1 /* $OpenBSD: ieee80211_proto.c,v 1.80 2017/08/18 17:30:12 stsp Exp $ */ 2 /* $NetBSD: ieee80211_proto.c,v 1.8 2004/04/30 23:58:20 dyoung Exp $ */ 3 4 /*- 5 * Copyright (c) 2001 Atsushi Onoe 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * Copyright (c) 2008, 2009 Damien Bergamini 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 /* 34 * IEEE 802.11 protocol support. 35 */ 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/mbuf.h> 40 #include <sys/kernel.h> 41 #include <sys/socket.h> 42 #include <sys/sockio.h> 43 #include <sys/endian.h> 44 #include <sys/errno.h> 45 #include <sys/sysctl.h> 46 47 #include <net/if.h> 48 #include <net/if_dl.h> 49 #include <net/if_media.h> 50 #include <net/if_llc.h> 51 52 #include <netinet/in.h> 53 #include <netinet/if_ether.h> 54 55 #include <net80211/ieee80211_var.h> 56 #include <net80211/ieee80211_priv.h> 57 58 const char * const ieee80211_mgt_subtype_name[] = { 59 "assoc_req", "assoc_resp", "reassoc_req", "reassoc_resp", 60 "probe_req", "probe_resp", "reserved#6", "reserved#7", 61 "beacon", "atim", "disassoc", "auth", 62 "deauth", "action", "action_noack", "reserved#15" 63 }; 64 const char * const ieee80211_state_name[IEEE80211_S_MAX] = { 65 "INIT", /* IEEE80211_S_INIT */ 66 "SCAN", /* IEEE80211_S_SCAN */ 67 "AUTH", /* IEEE80211_S_AUTH */ 68 "ASSOC", /* IEEE80211_S_ASSOC */ 69 "RUN" /* IEEE80211_S_RUN */ 70 }; 71 const char * const ieee80211_phymode_name[] = { 72 "auto", /* IEEE80211_MODE_AUTO */ 73 "11a", /* IEEE80211_MODE_11A */ 74 "11b", /* IEEE80211_MODE_11B */ 75 "11g", /* IEEE80211_MODE_11G */ 76 "11n", /* IEEE80211_MODE_11N */ 77 }; 78 79 void ieee80211_set_beacon_miss_threshold(struct ieee80211com *); 80 int ieee80211_newstate(struct ieee80211com *, enum ieee80211_state, int); 81 82 void 83 ieee80211_proto_attach(struct ifnet *ifp) 84 { 85 struct ieee80211com *ic = (void *)ifp; 86 87 mq_init(&ic->ic_mgtq, IFQ_MAXLEN, IPL_NET); 88 mq_init(&ic->ic_pwrsaveq, IFQ_MAXLEN, IPL_NET); 89 90 ifp->if_hdrlen = sizeof(struct ieee80211_frame); 91 92 ic->ic_rtsthreshold = IEEE80211_RTS_DEFAULT; 93 ic->ic_fragthreshold = 2346; /* XXX not used yet */ 94 ic->ic_fixed_rate = -1; /* no fixed rate */ 95 ic->ic_fixed_mcs = -1; /* no fixed mcs */ 96 ic->ic_protmode = IEEE80211_PROT_CTSONLY; 97 98 /* protocol state change handler */ 99 ic->ic_newstate = ieee80211_newstate; 100 101 /* initialize management frame handlers */ 102 ic->ic_recv_mgmt = ieee80211_recv_mgmt; 103 ic->ic_send_mgmt = ieee80211_send_mgmt; 104 } 105 106 void 107 ieee80211_proto_detach(struct ifnet *ifp) 108 { 109 struct ieee80211com *ic = (void *)ifp; 110 111 mq_purge(&ic->ic_mgtq); 112 mq_purge(&ic->ic_pwrsaveq); 113 } 114 115 void 116 ieee80211_print_essid(const u_int8_t *essid, int len) 117 { 118 int i; 119 const u_int8_t *p; 120 121 if (len > IEEE80211_NWID_LEN) 122 len = IEEE80211_NWID_LEN; 123 /* determine printable or not */ 124 for (i = 0, p = essid; i < len; i++, p++) { 125 if (*p < ' ' || *p > 0x7e) 126 break; 127 } 128 if (i == len) { 129 printf("\""); 130 for (i = 0, p = essid; i < len; i++, p++) 131 printf("%c", *p); 132 printf("\""); 133 } else { 134 printf("0x"); 135 for (i = 0, p = essid; i < len; i++, p++) 136 printf("%02x", *p); 137 } 138 } 139 140 #ifdef IEEE80211_DEBUG 141 void 142 ieee80211_dump_pkt(const u_int8_t *buf, int len, int rate, int rssi) 143 { 144 struct ieee80211_frame *wh; 145 int i; 146 147 wh = (struct ieee80211_frame *)buf; 148 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 149 case IEEE80211_FC1_DIR_NODS: 150 printf("NODS %s", ether_sprintf(wh->i_addr2)); 151 printf("->%s", ether_sprintf(wh->i_addr1)); 152 printf("(%s)", ether_sprintf(wh->i_addr3)); 153 break; 154 case IEEE80211_FC1_DIR_TODS: 155 printf("TODS %s", ether_sprintf(wh->i_addr2)); 156 printf("->%s", ether_sprintf(wh->i_addr3)); 157 printf("(%s)", ether_sprintf(wh->i_addr1)); 158 break; 159 case IEEE80211_FC1_DIR_FROMDS: 160 printf("FRDS %s", ether_sprintf(wh->i_addr3)); 161 