1 /* $NetBSD: ieee80211_input.c,v 1.84 2016/05/14 13:35:40 mlelstv Exp $ */
2 /*-
3 * Copyright (c) 2001 Atsushi Onoe
4 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. The name of the author may not be used to endorse or promote products
16 * derived from this software without specific prior written permission.
17 *
18 * Alternatively, this software may be distributed under the terms of the
19 * GNU General Public License ("GPL") version 2 as published by the Free
20 * Software Foundation.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 */
33
34 #include <sys/cdefs.h>
35 #ifdef __FreeBSD__
36 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.81 2005/08/10 16:22:29 sam Exp $");
37 #endif
38 #ifdef __NetBSD__
39 __KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.84 2016/05/14 13:35:40 mlelstv Exp $");
40 #endif
41
42 #ifdef _KERNEL_OPT
43 #include "opt_inet.h"
44 #endif
45
46 #ifdef __NetBSD__
47 #endif /* __NetBSD__ */
48
49 #include <sys/param.h>
50 #include <sys/systm.h>
51 #include <sys/mbuf.h>
52 #include <sys/malloc.h>
53 #include <sys/endian.h>
54 #include <sys/kernel.h>
55
56 #include <sys/socket.h>
57 #include <sys/sockio.h>
58 #include <sys/endian.h>
59 #include <sys/errno.h>
60 #include <sys/proc.h>
61 #include <sys/sysctl.h>
62
63 #include <net/if.h>
64 #include <net/if_media.h>
65 #include <net/if_arp.h>
66 #include <net/if_ether.h>
67 #include <net/if_llc.h>
68
69 #include <net80211/ieee80211_netbsd.h>
70 #include <net80211/ieee80211_var.h>
71
72 #include <net/bpf.h>
73
74 #ifdef INET
75 #include <netinet/in.h>
76 #include <net/if_ether.h>
77 #endif
78
79 const struct timeval ieee80211_merge_print_intvl = {.tv_sec = 1, .tv_usec = 0};
80
81 #ifdef IEEE80211_DEBUG
82
83 /*
84 * Decide if a received management frame should be
85 * printed when debugging is enabled. This filters some
86 * of the less interesting frames that come frequently
87 * (e.g. beacons).
88 */
89 static __inline int
doprint(struct ieee80211com * ic,int subtype)90 doprint(struct ieee80211com *ic, int subtype)
91 {
92 switch (subtype) {
93 case IEEE80211_FC0_SUBTYPE_BEACON:
94 return (ic->ic_flags & IEEE80211_F_SCAN);
95 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
96 return (ic->ic_opmode == IEEE80211_M_IBSS);
97 }
98 return 1;
99 }
100
101 /*
102 * Emit a debug message about discarding a frame or information
103 * element. One format is for extracting the mac address from
104 * the frame header; the other is for when a header is not
105 * available or otherwise appropriate.
106 */
107 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \
108 if ((_ic)->ic_debug & (_m)) \
109 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\
110 } while (0)
111 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \
112 if ((_ic)->ic_debug & (_m)) \
113 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\
114 } while (0)
115 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \
116 if ((_ic)->ic_debug & (_m)) \
117 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\
118 } while (0)
119
120 static const u_int8_t *ieee80211_getbssid(struct ieee80211com *,
121 const struct ieee80211_frame *);
122 static void ieee80211_discard_frame(struct ieee80211com *,
123 const struct ieee80211_frame *, const char *type, const char *fmt, ...);
124 static void ieee80211_discard_ie(struct ieee80211com *,
125 const struct ieee80211_frame *, const char *type, const char *fmt, ...);
126 static void ieee80211_discard_mac(struct ieee80211com *,
127 const u_int8_t mac[IEEE80211_ADDR_LEN], const char *type,
128 const char *fmt, ...);
129 #else
130 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...)
131 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...)
132 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...)
133 #endif /* IEEE80211_DEBUG */
134
135 static struct mbuf *ieee80211_defrag(struct ieee80211com *,
136 struct ieee80211_node *, struct mbuf *, int);
137 static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int);
138 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *,
139 const u_int8_t *mac, int subtype, int arg);
140 static void ieee80211_deliver_data(struct ieee80211com *,
141 struct ieee80211_node *, struct mbuf *);
142 #ifndef IEEE80211_NO_HOSTAP
143 static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable);
144 static void ieee80211_recv_pspoll(struct ieee80211com *,
145 struct ieee80211_node *, struct mbuf *);
146 #endif /* !IEEE80211_NO_HOSTAP */
147 static void ieee80211_update_adhoc_node(struct ieee80211com *,
148 struct ieee80211_node *, struct ieee80211_frame *,
149 struct ieee80211_scanparams *, int, u_int32_t);
150
151 /*
152 * Process a received frame. The node associated with the sender
153 * should be supplied. If nothing was found in the node table then
154 * the caller is assumed to supply a reference to ic_bss instead.
155 * The RSSI and a timestamp are also supplied. The RSSI data is used
156 * during AP scanning to select a AP to associate with; it can have
157 * any units so long as values have consistent units and higher values
158 * mean ``better signal''. The receive timestamp is currently not used
159 * by the 802.11 layer.
160 */
161 int
ieee80211_input(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni,int rssi,u_int32_t rstamp)162 ieee80211_input(struct ieee80211com *ic, struct mbuf *m,
163 struct ieee80211_node *ni, int rssi, u_int32_t rstamp)
164 {
165 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
166 #define HAS_SEQ(type) ((type & 0x4) == 0)
167 struct ifnet *ifp = ic->ic_ifp;
168 struct ieee80211_frame *wh;
169 struct ieee80211_key *key;
170 struct ether_header *eh;
171 int hdrspace;
172 u_int8_t dir, type, subtype;
173 u_int8_t *bssid;
174 u_int16_t rxseq;
175
176 IASSERT(ni != NULL, ("null node"));
177 ni->ni_inact = ni->ni_inact_reload;
178
179 /* trim CRC here so WEP can find its own CRC at the end of packet. */
180 if (m->m_flags & M_HASFCS) {
181 m_adj(m, -IEEE80211_CRC_LEN);
182 m->m_flags &= ~M_HASFCS;
183 }
184 type = -1; /* undefined */
185 /*
186 * In monitor mode, send everything directly to bpf.
187 * XXX may want to include the CRC
188 */
189 if (ic->ic_opmode == IEEE80211_M_MONITOR)
190 goto out;
191
192 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
193 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
194 ni->ni_macaddr, NULL,
195 "too short (1): len %u", m->m_pkthdr.len);
196 ic->ic_stats.is_rx_tooshort++;
197 goto out;
198 }
199 /*
200 * Bit of a cheat here, we use a pointer for a 3-address
201 * frame format but don't reference fields past outside
202 * ieee80211_frame_min w/o first validating the data is
203 * present.
204 */
205 wh = mtod(m, struct ieee80211_frame *);
206
207 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
208 IEEE80211_FC0_VERSION_0) {
209 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
210 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]);
211 ic->ic_stats.is_rx_badversion++;
212 goto err;
213 }
214
215 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
216 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
217 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
218 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
219 switch (ic->ic_opmode) {
220 case IEEE80211_M_STA:
221 bssid = wh->i_addr2;
222 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
223 /* not interested in */
224 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
225 bssid, NULL, "%s", "not to bss");
226 ic->ic_stats.is_rx_wrongbss++;
227 goto out;
228 }
229
230 /* Filter out packets not directed to us in case the
231 * device is in promiscous mode
232 */
233 if ((! IEEE80211_IS_MULTICAST(wh->i_addr1))
234 && (! IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr))) {
235 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
236 bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D",
237 ic->ic_myaddr, ":", wh->i_addr1, ":");
238 ic->ic_stats.is_rx_wrongbss++;
239 goto out;
240 }
241 break;
242 case IEEE80211_M_IBSS:
243 case IEEE80211_M_AHDEMO:
244 case IEEE80211_M_HOSTAP:
245 if (dir != IEEE80211_FC1_DIR_NODS)
246 bssid = wh->i_addr1;
247 else if (type == IEEE80211_FC0_TYPE_CTL)
248 bssid = wh->i_addr1;
249 else {
250 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
251 IEEE80211_DISCARD_MAC(ic,
252 IEEE80211_MSG_ANY, ni->ni_macaddr,
253 NULL, "too short (2): len %u",
254 m->m_pkthdr.len);
255 ic->ic_stats.is_rx_tooshort++;
256 goto out;
257 }
258 bssid = wh->i_addr3;
259 }
260 if (type != IEEE80211_FC0_TYPE_DATA)
261 break;
262 /*
263 * Data frame, validate the bssid.
264 */
265 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) &&
266 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
267 /* not interested in */
268 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
269 bssid, NULL, "%s", "not to bss");
270 ic->ic_stats.is_rx_wrongbss++;
271 goto out;
272 }
273 /*
274 * For adhoc mode we cons up a node when it doesn't
275 * exist. This should probably done after an ACL check.
276 */
277 if (ni == ic->ic_bss &&
278 ic->ic_opmode != IEEE80211_M_HOSTAP &&
279 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
280 /*
281 * Fake up a node for this newly
282 * discovered member of the IBSS.
283 */
284 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta,
285 wh->i_addr2);
286 if (ni == NULL) {
287 /* NB: stat kept for alloc failure */
288 goto err;
289 }
290 }
291 break;
292 default:
293 goto out;
294 }
295 ni->ni_rssi = rssi;
296 ni->ni_rstamp = rstamp;
297 if (HAS_SEQ(type) && (ic->ic_opmode != IEEE80211_M_STA ||
298 !IEEE80211_IS_MULTICAST(wh->i_addr1))) {
299 u_int8_t tid, retry;
300 u_int16_t rxno, orxno;
301
302 if (ieee80211_has_qos(wh)) {
303 tid = ((struct ieee80211_qosframe *)wh)->
304 i_qos[0] & IEEE80211_QOS_TID;
305 if (TID_TO_WME_AC(tid) >= WME_AC_VI)
306 ic->ic_wme.wme_hipri_traffic++;
307 tid++;
308 } else
309 tid = 0;
310 rxseq = le16toh(*(u_int16_t *)wh->i_seq);
311 retry = wh->i_fc[1] & IEEE80211_FC1_RETRY;
312 rxno = rxseq >> IEEE80211_SEQ_SEQ_SHIFT;
313 orxno = ni->ni_rxseqs[tid] >> IEEE80211_SEQ_SEQ_SHIFT;
314 if (retry && (
315 (orxno == 4095 && rxno == orxno) ||
316 (orxno != 4095 &&
317 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid]))
318 )) {
319 /* duplicate, discard */
320 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
321 bssid, "duplicate",
322 "seqno <%u,%u> fragno <%u,%u> tid %u",
323 rxno,
324 orxno,
325 rxseq & IEEE80211_SEQ_FRAG_MASK,
326 ni->ni_rxseqs[tid] &
327 IEEE80211_SEQ_FRAG_MASK,
328 tid);
329 ic->ic_stats.is_rx_dup++;
330 IEEE80211_NODE_STAT(ni, rx_dup);
331 goto out;
332 }
333 ni->ni_rxseqs[tid] = rxseq;
334 }
335 }
336
337 switch (type) {
338 case IEEE80211_FC0_TYPE_DATA:
339 hdrspace = ieee80211_hdrspace(ic, wh);
340 if (m->m_len < hdrspace &&
341 (m = m_pullup(m, hdrspace)) == NULL) {
342 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
343 ni->ni_macaddr, NULL,
344 "data too short: expecting %u", hdrspace);
345 ic->ic_stats.is_rx_tooshort++;
346 goto out; /* XXX */
347 }
348 switch (ic->ic_opmode) {
349 case IEEE80211_M_STA:
350 if (dir != IEEE80211_FC1_DIR_FROMDS) {
351 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
352 wh, "data", "%s", "unknown dir 0x%x", dir);
353 ic->ic_stats.is_rx_wrongdir++;
354 goto out;
355 }
356 if ((ifp->if_flags & IFF_SIMPLEX) &&
357 IEEE80211_IS_MULTICAST(wh->i_addr1) &&
358 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) {
359 /*
360 * In IEEE802.11 network, multicast packet
361 * sent from me is broadcasted from AP.
362 * It should be silently discarded for
363 * SIMPLEX interface.
364 */
365 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
366 wh, NULL, "%s", "multicast echo");
367 ic->ic_stats.is_rx_mcastecho++;
368 goto out;
369 }
370 break;
371 case IEEE80211_M_IBSS:
372 case IEEE80211_M_AHDEMO:
373 if (dir != IEEE80211_FC1_DIR_NODS) {
374 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
375 wh, "data", "%s", "unknown dir 0x%x", dir);
376 ic->ic_stats.is_rx_wrongdir++;
377 goto out;
378 }
379 /* XXX no power-save support */
380 break;
381 case IEEE80211_M_HOSTAP:
382 #ifndef IEEE80211_NO_HOSTAP
383 if (dir != IEEE80211_FC1_DIR_TODS) {
384 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
385 wh, "data", "%s", "unknown dir 0x%x", dir);
386 ic->ic_stats.is_rx_wrongdir++;
387 goto out;
388 }
389 /* check if source STA is associated */
390 if (ni == ic->ic_bss) {
391 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
392 wh, "data", "%s", "unknown src");
393 ieee80211_send_error(ic, ni, wh->i_addr2,
394 IEEE80211_FC0_SUBTYPE_DEAUTH,
395 IEEE80211_REASON_NOT_AUTHED);
396 ic->ic_stats.is_rx_notassoc++;
397 goto err;
398 }
399 if (ni->ni_associd == 0) {
400 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
401 wh, "data", "%s", "unassoc src");
402 IEEE80211_SEND_MGMT(ic, ni,
403 IEEE80211_FC0_SUBTYPE_DISASSOC,
404 IEEE80211_REASON_NOT_ASSOCED);
405 ic->ic_stats.is_rx_notassoc++;
406 goto err;
407 }
408
409 /*
410 * Check for power save state change.
