1 /* 2 * Copyright (c) 2001 Atsushi Onoe 3 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. The name of the author may not be used to endorse or promote products 15 * derived from this software without specific prior written permission. 16 * 17 * Alternatively, this software may be distributed under the terms of the 18 * GNU General Public License ("GPL") version 2 as published by the Free 19 * Software Foundation. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 * 32 * $FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.62.2.14 2006/09/02 15:16:12 sam Exp $ 33 * $DragonFly: src/sys/netproto/802_11/wlan/ieee80211_input.c,v 1.22 2008/03/04 13:48:40 sephe Exp $ 34 */ 35 36 #include <sys/param.h> 37 #include <sys/systm.h> 38 #include <sys/mbuf.h> 39 #include <sys/malloc.h> 40 #include <sys/endian.h> 41 #include <sys/kernel.h> 42 #include <sys/serialize.h> 43 44 #include <sys/socket.h> 45 46 #include <net/if.h> 47 #include <net/if_arp.h> 48 #include <net/ifq_var.h> 49 #include <net/if_media.h> 50 #include <net/ethernet.h> 51 #include <net/if_llc.h> 52 #include <net/vlan/if_vlan_var.h> 53 54 #include <netproto/802_11/ieee80211_var.h> 55 56 #include <net/bpf.h> 57 58 #ifdef IEEE80211_DEBUG 59 #include <machine/stdarg.h> 60 61 /* 62 * Decide if a received management frame should be 63 * printed when debugging is enabled. This filters some 64 * of the less interesting frames that come frequently 65 * (e.g. beacons). 66 */ 67 static __inline int 68 doprint(struct ieee80211com *ic, int subtype) 69 { 70 switch (subtype) { 71 case IEEE80211_FC0_SUBTYPE_BEACON: 72 return (ic->ic_flags & IEEE80211_F_SCAN); 73 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 74 return (ic->ic_opmode == IEEE80211_M_IBSS); 75 } 76 return 1; 77 } 78 79 /* 80 * Emit a debug message about discarding a frame or information 81 * element. One format is for extracting the mac address from 82 * the frame header; the other is for when a header is not 83 * available or otherwise appropriate. 84 */ 85 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \ 86 if ((_ic)->ic_debug & (_m)) \ 87 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 88 } while (0) 89 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \ 90 if ((_ic)->ic_debug & (_m)) \ 91 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 92 } while (0) 93 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \ 94 if ((_ic)->ic_debug & (_m)) \ 95 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\ 96 } while (0) 97 98 static const uint8_t *ieee80211_getbssid(struct ieee80211com *, 99 const struct ieee80211_frame *); 100 static void ieee80211_discard_frame(struct ieee80211com *, 101 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 102 static void ieee80211_discard_ie(struct ieee80211com *, 103 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 104 static void ieee80211_discard_mac(struct ieee80211com *, 105 const uint8_t mac[IEEE80211_ADDR_LEN], const char *type, 106 const char *fmt, ...); 107 #else 108 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) 109 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) 110 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) 111 #endif /* IEEE80211_DEBUG */ 112 113 static struct mbuf *ieee80211_defrag(struct ieee80211com *, 114 struct ieee80211_node *, struct mbuf *, int); 115 static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int); 116 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *, 117 const uint8_t *mac, int subtype, int arg); 118 static void ieee80211_deliver_data(struct ieee80211com *, 119 struct ieee80211_node *, struct mbuf *); 120 static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable); 121 static void ieee80211_recv_pspoll(struct ieee80211com *, 122 struct ieee80211_node *, struct mbuf *); 123 124 /* 125 * Process a received frame. The node associated with the sender 126 * should be supplied. If nothing was found in the node table then 127 * the caller is assumed to supply a reference to ic_bss instead. 128 * The RSSI and a timestamp are also supplied. The RSSI data is used 129 * during AP scanning to select a AP to associate with; it can have 130 * any units so long as values have consistent units and higher values 131 * mean ``better signal''. The receive timestamp is currently not used 132 * by the 802.11 layer. 133 */ 134 int 135 ieee80211_input(struct ieee80211com *ic, struct mbuf *m, 136 struct ieee80211_node *ni, int rssi, uint32_t rstamp) 137 { 138 return ieee80211_input_withiv(ic, m, ni, rssi, rstamp, NULL); 139 } 140 141 int 142 ieee80211_input_withiv(struct ieee80211com *ic, struct mbuf *m, 143 struct ieee80211_node *ni, int rssi, uint32_t rstamp, 144 const struct ieee80211_crypto_iv *iv) 145 { 146 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 147 #define HAS_SEQ(type) ((type & 0x4) == 0) 148 struct ifnet *ifp = ic->ic_ifp; 149 struct ieee80211_frame *wh; 150 struct ieee80211_key *key; 151 struct ether_header *eh; 152 int hdrspace, need_tap; 153 uint8_t dir, type, subtype; 154 uint8_t *bssid; 155 uint16_t rxseq; 156 157 ASSERT_SERIALIZED(ifp->if_serializer); 158 159 KASSERT(ni != NULL, ("null node")); 160 ni->ni_inact = ni->ni_inact_reload; 161 162 need_tap = 1; /* mbuf need to be tapped */ 163 type = -1; /* undefined */ 164 /* 165 * In monitor mode, send everything directly to bpf. 166 * XXX may want to include the CRC 167 */ 168 if (ic->ic_opmode == IEEE80211_M_MONITOR) 169 goto out; 170 171 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 172 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 173 ni->ni_macaddr, NULL, 174 "too short (1): len %u", m->m_pkthdr.len); 175 ic->ic_stats.is_rx_tooshort++; 176 goto out; 177 } 178 /* 179 * Bit of a cheat here, we use a pointer for a 3-address 180 * frame format but don't reference fields past outside 181 * ieee80211_frame_min w/o first validating the data is 182 * present. 