printf("->%s", ether_sprintf(wh->i_addr1)); 162 printf("(%s)", ether_sprintf(wh->i_addr2)); 163 break; 164 case IEEE80211_FC1_DIR_DSTODS: 165 printf("DSDS %s", ether_sprintf((u_int8_t *)&wh[1])); 166 printf("->%s", ether_sprintf(wh->i_addr3)); 167 printf("(%s", ether_sprintf(wh->i_addr2)); 168 printf("->%s)", ether_sprintf(wh->i_addr1)); 169 break; 170 } 171 switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) { 172 case IEEE80211_FC0_TYPE_DATA: 173 printf(" data"); 174 break; 175 case IEEE80211_FC0_TYPE_MGT: 176 printf(" %s", ieee80211_mgt_subtype_name[ 177 (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) 178 >> IEEE80211_FC0_SUBTYPE_SHIFT]); 179 break; 180 default: 181 printf(" type#%d", wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK); 182 break; 183 } 184 if (wh->i_fc[1] & IEEE80211_FC1_WEP) 185 printf(" WEP"); 186 if (rate >= 0) 187 printf(" %d%sM", rate / 2, (rate & 1) ? ".5" : ""); 188 if (rssi >= 0) 189 printf(" +%d", rssi); 190 printf("\n"); 191 if (len > 0) { 192 for (i = 0; i < len; i++) { 193 if ((i & 1) == 0) 194 printf(" "); 195 printf("%02x", buf[i]); 196 } 197 printf("\n"); 198 } 199 } 200 #endif 201 202 int 203 ieee80211_fix_rate(struct ieee80211com *ic, struct ieee80211_node *ni, 204 int flags) 205 { 206 #define RV(v) ((v) & IEEE80211_RATE_VAL) 207 int i, j, ignore, error; 208 int okrate, badrate, fixedrate; 209 const struct ieee80211_rateset *srs; 210 struct ieee80211_rateset *nrs; 211 u_int8_t r; 212 213 /* 214 * If the fixed rate check was requested but no fixed rate has been 215 * defined then just remove the check. 216 */ 217 if ((flags & IEEE80211_F_DOFRATE) && ic->ic_fixed_rate == -1) 218 flags &= ~IEEE80211_F_DOFRATE; 219 220 error = 0; 221 okrate = badrate = fixedrate = 0; 222 srs = &ic->ic_sup_rates[ieee80211_chan2mode(ic, ni->ni_chan)]; 223 nrs = &ni->ni_rates; 224 for (i = 0; i < nrs->rs_nrates; ) { 225 ignore = 0; 226 if (flags & IEEE80211_F_DOSORT) { 227 /* 228 * Sort rates. 229 */ 230 for (j = i + 1; j < nrs->rs_nrates; j++) { 231 if (RV(nrs->rs_rates[i]) > 232 RV(nrs->rs_rates[j])) { 233 r = nrs->rs_rates[i]; 234 nrs->rs_rates[i] = nrs->rs_rates[j]; 235 nrs->rs_rates[j] = r; 236 } 237 } 238 } 239 r = nrs->rs_rates[i] & IEEE80211_RATE_VAL; 240 badrate = r; 241 if (flags & IEEE80211_F_DOFRATE) { 242 /* 243 * Check fixed rate is included. 244 */ 245 if (r == RV(srs->rs_rates[ic->ic_fixed_rate])) 246 fixedrate = r; 247 } 248 if (flags & IEEE80211_F_DONEGO) { 249 /* 250 * Check against supported rates. 251 */ 252 for (j = 0; j < srs->rs_nrates; j++) { 253 if (r == RV(srs->rs_rates[j])) { 254 /* 255 * Overwrite with the supported rate 256 * value so any basic rate bit is set. 257 * This insures that response we send 258 * to stations have the necessary basic 259 * rate bit set. 260 */ 261 nrs->rs_rates[i] = srs->rs_rates[j]; 262 break; 263 } 264 } 265 if (j == srs->rs_nrates) { 266 /* 267 * A rate in the node's rate set is not 268 * supported. If this is a basic rate and we 269 * are operating as an AP then this is an error. 270 * Otherwise we just discard/ignore the rate. 271 * Note that this is important for 11b stations 272 * when they want to associate with an 11g AP. 273 */ 274 #ifndef IEEE80211_STA_ONLY 275 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 276 (nrs->rs_rates[i] & IEEE80211_RATE_BASIC)) 277 error++; 278 #endif 279 ignore++; 280 } 281 } 282 if (flags & IEEE80211_F_DODEL) { 283 /* 284 * Delete unacceptable rates. 285 */ 286 if (ignore) { 287 nrs->rs_nrates--; 288 for (j = i; j < nrs->rs_nrates; j++) 289 nrs->rs_rates[j] = nrs->rs_rates[j + 1]; 290 nrs->rs_rates[j] = 0; 291 continue; 292 } 293 } 294 if (!ignore) 295 okrate = nrs->rs_rates[i]; 296 i++; 297 } 298 if (okrate == 0 || error != 0 || 299 ((flags & IEEE80211_F_DOFRATE) && fixedrate == 0)) 300 return badrate | IEEE80211_RATE_BASIC; 301 else 302 return RV(okrate); 303 #undef RV 304 } 305 306 /* 307 * Reset 11g-related state. 