_OPEN_REQUEST) { 727 DPRINTF(("discard auth from %s; state %u, seq %u\n", 728 ether_sprintf((u_int8_t *)wh->i_addr2), 729 ic->ic_state, seq)); 730 ic->ic_stats.is_rx_bad_auth++; 731 return; 732 } 733 ieee80211_new_state(ic, IEEE80211_S_AUTH, 734 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 735 736 /* In IBSS mode no (re)association frames are sent. */ 737 if (ic->ic_flags & IEEE80211_F_RSNON) 738 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 739 break; 740 741 case IEEE80211_M_AHDEMO: 742 /* should not come here */ 743 break; 744 745 case IEEE80211_M_HOSTAP: 746 if (ic->ic_state != IEEE80211_S_RUN || 747 seq != IEEE80211_AUTH_OPEN_REQUEST) { 748 DPRINTF(("discard auth from %s; state %u, seq %u\n", 749 ether_sprintf((u_int8_t *)wh->i_addr2), 750 ic->ic_state, seq)); 751 ic->ic_stats.is_rx_bad_auth++; 752 return; 753 } 754 if (ni == ic->ic_bss) { 755 ni = ieee80211_find_node(ic, wh->i_addr2); 756 if (ni == NULL) 757 ni = ieee80211_alloc_node(ic, wh->i_addr2); 758 if (ni == NULL) { 759 return; 760 } 761 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_bss->ni_bssid); 762 ni->ni_rssi = rxi->rxi_rssi; 763 ni->ni_rstamp = rxi->rxi_tstamp; 764 ni->ni_chan = ic->ic_bss->ni_chan; 765 } 766 IEEE80211_SEND_MGMT(ic, ni, 767 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 768 if (ifp->if_flags & IFF_DEBUG) 769 printf("%s: station %s %s authenticated (open)\n", 770 ifp->if_xname, 771 ether_sprintf((u_int8_t *)ni->ni_macaddr), 772 ni->ni_state != IEEE80211_STA_CACHE ? 773 "newly" : "already"); 774 ieee80211_node_newstate(ni, IEEE80211_STA_AUTH); 775 break; 776 #endif /* IEEE80211_STA_ONLY */ 777 778 case IEEE80211_M_STA: 779 if (ic->ic_state != IEEE80211_S_AUTH || 780 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 781 ic->ic_stats.is_rx_bad_auth++; 782 DPRINTF(("discard auth from %s; state %u, seq %u\n", 783 ether_sprintf((u_int8_t *)wh->i_addr2), 784 ic->ic_state, seq)); 785 return; 786 } 787 if (ic->ic_flags & IEEE80211_F_RSNON) { 788 /* XXX not here! */ 789 ic->ic_bss->ni_flags &= ~IEEE80211_NODE_TXRXPROT; 790 ic->ic_bss->ni_port_valid = 0; 791 ic->ic_bss->ni_replaycnt_ok = 0; 792 (*ic->ic_delete_key)(ic, ic->ic_bss, 793 &ic->ic_bss->ni_pairwise_key); 794 } 795 if (status != 0) { 796 if (ifp->if_flags & IFF_DEBUG) 797 printf("%s: open authentication failed " 798 "(reason %d) for %s\n", ifp->if_xname, 799 status, 800 ether_sprintf((u_int8_t *)wh->i_addr3)); 801 if (ni != ic->ic_bss) 802 ni->ni_fails++; 803 ic->ic_stats.is_rx_auth_fail++; 804 return; 805 } 806 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 807 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 808 break; 809 default: 810 break; 811 } 812 } 813 814 int 815 ieee80211_newstate(struct ieee80211com *ic, enum ieee80211_state nstate, 816 int mgt) 817 { 818 struct ifnet *ifp = &ic->ic_if; 819 struct ieee80211_node *ni; 820 enum ieee80211_state ostate; 821 u_int rate; 822 #ifndef IEEE80211_STA_ONLY 823 int s; 824 #endif 825 826 ostate = ic->ic_state; 827 DPRINTF(("%s -> %s\n", ieee80211_state_name[ostate], 828 ieee80211_state_name[nstate])); 829 ic->ic_state = nstate; /* state transition */ 830 ni = ic->ic_bss; /* NB: no reference held */ 831 if (ostate == IEEE80211_S_RUN) 832 ieee80211_set_link_state(ic, LINK_STATE_DOWN); 833 switch (nstate) { 834 case IEEE80211_S_INIT: 835 /* 836 * If mgt = -1, driver is already partway down, so do 837 * not send management frames. 