411 */
412 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
413 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
414 ieee80211_node_pwrsave(ni,
415 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
416 #endif /* !IEEE80211_NO_HOSTAP */
417 break;
418 default:
419 /* XXX here to keep compiler happy */
420 goto out;
421 }
422
423 /*
424 * Handle privacy requirements. Note that we
425 * must not be preempted from here until after
426 * we (potentially) call ieee80211_crypto_demic;
427 * otherwise we may violate assumptions in the
428 * crypto cipher modules used to do delayed update
429 * of replay sequence numbers.
430 */
431 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
432 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
433 /*
434 * Discard encrypted frames when privacy is off.
435 */
436 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
437 wh, "WEP", "%s", "PRIVACY off");
438 ic->ic_stats.is_rx_noprivacy++;
439 IEEE80211_NODE_STAT(ni, rx_noprivacy);
440 goto out;
441 }
442 key = ieee80211_crypto_decap(ic, ni, m, hdrspace);
443 if (key == NULL) {
444 /* NB: stats+msgs handled in crypto_decap */
445 IEEE80211_NODE_STAT(ni, rx_wepfail);
446 goto out;
447 }
448 wh = mtod(m, struct ieee80211_frame *);
449 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
450 } else {
451 key = NULL;
452 }
453
454 /*
455 * Next up, any fragmentation.
456 */
457 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
458 m = ieee80211_defrag(ic, ni, m, hdrspace);
459 if (m == NULL) {
460 /* Fragment dropped or frame not complete yet */
461 goto out;
462 }
463 }
464 wh = NULL; /* no longer valid, catch any uses */
465
466 /*
467 * Next strip any MSDU crypto bits.
468 */
469 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) {
470 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
471 ni->ni_macaddr, "data", "%s", "demic error");
472 IEEE80211_NODE_STAT(ni, rx_demicfail);
473 goto out;
474 }
475
476 /* copy to listener after decrypt */
477 bpf_mtap3(ic->ic_rawbpf, m);
478
479 /*
480 * Finally, strip the 802.11 header.
481 */
482 m = ieee80211_decap(ic, m, hdrspace);
483 if (m == NULL) {
484 /* don't count Null data frames as errors */
485 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA)
486 goto out;
487 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
488 ni->ni_macaddr, "data", "%s", "decap error");
489 ic->ic_stats.is_rx_decap++;
490 IEEE80211_NODE_STAT(ni, rx_decap);
491 goto err;
492 }
493 eh = mtod(m, struct ether_header *);
494 if (!ieee80211_node_is_authorized(ni)) {
495 /*
496 * Deny any non-PAE frames received prior to
497 * authorization. For open/shared-key
498 * authentication the port is mark authorized
499 * after authentication completes. For 802.1x
500 * the port is not marked authorized by the
501 * authenticator until the handshake has completed.
502 */
503 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
504 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
505 eh->ether_shost, "data",
506 "unauthorized port: ether type 0x%x len %u",
507 eh->ether_type, m->m_pkthdr.len);
508 ic->ic_stats.is_rx_unauth++;
509 IEEE80211_NODE_STAT(ni, rx_unauth);
510 goto err;
511 }
512 } else {
513 /*
514 * When denying unencrypted frames, discard
515 * any non-PAE frames received without encryption.
516 */
517 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) &&
518 key == NULL &&
519 eh->ether_type != htons(ETHERTYPE_PAE)) {
520 /*
521 * Drop unencrypted frames.
522 */
523 ic->ic_stats.is_rx_unencrypted++;
524 IEEE80211_NODE_STAT(ni, rx_unencrypted);
525 goto out;
526 }
527 }
528 ifp->if_ipackets++;
529 IEEE80211_NODE_STAT(ni, rx_data);
530 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
531
532 ieee80211_deliver_data(ic, ni, m);
533 return IEEE80211_FC0_TYPE_DATA;
534
535 case IEEE80211_FC0_TYPE_MGT:
536 IEEE80211_NODE_STAT(ni, rx_mgmt);
537 if (dir != IEEE80211_FC1_DIR_NODS) {
538 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
539 wh, "data", "%s", "unknown dir 0x%x", dir);
540 ic->ic_stats.is_rx_wrongdir++;
541 goto err;
542 }
543 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
544 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
545 ni->ni_macaddr, "mgt", "too short: len %u",
546 m->m_pkthdr.len);
547 ic->ic_stats.is_rx_tooshort++;
548 goto out;
549 }
550 #ifdef IEEE80211_DEBUG
551 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) ||
552 ieee80211_msg_dumppkts(ic)) {
553 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n",
554 ieee80211_mgt_subtype_name[subtype >>
555 IEEE80211_FC0_SUBTYPE_SHIFT],
556 ether_sprintf(wh->i_addr2), rssi);
557 }
558 #endif
559 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
560 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
561 /*
562 * Only shared key auth frames with a challenge
563 * should be encrypted, discard all others.
564 */
565 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
566 wh, ieee80211_mgt_subtype_name[subtype >>
567 IEEE80211_FC0_SUBTYPE_SHIFT],
568 "%s", "WEP set but not permitted");
569 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */
570 goto out;
571 }
572 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
573 /*
574 * Discard encrypted frames when privacy is off.
575 */
576 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
577 wh, "mgt", "%s", "WEP set but PRIVACY off");
578 ic->ic_stats.is_rx_noprivacy++;
579 goto out;
580 }
581 hdrspace = ieee80211_hdrspace(ic, wh);
582 key = ieee80211_crypto_decap(ic, ni, m, hdrspace);
583 if (key == NULL) {
584 /* NB: stats+msgs handled in crypto_decap */
585 goto out;
586 }
587 wh = mtod(m, struct ieee80211_frame *);
588 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
589 }
590 bpf_mtap3(ic->ic_rawbpf, m);
591 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp);
592 m_freem(m);
593 return type;
594
595 case IEEE80211_FC0_TYPE_CTL:
596 IEEE80211_NODE_STAT(ni, rx_ctrl);
597 ic->ic_stats.is_rx_ctl++;
598 #ifndef IEEE80211_NO_HOSTAP
599 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
600 switch (subtype) {
601 case IEEE80211_FC0_SUBTYPE_PS_POLL:
602 ieee80211_recv_pspoll(ic, ni, m);
603 break;
604 }
605 }
606 #endif /* !IEEE80211_NO_HOSTAP */
607 goto out;
608 default:
609 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
610 wh, NULL, "bad frame type 0x%x", type);
611 /* should not come here */
612 break;
613 }
614 err:
615 ifp->if_ierrors++;
616 out:
617 if (m != NULL) {
618 bpf_mtap3(ic->ic_rawbpf, m);
619 m_freem(m);
620 }
621 return type;
622 #undef SEQ_LEQ
623 }
624
625 /*
626 * This function reassemble fragments.
627 */
628 static struct mbuf *
ieee80211_defrag(struct ieee80211com * ic,struct ieee80211_node * ni,struct mbuf * m,int hdrspace)629 ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni,
630 struct mbuf *m, int hdrspace)
631 {
632 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
633 struct ieee80211_frame *lwh;
634 u_int16_t rxseq;
635 u_int8_t fragno;
636 u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG;
637 struct mbuf *mfrag;
638
639 IASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?"));
640
641 rxseq = le16toh(*(u_int16_t *)wh->i_seq);
642 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK;
643
644 /* Quick way out, if there's nothing to defragment */
645 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL)
646 return m;
647
648 /*
649 * Remove frag to insure it doesn't get reaped by timer.
650 */
651 if (ni->ni_table == NULL) {
652 /*
653 * Should never happen. If the node is orphaned (not in
654 * the table) then input packets should not reach here.
655 * Otherwise, a concurrent request that yanks the table
656 * should be blocked by other interlocking and/or by first
657 * shutting the driver down. Regardless, be defensive
658 * here and just bail
659 */
660 /* XXX need msg+stat */
661 m_freem(m);
662 return NULL;
663 }
664 IEEE80211_NODE_LOCK(ni->ni_table);
665 mfrag = ni->ni_rxfrag[0];
666 ni->ni_rxfrag[0] = NULL;
667 IEEE80211_NODE_UNLOCK(ni->ni_table);
668
669 /*
670 * Validate new fragment is in order and
671 * related to the previous ones.
672 */
673 if (mfrag != NULL) {
674 u_int16_t last_rxseq;
675
676 lwh = mtod(mfrag, struct ieee80211_frame *);
677 last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq);
678 /* NB: check seq # and frag together */
679 if (rxseq != last_rxseq+1 ||
680 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) ||
681 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) {
682 /*
683 * Unrelated fragment or no space for it,
684 * clear current fragments.
685 */
686 m_freem(mfrag);
687 mfrag = NULL;
688 }
689 }
690
691 if (mfrag == NULL) {
692 if (fragno != 0) { /* !first fragment, discard */
693 IEEE80211_NODE_STAT(ni, rx_defrag);
694 m_freem(m);
695 return NULL;
696 }
697 mfrag = m;
698 } else { /* concatenate */
699 m_adj(m, hdrspace); /* strip header */
700 m_cat(mfrag, m);
701 /* NB: m_cat doesn't update the packet header */
702 mfrag->m_pkthdr.len += m->m_pkthdr.len;
703 /* track last seqnum and fragno */
704 lwh = mtod(mfrag, struct ieee80211_frame *);
705 *(u_int16_t *) lwh->i_seq = *(u_int16_t *) wh->i_seq;
706 }
707 if (more_frag) { /* more to come, save */
708 ni->ni_rxfragstamp = ticks;
709 ni->ni_rxfrag[0] = mfrag;
710 mfrag = NULL;
711 }
712 return mfrag;
713 }
714
715 static void
ieee80211_deliver_data(struct ieee80211com * ic,struct ieee80211_node * ni,struct mbuf * m)716 ieee80211_deliver_data(struct ieee80211com *ic,
717 struct ieee80211_node *ni, struct mbuf *m)
718 {
719 struct ether_header *eh = mtod(m, struct ether_header *);
720 struct ifnet *ifp = ic->ic_ifp;
721 int error;
722
723 /* perform as a bridge within the AP */
724 if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
725 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) {
726 struct mbuf *m1 = NULL;
727
728 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
729 m1 = m_copypacket(m, M_DONTWAIT);
730 if (m1 == NULL)
731 ifp->if_oerrors++;
732 else
733 m1->m_flags |= M_MCAST;
734 } else {
735 /*
736 * Check if the destination is known; if so
737 * and the port is authorized dispatch directly.
738 */
739 struct ieee80211_node *sta =
740 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost);
741 if (sta != NULL) {
742 if (ieee80211_node_is_authorized(sta)) {
743 /*
744 * Beware of sending to ourself; this
745 * needs to happen via the normal
746 * input path.
747 */
748 if (sta != ic->ic_bss) {
749 m1 = m;
750 m = NULL;
751 }
752 } else {
753 ic->ic_stats.is_rx_unauth++;
754 IEEE80211_NODE_STAT(sta, rx_unauth);
755 }
756 ieee80211_free_node(sta);
757 }
758 }
759 if (m1 != NULL) {
760 int len;
761 #ifdef ALTQ
762 if (ALTQ_IS_ENABLED(&ifp->if_snd)) {
763 altq_etherclassify(&ifp->if_snd, m1);
764 }
765 #endif
766 len = m1->m_pkthdr.len;
767 IFQ_ENQUEUE(&ifp->if_snd, m1, error);
768 if (error) {
769 ifp->if_omcasts++;
770 m = NULL;
771 }
772 ifp->if_obytes += len;
773 }
774 }
775 if (m != NULL) {
776 /*
777 * XXX If we forward packet into transmitter of the AP,
778 * we don't need to duplicate for DLT_EN10MB.
779 */
780 bpf_mtap(ifp, m);
781
782 if (ni->ni_vlan != 0) {
783 /* attach vlan tag */
784 /* XXX goto err? */
785 VLAN_INPUT_TAG(ifp, m, ni->ni_vlan, goto out);
786 }
787
788 /*
789 * XXX once ieee80211_input (or rxintr itself) runs in softint
790 * we have to change here too to use if_input.