308 */ 309 void 310 ieee80211_reset_erp(struct ieee80211com *ic) 311 { 312 ic->ic_flags &= ~IEEE80211_F_USEPROT; 313 314 ieee80211_set_shortslottime(ic, 315 ic->ic_curmode == IEEE80211_MODE_11A || 316 (ic->ic_curmode == IEEE80211_MODE_11N && 317 IEEE80211_IS_CHAN_5GHZ(ic->ic_ibss_chan)) 318 #ifndef IEEE80211_STA_ONLY 319 || 320 ((ic->ic_curmode == IEEE80211_MODE_11G || 321 (ic->ic_curmode == IEEE80211_MODE_11N && 322 IEEE80211_IS_CHAN_2GHZ(ic->ic_ibss_chan))) && 323 ic->ic_opmode == IEEE80211_M_HOSTAP && 324 (ic->ic_caps & IEEE80211_C_SHSLOT)) 325 #endif 326 ); 327 328 if (ic->ic_curmode == IEEE80211_MODE_11A || 329 (ic->ic_curmode == IEEE80211_MODE_11N && 330 IEEE80211_IS_CHAN_5GHZ(ic->ic_ibss_chan)) || 331 (ic->ic_caps & IEEE80211_C_SHPREAMBLE)) 332 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 333 else 334 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 335 } 336 337 /* 338 * Set the short slot time state and notify the driver. 339 */ 340 void 341 ieee80211_set_shortslottime(struct ieee80211com *ic, int on) 342 { 343 if (on) 344 ic->ic_flags |= IEEE80211_F_SHSLOT; 345 else 346 ic->ic_flags &= ~IEEE80211_F_SHSLOT; 347 348 /* notify the driver */ 349 if (ic->ic_updateslot != NULL) 350 ic->ic_updateslot(ic); 351 } 352 353 /* 354 * This function is called by the 802.1X PACP machine (via an ioctl) when 355 * the transmit key machine (4-Way Handshake for 802.11) should run. 356 */ 357 int 358 ieee80211_keyrun(struct ieee80211com *ic, u_int8_t *macaddr) 359 { 360 struct ieee80211_node *ni = ic->ic_bss; 361 #ifndef IEEE80211_STA_ONLY 362 struct ieee80211_pmk *pmk; 363 #endif 364 365 /* STA must be associated or AP must be ready */ 366 if (ic->ic_state != IEEE80211_S_RUN || 367 !(ic->ic_flags & IEEE80211_F_RSNON)) 368 return ENETDOWN; 369 370 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 371 #ifndef IEEE80211_STA_ONLY 372 if (ic->ic_opmode == IEEE80211_M_STA) 373 #endif 374 return 0; /* supplicant only, do nothing */ 375 376 #ifndef IEEE80211_STA_ONLY 377 /* find the STA with which we must start the key exchange */ 378 if ((ni = ieee80211_find_node(ic, macaddr)) == NULL) { 379 DPRINTF(("no node found for %s\n", ether_sprintf(macaddr))); 380 return EINVAL; 381 } 382 /* check that the STA is in the correct state */ 383 if (ni->ni_state != IEEE80211_STA_ASSOC || 384 ni->ni_rsn_state != RSNA_AUTHENTICATION_2) { 385 DPRINTF(("unexpected in state %d\n", ni->ni_rsn_state)); 386 return EINVAL; 387 } 388 ni->ni_rsn_state = RSNA_INITPMK; 389 390 /* make sure a PMK is available for this STA, otherwise deauth it */ 391 if ((pmk = ieee80211_pmksa_find(ic, ni, NULL)) == NULL) { 392 DPRINTF(("no PMK available for %s\n", ether_sprintf(macaddr))); 393 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 394 IEEE80211_REASON_AUTH_LEAVE); 395 ieee80211_node_leave(ic, ni); 396 return EINVAL; 397 } 398 memcpy(ni->ni_pmk, pmk->pmk_key, IEEE80211_PMK_LEN); 399 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, IEEE80211_PMKID_LEN); 400 ni->ni_flags |= IEEE80211_NODE_PMK; 401 402 /* initiate key exchange (4-Way Handshake) with STA */ 403 return ieee80211_send_4way_msg1(ic, ni); 404 #endif /* IEEE80211_STA_ONLY */ 405 } 406 407 #ifndef IEEE80211_STA_ONLY 408 /* 409 * Initiate a group key handshake with a node. 410 */ 411 static void 412 ieee80211_node_gtk_rekey(void *arg, struct ieee80211_node *ni) 413 { 414 struct ieee80211com *ic = arg; 415 416 if (ni->ni_state != IEEE80211_STA_ASSOC || 417 ni->ni_rsn_gstate != RSNA_IDLE) 418 return; 419 420 /* initiate a group key handshake with STA */ 421 ni->ni_flags |= IEEE80211_NODE_REKEY; 422 if (ieee80211_send_group_msg1(ic, ni) != 0) 423 ni->ni_flags &= ~IEEE80211_NODE_REKEY; 424 } 425 426 /* 427 * This function is called in HostAP mode when the group key needs to be 428 * changed. 429 */ 430 void 431 ieee80211_setkeys(struct ieee80211com *ic) 432 { 433 struct ieee80211_key *k; 434 u_int8_t kid; 435 436 /* Swap(GM, GN) */ 437 kid = (ic->ic_def_txkey == 1) ? 