183 */ 184 wh = mtod(m, struct ieee80211_frame *); 185 186 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 187 IEEE80211_FC0_VERSION_0) { 188 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 189 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 190 ic->ic_stats.is_rx_badversion++; 191 goto err; 192 } 193 194 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 195 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 196 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 197 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 198 switch (ic->ic_opmode) { 199 case IEEE80211_M_STA: 200 bssid = wh->i_addr2; 201 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 202 /* not interested in */ 203 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 204 bssid, NULL, "%s", "not to bss"); 205 ic->ic_stats.is_rx_wrongbss++; 206 goto out; 207 } 208 break; 209 case IEEE80211_M_IBSS: 210 case IEEE80211_M_AHDEMO: 211 case IEEE80211_M_HOSTAP: 212 if (dir != IEEE80211_FC1_DIR_NODS) 213 bssid = wh->i_addr1; 214 else if (type == IEEE80211_FC0_TYPE_CTL) 215 bssid = wh->i_addr1; 216 else { 217 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 218 IEEE80211_DISCARD_MAC(ic, 219 IEEE80211_MSG_ANY, ni->ni_macaddr, 220 NULL, "too short (2): len %u", 221 m->m_pkthdr.len); 222 ic->ic_stats.is_rx_tooshort++; 223 goto out; 224 } 225 bssid = wh->i_addr3; 226 } 227 if (type != IEEE80211_FC0_TYPE_DATA) 228 break; 229 /* 230 * Data frame, validate the bssid. 231 */ 232 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 233 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 234 /* not interested in */ 235 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 236 bssid, NULL, "%s", "not to bss"); 237 ic->ic_stats.is_rx_wrongbss++; 238 goto out; 239 } 240 /* 241 * For adhoc mode we cons up a node when it doesn't 242 * exist. This should probably done after an ACL check. 243 */ 244 if (ni == ic->ic_bss && 245 ic->ic_opmode != IEEE80211_M_HOSTAP && 246 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 247 /* 248 * Fake up a node for this newly 249 * discovered member of the IBSS. 250 */ 251 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 252 wh->i_addr2); 253 if (ni == NULL) { 254 /* NB: stat kept for alloc failure */ 255 goto err; 256 } 257 } 258 break; 259 default: 260 goto out; 261 } 262 ni->ni_rssi = rssi; 263 ni->ni_rstamp = rstamp; 264 if (HAS_SEQ(type) && !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 265 uint8_t tid; 266 if (IEEE80211_QOS_HAS_SEQ(wh)) { 267 tid = ((struct ieee80211_qosframe *)wh)-> 268 i_qos[0] & IEEE80211_QOS_TID; 269 if (TID_TO_WME_AC(tid) >= WME_AC_VI) 270 ic->ic_wme.wme_hipri_traffic++; 271 tid++; 272 } else 273 tid = 0; 274 rxseq = le16toh(*(uint16_t *)wh->i_seq); 275 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 276 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 277 /* duplicate, discard */ 278 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 279 bssid, "duplicate", 280 "seqno <%u,%u> fragno <%u,%u> tid %u", 281 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 282 ni->ni_rxseqs[tid] >> 283 IEEE80211_SEQ_SEQ_SHIFT, 284 rxseq & IEEE80211_SEQ_FRAG_MASK, 285 ni->ni_rxseqs[tid] & 286 IEEE80211_SEQ_FRAG_MASK, 287 tid); 288 ic->ic_stats.is_rx_dup++; 289 IEEE80211_NODE_STAT(ni, rx_dup); 290 goto out; 291 } 292 ni->ni_rxseqs[tid] = rxseq; 293 } 294 } 295 296 switch (type) { 297 case IEEE80211_FC0_TYPE_DATA: 298 hdrspace = ieee80211_hdrspace(ic, wh); 299 if (m->m_len < hdrspace && 300 (m = m_pullup(m, hdrspace)) == NULL) { 301 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 302 ni->ni_macaddr, NULL, 303 "data too short: expecting %u", hdrspace); 304 ic->ic_stats.is_rx_tooshort++; 305 goto out; /* XXX */ 306 } 307 switch (ic->ic_opmode) { 308 case IEEE80211_M_STA: 309 if (dir != IEEE80211_FC1_DIR_FROMDS) { 310 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 311 wh, "data", "%s", "unknown dir 0x%x", dir); 312 ic->ic_stats.is_rx_wrongdir++; 313 goto out; 314 } 315 if ((ifp->if_flags & IFF_SIMPLEX) && 316 IEEE80211_IS_MULTICAST(wh->i_addr1) && 317 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 318 /* 319 * In IEEE802.11 network, multicast packet 320 * sent from me is broadcasted from AP. 321 * It should be silently discarded for 322 * SIMPLEX interface. 323 */ 324 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 325 wh, NULL, "%s", "multicast echo"); 326 ic->ic_stats.is_rx_mcastecho++; 327 goto out; 328 } 329 break; 330 case IEEE80211_M_IBSS: 331 case IEEE80211_M_AHDEMO: 332 if (dir != IEEE80211_FC1_DIR_NODS) { 333 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 334 wh, "data", "%s", "unknown dir 0x%x", dir); 335 ic->ic_stats.is_rx_wrongdir++; 336 goto out; 337 } 338 /* XXX no power-save support */ 339 break; 340 case IEEE80211_M_HOSTAP: 341 if (dir != IEEE80211_FC1_DIR_TODS) { 342 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 343 wh, "data", "%s", "unknown dir 0x%x", dir); 344 ic->ic_stats.is_rx_wrongdir++; 345 goto out; 346 } 347 /* check if source STA is associated */ 348 if (ni == ic->ic_bss) { 349 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 350 wh, "data", "%s", "unknown src"); 351 ieee80211_send_error(ic, ni, wh->i_addr2, 352 IEEE80211_FC0_SUBTYPE_DEAUTH, 353 IEEE80211_REASON_NOT_AUTHED); 354 ic->ic_stats.is_rx_notassoc++; 355 goto err; 356 } 357 if (ni->ni_associd == 0) { 358 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 359 wh, "data", "%s", "unassoc src"); 360 IEEE80211_SEND_MGMT(ic, ni, 361 IEEE80211_FC0_SUBTYPE_DISASSOC, 362 IEEE80211_REASON_NOT_ASSOCED); 363 ic->ic_stats.is_rx_notassoc++; 364 goto err; 365 } 366 367 /* 368 * Check for power save state change. 369 */ 370 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 371 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 372 ieee80211_node_pwrsave(ni, 373 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 374 break; 375 default: 376 /* XXX here to keep compiler happy */ 377 goto out; 378 } 379 380 /* 381 * Handle privacy requirements. Note that we 382 * must not be preempted from here until after 383 * we (potentially) call ieee80211_crypto_demic; 384 * otherwise we may violate assumptions in the 385 * crypto cipher modules used to do delayed update 386 * of replay sequence numbers. 387 */ 388 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 389 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 390 /* 391 * Discard encrypted frames when privacy is off. 392 */ 393 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 394 wh, "WEP", "%s", "PRIVACY off"); 395 ic->ic_stats.is_rx_noprivacy++; 396 IEEE80211_NODE_STAT(ni, rx_noprivacy); 397 goto out; 398 } 399 if (iv == NULL) { 400 key = ieee80211_crypto_decap(ic, ni, m, 401 hdrspace); 402 } else { 403 key = ieee80211_crypto_update(ic, ni, iv, wh); 404 } 405 if (key == NULL) { 406 /* NB: stats+msgs handled in crypto_decap */ 407 IEEE80211_NODE_STAT(ni, rx_wepfail); 408 goto out; 409 } 410 wh = mtod(m, struct ieee80211_frame *); 411 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 412 } else { 413 key = NULL; 414 } 415 416 /* 417 * Next up, any fragmentation. 