791 */
792 KASSERT(ifp->if_percpuq);
793 if_percpuq_enqueue(ifp->if_percpuq, m);
794 }
795 return;
796 out:
797 if (m != NULL) {
798 bpf_mtap3(ic->ic_rawbpf, m);
799 m_freem(m);
800 }
801 }
802
803 static struct mbuf *
ieee80211_decap(struct ieee80211com * ic,struct mbuf * m,int hdrlen)804 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen)
805 {
806 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */
807 struct ether_header *eh;
808 struct llc *llc;
809
810 if (m->m_len < hdrlen + sizeof(*llc) &&
811 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) {
812 /* XXX stat, msg */
813 return NULL;
814 }
815 memcpy(&wh, mtod(m, void *), hdrlen);
816 llc = (struct llc *)(mtod(m, char *) + hdrlen);
817 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP &&
818 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 &&
819 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) {
820 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh));
821 llc = NULL;
822 } else {
823 m_adj(m, hdrlen - sizeof(*eh));
824 }
825 eh = mtod(m, struct ether_header *);
826 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) {
827 case IEEE80211_FC1_DIR_NODS:
828 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
829 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
830 break;
831 case IEEE80211_FC1_DIR_TODS:
832 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
833 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
834 break;
835 case IEEE80211_FC1_DIR_FROMDS:
836 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
837 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3);
838 break;
839 case IEEE80211_FC1_DIR_DSTODS:
840 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
841 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4);
842 break;
843 }
844 #ifdef ALIGNED_POINTER
845 if (!ALIGNED_POINTER(mtod(m, char *) + sizeof(*eh), u_int32_t)) {
846 struct mbuf *n, *n0, **np;
847 char *newdata;
848 int off, pktlen;
849
850 n0 = NULL;
851 np = &n0;
852 off = 0;
853 pktlen = m->m_pkthdr.len;
854 while (pktlen > off) {
855 if (n0 == NULL) {
856 MGETHDR(n, M_DONTWAIT, MT_DATA);
857 if (n == NULL) {
858 m_freem(m);
859 return NULL;
860 }
861 M_MOVE_PKTHDR(n, m);
862 n->m_len = MHLEN;
863 } else {
864 MGET(n, M_DONTWAIT, MT_DATA);
865 if (n == NULL) {
866 m_freem(m);
867 m_freem(n0);
868 return NULL;
869 }
870 n->m_len = MLEN;
871 }
872 if (pktlen - off >= MINCLSIZE) {
873 MCLGET(n, M_DONTWAIT);
874 if (n->m_flags & M_EXT)
875 n->m_len = n->m_ext.ext_size;
876 }
877 if (n0 == NULL) {
878 newdata =
879 (char *)ALIGN(n->m_data + sizeof(*eh)) -
880 sizeof(*eh);
881 n->m_len -= newdata - n->m_data;
882 n->m_data = newdata;
883 }
884 if (n->m_len > pktlen - off)
885 n->m_len = pktlen - off;
886 m_copydata(m, off, n->m_len, mtod(n, void *));
887 off += n->m_len;
888 *np = n;
889 np = &n->m_next;
890 }
891 m_freem(m);
892 m = n0;
893 }
894 #endif /* ALIGNED_POINTER */
895 if (llc != NULL) {
896 eh = mtod(m, struct ether_header *);
897 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh));
898 }
899 return m;
900 }
901
902 /*
903 * Install received rate set information in the node's state block.
904 */
905 int
ieee80211_setup_rates(struct ieee80211_node * ni,const u_int8_t * rates,const u_int8_t * xrates,int flags)906 ieee80211_setup_rates(struct ieee80211_node *ni,
907 const u_int8_t *rates, const u_int8_t *xrates, int flags)
908 {
909 struct ieee80211com *ic = ni->ni_ic;
910 struct ieee80211_rateset *rs = &ni->ni_rates;
911
912 memset(rs, 0, sizeof(*rs));
913 rs->rs_nrates = rates[1];
914 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates);
915 if (xrates != NULL) {
916 u_int8_t nxrates;
917 /*
918 * Tack on 11g extended supported rate element.
919 */
920 nxrates = xrates[1];
921 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) {
922 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates;
923 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE,
924 "[%s] extended rate set too large;"
925 " only using %u of %u rates\n",
926 ether_sprintf(ni->ni_macaddr), nxrates, xrates[1]);
927 ic->ic_stats.is_rx_rstoobig++;
928 }
929 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates);
930 rs->rs_nrates += nxrates;
931 }
932 return ieee80211_fix_rate(ni, flags);
933 }
934
935 static void
ieee80211_auth_open(struct ieee80211com * ic,struct ieee80211_frame * wh,struct ieee80211_node * ni,int rssi,u_int32_t rstamp,u_int16_t seq,u_int16_t status)936 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh,
937 struct ieee80211_node *ni, int rssi, u_int32_t rstamp,
938 u_int16_t seq, u_int16_t status)
939 {
940
941 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
942 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
943 ni->ni_macaddr, "open auth",
944 "bad sta auth mode %u", ni->ni_authmode);
945 ic->ic_stats.is_rx_bad_auth++; /* XXX */
946 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
947 /* XXX hack to workaround calling convention */
948 ieee80211_send_error(ic, ni, wh->i_addr2,
949 IEEE80211_FC0_SUBTYPE_AUTH,
950 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
951 }
952 return;
953 }
954 switch (ic->ic_opmode) {
955 case IEEE80211_M_IBSS:
956 case IEEE80211_M_AHDEMO:
957 case IEEE80211_M_MONITOR:
958 /* should not come here */
959 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
960 ni->ni_macaddr, "open auth",
961 "bad operating mode %u", ic->ic_opmode);
962 break;
963
964 case IEEE80211_M_HOSTAP:
965 #ifndef IEEE80211_NO_HOSTAP
966 if (ic->ic_state != IEEE80211_S_RUN ||
967 seq != IEEE80211_AUTH_OPEN_REQUEST) {
968 ic->ic_stats.is_rx_bad_auth++;
969 return;
970 }
971 /* always accept open authentication requests */
972 if (ni == ic->ic_bss) {
973 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
974 if (ni == NULL)
975 return;
976 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
977 (void) ieee80211_ref_node(ni);
978 /*
979 * Mark the node as referenced to reflect that its
980 * reference count has been bumped to insure it remains
981 * after the transaction completes.
982 */
983 ni->ni_flags |= IEEE80211_NODE_AREF;
984
985 IEEE80211_SEND_MGMT(ic, ni,
986 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
987 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
988 "[%s] station authenticated (open)\n",
989 ether_sprintf(ni->ni_macaddr));
990 /*
991 * When 802.1x is not in use mark the port
992 * authorized at this point so traffic can flow.
993 */
994 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
995 ieee80211_node_authorize(ni);
996 #endif /* !IEEE80211_NO_HOSTAP */
997 break;
998
999 case IEEE80211_M_STA:
1000 if (ic->ic_state != IEEE80211_S_AUTH ||
1001 seq != IEEE80211_AUTH_OPEN_RESPONSE) {
1002 ic->ic_stats.is_rx_bad_auth++;
1003 return;
1004 }
1005 if (status != 0) {
1006 IEEE80211_DPRINTF(ic,
1007 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1008 "[%s] open auth failed (reason %d)\n",
1009 ether_sprintf(ni->ni_macaddr), status);
1010 /* XXX can this happen? */
1011 if (ni != ic->ic_bss)
1012 ni->ni_fails++;
1013 ic->ic_stats.is_rx_auth_fail++;
1014 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
1015 } else
1016 ieee80211_new_state(ic, IEEE80211_S_ASSOC,
1017 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
1018 break;
1019 }
1020 }
1021
1022 /*
1023 * Send a management frame error response to the specified
1024 * station. If ni is associated with the station then use
1025 * it; otherwise allocate a temporary node suitable for
1026 * transmitting the frame and then free the reference so
1027 * it will go away as soon as the frame has been transmitted.
1028 */
1029 static void
ieee80211_send_error(struct ieee80211com * ic,struct ieee80211_node * ni,const u_int8_t * mac,int subtype,int arg)1030 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni,
1031 const u_int8_t *mac, int subtype, int arg)
1032 {
1033 int istmp;
1034
1035 if (ni == ic->ic_bss) {
1036 ni = ieee80211_tmp_node(ic, mac);
1037 if (ni == NULL) {
1038 /* XXX msg */
1039 return;
1040 }
1041 istmp = 1;
1042 } else
1043 istmp = 0;
1044 IEEE80211_SEND_MGMT(ic, ni, subtype, arg);
1045 if (istmp)
1046 ieee80211_free_node(ni);
1047 }
1048
1049 static int
alloc_challenge(struct ieee80211com * ic,struct ieee80211_node * ni)1050 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni)
1051 {
1052 if (ni->ni_challenge == NULL)
1053 ni->ni_challenge = malloc(IEEE80211_CHALLENGE_LEN,
1054 M_DEVBUF, M_NOWAIT);
1055 if (ni->ni_challenge == NULL) {
1056 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1057 "[%s] shared key challenge alloc failed\n",
1058 ether_sprintf(ni->ni_macaddr));
1059 /* XXX statistic */
1060 }
1061 return (ni->ni_challenge != NULL);
1062 }
1063
1064 /* XXX TODO: add statistics */
1065 static void
ieee80211_auth_shared(struct ieee80211com * ic,struct ieee80211_frame * wh,u_int8_t * frm,u_int8_t * efrm,struct ieee80211_node * ni,int rssi,u_int32_t rstamp,u_int16_t seq,u_int16_t status)1066 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh,
1067 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi,
1068 u_int32_t rstamp, u_int16_t seq, u_int16_t status)
1069 {
1070 u_int8_t *challenge;
1071 int estatus;
1072
1073 /*
1074 * NB: this can happen as we allow pre-shared key
1075 * authentication to be enabled w/o wep being turned
1076 * on so that configuration of these can be done
1077 * in any order. It may be better to enforce the
1078 * ordering in which case this check would just be
1079 * for sanity/consistency.
1080 */
1081 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
1082 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1083 ni->ni_macaddr, "shared key auth",
1084 "%s", " PRIVACY is disabled");
1085 estatus = IEEE80211_STATUS_ALG;
1086 goto bad;
1087 }
1088 /*
1089 * Pre-shared key authentication is evil; accept
1090 * it only if explicitly configured (it is supported
1091 * mainly for compatibility with clients like OS X).
1092 */
1093 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1094 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1095 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1096 ni->ni_macaddr, "shared key auth",
1097 "bad sta auth mode %u", ni->ni_authmode);
1098 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1099 estatus = IEEE80211_STATUS_ALG;
1100 goto bad;
1101 }
1102
1103 challenge = NULL;
1104 if (frm + 1 < efrm) {
1105 if ((frm[1] + 2) > (efrm - frm)) {
1106 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1107 ni->ni_macaddr, "shared key auth",
1108 "ie %d/%d too long",
1109 frm[0], (frm[1] + 2) - (efrm - frm));
1110 ic->ic_stats.is_rx_bad_auth++;
1111 estatus = IEEE80211_STATUS_CHALLENGE;
1112 goto bad;
1113 }
1114 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1115 challenge = frm;
1116 frm += frm[1] + 2;
1117 }
1118 switch (seq) {
1119 case IEEE80211_AUTH_SHARED_CHALLENGE:
1120 case IEEE80211_AUTH_SHARED_RESPONSE:
1121 if (challenge == NULL) {
1122 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1123 ni->ni_macaddr, "shared key auth",
1124 "%s", "no challenge");
1125 ic->ic_stats.is_rx_bad_auth++;
1126 estatus = IEEE80211_STATUS_CHALLENGE;
1127 goto bad;
1128 }
1129 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1130 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1131 ni->ni_macaddr, "shared key auth",
1132 "bad challenge len %d", challenge[1]);
1133 ic->ic_stats.is_rx_bad_auth++;
1134 estatus = IEEE80211_STATUS_CHALLENGE;
1135 goto bad;
1136 }
1137 default:
1138 break;
1139 }
1140 switch (ic->ic_opmode) {
1141 case IEEE80211_M_MONITOR:
1142 case IEEE80211_M_AHDEMO:
1143 case IEEE80211_M_IBSS:
1144 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1145 ni->ni_macaddr, "shared key auth",
1146 "bad operating mode %u", ic->ic_opmode);
1147 return;
1148 case IEEE80211_M_HOSTAP:
1149 #ifndef IEEE80211_NO_HOSTAP
1150 {
1151 int allocbs;
1152 if (ic->ic_state != IEEE80211_S_RUN) {
1153 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1154 ni->ni_macaddr, "shared key auth",
1155 "bad state %u", ic->ic_state);
1156 estatus = IEEE80211_STATUS_ALG; /* XXX */
1157 goto bad;
1158 }
1159 switch (seq) {
1160 case IEEE80211_AUTH_SHARED_REQUEST:
1161 if (ni == ic->ic_bss) {
1162 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
1163 if (ni == NULL) {
1164 /* NB: no way to return an error */
1165 return;
1166 }
1167 allocbs = 1;
1168 } else {
1169 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1170 (void) ieee80211_ref_node(ni);
1171 allocbs = 0;
1172 }
1173 /*
1174 * Mark the node as referenced to reflect that its
1175 * reference count has been bumped to insure it remains
1176 * after the transaction completes.