2 : 1; 438 k = &ic->ic_nw_keys[kid]; 439 memset(k, 0, sizeof(*k)); 440 k->k_id = kid; 441 k->k_cipher = ic->ic_bss->ni_rsngroupcipher; 442 k->k_flags = IEEE80211_KEY_GROUP | IEEE80211_KEY_TX; 443 k->k_len = ieee80211_cipher_keylen(k->k_cipher); 444 arc4random_buf(k->k_key, k->k_len); 445 446 if (ic->ic_caps & IEEE80211_C_MFP) { 447 /* Swap(GM_igtk, GN_igtk) */ 448 kid = (ic->ic_igtk_kid == 4) ? 5 : 4; 449 k = &ic->ic_nw_keys[kid]; 450 memset(k, 0, sizeof(*k)); 451 k->k_id = kid; 452 k->k_cipher = ic->ic_bss->ni_rsngroupmgmtcipher; 453 k->k_flags = IEEE80211_KEY_IGTK | IEEE80211_KEY_TX; 454 k->k_len = 16; 455 arc4random_buf(k->k_key, k->k_len); 456 } 457 458 ieee80211_iterate_nodes(ic, ieee80211_node_gtk_rekey, ic); 459 } 460 461 /* 462 * The group key handshake has been completed with all associated stations. 463 */ 464 void 465 ieee80211_setkeysdone(struct ieee80211com *ic) 466 { 467 u_int8_t kid; 468 469 /* install GTK */ 470 kid = (ic->ic_def_txkey == 1) ? 2 : 1; 471 if ((*ic->ic_set_key)(ic, ic->ic_bss, &ic->ic_nw_keys[kid]) == 0) 472 ic->ic_def_txkey = kid; 473 474 if (ic->ic_caps & IEEE80211_C_MFP) { 475 /* install IGTK */ 476 kid = (ic->ic_igtk_kid == 4) ? 5 : 4; 477 if ((*ic->ic_set_key)(ic, ic->ic_bss, 478 &ic->ic_nw_keys[kid]) == 0) 479 ic->ic_igtk_kid = kid; 480 } 481 } 482 483 /* 484 * Group key lifetime has expired, update it. 485 */ 486 void 487 ieee80211_gtk_rekey_timeout(void *arg) 488 { 489 struct ieee80211com *ic = arg; 490 int s; 491 492 s = splnet(); 493 ieee80211_setkeys(ic); 494 splx(s); 495 496 /* re-schedule a GTK rekeying after 3600s */ 497 timeout_add_sec(&ic->ic_rsn_timeout, 3600); 498 } 499 500 void 501 ieee80211_sa_query_timeout(void *arg) 502 { 503 struct ieee80211_node *ni = arg; 504 struct ieee80211com *ic = ni->ni_ic; 505 int s; 506 507 s = splnet(); 508 if (++ni->ni_sa_query_count >= 3) { 509 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 510 ni->ni_flags |= IEEE80211_NODE_SA_QUERY_FAILED; 511 } else /* retry SA Query Request */ 512 ieee80211_sa_query_request(ic, ni); 513 splx(s); 514 } 515 516 /* 517 * Request that a SA Query Request frame be sent to a specified peer STA 518 * to which the STA is associated. 519 */ 520 void 521 ieee80211_sa_query_request(struct ieee80211com *ic, struct ieee80211_node *ni) 522 { 523 /* MLME-SAQuery.request */ 524 525 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 526 ni->ni_flags |= IEEE80211_NODE_SA_QUERY; 527 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY_FAILED; 528 ni->ni_sa_query_count = 0; 529 } 530 /* generate new Transaction Identifier */ 531 ni->ni_sa_query_trid++; 532 533 /* send SA Query Request */ 534 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 535 IEEE80211_ACTION_SA_QUERY_REQ, 0); 536 timeout_add_msec(&ni->ni_sa_query_to, 10); 537 } 538 #endif /* IEEE80211_STA_ONLY */ 539 540 void 541 ieee80211_ht_negotiate(struct ieee80211com *ic, struct ieee80211_node *ni) 542 { 543 int i; 544 545 ni->ni_flags &= ~IEEE80211_NODE_HT; 546 547 /* Check if we support HT. */ 548 if ((ic->ic_modecaps & (1 << IEEE80211_MODE_11N)) == 0) 549 return; 550 551 /* Check if HT support has been explicitly disabled. */ 552 if ((ic->ic_flags & IEEE80211_F_HTON) == 0) 553 return; 554 555 /* 556 * Check if the peer supports HT. 557 * Require at least one of the mandatory MCS. 558 * MCS 0-7 are mandatory but some APs have particular MCS disabled. 559 */ 560 if ((ni->ni_rxmcs[0] & 0xff) == 0) { 561 ic->ic_stats.is_ht_nego_no_mandatory_mcs++; 562 return; 563 } 564 565 if (ic->ic_opmode == IEEE80211_M_STA) { 566 /* We must support the AP's basic MCS set. */ 567 for (i = 0; i < IEEE80211_HT_NUM_MCS; i++) { 568 if (isset(ni->ni_basic_mcs, i) && 569 !isset(ic->ic_sup_mcs, i)) { 570 ic->ic_stats.is_ht_nego_no_basic_mcs++; 571 return; 572 } 573 } 574 } 575 576 /* 577 * Don't allow group cipher (includes WEP) or TKIP 578 * for pairwise encryption (see 802.11-2012 11.1.6). 