418 */ 419 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 420 m = ieee80211_defrag(ic, ni, m, hdrspace); 421 if (m == NULL) { 422 /* Fragment dropped or frame not complete yet */ 423 goto out; 424 } 425 } 426 wh = NULL; /* no longer valid, catch any uses */ 427 428 /* 429 * Next strip any MSDU crypto bits. 430 */ 431 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) { 432 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 433 ni->ni_macaddr, "data", "%s", "demic error"); 434 ic->ic_stats.is_rx_demicfail++; 435 IEEE80211_NODE_STAT(ni, rx_demicfail); 436 goto out; 437 } 438 439 /* copy to listener after decrypt */ 440 if (ic->ic_rawbpf) 441 bpf_mtap(ic->ic_rawbpf, m); 442 need_tap = 0; 443 444 /* 445 * Finally, strip the 802.11 header. 446 */ 447 m = ieee80211_decap(ic, m, hdrspace); 448 if (m == NULL) { 449 /* don't count Null data frames as errors */ 450 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA) 451 goto out; 452 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 453 ni->ni_macaddr, "data", "%s", "decap error"); 454 ic->ic_stats.is_rx_decap++; 455 IEEE80211_NODE_STAT(ni, rx_decap); 456 goto err; 457 } 458 eh = mtod(m, struct ether_header *); 459 if (!ieee80211_node_is_authorized(ni)) { 460 /* 461 * Deny any non-PAE frames received prior to 462 * authorization. For open/shared-key 463 * authentication the port is mark authorized 464 * after authentication completes. For 802.1x 465 * the port is not marked authorized by the 466 * authenticator until the handshake has completed. 467 */ 468 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 469 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 470 eh->ether_shost, "data", 471 "unauthorized port: ether type 0x%x len %u", 472 eh->ether_type, m->m_pkthdr.len); 473 ic->ic_stats.is_rx_unauth++; 474 IEEE80211_NODE_STAT(ni, rx_unauth); 475 goto err; 476 } 477 } else { 478 /* 479 * When denying unencrypted frames, discard 480 * any non-PAE frames received without encryption. 481 */ 482 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) && 483 key == NULL && 484 eh->ether_type != htons(ETHERTYPE_PAE)) { 485 /* 486 * Drop unencrypted frames. 487 */ 488 ic->ic_stats.is_rx_unencrypted++; 489 IEEE80211_NODE_STAT(ni, rx_unencrypted); 490 goto out; 491 } 492 } 493 ieee80211_deliver_data(ic, ni, m); 494 return IEEE80211_FC0_TYPE_DATA; 495 496 case IEEE80211_FC0_TYPE_MGT: 497 ic->ic_stats.is_rx_mgmt++; 498 IEEE80211_NODE_STAT(ni, rx_mgmt); 499 if (dir != IEEE80211_FC1_DIR_NODS) { 500 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 501 wh, "data", "%s", "unknown dir 0x%x", dir); 502 ic->ic_stats.is_rx_wrongdir++; 503 goto err; 504 } 505 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 506 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 507 ni->ni_macaddr, "mgt", "too short: len %u", 508 m->m_pkthdr.len); 509 ic->ic_stats.is_rx_tooshort++; 510 goto out; 511 } 512 #ifdef IEEE80211_DEBUG 513 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 514 ieee80211_msg_dumppkts(ic)) { 515 if_printf(ic->ic_ifp, "received %s from %6D rssi %d\n", 516 ieee80211_mgt_subtype_name[subtype >> 517 IEEE80211_FC0_SUBTYPE_SHIFT], 518 wh->i_addr2, ":", rssi); 519 } 520 #endif 521 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 522 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 523 /* 524 * Only shared key auth frames with a challenge 525 * should be encrypted, discard all others. 526 */ 527 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 528 wh, ieee80211_mgt_subtype_name[subtype >> 529 IEEE80211_FC0_SUBTYPE_SHIFT], 530 "%s", "WEP set but not permitted"); 531 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */ 532 goto out; 533 } 534 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 535 /* 536 * Discard encrypted frames when privacy is off. 537 */ 538 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 539 wh, "mgt", "%s", "WEP set but PRIVACY off"); 540 ic->ic_stats.is_rx_noprivacy++; 541 goto out; 542 } 543 if (iv == NULL) { 544 hdrspace = ieee80211_hdrspace(ic, wh); 545 key = ieee80211_crypto_decap(ic, ni, m, 546 hdrspace); 547 } else { 548 key = ieee80211_crypto_update(ic, ni, iv, wh); 549 } 550 if (key == NULL) { 551 /* NB: stats+msgs handled in crypto_decap */ 552 goto out; 553 } 554 wh = mtod(m, struct ieee80211_frame *); 555 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 556 } 557 if (ic->ic_rawbpf) 558 bpf_mtap(ic->ic_rawbpf, m); 559 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 560 m_freem(m); 561 return type; 562 563 case IEEE80211_FC0_TYPE_CTL: 564 IEEE80211_NODE_STAT(ni, rx_ctrl); 565 ic->ic_stats.is_rx_ctl++; 566 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 567 switch (subtype) { 568 case IEEE80211_FC0_SUBTYPE_PS_POLL: 569 ieee80211_recv_pspoll(ic, ni, m); 570 break; 571 } 572 } 573 goto out; 574 default: 575 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 576 wh, NULL, "bad frame type 0x%x", type); 577 /* should not come here */ 578 break; 579 } 580 err: 581 ifp->if_ierrors++; 582 out: 583 if (m != NULL) { 584 if (ic->ic_rawbpf && need_tap) 585 bpf_mtap(ic->ic_rawbpf, m); 586 m_freem(m); 587 } 588 return type; 589 #undef SEQ_LEQ 590 } 591 592 /* 593 * This function reassemble fragments. 594 */ 595 static struct mbuf * 596 ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni, 597 struct mbuf *m, int hdrspace) 598 { 599 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 600 struct ieee80211_frame *lwh; 601 uint16_t rxseq; 602 uint8_t fragno; 603 uint8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG; 604 struct mbuf *mfrag; 605 606 KASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?")); 607 608 rxseq = le16toh(*(uint16_t *)wh->i_seq); 609 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK; 610 611 /* Quick way out, if there's nothing to defragment */ 612 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) 613 return m; 614 615 /* 616 * Remove frag to insure it doesn't get reaped by timer. 617 */ 618 if (ni->ni_table == NULL) { 619 /* 620 * Should never happen. If the node is orphaned (not in 621 * the table) then input packets should not reach here. 622 * Otherwise, a concurrent request that yanks the table 623 * should be blocked by other interlocking and/or by first 624 * shutting the driver down. Regardless, be defensive 625 * here and just bail 626 */ 627 /* XXX need msg+stat */ 628 m_freem(m); 629 return NULL; 630 } 631 mfrag = ni->ni_rxfrag[0]; 632 ni->ni_rxfrag[0] = NULL; 633 634 /* 635 * Validate new fragment is in order and 636 * related to the previous ones. 637 */ 638 if (mfrag != NULL) { 639 uint16_t last_rxseq; 640 641 lwh = mtod(mfrag, struct ieee80211_frame *); 642 last_rxseq = le16toh(*(uint16_t *)lwh->i_seq); 643 /* NB: check seq # and frag together */ 644 if (rxseq != last_rxseq+1 || 645 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) || 646 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { 647 /* 648 * Unrelated fragment or no space for it, 649 * clear current fragments. 