1177 */
1178 ni->ni_flags |= IEEE80211_NODE_AREF;
1179 ni->ni_rssi = rssi;
1180 ni->ni_rstamp = rstamp;
1181 if (!alloc_challenge(ic, ni)) {
1182 /* NB: don't return error so they rexmit */
1183 return;
1184 }
1185 get_random_bytes(ni->ni_challenge,
1186 IEEE80211_CHALLENGE_LEN);
1187 IEEE80211_DPRINTF(ic,
1188 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1189 "[%s] shared key %sauth request\n",
1190 ether_sprintf(ni->ni_macaddr),
1191 allocbs ? "" : "re");
1192 break;
1193 case IEEE80211_AUTH_SHARED_RESPONSE:
1194 if (ni == ic->ic_bss) {
1195 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1196 ni->ni_macaddr, "shared key response",
1197 "%s", "unknown station");
1198 /* NB: don't send a response */
1199 return;
1200 }
1201 if (ni->ni_challenge == NULL) {
1202 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1203 ni->ni_macaddr, "shared key response",
1204 "%s", "no challenge recorded");
1205 ic->ic_stats.is_rx_bad_auth++;
1206 estatus = IEEE80211_STATUS_CHALLENGE;
1207 goto bad;
1208 }
1209 if (memcmp(ni->ni_challenge, &challenge[2],
1210 challenge[1]) != 0) {
1211 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1212 ni->ni_macaddr, "shared key response",
1213 "%s", "challenge mismatch");
1214 ic->ic_stats.is_rx_auth_fail++;
1215 estatus = IEEE80211_STATUS_CHALLENGE;
1216 goto bad;
1217 }
1218 IEEE80211_DPRINTF(ic,
1219 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1220 "[%s] station authenticated (shared key)\n",
1221 ether_sprintf(ni->ni_macaddr));
1222 ieee80211_node_authorize(ni);
1223 break;
1224 default:
1225 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1226 ni->ni_macaddr, "shared key auth",
1227 "bad seq %d", seq);
1228 ic->ic_stats.is_rx_bad_auth++;
1229 estatus = IEEE80211_STATUS_SEQUENCE;
1230 goto bad;
1231 }
1232 IEEE80211_SEND_MGMT(ic, ni,
1233 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1234 }
1235 #endif /* !IEEE80211_NO_HOSTAP */
1236 break;
1237
1238 case IEEE80211_M_STA:
1239 if (ic->ic_state != IEEE80211_S_AUTH)
1240 return;
1241 switch (seq) {
1242 case IEEE80211_AUTH_SHARED_PASS:
1243 if (ni->ni_challenge != NULL) {
1244 free(ni->ni_challenge, M_DEVBUF);
1245 ni->ni_challenge = NULL;
1246 }
1247 if (status != 0) {
1248 IEEE80211_DPRINTF(ic,
1249 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1250 "[%s] shared key auth failed (reason %d)\n",
1251 ether_sprintf(ieee80211_getbssid(ic, wh)),
1252 status);
1253 /* XXX can this happen? */
1254 if (ni != ic->ic_bss)
1255 ni->ni_fails++;
1256 ic->ic_stats.is_rx_auth_fail++;
1257 return;
1258 }
1259 ieee80211_new_state(ic, IEEE80211_S_ASSOC,
1260 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
1261 break;
1262 case IEEE80211_AUTH_SHARED_CHALLENGE:
1263 if (!alloc_challenge(ic, ni))
1264 return;
1265 /* XXX could optimize by passing recvd challenge */
1266 memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1267 IEEE80211_SEND_MGMT(ic, ni,
1268 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1269 break;
1270 default:
1271 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH,
1272 wh, "shared key auth", "bad seq %d", seq);
1273 ic->ic_stats.is_rx_bad_auth++;
1274 return;
1275 }
1276 break;
1277 }
1278 return;
1279 bad:
1280 #ifndef IEEE80211_NO_HOSTAP
1281 /*
1282 * Send an error response; but only when operating as an AP.
1283 */
1284 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
1285 /* XXX hack to workaround calling convention */
1286 ieee80211_send_error(ic, ni, wh->i_addr2,
1287 IEEE80211_FC0_SUBTYPE_AUTH,
1288 (seq + 1) | (estatus<<16));
1289 } else if (ic->ic_opmode == IEEE80211_M_STA) {
1290 /*
1291 * Kick the state machine. This short-circuits
1292 * using the mgt frame timeout to trigger the
1293 * state transition.
1294 */
1295 if (ic->ic_state == IEEE80211_S_AUTH)
1296 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
1297 }
1298 #else
1299 ;
1300 #endif /* !IEEE80211_NO_HOSTAP */
1301 }
1302
1303 /* Verify the existence and length of __elem or get out. */
1304 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \
1305 if ((__elem) == NULL) { \
1306 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
1307 wh, ieee80211_mgt_subtype_name[subtype >> \
1308 IEEE80211_FC0_SUBTYPE_SHIFT], \
1309 "%s", "no " #__elem ); \
1310 ic->ic_stats.is_rx_elem_missing++; \
1311 return; \
1312 } \
1313 if ((__elem)[1] > (__maxlen)) { \
1314 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
1315 wh, ieee80211_mgt_subtype_name[subtype >> \
1316 IEEE80211_FC0_SUBTYPE_SHIFT], \
1317 "bad " #__elem " len %d", (__elem)[1]); \
1318 ic->ic_stats.is_rx_elem_toobig++; \
1319 return; \
1320 } \
1321 } while (0)
1322
1323 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \
1324 if ((_len) < (_minlen)) { \
1325 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
1326 wh, ieee80211_mgt_subtype_name[subtype >> \
1327 IEEE80211_FC0_SUBTYPE_SHIFT], \
1328 "%s", "ie too short"); \
1329 ic->ic_stats.is_rx_elem_toosmall++; \
1330 return; \
1331 } \
1332 } while (0)
1333
1334 #ifdef IEEE80211_DEBUG
1335 static void
ieee80211_ssid_mismatch(struct ieee80211com * ic,const char * tag,u_int8_t mac[IEEE80211_ADDR_LEN],u_int8_t * ssid)1336 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag,
1337 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid)
1338 {
1339 printf("[%s] discard %s frame, ssid mismatch: ",
1340 ether_sprintf(mac), tag);
1341 ieee80211_print_essid(ssid + 2, ssid[1]);
1342 printf("\n");
1343 }
1344
1345 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \
1346 if ((_ssid)[1] != 0 && \
1347 ((_ssid)[1] != (_ni)->ni_esslen || \
1348 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \
1349 if (ieee80211_msg_input(ic)) \
1350 ieee80211_ssid_mismatch(ic, \
1351 ieee80211_mgt_subtype_name[subtype >> \
1352 IEEE80211_FC0_SUBTYPE_SHIFT], \
1353 wh->i_addr2, _ssid); \
1354 ic->ic_stats.is_rx_ssidmismatch++; \
1355 return; \
1356 } \
1357 } while (0)
1358 #else /* !IEEE80211_DEBUG */
1359 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \
1360 if ((_ssid)[1] != 0 && \
1361 ((_ssid)[1] != (_ni)->ni_esslen || \
1362 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \
1363 ic->ic_stats.is_rx_ssidmismatch++; \
1364 return; \
1365 } \
1366 } while (0)
1367 #endif /* !IEEE80211_DEBUG */
1368
1369 /* unaligned little endian access */
1370 #define LE_READ_2(p) \
1371 ((u_int16_t) \
1372 ((((const u_int8_t *)(p))[0] ) | \
1373 (((const u_int8_t *)(p))[1] << 8)))
1374 #define LE_READ_4(p) \
1375 ((u_int32_t) \
1376 ((((const u_int8_t *)(p))[0] ) | \
1377 (((const u_int8_t *)(p))[1] << 8) | \
1378 (((const u_int8_t *)(p))[2] << 16) | \
1379 (((const u_int8_t *)(p))[3] << 24)))
1380
1381 static __inline int
iswpaoui(const u_int8_t * frm)1382 iswpaoui(const u_int8_t *frm)
1383 {
1384 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI);
1385 }
1386
1387 static __inline int
iswmeoui(const u_int8_t * frm)1388 iswmeoui(const u_int8_t *frm)
1389 {
1390 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI);
1391 }
1392
1393 static __inline int
iswmeparam(const u_int8_t * frm)1394 iswmeparam(const u_int8_t *frm)
1395 {
1396 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) &&
1397 frm[6] == WME_PARAM_OUI_SUBTYPE;
1398 }
1399
1400 static __inline int
iswmeinfo(const u_int8_t * frm)1401 iswmeinfo(const u_int8_t *frm)
1402 {
1403 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) &&
1404 frm[6] == WME_INFO_OUI_SUBTYPE;
1405 }
1406
1407 /*
1408 * Convert a WPA cipher selector OUI to an internal
1409 * cipher algorithm. Where appropriate we also
1410 * record any key length.
1411 */
1412 static int
wpa_cipher(u_int8_t * sel,u_int8_t * keylen)1413 wpa_cipher(u_int8_t *sel, u_int8_t *keylen)
1414 {
1415 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1416 u_int32_t w = LE_READ_4(sel);
1417
1418 switch (w) {
1419 case WPA_SEL(WPA_CSE_NULL):
1420 return IEEE80211_CIPHER_NONE;
1421 case WPA_SEL(WPA_CSE_WEP40):
1422 if (keylen)
1423 *keylen = 40 / NBBY;
1424 return IEEE80211_CIPHER_WEP;
1425 case WPA_SEL(WPA_CSE_WEP104):
1426 if (keylen)
1427 *keylen = 104 / NBBY;
1428 return IEEE80211_CIPHER_WEP;
1429 case WPA_SEL(WPA_CSE_TKIP):
1430 return IEEE80211_CIPHER_TKIP;
1431 case WPA_SEL(WPA_CSE_CCMP):
1432 return IEEE80211_CIPHER_AES_CCM;
1433 }
1434 return 32; /* NB: so 1<< is discarded */
1435 #undef WPA_SEL
1436 }
1437
1438 /*
1439 * Convert a WPA key management/authentication algorithm
1440 * to an internal code.
1441 */
1442 static int
wpa_keymgmt(u_int8_t * sel)1443 wpa_keymgmt(u_int8_t *sel)
1444 {
1445 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1446 u_int32_t w = LE_READ_4(sel);
1447
1448 switch (w) {
1449 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1450 return WPA_ASE_8021X_UNSPEC;
1451 case WPA_SEL(WPA_ASE_8021X_PSK):
1452 return WPA_ASE_8021X_PSK;
1453 case WPA_SEL(WPA_ASE_NONE):
1454 return WPA_ASE_NONE;
1455 }
1456 return 0; /* NB: so is discarded */
1457 #undef WPA_SEL
1458 }
1459
1460 /*
1461 * Parse a WPA information element to collect parameters
1462 * and validate the parameters against what has been
1463 * configured for the system.
1464 */
1465 static int
ieee80211_parse_wpa(struct ieee80211com * ic,u_int8_t * frm,struct ieee80211_rsnparms * rsn,const struct ieee80211_frame * wh)1466 ieee80211_parse_wpa(struct ieee80211com *ic, u_int8_t *frm,
1467 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1468 {
1469 u_int8_t len = frm[1];
1470 u_int32_t w;
1471 int n;
1472
1473 /*
1474 * Check the length once for fixed parts: OUI, type,
1475 * version, mcast cipher, and 2 selector counts.
1476 * Other, variable-length data, must be checked separately.
1477 */
1478 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) {
1479 IEEE80211_DISCARD_IE(ic,
1480 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1481 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags);
1482 return IEEE80211_REASON_IE_INVALID;
1483 }
1484 if (len < 14) {
1485 IEEE80211_DISCARD_IE(ic,
1486 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1487 wh, "WPA", "too short, len %u", len);
1488 return IEEE80211_REASON_IE_INVALID;
1489 }
1490 frm += 6, len -= 4; /* NB: len is payload only */
1491 /* NB: iswapoui already validated the OUI and type */
1492 w = LE_READ_2(frm);
1493 if (w != WPA_VERSION) {
1494 IEEE80211_DISCARD_IE(ic,
1495 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1496 wh, "WPA", "bad version %u", w);
1497 return IEEE80211_REASON_IE_INVALID;
1498 }
1499 frm += 2, len -= 2;
1500
1501 /* multicast/group cipher */
1502 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1503 if (w != rsn->rsn_mcastcipher) {
1504 IEEE80211_DISCARD_IE(ic,
1505 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1506 wh, "WPA", "mcast cipher mismatch; got %u, expected %u",
1507 w, rsn->rsn_mcastcipher);
1508 return IEEE80211_REASON_IE_INVALID;
1509 }
1510 frm += 4, len -= 4;
1511
1512 /* unicast ciphers */
1513 n = LE_READ_2(frm);
1514 frm += 2, len -= 2;
1515 if (len < n*4+2) {
1516 IEEE80211_DISCARD_IE(ic,
1517 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1518 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1519 len, n);
1520 return IEEE80211_REASON_IE_INVALID;
1521 }
1522 w = 0;
1523 for (; n > 0; n--) {
1524 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1525 frm += 4, len -= 4;
1526 }
1527 w &= rsn->rsn_ucastcipherset;
1528 if (w == 0) {
1529 IEEE80211_DISCARD_IE(ic,
1530 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1531 wh, "WPA", "%s", "ucast cipher set empty");
1532 return IEEE80211_REASON_IE_INVALID;
1533 }
1534 if (w & (1<<IEEE80211_CIPHER_TKIP))
1535 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1536 else
1537 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1538
1539 /* key management algorithms */
1540 n = LE_READ_2(frm);
1541 frm += 2, len -= 2;
1542 if (len < n*4) {
1543 IEEE80211_DISCARD_IE(ic,
1544 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1545 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1546 len, n);
1547 return IEEE80211_REASON_IE_INVALID;
1548 }
1549 w = 0;
1550 for (; n > 0; n--) {
1551 w |= wpa_keymgmt(frm);
1552 frm += 4, len -= 4;
1553 }
1554 w &= rsn->rsn_keymgmtset;
1555 if (w == 0) {
1556 IEEE80211_DISCARD_IE(ic,
1557 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1558 wh, "WPA", "%s", "no acceptable key mgmt alg");
1559 return IEEE80211_REASON_IE_INVALID;
1560 }
1561 if (w & WPA_ASE_8021X_UNSPEC)
1562 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1563 else
1564 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1565
1566 if (len > 2) /* optional capabilities */
1567 rsn->rsn_caps = LE_READ_2(frm);
1568
1569 return 0;
1570 }
1571
1572 /*
1573 * Convert an RSN cipher selector OUI to an internal
1574 * cipher algorithm. Where appropriate we also
1575 * record any key length.