579 */ 580 if (ic->ic_flags & IEEE80211_F_WEPON) { 581 ic->ic_stats.is_ht_nego_bad_crypto++; 582 return; 583 } 584 if ((ic->ic_flags & IEEE80211_F_RSNON) && 585 (ni->ni_rsnciphers & IEEE80211_CIPHER_USEGROUP || 586 ni->ni_rsnciphers & IEEE80211_CIPHER_TKIP)) { 587 ic->ic_stats.is_ht_nego_bad_crypto++; 588 return; 589 } 590 591 ni->ni_flags |= IEEE80211_NODE_HT; 592 } 593 594 void 595 ieee80211_tx_ba_timeout(void *arg) 596 { 597 struct ieee80211_tx_ba *ba = arg; 598 struct ieee80211_node *ni = ba->ba_ni; 599 struct ieee80211com *ic = ni->ni_ic; 600 u_int8_t tid; 601 int s; 602 603 ic->ic_stats.is_ht_tx_ba_timeout++; 604 605 s = splnet(); 606 if (ba->ba_state == IEEE80211_BA_REQUESTED) { 607 /* MLME-ADDBA.confirm(TIMEOUT) */ 608 ba->ba_state = IEEE80211_BA_INIT; 609 610 } else if (ba->ba_state == IEEE80211_BA_AGREED) { 611 /* Block Ack inactivity timeout */ 612 tid = ((caddr_t)ba - (caddr_t)ni->ni_tx_ba) / sizeof(*ba); 613 ieee80211_delba_request(ic, ni, IEEE80211_REASON_TIMEOUT, 614 1, tid); 615 } 616 splx(s); 617 } 618 619 void 620 ieee80211_rx_ba_timeout(void *arg) 621 { 622 struct ieee80211_rx_ba *ba = arg; 623 struct ieee80211_node *ni = ba->ba_ni; 624 struct ieee80211com *ic = ni->ni_ic; 625 u_int8_t tid; 626 int s; 627 628 ic->ic_stats.is_ht_rx_ba_timeout++; 629 630 s = splnet(); 631 632 /* Block Ack inactivity timeout */ 633 tid = ((caddr_t)ba - (caddr_t)ni->ni_rx_ba) / sizeof(*ba); 634 ieee80211_delba_request(ic, ni, IEEE80211_REASON_TIMEOUT, 0, tid); 635 636 splx(s); 637 } 638 639 /* 640 * Request initiation of Block Ack with the specified peer. 641 */ 642 int 643 ieee80211_addba_request(struct ieee80211com *ic, struct ieee80211_node *ni, 644 u_int16_t ssn, u_int8_t tid) 645 { 646 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 647 648 /* MLME-ADDBA.request */ 649 650 /* setup Block Ack */ 651 ba->ba_state = IEEE80211_BA_REQUESTED; 652 ba->ba_token = ic->ic_dialog_token++; 653 ba->ba_timeout_val = 0; 654 timeout_set(&ba->ba_to, ieee80211_tx_ba_timeout, ba); 655 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 656 ba->ba_winstart = ssn; 657 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 658 ba->ba_params = 659 (ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 660 (tid << IEEE80211_ADDBA_TID_SHIFT) | IEEE80211_ADDBA_AMSDU; 661 if ((ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) == 0) 662 /* immediate BA */ 663 ba->ba_params |= IEEE80211_ADDBA_BA_POLICY; 664 665 timeout_add_sec(&ba->ba_to, 1); /* dot11ADDBAResponseTimeout */ 666 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 667 IEEE80211_ACTION_ADDBA_REQ, tid); 668 return 0; 669 } 670 671 /* 672 * Request the deletion of Block Ack with a peer. 673 */ 674 void 675 ieee80211_delba_request(struct ieee80211com *ic, struct ieee80211_node *ni, 676 u_int16_t reason, u_int8_t dir, u_int8_t tid) 677 { 678 /* MLME-DELBA.request */ 679 680 /* transmit a DELBA frame */ 681 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 682 IEEE80211_ACTION_DELBA, reason << 16 | dir << 8 | tid); 683 if (dir) { 684 /* MLME-DELBA.confirm(Originator) */ 685 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 686 687 if (ic->ic_ampdu_tx_stop != NULL) 688 ic->ic_ampdu_tx_stop(ic, ni, tid); 689 690 ba->ba_state = IEEE80211_BA_INIT; 691 /* stop Block Ack inactivity timer */ 692 timeout_del(&ba->ba_to); 693 } else { 694 /* MLME-DELBA.confirm(Recipient) */ 695 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 696 int i; 697 698 if (ic->ic_ampdu_rx_stop != NULL) 699 ic->ic_ampdu_rx_stop(ic, ni, tid); 700 701 ba->ba_state = IEEE80211_BA_INIT; 702 /* stop Block Ack inactivity timer */ 703 timeout_del(&ba->ba_to); 704 timeout_del(&ba->ba_gap_to); 705 706 if (ba->ba_buf != NULL) { 707 /* free all MSDUs stored in reordering buffer */ 708 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 709 m_freem(ba->ba_buf[i].m); 710 /* free reordering buffer */ 711 free(ba->ba_buf, M_DEVBUF, 712 IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf)); 713 ba->ba_buf = NULL; 714 } 715 } 716 } 717 718 void 719 ieee80211_auth_open(struct ieee80211com *ic, const struct ieee80211_frame *wh, 720 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, u_int16_t seq, 721 u_int16_t status) 722 { 723 struct ifnet *ifp = &ic->ic_if; 724 switch (ic->ic_opmode) { 725 #ifndef IEEE80211_STA_ONLY 726 case IEEE80211_M_IBSS: 727 if (ic->ic_state != IEEE80211_S_RUN || 728 seq != IEEE80211_AUTH_OPEN_REQUEST) { 729 DPRINTF(("discard auth from %s; state %u, seq %u\n", 730 ether_sprintf((u_int8_t *)wh->i_addr2), 731 ic->ic_state, seq)); 732 ic->ic_stats.is_rx_bad_auth++; 733 return; 734 } 735 ieee80211_new_state(ic, IEEE80211_S_AUTH, 736 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 737 738 /* In IBSS mode no (re)association frames are sent. */ 739 if (ic->ic_flags & IEEE80211_F_RSNON) 740 ni->ni_rsn_supp_state = RSNA_SUPP_PTKSTART; 741 break; 742 743 case IEEE80211_M_AHDEMO: 744 /* should not come here */ 745 break; 746 747 case IEEE80211_M_HOSTAP: 748 if (ic->ic_state != IEEE80211_S_RUN || 749 seq != IEEE80211_AUTH_OPEN_REQUEST) { 750 DPRINTF(("discard auth from %s; state %u, seq %u\n", 751 ether_sprintf((u_int8_t *)wh->i_addr2), 752 ic->ic_state, seq)); 753 ic->ic_stats.is_rx_bad_auth++; 754 return; 755 } 756 if (ni == ic->ic_bss) { 757 ni = ieee80211_find_node(ic, wh->i_addr2); 758 if (ni == NULL) 759 ni = ieee80211_alloc_node(ic, wh->i_addr2); 760 if (ni == NULL) { 761 return; 762 } 763 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_bss->ni_bssid); 764 ni->ni_rssi = rxi->rxi_rssi; 765 ni->ni_rstamp = rxi->rxi_tstamp; 766 ni->ni_chan = ic->ic_bss->ni_chan; 767 } 768 IEEE80211_SEND_MGMT(ic, ni, 769 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 770 if (ifp->if_flags & IFF_DEBUG) 771 printf("%s: station %s %s authenticated (open)\n", 772 ifp->if_xname, 773 ether_sprintf((u_int8_t *)ni->ni_macaddr), 774 ni->ni_state != IEEE80211_STA_CACHE ? 775 "newly" : "already"); 776 ieee80211_node_newstate(ni, IEEE80211_STA_AUTH); 777 break; 778 #endif /* IEEE80211_STA_ONLY */ 779 780 case IEEE80211_M_STA: 781 if (ic->ic_state != IEEE80211_S_AUTH || 782 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 783 ic->ic_stats.is_rx_bad_auth++; 784 DPRINTF(("discard auth from %s; state %u, seq %u\n", 785 ether_sprintf((u_int8_t *)wh->i_addr2), 786 ic->ic_state, seq)); 787 return; 788 } 789 if (ic->ic_flags & IEEE80211_F_RSNON) { 790 /* XXX not here! */ 791 ic->ic_bss->ni_flags &= ~IEEE80211_NODE_TXRXPROT; 792 ic->ic_bss->ni_port_valid = 0; 793 ic->ic_bss->ni_replaycnt_ok = 0; 794 (*ic->ic_delete_key)(ic, ic->ic_bss, 795 &ic->ic_bss->ni_pairwise_key); 796 } 797 if (status != 0) { 798 if (ifp->if_flags & IFF_DEBUG) 799 printf("%s: open authentication failed " 800 "(reason %d) for %s\n", ifp->if_xname, 801 status, 802 ether_sprintf((u_int8_t *)wh->i_addr3)); 803 if (ni != ic->ic_bss) 804 ni->ni_fails++; 805 ic->ic_stats.is_rx_auth_fail++; 806 return; 807 } 808 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 809 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 810 break; 811 default: 812 break; 813 } 814 } 815 816 void 817 ieee80211_set_beacon_miss_threshold(struct ieee80211com *ic) 818 { 819 struct ifnet *ifp = &ic->ic_if; 820 821 /* 822 * Scale the missed beacon counter threshold to the AP's actual 823 * beacon interval. Give the AP at least 700 ms to time out and 824 * round up to ensure that at least one beacon may be missed. 825 */ 826 int btimeout = MIN(7 * ic->ic_bss->ni_intval, 700); 827 btimeout = MAX(btimeout, 2 * ic->ic_bss->ni_intval); 828 if (ic->ic_bss->ni_intval > 0) /* don't crash if interval is bogus */ 829 ic->ic_bmissthres = btimeout / ic->ic_bss->ni_intval; 830 831 if (ifp->if_flags & IFF_DEBUG) 832 printf("%s: missed beacon threshold set to %d beacons, " 833 "beacon interval is %u TU\n", ifp->if_xname, 834 ic->ic_bmissthres, ic->ic_bss->ni_intval); 835 } 836 837 int 838 ieee80211_newstate(struct ieee80211com *ic, enum ieee80211_state nstate, 839 int mgt) 840 { 841 struct ifnet *ifp = &ic->ic_if; 842 struct ieee80211_node *ni; 843 enum ieee80211_state ostate; 844 u_int rate; 845 #ifndef IEEE80211_STA_ONLY 846 int s; 847 #endif 848 849 ostate = ic->ic_state; 850 if (ifp->if_flags & IFF_DEBUG) 851 printf("%s: %s -> %s\n", ifp->if_xname, 852 ieee80211_state_name[ostate], ieee80211_state_name[nstate]); 853 ic->ic_state = nstate; /* state transition */ 854 ni = ic->ic_bss; /* NB: no reference held */ 855 ieee80211_set_link_state(ic, LINK_STATE_DOWN); 856 switch (nstate) { 857 case IEEE80211_S_INIT: 858 /* 859 * If mgt = -1, driver is already partway down, so do 860 * not send management frames. 