650 */ 651 m_freem(mfrag); 652 mfrag = NULL; 653 } 654 } 655 656 if (mfrag == NULL) { 657 if (fragno != 0) { /* !first fragment, discard */ 658 ic->ic_stats.is_rx_defrag++; 659 IEEE80211_NODE_STAT(ni, rx_defrag); 660 m_freem(m); 661 return NULL; 662 } 663 mfrag = m; 664 } else { /* concatenate */ 665 m_adj(m, hdrspace); /* strip header */ 666 m_cat(mfrag, m); 667 /* NB: m_cat doesn't update the packet header */ 668 mfrag->m_pkthdr.len += m->m_pkthdr.len; 669 /* track last seqnum and fragno */ 670 lwh = mtod(mfrag, struct ieee80211_frame *); 671 *(uint16_t *) lwh->i_seq = *(uint16_t *) wh->i_seq; 672 } 673 if (more_frag) { /* more to come, save */ 674 ni->ni_rxfragstamp = ticks; 675 ni->ni_rxfrag[0] = mfrag; 676 mfrag = NULL; 677 } 678 return mfrag; 679 } 680 681 static void 682 ieee80211_deliver_data(struct ieee80211com *ic, 683 struct ieee80211_node *ni, struct mbuf *m) 684 { 685 struct ether_header *eh = mtod(m, struct ether_header *); 686 struct ifnet *ifp = ic->ic_ifp; 687 688 /* 689 * Do accounting. 690 */ 691 ifp->if_ipackets++; 692 IEEE80211_NODE_STAT(ni, rx_data); 693 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 694 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 695 m->m_flags |= M_MCAST; /* XXX M_BCAST? */ 696 IEEE80211_NODE_STAT(ni, rx_mcast); 697 } else { 698 IEEE80211_NODE_STAT(ni, rx_ucast); 699 } 700 701 /* perform as a bridge within the AP */ 702 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 703 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) { 704 struct mbuf *m1 = NULL; 705 706 if (m->m_flags & M_MCAST) { 707 m1 = m_dup(m, MB_DONTWAIT); 708 if (m1 == NULL) 709 ifp->if_oerrors++; 710 else 711 m1->m_flags |= M_MCAST; 712 } else { 713 /* 714 * Check if the destination is known; if so 715 * and the port is authorized dispatch directly. 716 */ 717 struct ieee80211_node *sta = 718 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost); 719 if (sta != NULL) { 720 if (ieee80211_node_is_authorized(sta)) { 721 /* 722 * Beware of sending to ourself; this 723 * needs to happen via the normal 724 * input path. 725 */ 726 if (sta != ic->ic_bss) { 727 m1 = m; 728 m = NULL; 729 } 730 } else { 731 ic->ic_stats.is_rx_unauth++; 732 IEEE80211_NODE_STAT(sta, rx_unauth); 733 } 734 ieee80211_free_node(sta); 735 } 736 } 737 if (m1 != NULL) { 738 /* XXX bypasses ALTQ */ 739 ifq_handoff(ifp, m1, NULL); 740 } 741 } 742 if (m != NULL) { 743 #ifdef FREEBSD_VLAN 744 if (ni->ni_vlan != 0) { 745 /* attach vlan tag */ 746 VLAN_INPUT_TAG_NEW(ifp, m, ni->ni_vlan); 747 if (m == NULL) 748 goto out; /* XXX goto err? */ 749 } 750 #endif 751 m->m_flags &= ~M_IEEE80211; 752 ifp->if_input(ifp, m); 753 } 754 return; 755 756 #ifdef FREEBSD_VLAN 757 out: 758 if (m != NULL) { 759 if (ic->ic_rawbpf) 760 bpf_mtap(ic->ic_rawbpf, m); 761 m_freem(m); 762 } 763 #endif 764 } 765 766 static struct mbuf * 767 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 768 { 769 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */ 770 struct ether_header *eh; 771 struct llc *llc; 772 773 if (m->m_len < hdrlen + sizeof(*llc) && 774 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) { 775 /* XXX stat, msg */ 776 return NULL; 777 } 778 memcpy(&wh, mtod(m, caddr_t), hdrlen); 779 llc = (struct llc *)(mtod(m, caddr_t) + hdrlen); 780 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 781 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 782 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 783 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); 784 llc = NULL; 785 } else { 786 m_adj(m, hdrlen - sizeof(*eh)); 787 } 788 eh = mtod(m, struct ether_header *); 789 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 790 case IEEE80211_FC1_DIR_NODS: 791 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 792 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 793 break; 794 case IEEE80211_FC1_DIR_TODS: 795 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 796 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 797 break; 798 case IEEE80211_FC1_DIR_FROMDS: 799 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 800 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 801 break; 802 case IEEE80211_FC1_DIR_DSTODS: 803 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 804 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 805 break; 806 } 807 #ifdef ALIGNED_POINTER 808 if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), uint32_t)) { 809 struct mbuf *n, *n0, **np; 810 caddr_t newdata; 811 int off, pktlen; 812 813 n0 = NULL; 814 np = &n0; 815 off = 0; 816 pktlen = m->m_pkthdr.len; 817 while (pktlen > off) { 818 if (n0 == NULL) { 819 MGETHDR(n, M_DONTWAIT, MT_DATA); 820 if (n == NULL) { 821 m_freem(m); 822 return NULL; 823 } 824 M_MOVE_PKTHDR(n, m); 825 n->m_len = MHLEN; 826 } else { 827 MGET(n, M_DONTWAIT, MT_DATA); 828 if (n == NULL) { 829 m_freem(m); 830 m_freem(n0); 831 return NULL; 832 } 833 n->m_len = MLEN; 834 } 835 if (pktlen - off >= MINCLSIZE) { 836 MCLGET(n, M_DONTWAIT); 837 if (n->m_flags & M_EXT) 838 n->m_len = n->m_ext.ext_size; 839 } 840 if (n0 == NULL) { 841 newdata = 842 (caddr_t)ALIGN(n->m_data + sizeof(*eh)) - 843 sizeof(*eh); 844 n->m_len -= newdata - n->m_data; 845 n->m_data = newdata; 846 } 847 if (n->m_len > pktlen - off) 848 n->m_len = pktlen - off; 849 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 850 off += n->m_len; 851 *np = n; 852 np = &n->m_next; 853 } 854 m_freem(m); 855 m = n0; 856 } 857 #endif /* ALIGNED_POINTER */ 858 if (llc != NULL) { 859 eh = mtod(m, struct ether_header *); 860 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 861 } 862 return m; 863 } 864 865 /* 866 * Install received rate set information in the node's state block. 867 */ 868 int 869 ieee80211_setup_rates(struct ieee80211_node *ni, 870 const uint8_t *rates, const uint8_t *xrates, int flags, int join) 871 { 872 struct ieee80211com *ic = ni->ni_ic; 873 struct ieee80211_rateset *rs = &ni->ni_rates; 874 875 memset(rs, 0, sizeof(*rs)); 876 rs->rs_nrates = rates[1]; 877 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 878 if (xrates != NULL) { 879 uint8_t nxrates; 880 /* 881 * Tack on 11g extended supported rate element. 