1576 */
1577 static int
rsn_cipher(u_int8_t * sel,u_int8_t * keylen)1578 rsn_cipher(u_int8_t *sel, u_int8_t *keylen)
1579 {
1580 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1581 u_int32_t w = LE_READ_4(sel);
1582
1583 switch (w) {
1584 case RSN_SEL(RSN_CSE_NULL):
1585 return IEEE80211_CIPHER_NONE;
1586 case RSN_SEL(RSN_CSE_WEP40):
1587 if (keylen)
1588 *keylen = 40 / NBBY;
1589 return IEEE80211_CIPHER_WEP;
1590 case RSN_SEL(RSN_CSE_WEP104):
1591 if (keylen)
1592 *keylen = 104 / NBBY;
1593 return IEEE80211_CIPHER_WEP;
1594 case RSN_SEL(RSN_CSE_TKIP):
1595 return IEEE80211_CIPHER_TKIP;
1596 case RSN_SEL(RSN_CSE_CCMP):
1597 return IEEE80211_CIPHER_AES_CCM;
1598 case RSN_SEL(RSN_CSE_WRAP):
1599 return IEEE80211_CIPHER_AES_OCB;
1600 }
1601 return 32; /* NB: so 1<< is discarded */
1602 #undef WPA_SEL
1603 }
1604
1605 /*
1606 * Convert an RSN key management/authentication algorithm
1607 * to an internal code.
1608 */
1609 static int
rsn_keymgmt(u_int8_t * sel)1610 rsn_keymgmt(u_int8_t *sel)
1611 {
1612 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1613 u_int32_t w = LE_READ_4(sel);
1614
1615 switch (w) {
1616 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1617 return RSN_ASE_8021X_UNSPEC;
1618 case RSN_SEL(RSN_ASE_8021X_PSK):
1619 return RSN_ASE_8021X_PSK;
1620 case RSN_SEL(RSN_ASE_NONE):
1621 return RSN_ASE_NONE;
1622 }
1623 return 0; /* NB: so is discarded */
1624 #undef RSN_SEL
1625 }
1626
1627 /*
1628 * Parse a WPA/RSN information element to collect parameters
1629 * and validate the parameters against what has been
1630 * configured for the system.
1631 */
1632 static int
ieee80211_parse_rsn(struct ieee80211com * ic,u_int8_t * frm,struct ieee80211_rsnparms * rsn,const struct ieee80211_frame * wh)1633 ieee80211_parse_rsn(struct ieee80211com *ic, u_int8_t *frm,
1634 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1635 {
1636 u_int8_t len = frm[1];
1637 u_int32_t w;
1638 int n;
1639
1640 /*
1641 * Check the length once for fixed parts:
1642 * version, mcast cipher, and 2 selector counts.
1643 * Other, variable-length data, must be checked separately.
1644 */
1645 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) {
1646 IEEE80211_DISCARD_IE(ic,
1647 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1648 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags);
1649 return IEEE80211_REASON_IE_INVALID;
1650 }
1651 if (len < 10) {
1652 IEEE80211_DISCARD_IE(ic,
1653 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1654 wh, "RSN", "too short, len %u", len);
1655 return IEEE80211_REASON_IE_INVALID;
1656 }
1657 frm += 2;
1658 w = LE_READ_2(frm);
1659 if (w != RSN_VERSION) {
1660 IEEE80211_DISCARD_IE(ic,
1661 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1662 wh, "RSN", "bad version %u", w);
1663 return IEEE80211_REASON_IE_INVALID;
1664 }
1665 frm += 2, len -= 2;
1666
1667 /* multicast/group cipher */
1668 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1669 if (w != rsn->rsn_mcastcipher) {
1670 IEEE80211_DISCARD_IE(ic,
1671 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1672 wh, "RSN", "mcast cipher mismatch; got %u, expected %u",
1673 w, rsn->rsn_mcastcipher);
1674 return IEEE80211_REASON_IE_INVALID;
1675 }
1676 frm += 4, len -= 4;
1677
1678 /* unicast ciphers */
1679 n = LE_READ_2(frm);
1680 frm += 2, len -= 2;
1681 if (len < n*4+2) {
1682 IEEE80211_DISCARD_IE(ic,
1683 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1684 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1685 len, n);
1686 return IEEE80211_REASON_IE_INVALID;
1687 }
1688 w = 0;
1689 for (; n > 0; n--) {
1690 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1691 frm += 4, len -= 4;
1692 }
1693 w &= rsn->rsn_ucastcipherset;
1694 if (w == 0) {
1695 IEEE80211_DISCARD_IE(ic,
1696 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1697 wh, "RSN", "%s", "ucast cipher set empty");
1698 return IEEE80211_REASON_IE_INVALID;
1699 }
1700 if (w & (1<<IEEE80211_CIPHER_TKIP))
1701 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1702 else
1703 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1704
1705 /* key management algorithms */
1706 n = LE_READ_2(frm);
1707 frm += 2, len -= 2;
1708 if (len < n*4) {
1709 IEEE80211_DISCARD_IE(ic,
1710 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1711 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1712 len, n);
1713 return IEEE80211_REASON_IE_INVALID;
1714 }
1715 w = 0;
1716 for (; n > 0; n--) {
1717 w |= rsn_keymgmt(frm);
1718 frm += 4, len -= 4;
1719 }
1720 w &= rsn->rsn_keymgmtset;
1721 if (w == 0) {
1722 IEEE80211_DISCARD_IE(ic,
1723 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1724 wh, "RSN", "%s", "no acceptable key mgmt alg");
1725 return IEEE80211_REASON_IE_INVALID;
1726 }
1727 if (w & RSN_ASE_8021X_UNSPEC)
1728 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1729 else
1730 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1731
1732 /* optional RSN capabilities */
1733 if (len > 2)
1734 rsn->rsn_caps = LE_READ_2(frm);
1735 /* XXXPMKID */
1736
1737 return 0;
1738 }
1739
1740 static int
ieee80211_parse_wmeparams(struct ieee80211com * ic,u_int8_t * frm,const struct ieee80211_frame * wh)1741 ieee80211_parse_wmeparams(struct ieee80211com *ic, u_int8_t *frm,
1742 const struct ieee80211_frame *wh)
1743 {
1744 #define MS(_v, _f) (((_v) & _f) >> _f##_S)
1745 struct ieee80211_wme_state *wme = &ic->ic_wme;
1746 u_int len = frm[1], qosinfo;
1747 int i;
1748
1749 if (len < sizeof(struct ieee80211_wme_param)-2) {
1750 IEEE80211_DISCARD_IE(ic,
1751 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1752 wh, "WME", "too short, len %u", len);
1753 return -1;
1754 }
1755 qosinfo = frm[offsetof(struct ieee80211_wme_param, param_qosInfo)];
1756 qosinfo &= WME_QOSINFO_COUNT;
1757 /* XXX do proper check for wraparound */
1758 if (qosinfo == wme->wme_wmeChanParams.cap_info)
1759 return 0;
1760 frm += offsetof(struct ieee80211_wme_param, params_acParams);
1761 for (i = 0; i < WME_NUM_AC; i++) {
1762 struct wmeParams *wmep =
1763 &wme->wme_wmeChanParams.cap_wmeParams[i];
1764 /* NB: ACI not used */
1765 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM);
1766 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN);
1767 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN);
1768 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX);
1769 wmep->wmep_txopLimit = LE_READ_2(frm+2);
1770 frm += 4;
1771 }
1772 wme->wme_wmeChanParams.cap_info = qosinfo;
1773 return 1;
1774 #undef MS
1775 }
1776
1777 void
ieee80211_saveie(u_int8_t ** iep,const u_int8_t * ie)1778 ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie)
1779 {
1780 u_int ielen = ie[1]+2;
1781 /*
1782 * Record information element for later use.
1783 */
1784 if (*iep == NULL || (*iep)[1] != ie[1]) {
1785 if (*iep != NULL)
1786 free(*iep, M_DEVBUF);
1787 *iep = malloc(ielen, M_DEVBUF, M_NOWAIT);
1788 }
1789 if (*iep != NULL)
1790 memcpy(*iep, ie, ielen);
1791 /* XXX note failure */
1792 }
1793
1794 static void
ieee80211_update_adhoc_node(struct ieee80211com * ic,struct ieee80211_node * ni,struct ieee80211_frame * wh,struct ieee80211_scanparams * scan,int rssi,u_int32_t rstamp)1795 ieee80211_update_adhoc_node(struct ieee80211com *ic, struct ieee80211_node *ni,
1796 struct ieee80211_frame *wh, struct ieee80211_scanparams *scan, int rssi,
1797 u_int32_t rstamp)
1798 {
1799 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
1800 /*
1801 * Create a new entry in the neighbor table.
1802 * Records the TSF.
1803 */
1804 if ((ni = ieee80211_add_neighbor(ic, wh, scan)) == NULL)
1805 return;
1806 } else if (ni->ni_capinfo == 0) {
1807 /*
1808 * Initialize a node that was "faked up." Records
1809 * the TSF.
1810 *
1811 * No need to check for a change of BSSID: ni could
1812 * not have been the IBSS (ic_bss)
1813 */
1814 ieee80211_init_neighbor(ic, ni, wh, scan, 0);
1815 } else {
1816 /* Record TSF for potential resync. */
1817 memcpy(ni->ni_tstamp.data, scan->tstamp, sizeof(ni->ni_tstamp));
1818 }
1819
1820 ni->ni_rssi = rssi;
1821 ni->ni_rstamp = rstamp;
1822
1823 /* Mark a neighbor's change of BSSID. */
1824 if (IEEE80211_ADDR_EQ(wh->i_addr3, ni->ni_bssid))
1825 return;
1826
1827 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
1828
1829 if (ni != ic->ic_bss)
1830 return;
1831 else if (ic->ic_flags & IEEE80211_F_DESBSSID) {
1832 /*
1833 * Now, ni does not represent a network we
1834 * want to belong to, so start a scan.
1835 */
1836 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
1837 return;
1838 } else {
1839 /*
1840 * A RUN->RUN transition lets the driver
1841 * reprogram its BSSID filter.
1842 *
1843 * No need to SCAN, we already belong to
1844 * an IBSS that meets our criteria: channel,
1845 * SSID, etc. It could be harmful to scan,
1846 * too: if a scan does not detect nodes
1847 * belonging to my current IBSS, then we
1848 * will create a new IBSS at the end of
1849 * the scan, needlessly splitting the
1850 * network.
1851 */
1852 ieee80211_new_state(ic, IEEE80211_S_RUN, 0);
1853 }
1854 }
1855
1856 void
ieee80211_recv_mgmt(struct ieee80211com * ic,struct mbuf * m0,struct ieee80211_node * ni,int subtype,int rssi,u_int32_t rstamp)1857 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
1858 struct ieee80211_node *ni,
1859 int subtype, int rssi, u_int32_t rstamp)
1860 {
1861 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
1862 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
1863 struct ieee80211_frame *wh;
1864 u_int8_t *frm, *efrm;
1865 u_int8_t *ssid, *rates, *xrates, *wpa, *wme;
1866 int reassoc, resp, allocbs;
1867 u_int8_t rate;
1868
1869 wh = mtod(m0, struct ieee80211_frame *);
1870 frm = (u_int8_t *)&wh[1];
1871 efrm = mtod(m0, u_int8_t *) + m0->m_len;
1872 switch (subtype) {
1873 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1874 case IEEE80211_FC0_SUBTYPE_BEACON: {
1875 struct ieee80211_scanparams scan;
1876
1877 /*
1878 * We process beacon/probe response frames:
1879 * o when scanning, or
1880 * o station mode when associated (to collect state
1881 * updates such as 802.11g slot time), or
1882 * o adhoc mode (to discover neighbors)
1883 * Frames otherwise received are discarded.