861 */ 862 switch (ostate) { 863 case IEEE80211_S_INIT: 864 break; 865 case IEEE80211_S_RUN: 866 if (mgt == -1) 867 goto justcleanup; 868 switch (ic->ic_opmode) { 869 case IEEE80211_M_STA: 870 IEEE80211_SEND_MGMT(ic, ni, 871 IEEE80211_FC0_SUBTYPE_DISASSOC, 872 IEEE80211_REASON_ASSOC_LEAVE); 873 break; 874 #ifndef IEEE80211_STA_ONLY 875 case IEEE80211_M_HOSTAP: 876 s = splnet(); 877 RBT_FOREACH(ni, ieee80211_tree, &ic->ic_tree) { 878 if (ni->ni_state != IEEE80211_STA_ASSOC) 879 continue; 880 IEEE80211_SEND_MGMT(ic, ni, 881 IEEE80211_FC0_SUBTYPE_DISASSOC, 882 IEEE80211_REASON_ASSOC_LEAVE); 883 } 884 splx(s); 885 break; 886 #endif 887 default: 888 break; 889 } 890 /* FALLTHROUGH */ 891 case IEEE80211_S_ASSOC: 892 if (mgt == -1) 893 goto justcleanup; 894 switch (ic->ic_opmode) { 895 case IEEE80211_M_STA: 896 IEEE80211_SEND_MGMT(ic, ni, 897 IEEE80211_FC0_SUBTYPE_DEAUTH, 898 IEEE80211_REASON_AUTH_LEAVE); 899 break; 900 #ifndef IEEE80211_STA_ONLY 901 case IEEE80211_M_HOSTAP: 902 s = splnet(); 903 RBT_FOREACH(ni, ieee80211_tree, &ic->ic_tree) { 904 IEEE80211_SEND_MGMT(ic, ni, 905 IEEE80211_FC0_SUBTYPE_DEAUTH, 906 IEEE80211_REASON_AUTH_LEAVE); 907 } 908 splx(s); 909 break; 910 #endif 911 default: 912 break; 913 } 914 /* FALLTHROUGH */ 915 case IEEE80211_S_AUTH: 916 case IEEE80211_S_SCAN: 917 justcleanup: 918 #ifndef IEEE80211_STA_ONLY 919 if (ic->ic_opmode == IEEE80211_M_HOSTAP) 920 timeout_del(&ic->ic_rsn_timeout); 921 #endif 922 ic->ic_mgt_timer = 0; 923 mq_purge(&ic->ic_mgtq); 924 mq_purge(&ic->ic_pwrsaveq); 925 ieee80211_free_allnodes(ic); 926 break; 927 } 928 ni->ni_rsn_supp_state = RSNA_SUPP_INITIALIZE; 929 ieee80211_crypto_clear_groupkeys(ic); 930 break; 931 case IEEE80211_S_SCAN: 932 ic->ic_flags &= ~IEEE80211_F_SIBSS; 933 /* initialize bss for probe request */ 934 IEEE80211_ADDR_COPY(ni->ni_macaddr, etherbroadcastaddr); 935 IEEE80211_ADDR_COPY(ni->ni_bssid, etherbroadcastaddr); 936 ni->ni_rates = ic->ic_sup_rates[ 937 ieee80211_chan2mode(ic, ni->ni_chan)]; 938 ni->ni_associd = 0; 939 ni->ni_rstamp = 0; 940 ni->ni_rsn_supp_state = RSNA_SUPP_INITIALIZE; 941 ieee80211_crypto_clear_groupkeys(ic); 942 switch (ostate) { 943 case IEEE80211_S_INIT: 944 #ifndef IEEE80211_STA_ONLY 945 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 946 ic->ic_des_chan != IEEE80211_CHAN_ANYC) { 947 /* 948 * AP operation and we already have a channel; 949 * bypass the scan and startup immediately. 950 */ 951 ieee80211_create_ibss(ic, ic->ic_des_chan); 952 } else 953 #endif 954 ieee80211_begin_scan(ifp); 955 break; 956 case IEEE80211_S_SCAN: 957 /* scan next */ 958 if (ic->ic_flags & IEEE80211_F_ASCAN) { 959 IEEE80211_SEND_MGMT(ic, ni, 960 IEEE80211_FC0_SUBTYPE_PROBE_REQ, 0); 961 } 962 break; 963 case IEEE80211_S_RUN: 964 /* beacon miss */ 965 if (ifp->if_flags & IFF_DEBUG) { 966 /* XXX bssid clobbered above */ 967 printf("%s: no recent beacons from %s;" 968 " rescanning\n", ifp->if_xname, 969 ether_sprintf(ic->ic_bss->ni_bssid)); 970 } 971 ieee80211_free_allnodes(ic); 972 /* FALLTHROUGH */ 973 case IEEE80211_S_AUTH: 974 case IEEE80211_S_ASSOC: 975 /* timeout restart scan */ 976 ni = ieee80211_find_node(ic, ic->ic_bss->ni_macaddr); 977 if (ni != NULL) 978 ni->ni_fails++; 979 ieee80211_begin_scan(ifp); 980 break; 981 } 982 break; 983 case IEEE80211_S_AUTH: 984 ni->ni_rsn_supp_state = RSNA_SUPP_INITIALIZE; 985 ieee80211_crypto_clear_groupkeys(ic); 986 switch (ostate) { 987 case IEEE80211_S_INIT: 