882 */ 883 nxrates = xrates[1]; 884 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 885 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 886 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 887 "[%6D] extended rate set too large;" 888 " only using %u of %u rates\n", 889 ni->ni_macaddr, ":", nxrates, xrates[1]); 890 ic->ic_stats.is_rx_rstoobig++; 891 } 892 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 893 rs->rs_nrates += nxrates; 894 } 895 return ieee80211_fix_rate(ni, flags, join); 896 } 897 898 static void 899 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 900 struct ieee80211_node *ni, int rssi, uint32_t rstamp, uint16_t seq, 901 uint16_t status) 902 { 903 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 904 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 905 ni->ni_macaddr, "open auth", 906 "bad sta auth mode %u", ni->ni_authmode); 907 ic->ic_stats.is_rx_bad_auth++; /* XXX */ 908 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 909 /* 910 * Clear any challenge text that may be there if 911 * a previous shared key auth failed and then an 912 * open auth is attempted. 913 */ 914 if (ni->ni_challenge != NULL) { 915 FREE(ni->ni_challenge, M_DEVBUF); 916 ni->ni_challenge = NULL; 917 } 918 /* XXX hack to workaround calling convention */ 919 ieee80211_send_error(ic, ni, wh->i_addr2, 920 IEEE80211_FC0_SUBTYPE_AUTH, 921 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 922 } 923 return; 924 } 925 switch (ic->ic_opmode) { 926 case IEEE80211_M_IBSS: 927 case IEEE80211_M_AHDEMO: 928 case IEEE80211_M_MONITOR: 929 /* should not come here */ 930 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 931 ni->ni_macaddr, "open auth", 932 "bad operating mode %u", ic->ic_opmode); 933 break; 934 935 case IEEE80211_M_HOSTAP: 936 if (ic->ic_state != IEEE80211_S_RUN || 937 seq != IEEE80211_AUTH_OPEN_REQUEST) { 938 ic->ic_stats.is_rx_bad_auth++; 939 return; 940 } 941 /* always accept open authentication requests */ 942 if (ni == ic->ic_bss) { 943 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 944 if (ni == NULL) 945 return; 946 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 947 (void) ieee80211_ref_node(ni); 948 /* 949 * Mark the node as referenced to reflect that it's 950 * reference count has been bumped to insure it remains 951 * after the transaction completes. 952 */ 953 ni->ni_flags |= IEEE80211_NODE_AREF; 954 955 IEEE80211_SEND_MGMT(ic, ni, 956 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 957 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 958 "[%6D] station authenticated (open)\n", 959 ni->ni_macaddr, ":"); 960 /* 961 * When 802.1x is not in use mark the port 962 * authorized at this point so traffic can flow. 963 */ 964 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 965 ieee80211_node_authorize(ni); 966 break; 967 968 case IEEE80211_M_STA: 969 if (ic->ic_state != IEEE80211_S_AUTH || 970 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 971 ic->ic_stats.is_rx_bad_auth++; 972 return; 973 } 974 if (status != 0) { 975 IEEE80211_DPRINTF(ic, 976 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 977 "[%6D] open auth failed (reason %d)\n", 978 ni->ni_macaddr, ":", status); 979 /* XXX can this happen? */ 980 if (ni != ic->ic_bss) 981 ni->ni_fails++; 982 ic->ic_stats.is_rx_auth_fail++; 983 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 984 } else 985 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 986 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 987 break; 988 } 989 } 990 991 /* 992 * Send a management frame error response to the specified 993 * station. If ni is associated with the station then use 994 * it; otherwise allocate a temporary node suitable for 995 * transmitting the frame and then free the reference so 996 * it will go away as soon as the frame has been transmitted. 997 */ 998 static void 999 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni, 1000 const uint8_t *mac, int subtype, int arg) 1001 { 1002 int istmp; 1003 1004 if (ni == ic->ic_bss) { 1005 ni = ieee80211_tmp_node(ic, mac); 1006 if (ni == NULL) { 1007 /* XXX msg */ 1008 return; 1009 } 1010 istmp = 1; 1011 } else 1012 istmp = 0; 1013 IEEE80211_SEND_MGMT(ic, ni, subtype, arg); 1014 if (istmp) 1015 ieee80211_free_node(ni); 1016 } 1017 1018 static int 1019 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni) 1020 { 1021 if (ni->ni_challenge == NULL) 1022 MALLOC(ni->ni_challenge, uint32_t*, IEEE80211_CHALLENGE_LEN, 1023 M_DEVBUF, M_NOWAIT); 1024 if (ni->ni_challenge == NULL) { 1025 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1026 "[%6D] shared key challenge alloc failed\n", 1027 ni->ni_macaddr, ":"); 1028 /* XXX statistic */ 1029 } 1030 return (ni->ni_challenge != NULL); 1031 } 1032 1033 /* XXX TODO: add statistics */ 1034 static void 1035 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 1036 uint8_t *frm, uint8_t *efrm, struct ieee80211_node *ni, int rssi, 1037 uint32_t rstamp, uint16_t seq, uint16_t status) 1038 { 1039 uint8_t *challenge; 1040 int allocbs, estatus; 1041 1042 /* 1043 * NB: this can happen as we allow pre-shared key 1044 * authentication to be enabled w/o wep being turned 1045 * on so that configuration of these can be done 1046 * in any order. It may be better to enforce the 1047 * ordering in which case this check would just be 1048 * for sanity/consistency. 1049 */ 1050 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 1051 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1052 ni->ni_macaddr, "shared key auth", 1053 "%s", " PRIVACY is disabled"); 1054 estatus = IEEE80211_STATUS_ALG; 1055 goto bad; 1056 } 1057 /* 1058 * Pre-shared key authentication is evil; accept 1059 * it only if explicitly configured (it is supported 1060 * mainly for compatibility with clients like OS X). 