838 */ 839 switch (ostate) { 840 case IEEE80211_S_INIT: 841 break; 842 case IEEE80211_S_RUN: 843 if (mgt == -1) 844 goto justcleanup; 845 switch (ic->ic_opmode) { 846 case IEEE80211_M_STA: 847 IEEE80211_SEND_MGMT(ic, ni, 848 IEEE80211_FC0_SUBTYPE_DISASSOC, 849 IEEE80211_REASON_ASSOC_LEAVE); 850 break; 851 #ifndef IEEE80211_STA_ONLY 852 case IEEE80211_M_HOSTAP: 853 s = splnet(); 854 RBT_FOREACH(ni, ieee80211_tree, &ic->ic_tree) { 855 if (ni->ni_state != IEEE80211_STA_ASSOC) 856 continue; 857 IEEE80211_SEND_MGMT(ic, ni, 858 IEEE80211_FC0_SUBTYPE_DISASSOC, 859 IEEE80211_REASON_ASSOC_LEAVE); 860 } 861 splx(s); 862 break; 863 #endif 864 default: 865 break; 866 } 867 /* FALLTHROUGH */ 868 case IEEE80211_S_ASSOC: 869 if (mgt == -1) 870 goto justcleanup; 871 switch (ic->ic_opmode) { 872 case IEEE80211_M_STA: 873 IEEE80211_SEND_MGMT(ic, ni, 874 IEEE80211_FC0_SUBTYPE_DEAUTH, 875 IEEE80211_REASON_AUTH_LEAVE); 876 break; 877 #ifndef IEEE80211_STA_ONLY 878 case IEEE80211_M_HOSTAP: 879 s = splnet(); 880 RBT_FOREACH(ni, ieee80211_tree, &ic->ic_tree) { 881 IEEE80211_SEND_MGMT(ic, ni, 882 IEEE80211_FC0_SUBTYPE_DEAUTH, 883 IEEE80211_REASON_AUTH_LEAVE); 884 } 885 splx(s); 886 break; 887 #endif 888 default: 889 break; 890 } 891 /* FALLTHROUGH */ 892 case IEEE80211_S_AUTH: 893 case IEEE80211_S_SCAN: 894 justcleanup: 895 #ifndef IEEE80211_STA_ONLY 896 if (ic->ic_opmode == IEEE80211_M_HOSTAP) 897 timeout_del(&ic->ic_rsn_timeout); 898 #endif 899 ic->ic_mgt_timer = 0; 900 mq_purge(&ic->ic_mgtq); 901 mq_purge(&ic->ic_pwrsaveq); 902 ieee80211_free_allnodes(ic); 903 break; 904 } 905 ni->ni_rsn_supp_state = RSNA_SUPP_INITIALIZE; 906 break; 907 case IEEE80211_S_SCAN: 908 ic->ic_flags &= ~IEEE80211_F_SIBSS; 909 /* initialize bss for probe request */ 910 IEEE80211_ADDR_COPY(ni->ni_macaddr, etherbroadcastaddr); 911 IEEE80211_ADDR_COPY(ni->ni_bssid, etherbroadcastaddr); 912 ni->ni_rates = ic->ic_sup_rates[ 913 ieee80211_chan2mode(ic, ni->ni_chan)]; 914 ni->ni_associd = 0; 915 ni->ni_rstamp = 0; 916 ni->ni_rsn_supp_state = RSNA_SUPP_INITIALIZE; 917 switch (ostate) { 918 case IEEE80211_S_INIT: 919 #ifndef IEEE80211_STA_ONLY 920 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 921 ic->ic_des_chan != IEEE80211_CHAN_ANYC) { 922 /* 923 * AP operation and we already have a channel; 924 * bypass the scan and startup immediately. 925 */ 926 ieee80211_create_ibss(ic, ic->ic_des_chan); 927 } else 928 #endif 929 ieee80211_begin_scan(ifp); 930 break; 931 case IEEE80211_S_SCAN: 932 /* scan next */ 933 if (ic->ic_flags & IEEE80211_F_ASCAN) { 934 IEEE80211_SEND_MGMT(ic, ni, 935 IEEE80211_FC0_SUBTYPE_PROBE_REQ, 0); 936 } 937 break; 938 case IEEE80211_S_RUN: 939 /* beacon miss */ 940 if (ifp->if_flags & IFF_DEBUG) { 941 /* XXX bssid clobbered above */ 942 printf("%s: no recent beacons from %s;" 943 " rescanning\n", ifp->if_xname, 944 ether_sprintf(ic->ic_bss->ni_bssid)); 945 } 946 ieee80211_free_allnodes(ic); 947 /* FALLTHROUGH */ 948 case IEEE80211_S_AUTH: 949 case IEEE80211_S_ASSOC: 950 /* timeout restart scan */ 951 ni = ieee80211_find_node(ic, ic->ic_bss->ni_macaddr); 952 if (ni != NULL) 953 ni->ni_fails++; 954 ieee80211_begin_scan(ifp); 955 break; 956 } 957 break; 958 case IEEE80211_S_AUTH: 959 ni->ni_rsn_supp_state = RSNA_SUPP_INITIALIZE; 960 switch (ostate) { 961 case IEEE80211_S_INIT: 962 DPRINTF(("invalid transition\n")); 963 break; 964 case IEEE80211_S_SCAN: 965 IEEE80211_SEND_MGMT(ic, ni, 