1884 */
1885 if (!((ic->ic_flags & IEEE80211_F_SCAN) ||
1886 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) ||
1887 ic->ic_opmode == IEEE80211_M_IBSS)) {
1888 ic->ic_stats.is_rx_mgtdiscard++;
1889 return;
1890 }
1891 /*
1892 * beacon/probe response frame format
1893 * [8] time stamp
1894 * [2] beacon interval
1895 * [2] capability information
1896 * [tlv] ssid
1897 * [tlv] supported rates
1898 * [tlv] country information
1899 * [tlv] parameter set (FH/DS)
1900 * [tlv] erp information
1901 * [tlv] extended supported rates
1902 * [tlv] WME
1903 * [tlv] WPA or RSN
1904 */
1905 IEEE80211_VERIFY_LENGTH(efrm - frm, 12);
1906 memset(&scan, 0, sizeof(scan));
1907 scan.tstamp = frm; frm += 8;
1908 scan.bintval = le16toh(*(u_int16_t *)frm); frm += 2;
1909 scan.capinfo = le16toh(*(u_int16_t *)frm); frm += 2;
1910 scan.bchan = ieee80211_chan2ieee(ic, ic->ic_curchan);
1911 scan.chan = scan.bchan;
1912
1913 while (frm < efrm) {
1914 switch (*frm) {
1915 case IEEE80211_ELEMID_SSID:
1916 scan.ssid = frm;
1917 break;
1918 case IEEE80211_ELEMID_RATES:
1919 scan.rates = frm;
1920 break;
1921 case IEEE80211_ELEMID_COUNTRY:
1922 scan.country = frm;
1923 break;
1924 case IEEE80211_ELEMID_FHPARMS:
1925 if (ic->ic_phytype == IEEE80211_T_FH) {
1926 scan.fhdwell = LE_READ_2(&frm[2]);
1927 scan.chan = IEEE80211_FH_CHAN(frm[4], frm[5]);
1928 scan.fhindex = frm[6];
1929 }
1930 break;
1931 case IEEE80211_ELEMID_DSPARMS:
1932 /*
1933 * XXX hack this since depending on phytype
1934 * is problematic for multi-mode devices.
1935 */
1936 if (ic->ic_phytype != IEEE80211_T_FH)
1937 scan.chan = frm[2];
1938 break;
1939 case IEEE80211_ELEMID_TIM:
1940 /* XXX ATIM? */
1941 scan.tim = frm;
1942 scan.timoff = frm - mtod(m0, u_int8_t *);
1943 break;
1944 case IEEE80211_ELEMID_IBSSPARMS:
1945 break;
1946 case IEEE80211_ELEMID_XRATES:
1947 scan.xrates = frm;
1948 break;
1949 case IEEE80211_ELEMID_ERP:
1950 if (frm[1] != 1) {
1951 IEEE80211_DISCARD_IE(ic,
1952 IEEE80211_MSG_ELEMID, wh, "ERP",
1953 "bad len %u", frm[1]);
1954 ic->ic_stats.is_rx_elem_toobig++;
1955 break;
1956 }
1957 scan.erp = frm[2];
1958 break;
1959 case IEEE80211_ELEMID_RSN:
1960 scan.wpa = frm;
1961 break;
1962 case IEEE80211_ELEMID_VENDOR:
1963 if (iswpaoui(frm))
1964 scan.wpa = frm;
1965 else if (iswmeparam(frm) || iswmeinfo(frm))
1966 scan.wme = frm;
1967 /* XXX Atheros OUI support */
1968 break;
1969 default:
1970 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID,
1971 wh, "unhandled",
1972 "id %u, len %u", *frm, frm[1]);
1973 ic->ic_stats.is_rx_elem_unknown++;
1974 break;
1975 }
1976 frm += frm[1] + 2;
1977 }
1978 IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE);
1979 IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN);
1980 if (
1981 #if IEEE80211_CHAN_MAX < 255
1982 scan.chan > IEEE80211_CHAN_MAX ||
1983 #endif
1984 isclr(ic->ic_chan_active, scan.chan)) {
1985 IEEE80211_DISCARD(ic,
1986 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
1987 wh, ieee80211_mgt_subtype_name[subtype >>
1988 IEEE80211_FC0_SUBTYPE_SHIFT],
1989 "invalid channel %u", scan.chan);
1990 ic->ic_stats.is_rx_badchan++;
1991 return;
1992 }
1993 if (scan.chan != scan.bchan &&
1994 ic->ic_phytype != IEEE80211_T_FH) {
1995 /*
1996 * Frame was received on a channel different from the
1997 * one indicated in the DS params element id;
1998 * silently discard it.
1999 *
2000 * NB: this can happen due to signal leakage.
2001 * But we should take it for FH phy because
2002 * the rssi value should be correct even for
2003 * different hop pattern in FH.
2004 */
2005 IEEE80211_DISCARD(ic,
2006 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
2007 wh, ieee80211_mgt_subtype_name[subtype >>
2008 IEEE80211_FC0_SUBTYPE_SHIFT],
2009 "for off-channel %u", scan.chan);
2010 ic->ic_stats.is_rx_chanmismatch++;
2011 return;
2012 }
2013 if (!(IEEE80211_BINTVAL_MIN <= scan.bintval &&
2014 scan.bintval <= IEEE80211_BINTVAL_MAX)) {
2015 IEEE80211_DISCARD(ic,
2016 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
2017 wh, ieee80211_mgt_subtype_name[subtype >>
2018 IEEE80211_FC0_SUBTYPE_SHIFT],
2019 "bogus beacon interval", scan.bintval);
2020 ic->ic_stats.is_rx_badbintval++;
2021 return;
2022 }
2023
2024 if (ni != ic->ic_bss) {
2025 ni = ieee80211_refine_node_for_beacon(ic, ni,
2026 &ic->ic_channels[scan.chan], scan.ssid);
2027 }
2028 /*
2029 * Count frame now that we know it's to be processed.
2030 */
2031 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
2032 ic->ic_stats.is_rx_beacon++; /* XXX remove */
2033 IEEE80211_NODE_STAT(ni, rx_beacons);
2034 } else
2035 IEEE80211_NODE_STAT(ni, rx_proberesp);
2036
2037 /*
2038 * When operating in station mode, check for state updates.
2039 * Be careful to ignore beacons received while doing a
2040 * background scan. We consider only 11g/WMM stuff right now.
2041 */
2042 if (ic->ic_opmode == IEEE80211_M_STA &&
2043 ni->ni_associd != 0 &&
2044 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
2045 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
2046 /* record tsf of last beacon */
2047 memcpy(ni->ni_tstamp.data, scan.tstamp,
2048 sizeof(ni->ni_tstamp));
2049 if (ni->ni_erp != scan.erp) {
2050 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2051 "[%s] erp change: was 0x%x, now 0x%x\n",
2052 ether_sprintf(wh->i_addr2),
2053 ni->ni_erp, scan.erp);
2054 if (ic->ic_curmode == IEEE80211_MODE_11G &&
2055 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
2056 ic->ic_flags |= IEEE80211_F_USEPROT;
2057 else
2058 ic->ic_flags &= ~IEEE80211_F_USEPROT;
2059 ni->ni_erp = scan.erp;
2060 /* XXX statistic */
2061 }
2062 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) {
2063 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2064 "[%s] capabilities change: before 0x%x,"
2065 " now 0x%x\n",
2066 ether_sprintf(wh->i_addr2),
2067 ni->ni_capinfo, scan.capinfo);
2068 /*
2069 * NB: we assume short preamble doesn't
2070 * change dynamically
2071 */
2072 ieee80211_set_shortslottime(ic,
2073 ic->ic_curmode == IEEE80211_MODE_11A ||
2074 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
2075 ni->ni_capinfo = scan.capinfo;
2076 /* XXX statistic */
2077 }
2078 if (scan.wme != NULL &&
2079 (ni->ni_flags & IEEE80211_NODE_QOS) &&
2080 ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0)
2081 ieee80211_wme_updateparams(ic);
2082 if (scan.tim != NULL) {
2083 struct ieee80211_tim_ie *ie =
2084 (struct ieee80211_tim_ie *) scan.tim;
2085
2086 ni->ni_dtim_count = ie->tim_count;
2087 ni->ni_dtim_period = ie->tim_period;
2088 }
2089 if (ic->ic_flags & IEEE80211_F_SCAN)
2090 ieee80211_add_scan(ic, &scan, wh,
2091 subtype, rssi, rstamp);
2092 ic->ic_bmiss_count = 0;
2093 return;
2094 }
2095 /*
2096 * If scanning, just pass information to the scan module.
2097 */
2098 if (ic->ic_flags & IEEE80211_F_SCAN) {
2099 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
2100 /*
2101 * Actively scanning a channel marked passive;
2102 * send a probe request now that we know there
2103 * is 802.11 traffic present.
2104 *
2105 * XXX check if the beacon we recv'd gives
2106 * us what we need and suppress the probe req
2107 */
2108 ieee80211_probe_curchan(ic, 1);
2109 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
2110 }
2111 ieee80211_add_scan(ic, &scan, wh,
2112 subtype, rssi, rstamp);
2113 return;
2114 }
2115 if (scan.capinfo & IEEE80211_CAPINFO_IBSS)
2116 ieee80211_update_adhoc_node(ic, ni, wh, &scan, rssi,
2117 rstamp);
2118 break;
2119 }
2120
2121 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
2122 if (ic->ic_opmode == IEEE80211_M_STA ||
2123 ic->ic_state != IEEE80211_S_RUN) {
2124 ic->ic_stats.is_rx_mgtdiscard++;
2125 return;
2126 }
2127 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
2128 /* frame must be directed */
2129 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */
2130 return;
2131 }
2132
2133 /*
2134 * prreq frame format
2135 * [tlv] ssid
2136 * [tlv] supported rates
2137 * [tlv] extended supported rates
2138 */
2139 ssid = rates = xrates = NULL;
2140 while (frm < efrm) {
2141 switch (*frm) {
2142 case IEEE80211_ELEMID_SSID:
2143 ssid = frm;
2144 break;
2145 case IEEE80211_ELEMID_RATES:
2146 rates = frm;
2147 break;
2148 case IEEE80211_ELEMID_XRATES:
2149 xrates = frm;
2150 break;
2151 }
2152 frm += frm[1] + 2;
2153 }
2154 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2155 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
2156 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
2157 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
2158 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
2159 wh, ieee80211_mgt_subtype_name[subtype >>
2160 IEEE80211_FC0_SUBTYPE_SHIFT],
2161 "%s", "no ssid with ssid suppression enabled");
2162 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/
2163 return;
2164 }
2165
2166 if (ni == ic->ic_bss) {
2167 if (ic->ic_opmode != IEEE80211_M_IBSS)
2168 ni = ieee80211_tmp_node(ic, wh->i_addr2);
2169 else if (IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr))
2170 ;
2171 else {
2172 /*
2173 * XXX Cannot tell if the sender is operating
2174 * in ibss mode. But we need a new node to
2175 * send the response so blindly add them to the
2176 * neighbor table.
2177 */
2178 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta,
2179 wh->i_addr2);
2180 }
2181 if (ni == NULL)
2182 return;
2183 allocbs = 1;
2184 } else
2185 allocbs = 0;
2186 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2187 "[%s] recv probe req\n", ether_sprintf(wh->i_addr2));
2188 ni->ni_rssi = rssi;
2189 ni->ni_rstamp = rstamp;
2190 rate = ieee80211_setup_rates(ni, rates, xrates,
2191 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE
2192 | IEEE80211_R_DONEGO | IEEE80211_R_DODEL);
2193 if (rate & IEEE80211_RATE_BASIC) {
2194 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE,
2195 wh, ieee80211_mgt_subtype_name[subtype >>
2196 IEEE80211_FC0_SUBTYPE_SHIFT],
2197 "%s", "recv'd rate set invalid");
2198 } else {
2199 IEEE80211_SEND_MGMT(ic, ni,
2200 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0);
2201 }
2202 if (allocbs && ic->ic_opmode != IEEE80211_M_IBSS) {
2203 /* reclaim immediately */
2204 ieee80211_free_node(ni);
2205 }
2206 break;
2207
2208 case IEEE80211_FC0_SUBTYPE_AUTH: {
2209 u_int16_t algo, seq, status;
2210 /*
2211 * auth frame format
2212 * [2] algorithm
2213 * [2] sequence
2214 * [2] status
2215 * [tlv*] challenge
2216 */
2217 IEEE80211_VERIFY_LENGTH(efrm - frm, 6);
2218 algo = le16toh(*(u_int16_t *)frm);
2219 seq = le16toh(*(u_int16_t *)(frm + 2));
2220 status = le16toh(*(u_int16_t *)(frm + 4));
2221 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
2222 "[%s] recv auth frame with algorithm %d seq %d\n",
2223 ether_sprintf(wh->i_addr2), algo, seq);
2224 /*
2225 * Consult the ACL policy module if setup.