988 if (ifp->if_flags & IFF_DEBUG) 989 printf("%s: invalid transition %s -> %s", 990 ifp->if_xname, ieee80211_state_name[ostate], 991 ieee80211_state_name[nstate]); 992 break; 993 case IEEE80211_S_SCAN: 994 IEEE80211_SEND_MGMT(ic, ni, 995 IEEE80211_FC0_SUBTYPE_AUTH, 1); 996 break; 997 case IEEE80211_S_AUTH: 998 case IEEE80211_S_ASSOC: 999 switch (mgt) { 1000 case IEEE80211_FC0_SUBTYPE_AUTH: 1001 /* ??? */ 1002 IEEE80211_SEND_MGMT(ic, ni, 1003 IEEE80211_FC0_SUBTYPE_AUTH, 2); 1004 break; 1005 case IEEE80211_FC0_SUBTYPE_DEAUTH: 1006 /* ignore and retry scan on timeout */ 1007 break; 1008 } 1009 break; 1010 case IEEE80211_S_RUN: 1011 switch (mgt) { 1012 case IEEE80211_FC0_SUBTYPE_AUTH: 1013 IEEE80211_SEND_MGMT(ic, ni, 1014 IEEE80211_FC0_SUBTYPE_AUTH, 2); 1015 ic->ic_state = ostate; /* stay RUN */ 1016 break; 1017 case IEEE80211_FC0_SUBTYPE_DEAUTH: 1018 /* try to reauth */ 1019 IEEE80211_SEND_MGMT(ic, ni, 1020 IEEE80211_FC0_SUBTYPE_AUTH, 1); 1021 break; 1022 } 1023 break; 1024 } 1025 break; 1026 case IEEE80211_S_ASSOC: 1027 switch (ostate) { 1028 case IEEE80211_S_INIT: 1029 case IEEE80211_S_SCAN: 1030 case IEEE80211_S_ASSOC: 1031 if (ifp->if_flags & IFF_DEBUG) 1032 printf("%s: invalid transition %s -> %s", 1033 ifp->if_xname, ieee80211_state_name[ostate], 1034 ieee80211_state_name[nstate]); 1035 break; 1036 case IEEE80211_S_AUTH: 1037 IEEE80211_SEND_MGMT(ic, ni, 1038 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0); 1039 break; 1040 case IEEE80211_S_RUN: 1041 IEEE80211_SEND_MGMT(ic, ni, 1042 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 1); 1043 break; 1044 } 1045 break; 1046 case IEEE80211_S_RUN: 1047 switch (ostate) { 1048 case IEEE80211_S_INIT: 1049 case IEEE80211_S_AUTH: 1050 case IEEE80211_S_RUN: 1051 if (ifp->if_flags & IFF_DEBUG) 1052 printf("%s: invalid transition %s -> %s", 1053 ifp->if_xname, ieee80211_state_name[ostate], 1054 ieee80211_state_name[nstate]); 1055 break; 1056 case IEEE80211_S_SCAN: /* adhoc/hostap mode */ 1057 case IEEE80211_S_ASSOC: /* infra mode */ 1058 if (ni->ni_txrate >= ni->ni_rates.rs_nrates) 1059 panic("%s: bogus xmit rate %u setup", 1060 __func__, ni->ni_txrate); 1061 if (ifp->if_flags & IFF_DEBUG) { 1062 printf("%s: %s with %s ssid ", 1063 ifp->if_xname, 1064 ic->ic_opmode == IEEE80211_M_STA ? 1065 "associated" : "synchronized", 1066 ether_sprintf(ni->ni_bssid)); 1067 ieee80211_print_essid(ic->ic_bss->ni_essid, 1068 ni->ni_esslen); 1069 rate = ni->ni_rates.rs_rates[ni->ni_txrate] & 1070 IEEE80211_RATE_VAL; 1071 printf(" channel %d", 1072 ieee80211_chan2ieee(ic, ni->ni_chan)); 1073 if (ni->ni_flags & IEEE80211_NODE_HT) 1074 printf(" start MCS %u", ni->ni_txmcs); 1075 else 1076 printf(" start %u%sMb", 1077 rate / 2, (rate & 1) ? ".5" : ""); 1078 printf(" %s preamble %s slot time%s%s\n", 1079 (ic->ic_flags & IEEE80211_F_SHPREAMBLE) ? 1080 "short" : "long", 1081 (ic->ic_flags & IEEE80211_F_SHSLOT) ? 1082 "short" : "long", 1083 (ic->ic_flags & IEEE80211_F_USEPROT) ? 1084 " protection enabled" : "", 1085 (ni->ni_flags & IEEE80211_NODE_HT) ? 1086 " HT enabled" : ""); 1087 } 1088 if (!(ic->ic_flags & IEEE80211_F_RSNON)) { 1089 /* 1090 * NB: When RSN is enabled, we defer setting 1091 * the link up until the port is valid. 1092 */ 1093 ieee80211_set_link_state(ic, LINK_STATE_UP); 1094 } 1095 ic->ic_mgt_timer = 0; 1096 ieee80211_set_beacon_miss_threshold(ic); 1097 if_start(ifp); 1098 break; 1099 } 1100 break; 1101 } 1102 return 0; 1103 } 1104 1105 void 1106 ieee80211_set_link_state(struct ieee80211com *ic, int nstate) 1107 { 1108 struct ifnet *ifp = &ic->ic_if; 1109 1110 switch (ic->ic_opmode) { 1111 #ifndef IEEE80211_STA_ONLY 1112 case IEEE80211_M_IBSS: 1113 case IEEE80211_M_HOSTAP: 1114 nstate = LINK_STATE_UNKNOWN; 1115 break; 1116 #endif 1117 case IEEE80211_M_MONITOR: 1118 nstate = LINK_STATE_DOWN; 1119 break; 1120 default: 1121 break; 1122 } 1123 if (nstate != ifp->if_link_state) { 1124 ifp->if_link_state = nstate; 1125 if_link_state_change(ifp); 1126 } 1127 } 1128