1061 */ 1062 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1063 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1064 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1065 ni->ni_macaddr, "shared key auth", 1066 "bad sta auth mode %u", ni->ni_authmode); 1067 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1068 estatus = IEEE80211_STATUS_ALG; 1069 goto bad; 1070 } 1071 1072 challenge = NULL; 1073 if (frm + 1 < efrm) { 1074 if ((frm[1] + 2) > (efrm - frm)) { 1075 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1076 ni->ni_macaddr, "shared key auth", 1077 "ie %d/%d too long", 1078 frm[0], (frm[1] + 2) - (efrm - frm)); 1079 ic->ic_stats.is_rx_bad_auth++; 1080 estatus = IEEE80211_STATUS_CHALLENGE; 1081 goto bad; 1082 } 1083 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1084 challenge = frm; 1085 frm += frm[1] + 2; 1086 } 1087 switch (seq) { 1088 case IEEE80211_AUTH_SHARED_CHALLENGE: 1089 case IEEE80211_AUTH_SHARED_RESPONSE: 1090 if (challenge == NULL) { 1091 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1092 ni->ni_macaddr, "shared key auth", 1093 "%s", "no challenge"); 1094 ic->ic_stats.is_rx_bad_auth++; 1095 estatus = IEEE80211_STATUS_CHALLENGE; 1096 goto bad; 1097 } 1098 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1099 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1100 ni->ni_macaddr, "shared key auth", 1101 "bad challenge len %d", challenge[1]); 1102 ic->ic_stats.is_rx_bad_auth++; 1103 estatus = IEEE80211_STATUS_CHALLENGE; 1104 goto bad; 1105 } 1106 default: 1107 break; 1108 } 1109 switch (ic->ic_opmode) { 1110 case IEEE80211_M_MONITOR: 1111 case IEEE80211_M_AHDEMO: 1112 case IEEE80211_M_IBSS: 1113 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1114 ni->ni_macaddr, "shared key auth", 1115 "bad operating mode %u", ic->ic_opmode); 1116 return; 1117 case IEEE80211_M_HOSTAP: 1118 if (ic->ic_state != IEEE80211_S_RUN) { 1119 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1120 ni->ni_macaddr, "shared key auth", 1121 "bad state %u", ic->ic_state); 1122 estatus = IEEE80211_STATUS_ALG; /* XXX */ 1123 goto bad; 1124 } 1125 switch (seq) { 1126 case IEEE80211_AUTH_SHARED_REQUEST: 1127 if (ni == ic->ic_bss) { 1128 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1129 if (ni == NULL) { 1130 /* NB: no way to return an error */ 1131 return; 1132 } 1133 allocbs = 1; 1134 } else { 1135 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1136 (void) ieee80211_ref_node(ni); 1137 allocbs = 0; 1138 } 1139 /* 1140 * Mark the node as referenced to reflect that it's 1141 * reference count has been bumped to insure it remains 1142 * after the transaction completes. 1143 */ 1144 ni->ni_flags |= IEEE80211_NODE_AREF; 1145 ni->ni_rssi = rssi; 1146 ni->ni_rstamp = rstamp; 1147 if (!alloc_challenge(ic, ni)) { 1148 /* NB: don't return error so they rexmit */ 1149 return; 1150 } 1151 get_random_bytes(ni->ni_challenge, 1152 IEEE80211_CHALLENGE_LEN); 1153 IEEE80211_DPRINTF(ic, 1154 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1155 "[%6D] shared key %sauth request\n", 1156 ni->ni_macaddr, ":", 1157 allocbs ? "" : "re"); 1158 break; 1159 case IEEE80211_AUTH_SHARED_RESPONSE: 1160 if (ni == ic->ic_bss) { 1161 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1162 ni->ni_macaddr, "shared key response", 1163 "%s", "unknown station"); 1164 /* NB: don't send a response */ 1165 return; 1166 } 1167 if (ni->ni_challenge == NULL) { 1168 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1169 ni->ni_macaddr, "shared key response", 1170 "%s", "no challenge recorded"); 1171 ic->ic_stats.is_rx_bad_auth++; 1172 estatus = IEEE80211_STATUS_CHALLENGE; 1173 goto bad; 1174 } 1175 if (memcmp(ni->ni_challenge, &challenge[2], 1176 challenge[1]) != 0) { 1177 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1178 ni->ni_macaddr, "shared key response", 1179 "%s", "challenge mismatch"); 1180 ic->ic_stats.is_rx_auth_fail++; 1181 estatus = IEEE80211_STATUS_CHALLENGE; 1182 goto bad; 1183 } 1184 IEEE80211_DPRINTF(ic, 1185 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1186 "[%6D] station authenticated (shared key)\n", 1187 ni->ni_macaddr, ":"); 1188 ieee80211_node_authorize(ni); 1189 break; 1190 default: 1191 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1192 ni->ni_macaddr, "shared key auth", 1193 "bad seq %d", seq); 1194 ic->ic_stats.is_rx_bad_auth++; 1195 estatus = IEEE80211_STATUS_SEQUENCE; 1196 goto bad; 1197 } 1198 IEEE80211_SEND_MGMT(ic, ni, 1199 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1200 break; 1201 1202 case IEEE80211_M_STA: 1203 if (ic->ic_state != IEEE80211_S_AUTH) 1204 return; 1205 switch (seq) { 1206 case IEEE80211_AUTH_SHARED_PASS: 1207 if (ni->ni_challenge != NULL) { 1208 FREE(ni->ni_challenge, M_DEVBUF); 1209 ni->ni_challenge = NULL; 1210 } 1211 if (status != 0) { 1212 IEEE80211_DPRINTF(ic, 1213 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1214 "[%6D] shared key auth failed (reason %d)\n", 1215 ieee80211_getbssid(ic, wh), ":", status); 1216 /* XXX can this happen? */ 1217 if (ni != ic->ic_bss) 1218 ni->ni_fails++; 1219 ic->ic_stats.is_rx_auth_fail++; 1220 return; 1221 } 1222 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1223 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1224 break; 1225 case IEEE80211_AUTH_SHARED_CHALLENGE: 1226 if (!alloc_challenge(ic, ni)) 1227 return; 1228 /* XXX could optimize by passing recvd challenge */ 1229 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1230 IEEE80211_SEND_MGMT(ic, ni, 1231 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1232 break; 1233 default: 1234 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH, 1235 wh, "shared key auth", "bad seq %d", seq); 1236 ic->ic_stats.is_rx_bad_auth++; 1237 return; 1238 } 1239 break; 1240 } 1241 return; 1242 bad: 1243 /* 1244 * Send an error response; but only when operating as an AP. 1245 */ 1246 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1247 /* XXX hack to workaround calling convention */ 1248 ieee80211_send_error(ic, ni, wh->i_addr2, 1249 IEEE80211_FC0_SUBTYPE_AUTH, 1250 (seq + 1) | (estatus<<16)); 1251 } else if (ic->ic_opmode == IEEE80211_M_STA) { 1252 /* 1253 * Kick the state machine. This short-circuits 1254 * using the mgt frame timeout to trigger the 1255 * state transition. 