2226 */
2227 if (ic->ic_acl != NULL &&
2228 !ic->ic_acl->iac_check(ic, wh->i_addr2)) {
2229 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL,
2230 wh, "auth", "%s", "disallowed by ACL");
2231 ic->ic_stats.is_rx_acl++;
2232 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2233 IEEE80211_SEND_MGMT(ic, ni,
2234 IEEE80211_FC0_SUBTYPE_AUTH,
2235 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
2236 }
2237 return;
2238 }
2239 if (ic->ic_flags & IEEE80211_F_COUNTERM) {
2240 IEEE80211_DISCARD(ic,
2241 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
2242 wh, "auth", "%s", "TKIP countermeasures enabled");
2243 ic->ic_stats.is_rx_auth_countermeasures++;
2244 #ifndef IEEE80211_NO_HOSTAP
2245 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2246 IEEE80211_SEND_MGMT(ic, ni,
2247 IEEE80211_FC0_SUBTYPE_AUTH,
2248 IEEE80211_REASON_MIC_FAILURE);
2249 }
2250 #endif /* !IEEE80211_NO_HOSTAP */
2251 return;
2252 }
2253 if (algo == IEEE80211_AUTH_ALG_SHARED)
2254 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi,
2255 rstamp, seq, status);
2256 else if (algo == IEEE80211_AUTH_ALG_OPEN)
2257 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq,
2258 status);
2259 else {
2260 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2261 wh, "auth", "unsupported alg %d", algo);
2262 ic->ic_stats.is_rx_auth_unsupported++;
2263 #ifndef IEEE80211_NO_HOSTAP
2264 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2265 /* XXX not right */
2266 IEEE80211_SEND_MGMT(ic, ni,
2267 IEEE80211_FC0_SUBTYPE_AUTH,
2268 (seq+1) | (IEEE80211_STATUS_ALG<<16));
2269 }
2270 #endif /* !IEEE80211_NO_HOSTAP */
2271 return;
2272 }
2273 break;
2274 }
2275
2276 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
2277 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
2278 u_int16_t capinfo, lintval;
2279 struct ieee80211_rsnparms rsn;
2280 u_int8_t reason;
2281
2282 if (ic->ic_opmode != IEEE80211_M_HOSTAP ||
2283 ic->ic_state != IEEE80211_S_RUN) {
2284 ic->ic_stats.is_rx_mgtdiscard++;
2285 return;
2286 }
2287
2288 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2289 reassoc = 1;
2290 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2291 } else {
2292 reassoc = 0;
2293 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2294 }
2295 /*
2296 * asreq frame format
2297 * [2] capability information
2298 * [2] listen interval
2299 * [6*] current AP address (reassoc only)
2300 * [tlv] ssid
2301 * [tlv] supported rates
2302 * [tlv] extended supported rates
2303 * [tlv] WPA or RSN
2304 */
2305 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4));
2306 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) {
2307 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2308 wh, ieee80211_mgt_subtype_name[subtype >>
2309 IEEE80211_FC0_SUBTYPE_SHIFT],
2310 "%s", "wrong bssid");
2311 ic->ic_stats.is_rx_assoc_bss++;
2312 return;
2313 }
2314 capinfo = le16toh(*(u_int16_t *)frm); frm += 2;
2315 lintval = le16toh(*(u_int16_t *)frm); frm += 2;
2316 if (reassoc)
2317 frm += 6; /* ignore current AP info */
2318 ssid = rates = xrates = wpa = wme = NULL;
2319 while (frm < efrm) {
2320 switch (*frm) {
2321 case IEEE80211_ELEMID_SSID:
2322 ssid = frm;
2323 break;
2324 case IEEE80211_ELEMID_RATES:
2325 rates = frm;
2326 break;
2327 case IEEE80211_ELEMID_XRATES:
2328 xrates = frm;
2329 break;
2330 /* XXX verify only one of RSN and WPA ie's? */
2331 case IEEE80211_ELEMID_RSN:
2332 wpa = frm;
2333 break;
2334 case IEEE80211_ELEMID_VENDOR:
2335 if (iswpaoui(frm))
2336 wpa = frm;
2337 else if (iswmeinfo(frm))
2338 wme = frm;
2339 /* XXX Atheros OUI support */
2340 break;
2341 }
2342 frm += frm[1] + 2;
2343 }
2344 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2345 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
2346 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
2347
2348 if (ni == ic->ic_bss) {
2349 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2350 "[%s] deny %s request, sta not authenticated\n",
2351 ether_sprintf(wh->i_addr2),
2352 reassoc ? "reassoc" : "assoc");
2353 ieee80211_send_error(ic, ni, wh->i_addr2,
2354 IEEE80211_FC0_SUBTYPE_DEAUTH,
2355 IEEE80211_REASON_ASSOC_NOT_AUTHED);
2356 ic->ic_stats.is_rx_assoc_notauth++;
2357 return;
2358 }
2359 /* assert right associstion security credentials */
2360 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) {
2361 IEEE80211_DPRINTF(ic,
2362 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
2363 "[%s] no WPA/RSN IE in association request\n",
2364 ether_sprintf(wh->i_addr2));
2365 IEEE80211_SEND_MGMT(ic, ni,
2366 IEEE80211_FC0_SUBTYPE_DEAUTH,
2367 IEEE80211_REASON_RSN_REQUIRED);
2368 ieee80211_node_leave(ic, ni);
2369 /* XXX distinguish WPA/RSN? */
2370 ic->ic_stats.is_rx_assoc_badwpaie++;
2371 return;
2372 }
2373 if (wpa != NULL) {
2374 /*
2375 * Parse WPA information element. Note that
2376 * we initialize the param block from the node
2377 * state so that information in the IE overrides
2378 * our defaults. The resulting parameters are
2379 * installed below after the association is assured.
2380 */
2381 rsn = ni->ni_rsn;
2382 if (wpa[0] != IEEE80211_ELEMID_RSN)
2383 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh);
2384 else
2385 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh);
2386 if (reason != 0) {
2387 IEEE80211_SEND_MGMT(ic, ni,
2388 IEEE80211_FC0_SUBTYPE_DEAUTH, reason);
2389 ieee80211_node_leave(ic, ni);
2390 /* XXX distinguish WPA/RSN? */
2391 ic->ic_stats.is_rx_assoc_badwpaie++;
2392 return;
2393 }
2394 IEEE80211_DPRINTF(ic,
2395 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
2396 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n",
2397 ether_sprintf(wh->i_addr2),
2398 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN",
2399 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen,
2400 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen,
2401 rsn.rsn_keymgmt, rsn.rsn_caps);
2402 }
2403 /* discard challenge after association */
2404 if (ni->ni_challenge != NULL) {
2405 free(ni->ni_challenge, M_DEVBUF);
2406 ni->ni_challenge = NULL;
2407 }
2408 /* NB: 802.11 spec says to ignore station's privacy bit */
2409 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2410 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2411 "[%s] deny %s request, capability mismatch 0x%x\n",
2412 ether_sprintf(wh->i_addr2),
2413 reassoc ? "reassoc" : "assoc", capinfo);
2414 IEEE80211_SEND_MGMT(ic, ni, resp,
2415 IEEE80211_STATUS_CAPINFO);
2416 ieee80211_node_leave(ic, ni);
2417 ic->ic_stats.is_rx_assoc_capmismatch++;
2418 return;
2419 }
2420 rate = ieee80211_setup_rates(ni, rates, xrates,
2421 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE |
2422 IEEE80211_R_DONEGO | IEEE80211_R_DODEL);
2423 /*
2424 * If constrained to 11g-only stations reject an
2425 * 11b-only station. We cheat a bit here by looking
2426 * at the max negotiated xmit rate and assuming anyone
2427 * with a best rate <24Mb/s is an 11b station.
2428 */
2429 if ((rate & IEEE80211_RATE_BASIC) ||
2430 ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48)) {
2431 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2432 "[%s] deny %s request, rate set mismatch\n",
2433 ether_sprintf(wh->i_addr2),
2434 reassoc ? "reassoc" : "assoc");
2435 IEEE80211_SEND_MGMT(ic, ni, resp,
2436 IEEE80211_STATUS_BASIC_RATE);
2437 ieee80211_node_leave(ic, ni);
2438 ic->ic_stats.is_rx_assoc_norate++;
2439 return;
2440 }
2441 ni->ni_rssi = rssi;
2442 ni->ni_rstamp = rstamp;
2443 ni->ni_intval = lintval;
2444 ni->ni_capinfo = capinfo;
2445 ni->ni_chan = ic->ic_bss->ni_chan;
2446 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell;
2447 ni->ni_fhindex = ic->ic_bss->ni_fhindex;
2448 if (wpa != NULL) {
2449 /*
2450 * Record WPA/RSN parameters for station, mark
2451 * node as using WPA and record information element
2452 * for applications that require it.
2453 */
2454 ni->ni_rsn = rsn;
2455 ieee80211_saveie(&ni->ni_wpa_ie, wpa);
2456 } else if (ni->ni_wpa_ie != NULL) {
2457 /*
2458 * Flush any state from a previous association.
2459 */
2460 free(ni->ni_wpa_ie, M_DEVBUF);
2461 ni->ni_wpa_ie = NULL;
2462 }
2463 if (wme != NULL) {
2464 /*
2465 * Record WME parameters for station, mark node
2466 * as capable of QoS and record information
2467 * element for applications that require it.
2468 */
2469 ieee80211_saveie(&ni->ni_wme_ie, wme);
2470 ni->ni_flags |= IEEE80211_NODE_QOS;
2471 } else if (ni->ni_wme_ie != NULL) {
2472 /*
2473 * Flush any state from a previous association.
2474 */
2475 free(ni->ni_wme_ie, M_DEVBUF);
2476 ni->ni_wme_ie = NULL;
2477 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2478 }
2479 ieee80211_node_join(ic, ni, resp);
2480 break;
2481 }
2482
2483 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2484 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
2485 u_int16_t capinfo, associd;
2486 u_int16_t status;
2487
2488 if (ic->ic_opmode != IEEE80211_M_STA ||
2489 ic->ic_state != IEEE80211_S_ASSOC) {
2490 ic->ic_stats.is_rx_mgtdiscard++;
2491 return;
2492 }
2493
2494 /*
2495 * asresp frame format
2496 * [2] capability information
2497 * [2] status
2498 * [2] association ID
2499 * [tlv] supported rates
2500 * [tlv] extended supported rates
2501 * [tlv] WME
2502 */
2503 IEEE80211_VERIFY_LENGTH(efrm - frm, 6);
2504 ni = ic->ic_bss;
2505 capinfo = le16toh(*(u_int16_t *)frm);
2506 frm += 2;
2507 status = le16toh(*(u_int16_t *)frm);
2508 frm += 2;
2509 if (status != 0) {
2510 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2511 "[%s] %sassoc failed (reason %d)\n",
2512 ether_sprintf(wh->i_addr2),
2513 ISREASSOC(subtype) ? "re" : "", status);
2514 if (ni != ic->ic_bss) /* XXX never true? */
2515 ni->ni_fails++;
2516 ic->ic_stats.is_rx_auth_fail++; /* XXX */
2517 return;
2518 }
2519 associd = le16toh(*(u_int16_t *)frm);
2520 frm += 2;
2521
2522 rates = xrates = wpa = wme = NULL;
2523 while (frm < efrm) {
2524 switch (*frm) {
2525 case IEEE80211_ELEMID_RATES:
2526 rates = frm;
2527 break;
2528 case IEEE80211_ELEMID_XRATES:
2529 xrates = frm;
2530 break;
2531 case IEEE80211_ELEMID_VENDOR:
2532 if (iswmeoui(frm))
2533 wme = frm;
2534 /* XXX Atheros OUI support */
2535 break;
2536 }
2537 frm += frm[1] + 2;
2538 }
2539
2540 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2541 rate = ieee80211_setup_rates(ni, rates, xrates,
2542 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE |
2543 IEEE80211_R_DONEGO | IEEE80211_R_DODEL);
2544 if (rate & IEEE80211_RATE_BASIC) {
2545 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2546 "[%s] %sassoc failed (rate set mismatch)\n",
2547 ether_sprintf(wh->i_addr2),
2548 ISREASSOC(subtype) ? "re" : "");
2549 if (ni != ic->ic_bss) /* XXX never true? */
2550 ni->ni_fails++;
2551 ic->ic_stats.is_rx_assoc_norate++;
2552 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
2553 return;
2554 }
2555
2556 ni->ni_capinfo = capinfo;
2557 ni->ni_associd = associd;
2558 if (wme != NULL &&
2559 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) {
2560 ni->ni_flags |= IEEE80211_NODE_QOS;
2561 ieee80211_wme_updateparams(ic);
2562 } else
2563 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2564 /*
2565 * Configure state now that we are associated.
2566 *
2567 * XXX may need different/additional driver callbacks?
2568 */
2569 if (ic->ic_curmode == IEEE80211_MODE_11A ||
2570 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
2571 ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
2572 ic->ic_flags &= ~IEEE80211_F_USEBARKER;
2573 } else {
2574 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
2575 ic->ic_flags |= IEEE80211_F_USEBARKER;
2576 }
2577 ieee80211_set_shortslottime(ic,
2578 ic->ic_curmode == IEEE80211_MODE_11A ||
2579 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
2580 /*
2581 * Honor ERP protection.
2582 *
2583 * NB: ni_erp should zero for non-11g operation.
2584 * XXX check ic_curmode anyway?