966 IEEE80211_FC0_SUBTYPE_AUTH, 1); 967 break; 968 case IEEE80211_S_AUTH: 969 case IEEE80211_S_ASSOC: 970 switch (mgt) { 971 case IEEE80211_FC0_SUBTYPE_AUTH: 972 /* ??? */ 973 IEEE80211_SEND_MGMT(ic, ni, 974 IEEE80211_FC0_SUBTYPE_AUTH, 2); 975 break; 976 case IEEE80211_FC0_SUBTYPE_DEAUTH: 977 /* ignore and retry scan on timeout */ 978 break; 979 } 980 break; 981 case IEEE80211_S_RUN: 982 switch (mgt) { 983 case IEEE80211_FC0_SUBTYPE_AUTH: 984 IEEE80211_SEND_MGMT(ic, ni, 985 IEEE80211_FC0_SUBTYPE_AUTH, 2); 986 ic->ic_state = ostate; /* stay RUN */ 987 break; 988 case IEEE80211_FC0_SUBTYPE_DEAUTH: 989 /* try to reauth */ 990 IEEE80211_SEND_MGMT(ic, ni, 991 IEEE80211_FC0_SUBTYPE_AUTH, 1); 992 break; 993 } 994 break; 995 } 996 break; 997 case IEEE80211_S_ASSOC: 998 switch (ostate) { 999 case IEEE80211_S_INIT: 1000 case IEEE80211_S_SCAN: 1001 case IEEE80211_S_ASSOC: 1002 DPRINTF(("invalid transition\n")); 1003 break; 1004 case IEEE80211_S_AUTH: 1005 IEEE80211_SEND_MGMT(ic, ni, 1006 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0); 1007 break; 1008 case IEEE80211_S_RUN: 1009 IEEE80211_SEND_MGMT(ic, ni, 1010 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 1); 1011 break; 1012 } 1013 break; 1014 case IEEE80211_S_RUN: 1015 switch (ostate) { 1016 case IEEE80211_S_INIT: 1017 case IEEE80211_S_AUTH: 1018 case IEEE80211_S_RUN: 1019 DPRINTF(("invalid transition\n")); 1020 break; 1021 case IEEE80211_S_SCAN: /* adhoc/hostap mode */ 1022 case IEEE80211_S_ASSOC: /* infra mode */ 1023 if (ni->ni_txrate >= ni->ni_rates.rs_nrates) 1024 panic("%s: bogus xmit rate %u setup", 1025 __func__, ni->ni_txrate); 1026 if (ifp->if_flags & IFF_DEBUG) { 1027 printf("%s: %s with %s ssid ", 1028 ifp->if_xname, 1029 ic->ic_opmode == IEEE80211_M_STA ? 1030 "associated" : "synchronized", 1031 ether_sprintf(ni->ni_bssid)); 1032 ieee80211_print_essid(ic->ic_bss->ni_essid, 1033 ni->ni_esslen); 1034 rate = ni->ni_rates.rs_rates[ni->ni_txrate] & 1035 IEEE80211_RATE_VAL; 1036 printf(" channel %d", 1037 ieee80211_chan2ieee(ic, ni->ni_chan)); 1038 if (ni->ni_flags & IEEE80211_NODE_HT) 1039 printf(" start MCS %u", ni->ni_txmcs); 1040 else 1041 printf(" start %u%sMb", 1042 rate / 2, (rate & 1) ? ".5" : ""); 1043 printf(" %s preamble %s slot time%s%s\n", 1044 (ic->ic_flags & IEEE80211_F_SHPREAMBLE) ? 1045 "short" : "long", 1046 (ic->ic_flags & IEEE80211_F_SHSLOT) ? 1047 "short" : "long", 1048 (ic->ic_flags & IEEE80211_F_USEPROT) ? 1049 " protection enabled" : "", 1050 (ni->ni_flags & IEEE80211_NODE_HT) ? 1051 " HT enabled" : ""); 1052 } 1053 if (!(ic->ic_flags & IEEE80211_F_RSNON)) { 1054 /* 1055 * NB: When RSN is enabled, we defer setting 1056 * the link up until the port is valid. 1057 */ 1058 ieee80211_set_link_state(ic, LINK_STATE_UP); 1059 } 1060 ic->ic_mgt_timer = 0; 1061 if_start(ifp); 1062 break; 1063 } 1064 break; 1065 } 1066 return 0; 1067 } 1068 1069 void 1070 ieee80211_set_link_state(struct ieee80211com *ic, int nstate) 1071 { 1072 struct ifnet *ifp = &ic->ic_if; 1073 1074 switch (ic->ic_opmode) { 1075 #ifndef IEEE80211_STA_ONLY 1076 case IEEE80211_M_IBSS: 1077 case IEEE80211_M_HOSTAP: 1078 nstate = LINK_STATE_UNKNOWN; 1079 break; 1080 #endif 1081 case IEEE80211_M_MONITOR: 1082 nstate = LINK_STATE_DOWN; 1083 break; 1084 default: 1085 break; 1086 } 1087 if (nstate != ifp->if_link_state) { 1088 ifp->if_link_state = nstate; 1089 if_link_state_change(ifp); 1090 } 1091 } 1092