1256 */ 1257 if (ic->ic_state == IEEE80211_S_AUTH) 1258 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1259 } 1260 } 1261 1262 /* Verify the existence and length of __elem or get out. */ 1263 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 1264 if ((__elem) == NULL) { \ 1265 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1266 wh, ieee80211_mgt_subtype_name[subtype >> \ 1267 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1268 "%s", "no " #__elem ); \ 1269 ic->ic_stats.is_rx_elem_missing++; \ 1270 return; \ 1271 } \ 1272 if ((__elem)[1] > (__maxlen)) { \ 1273 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1274 wh, ieee80211_mgt_subtype_name[subtype >> \ 1275 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1276 "bad " #__elem " len %d", (__elem)[1]); \ 1277 ic->ic_stats.is_rx_elem_toobig++; \ 1278 return; \ 1279 } \ 1280 } while (0) 1281 1282 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 1283 if ((_len) < (_minlen)) { \ 1284 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1285 wh, ieee80211_mgt_subtype_name[subtype >> \ 1286 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1287 "%s", "ie too short"); \ 1288 ic->ic_stats.is_rx_elem_toosmall++; \ 1289 return; \ 1290 } \ 1291 } while (0) 1292 1293 #ifdef IEEE80211_DEBUG 1294 static void 1295 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 1296 uint8_t mac[IEEE80211_ADDR_LEN], uint8_t *ssid) 1297 { 1298 kprintf("[%6D] discard %s frame, ssid mismatch: ", mac, ":", tag); 1299 ieee80211_print_essid(ssid + 2, ssid[1]); 1300 kprintf("\n"); 1301 } 1302 1303 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1304 if ((_ssid)[1] != 0 && \ 1305 ((_ssid)[1] != (_ni)->ni_esslen || \ 1306 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1307 if (ieee80211_msg_input(ic)) \ 1308 ieee80211_ssid_mismatch(ic, \ 1309 ieee80211_mgt_subtype_name[subtype >> \ 1310 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1311 wh->i_addr2, _ssid); \ 1312 ic->ic_stats.is_rx_ssidmismatch++; \ 1313 return; \ 1314 } \ 1315 } while (0) 1316 #else /* !IEEE80211_DEBUG */ 1317 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1318 if ((_ssid)[1] != 0 && \ 1319 ((_ssid)[1] != (_ni)->ni_esslen || \ 1320 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1321 ic->ic_stats.is_rx_ssidmismatch++; \ 1322 return; \ 1323 } \ 1324 } while (0) 1325 #endif /* !IEEE80211_DEBUG */ 1326 1327 /* unalligned little endian access */ 1328 #define LE_READ_2(p) \ 1329 ((uint16_t) \ 1330 ((((const uint8_t *)(p))[0] ) | \ 1331 (((const uint8_t *)(p))[1] << 8))) 1332 #define LE_READ_4(p) \ 1333 ((uint32_t) \ 1334 ((((const uint8_t *)(p))[0] ) | \ 1335 (((const uint8_t *)(p))[1] << 8) | \ 1336 (((const uint8_t *)(p))[2] << 16) | \ 1337 (((const uint8_t *)(p))[3] << 24))) 1338 1339 static int __inline 1340 iswpaoui(const uint8_t *frm) 1341 { 1342 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); 1343 } 1344 1345 static int __inline 1346 iswmeoui(const uint8_t *frm) 1347 { 1348 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI); 1349 } 1350 1351 static int __inline 1352 iswmeparam(const uint8_t *frm) 1353 { 1354 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1355 frm[6] == WME_PARAM_OUI_SUBTYPE; 1356 } 1357 1358 static int __inline 1359 iswmeinfo(const uint8_t *frm) 1360 { 1361 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1362 frm[6] == WME_INFO_OUI_SUBTYPE; 1363 } 1364 1365 static int __inline 1366 isatherosoui(const uint8_t *frm) 1367 { 1368 return frm[1] > 3 && LE_READ_4(frm+2) == ((ATH_OUI_TYPE<<24)|ATH_OUI); 1369 } 1370 1371 /* 1372 * Convert a WPA cipher selector OUI to an internal 1373 * cipher algorithm. Where appropriate we also 1374 * record any key length. 1375 */ 1376 static int 1377 wpa_cipher(uint8_t *sel, uint8_t *keylen) 1378 { 1379 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1380 uint32_t w = LE_READ_4(sel); 1381 1382 switch (w) { 1383 case WPA_SEL(WPA_CSE_NULL): 1384 return IEEE80211_CIPHER_NONE; 1385 case WPA_SEL(WPA_CSE_WEP40): 1386 if (keylen) 1387 *keylen = 40 / NBBY; 1388 return IEEE80211_CIPHER_WEP; 1389 case WPA_SEL(WPA_CSE_WEP104): 1390 if (keylen) 1391 *keylen = 104 / NBBY; 1392 return IEEE80211_CIPHER_WEP; 1393 case WPA_SEL(WPA_CSE_TKIP): 1394 return IEEE80211_CIPHER_TKIP; 1395 case WPA_SEL(WPA_CSE_CCMP): 1396 return IEEE80211_CIPHER_AES_CCM; 1397 } 1398 return 32; /* NB: so 1<< is discarded */ 1399 #undef WPA_SEL 1400 } 1401 1402 /* 1403 * Convert a WPA key management/authentication algorithm 1404 * to an internal code. 1405 */ 1406 static int 1407 wpa_keymgmt(uint8_t *sel) 1408 { 1409 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1410 uint32_t w = LE_READ_4(sel); 1411 1412 switch (w) { 1413 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1414 return WPA_ASE_8021X_UNSPEC; 1415 case WPA_SEL(WPA_ASE_8021X_PSK): 1416 return WPA_ASE_8021X_PSK; 1417 case WPA_SEL(WPA_ASE_NONE): 1418 return WPA_ASE_NONE; 1419 } 1420 return 0; /* NB: so is discarded */ 1421 #undef WPA_SEL 1422 } 1423 1424 /* 1425 * Parse a WPA information element to collect parameters 1426 * and validate the parameters against what has been 1427 * configured for the system. 1428 */ 1429 static int 1430 ieee80211_parse_wpa(struct ieee80211com *ic, uint8_t *frm, 1431 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1432 { 1433 uint8_t len = frm[1]; 1434 uint32_t w; 1435 int n; 1436 1437 /* 1438 * Check the length once for fixed parts: OUI, type, 1439 * version, mcast cipher, and 2 selector counts. 1440 * Other, variable-length data, must be checked separately. 1441 */ 1442 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) { 1443 IEEE80211_DISCARD_IE(ic, 1444 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1445 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags); 1446 return IEEE80211_REASON_IE_INVALID; 1447 } 1448 if (len < 14) { 1449 IEEE80211_DISCARD_IE(ic, 1450 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1451 wh, "WPA", "too short, len %u", len); 1452 return IEEE80211_REASON_IE_INVALID; 1453 } 1454 frm += 6, len -= 4; /* NB: len is payload only */ 1455 /* NB: iswapoui already validated the OUI and type */ 1456 w = LE_READ_2(frm); 1457 if (w != WPA_VERSION) { 1458 IEEE80211_DISCARD_IE(ic, 1459 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1460 wh, "WPA", "bad version %u", w); 1461 return IEEE80211_REASON_IE_INVALID; 1462 } 1463 frm += 2, len -= 2; 1464 1465 /* multicast/group cipher */ 1466 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1467 if (w != rsn->rsn_mcastcipher) { 1468 IEEE80211_DISCARD_IE(ic, 1469 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1470 wh, "WPA", "mcast cipher mismatch; got %u, expected %u", 1471 w, rsn->rsn_mcastcipher); 1472 return IEEE80211_REASON_IE_INVALID; 1473 } 1474 frm += 4, len -= 4; 1475 1476 /* unicast ciphers */ 1477 n = LE_READ_2(frm); 1478 frm += 2, len -= 2; 1479 if (len < n*4+2) { 1480 IEEE80211_DISCARD_IE(ic, 1481 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1482 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1483 len, n); 1484 return IEEE80211_REASON_IE_INVALID; 1485 } 1486 w = 0; 1487 for (; n > 0; n--) { 1488 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1489 frm += 4, len -= 4; 1490 } 1491 w &= rsn->rsn_ucastcipherset; 1492 if (w == 0) { 1493 IEEE80211_DISCARD_IE(ic, 1494 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1495 wh, "WPA", "%s", "ucast cipher set empty"); 1496 return