2585 */
2586 if (ic->ic_curmode == IEEE80211_MODE_11G &&
2587 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
2588 ic->ic_flags |= IEEE80211_F_USEPROT;
2589 else
2590 ic->ic_flags &= ~IEEE80211_F_USEPROT;
2591 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2592 "[%s] %sassoc success: %s preamble, %s slot time%s%s\n",
2593 ether_sprintf(wh->i_addr2),
2594 ISREASSOC(subtype) ? "re" : "",
2595 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
2596 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
2597 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
2598 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : ""
2599 );
2600 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype);
2601 break;
2602 }
2603
2604 case IEEE80211_FC0_SUBTYPE_DEAUTH: {
2605 u_int16_t reason;
2606
2607 if (ic->ic_state == IEEE80211_S_SCAN) {
2608 ic->ic_stats.is_rx_mgtdiscard++;
2609 return;
2610 }
2611 /*
2612 * deauth frame format
2613 * [2] reason
2614 */
2615 IEEE80211_VERIFY_LENGTH(efrm - frm, 2);
2616 reason = le16toh(*(u_int16_t *)frm);
2617 ic->ic_stats.is_rx_deauth++;
2618 IEEE80211_NODE_STAT(ni, rx_deauth);
2619
2620 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
2621 /* Not intended for this station. */
2622 ic->ic_stats.is_rx_mgtdiscard++;
2623 break;
2624 }
2625 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
2626 "[%s] recv deauthenticate (reason %d)\n",
2627 ether_sprintf(ni->ni_macaddr), reason);
2628 switch (ic->ic_opmode) {
2629 case IEEE80211_M_STA:
2630 ieee80211_new_state(ic, IEEE80211_S_AUTH,
2631 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
2632 break;
2633 case IEEE80211_M_HOSTAP:
2634 #ifndef IEEE80211_NO_HOSTAP
2635 if (ni != ic->ic_bss)
2636 ieee80211_node_leave(ic, ni);
2637 #endif /* !IEEE80211_NO_HOSTAP */
2638 break;
2639 default:
2640 ic->ic_stats.is_rx_mgtdiscard++;
2641 break;
2642 }
2643 break;
2644 }
2645
2646 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2647 u_int16_t reason;
2648
2649 if (ic->ic_state != IEEE80211_S_RUN &&
2650 ic->ic_state != IEEE80211_S_ASSOC &&
2651 ic->ic_state != IEEE80211_S_AUTH) {
2652 ic->ic_stats.is_rx_mgtdiscard++;
2653 return;
2654 }
2655 /*
2656 * disassoc frame format
2657 * [2] reason
2658 */
2659 IEEE80211_VERIFY_LENGTH(efrm - frm, 2);
2660 reason = le16toh(*(u_int16_t *)frm);
2661 ic->ic_stats.is_rx_disassoc++;
2662 IEEE80211_NODE_STAT(ni, rx_disassoc);
2663
2664 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
2665 /* Not intended for this station. */
2666 ic->ic_stats.is_rx_mgtdiscard++;
2667 break;
2668 }
2669 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2670 "[%s] recv disassociate (reason %d)\n",
2671 ether_sprintf(ni->ni_macaddr), reason);
2672 switch (ic->ic_opmode) {
2673 case IEEE80211_M_STA:
2674 ieee80211_new_state(ic, IEEE80211_S_ASSOC,
2675 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
2676 break;
2677 case IEEE80211_M_HOSTAP:
2678 #ifndef IEEE80211_NO_HOSTAP
2679 if (ni != ic->ic_bss)
2680 ieee80211_node_leave(ic, ni);
2681 #endif /* !IEEE80211_NO_HOSTAP */
2682 break;
2683 default:
2684 ic->ic_stats.is_rx_mgtdiscard++;
2685 break;
2686 }
2687 break;
2688 }
2689 default:
2690 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2691 wh, "mgt", "subtype 0x%x not handled", subtype);
2692 ic->ic_stats.is_rx_badsubtype++;
2693 break;
2694 }
2695 #undef ISREASSOC
2696 #undef ISPROBE
2697 }
2698 #undef IEEE80211_VERIFY_LENGTH
2699 #undef IEEE80211_VERIFY_ELEMENT
2700
2701 #ifndef IEEE80211_NO_HOSTAP
2702 /*
2703 * Handle station power-save state change.
2704 */
2705 static void
ieee80211_node_pwrsave(struct ieee80211_node * ni,int enable)2706 ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable)
2707 {
2708 struct ieee80211com *ic = ni->ni_ic;
2709 struct mbuf *m;
2710
2711 if (enable) {
2712 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0)
2713 ic->ic_ps_sta++;
2714 ni->ni_flags |= IEEE80211_NODE_PWR_MGT;
2715 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2716 "[%s] power save mode on, %u sta's in ps mode\n",
2717 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta);
2718 return;
2719 }
2720
2721 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT)
2722 ic->ic_ps_sta--;
2723 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT;
2724 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2725 "[%s] power save mode off, %u sta's in ps mode\n",
2726 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta);
2727 /* XXX if no stations in ps mode, flush mc frames */
2728
2729 /*
2730 * Flush queued unicast frames.
2731 */
2732 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) {
2733 if (ic->ic_set_tim != NULL)
2734 ic->ic_set_tim(ni, 0); /* just in case */
2735 return;
2736 }
2737 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2738 "[%s] flush ps queue, %u packets queued\n",
2739 ether_sprintf(ni->ni_macaddr), IEEE80211_NODE_SAVEQ_QLEN(ni));
2740 for (;;) {
2741 int qlen;
2742
2743 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen);
2744 if (m == NULL)
2745 break;
2746 /*
2747 * If this is the last packet, turn off the TIM bit.
2748 * If there are more packets, set the more packets bit
2749 * in the mbuf so ieee80211_encap will mark the 802.11
2750 * head to indicate more data frames will follow.
2751 */
2752 if (qlen != 0)
2753 m->m_flags |= M_MORE_DATA;
2754 /* XXX need different driver interface */
2755 /* XXX bypasses q max */
2756 IF_ENQUEUE(&ic->ic_ifp->if_snd, m);
2757 }
2758 if (ic->ic_set_tim != NULL)
2759 ic->ic_set_tim(ni, 0);
2760 }
2761
2762 /*
2763 * Process a received ps-poll frame.
2764 */
2765 static void
ieee80211_recv_pspoll(struct ieee80211com * ic,struct ieee80211_node * ni,struct mbuf * m0)2766 ieee80211_recv_pspoll(struct ieee80211com *ic,
2767 struct ieee80211_node *ni, struct mbuf *m0)
2768 {
2769 struct ieee80211_frame_min *wh;
2770 struct mbuf *m;
2771 u_int16_t aid;
2772 int qlen;
2773
2774 wh = mtod(m0, struct ieee80211_frame_min *);
2775 if (ni->ni_associd == 0) {
2776 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2777 (struct ieee80211_frame *) wh, "ps-poll",
2778 "%s", "unassociated station");
2779 ic->ic_stats.is_ps_unassoc++;
2780 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2781 IEEE80211_REASON_NOT_ASSOCED);
2782 return;
2783 }
2784
2785 aid = le16toh(*(u_int16_t *)wh->i_dur);
2786 if (aid != ni->ni_associd) {
2787 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2788 (struct ieee80211_frame *) wh, "ps-poll",
2789 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2790 ni->ni_associd, aid);
2791 ic->ic_stats.is_ps_badaid++;
2792 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2793 IEEE80211_REASON_NOT_ASSOCED);
2794 return;
2795 }
2796
2797 /* Okay, take the first queued packet and put it out... */
2798 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen);
2799 if (m == NULL) {
2800 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2801 "[%s] recv ps-poll, but queue empty\n",
2802 ether_sprintf(wh->i_addr2));
2803 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2804 ic->ic_stats.is_ps_qempty++; /* XXX node stat */
2805 if (ic->ic_set_tim != NULL)
2806 ic->ic_set_tim(ni, 0); /* just in case */
2807 return;
2808 }
2809 /*
2810 * If there are more packets, set the more packets bit
2811 * in the packet dispatched to the station; otherwise
2812 * turn off the TIM bit.
2813 */
2814 if (qlen != 0) {
2815 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2816 "[%s] recv ps-poll, send packet, %u still queued\n",
2817 ether_sprintf(ni->ni_macaddr), qlen);
2818 m->m_flags |= M_MORE_DATA;
2819 } else {
2820 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2821 "[%s] recv ps-poll, send packet, queue empty\n",
2822 ether_sprintf(ni->ni_macaddr));
2823 if (ic->ic_set_tim != NULL)
2824 ic->ic_set_tim(ni, 0);
2825 }
2826 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2827 IF_ENQUEUE(&ic->ic_ifp->if_snd, m);
2828 }
2829 #endif /* !IEEE80211_NO_HOSTAP */
2830
2831 #ifdef IEEE80211_DEBUG
2832 /*
2833 * Debugging support.
2834 */
2835
2836 /*
2837 * Return the bssid of a frame.
2838 */
2839 static const u_int8_t *
ieee80211_getbssid(struct ieee80211com * ic,const struct ieee80211_frame * wh)2840 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh)
2841 {
2842 if (ic->ic_opmode == IEEE80211_M_STA)
2843 return wh->i_addr2;
2844 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS)
2845 return wh->i_addr1;
2846 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL)
2847 return wh->i_addr1;
2848 return wh->i_addr3;
2849 }
2850
2851 void
ieee80211_note(struct ieee80211com * ic,const char * fmt,...)2852 ieee80211_note(struct ieee80211com *ic, const char *fmt, ...)
2853 {
2854 char buf[128]; /* XXX */
2855 va_list ap;
2856
2857 va_start(ap, fmt);
2858 vsnprintf(buf, sizeof(buf), fmt, ap);
2859 va_end(ap);
2860
2861 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */
2862 }
2863
2864 void
ieee80211_note_frame(struct ieee80211com * ic,const struct ieee80211_frame * wh,const char * fmt,...)2865 ieee80211_note_frame(struct ieee80211com *ic,
2866 const struct ieee80211_frame *wh,
2867 const char *fmt, ...)
2868 {
2869 char buf[128]; /* XXX */
2870 va_list ap;
2871
2872 va_start(ap, fmt);
2873 vsnprintf(buf, sizeof(buf), fmt, ap);
2874 va_end(ap);
2875 if_printf(ic->ic_ifp, "[%s] %s\n",
2876 ether_sprintf(ieee80211_getbssid(ic, wh)), buf);
2877 }
2878
2879 void
ieee80211_note_mac(struct ieee80211com * ic,const u_int8_t mac[IEEE80211_ADDR_LEN],const char * fmt,...)2880 ieee80211_note_mac(struct ieee80211com *ic,
2881 const u_int8_t mac[IEEE80211_ADDR_LEN],
2882 const char *fmt, ...)
2883 {
2884 char buf[128]; /* XXX */
2885 va_list ap;
2886
2887 va_start(ap, fmt);
2888 vsnprintf(buf, sizeof(buf), fmt, ap);
2889 va_end(ap);
2890 if_printf(ic->ic_ifp, "[%s] %s\n", ether_sprintf(mac), buf);
2891 }
2892
2893 static void
ieee80211_discard_frame(struct ieee80211com * ic,const struct ieee80211_frame * wh,const char * type,const char * fmt,...)2894 ieee80211_discard_frame(struct ieee80211com *ic,
2895 const struct ieee80211_frame *wh,
2896 const char *type, const char *fmt, ...)
2897 {
2898 va_list ap;
2899
2900 printf("[%s:%s] discard ", ic->ic_ifp->if_xname,
2901 ether_sprintf(ieee80211_getbssid(ic, wh)));
2902 if (type != NULL)
2903 printf("%s frame, ", type);
2904 else
2905 printf("frame, ");
2906 va_start(ap, fmt);
2907 vprintf(fmt, ap);
2908 va_end(ap);
2909 printf("\n");
2910 }
2911
2912 static void
ieee80211_discard_ie(struct ieee80211com * ic,const struct ieee80211_frame * wh,const char * type,const char * fmt,...)2913 ieee80211_discard_ie(struct ieee80211com *ic,
2914 const struct ieee80211_frame *wh,
2915 const char *type, const char *fmt, ...)
2916 {
2917 va_list ap;
2918
2919 printf("[%s:%s] discard ", ic->ic_ifp->if_xname,
2920 ether_sprintf(ieee80211_getbssid(ic, wh)));
2921 if (type != NULL)
2922 printf("%s information element, ", type);
2923 else
2924 printf("information element, ");
2925 va_start(ap, fmt);
2926 vprintf(fmt, ap);
2927 va_end(ap);
2928 printf("\n");
2929 }
2930
2931 static void
ieee80211_discard_mac(struct ieee80211com * ic,const u_int8_t mac[IEEE80211_ADDR_LEN],const char * type,const char * fmt,...)2932 ieee80211_discard_mac(struct ieee80211com *ic,
2933 const u_int8_t mac[IEEE80211_ADDR_LEN],
2934 const char *type, const char *fmt, ...)
2935 {
2936 va_list ap;
2937
2938 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, ether_sprintf(mac));
2939 if (type != NULL)
2940 printf("%s frame, ", type);
2941 else
2942 printf("frame, ");
2943 va_start(ap, fmt);
2944 vprintf(fmt, ap);
2945 va_end(ap);
2946 printf("\n");
2947 }
2948 #endif /* IEEE80211_DEBUG */
2949