IEEE80211_REASON_IE_INVALID; 1497 } 1498 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1499 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1500 else 1501 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1502 1503 /* key management algorithms */ 1504 n = LE_READ_2(frm); 1505 frm += 2, len -= 2; 1506 if (len < n*4) { 1507 IEEE80211_DISCARD_IE(ic, 1508 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1509 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1510 len, n); 1511 return IEEE80211_REASON_IE_INVALID; 1512 } 1513 w = 0; 1514 for (; n > 0; n--) { 1515 w |= wpa_keymgmt(frm); 1516 frm += 4, len -= 4; 1517 } 1518 w &= rsn->rsn_keymgmtset; 1519 if (w == 0) { 1520 IEEE80211_DISCARD_IE(ic, 1521 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1522 wh, "WPA", "%s", "no acceptable key mgmt alg"); 1523 return IEEE80211_REASON_IE_INVALID; 1524 } 1525 if (w & WPA_ASE_8021X_UNSPEC) 1526 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1527 else 1528 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1529 1530 if (len > 2) /* optional capabilities */ 1531 rsn->rsn_caps = LE_READ_2(frm); 1532 1533 return 0; 1534 } 1535 1536 /* 1537 * Convert an RSN cipher selector OUI to an internal 1538 * cipher algorithm. Where appropriate we also 1539 * record any key length. 1540 */ 1541 static int 1542 rsn_cipher(uint8_t *sel, uint8_t *keylen) 1543 { 1544 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1545 uint32_t w = LE_READ_4(sel); 1546 1547 switch (w) { 1548 case RSN_SEL(RSN_CSE_NULL): 1549 return IEEE80211_CIPHER_NONE; 1550 case RSN_SEL(RSN_CSE_WEP40): 1551 if (keylen) 1552 *keylen = 40 / NBBY; 1553 return IEEE80211_CIPHER_WEP; 1554 case RSN_SEL(RSN_CSE_WEP104): 1555 if (keylen) 1556 *keylen = 104 / NBBY; 1557 return IEEE80211_CIPHER_WEP; 1558 case RSN_SEL(RSN_CSE_TKIP): 1559 return IEEE80211_CIPHER_TKIP; 1560 case RSN_SEL(RSN_CSE_CCMP): 1561 return IEEE80211_CIPHER_AES_CCM; 1562 case RSN_SEL(RSN_CSE_WRAP): 1563 return IEEE80211_CIPHER_AES_OCB; 1564 } 1565 return 32; /* NB: so 1<< is discarded */ 1566 #undef WPA_SEL 1567 } 1568 1569 /* 1570 * Convert an RSN key management/authentication algorithm 1571 * to an internal code. 1572 */ 1573 static int 1574 rsn_keymgmt(uint8_t *sel) 1575 { 1576 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1577 uint32_t w = LE_READ_4(sel); 1578 1579 switch (w) { 1580 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1581 return RSN_ASE_8021X_UNSPEC; 1582 case RSN_SEL(RSN_ASE_8021X_PSK): 1583 return RSN_ASE_8021X_PSK; 1584 case RSN_SEL(RSN_ASE_NONE): 1585 return RSN_ASE_NONE; 1586 } 1587 return 0; /* NB: so is discarded */ 1588 #undef RSN_SEL 1589 } 1590 1591 /* 1592 * Parse a WPA/RSN information element to collect parameters 1593 * and validate the parameters against what has been 1594 * configured for the system. 1595 */ 1596 static int 1597 ieee80211_parse_rsn(struct ieee80211com *ic, uint8_t *frm, 1598 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1599 { 1600 uint8_t len = frm[1]; 1601 uint32_t w; 1602 int n; 1603 1604 /* 1605 * Check the length once for fixed parts: 1606 * version, mcast cipher, and 2 selector counts. 1607 * Other, variable-length data, must be checked separately. 1608 */ 1609 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) { 1610 IEEE80211_DISCARD_IE(ic, 1611 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1612 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags); 1613 return IEEE80211_REASON_IE_INVALID; 1614 } 1615 if (len < 10) { 1616 IEEE80211_DISCARD_IE(ic, 1617 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1618 wh, "RSN", "too short, len %u", len); 1619 return IEEE80211_REASON_IE_INVALID; 1620 } 1621 frm += 2; 1622 w = LE_READ_2(frm); 1623 if (w != RSN_VERSION) { 1624 IEEE80211_DISCARD_IE(ic, 1625 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1626 wh, "RSN", "bad version %u", w); 1627 return IEEE80211_REASON_IE_INVALID; 1628 } 1629 frm += 2, len -= 2; 1630 1631 /* multicast/group cipher */ 1632 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1633 if (w != rsn->rsn_mcastcipher) { 1634 IEEE80211_DISCARD_IE(ic, 1635 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1636 wh, "RSN", "mcast cipher mismatch; got %u, expected %u", 1637 w, rsn->rsn_mcastcipher); 1638 return IEEE80211_REASON_IE_INVALID; 1639 } 1640 frm += 4, len -= 4; 1641 1642 /* unicast ciphers */ 1643 n = LE_READ_2(frm); 1644 frm += 2, len -= 2; 1645 if (len < n*4+2) { 1646 IEEE80211_DISCARD_IE(ic, 1647 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1648 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1649 len, n); 1650 return IEEE80211_REASON_IE_INVALID; 1651 } 1652 w = 0; 1653 for (; n > 0; n--) { 1654 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1655 frm += 4, len -= 4; 1656 } 1657 w &= rsn->rsn_ucastcipherset; 1658 if (w == 0) { 1659 IEEE80211_DISCARD_IE(ic, 1660 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1661 wh, "RSN", "%s", "ucast cipher set empty"); 1662 return IEEE80211_REASON_IE_INVALID; 1663 } 1664 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1665 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1666 else 1667 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1668 1669 /* key management algorithms */ 1670 n = LE_READ_2(frm); 1671 frm += 2, len -= 2; 1672 if (len < n*4) { 1673 IEEE80211_DISCARD_IE(ic, 1674 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1675 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1676 len, n); 1677 return IEEE80211_REASON_IE_INVALID; 1678 } 1679 w = 0; 1680 for (; n > 0; n--) { 1681 w |= rsn_keymgmt(frm); 1682 frm += 4, len -= 4; 1683 } 1684 w &= rsn->rsn_keymgmtset; 1685 if (w == 0) { 1686 IEEE80211_DISCARD_IE(ic, 1687 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1688 wh, "RSN", "%s", "no acceptable key mgmt alg"); 1689 return IEEE80211_REASON_IE_INVALID; 1690 } 1691 if (w & RSN_ASE_8021X_UNSPEC) 1692 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1693 else 1694 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1695 1696 /* optional RSN capabilities */ 1697 if (len > 2) 1698 rsn->rsn_caps = LE_READ_2(frm); 1699 /* XXXPMKID */ 1700 1701 return 0; 1702 } 1703 1704 static int 1705 ieee80211_parse_wmeparams(struct ieee80211com *ic, uint8_t *frm, 1706 const struct ieee80211_frame *wh) 1707 { 1708 #define MS(_v, _f) (((_v) & _f) >> _f##_S) 1709 struct ieee80211_wme_state *wme = &ic->ic_wme; 1710 u_int len = frm[1], qosinfo; 1711 int i; 1712 1713 if (len < sizeof(struct ieee80211_wme_param)-2) { 1714 IEEE80211_DISCARD_IE(ic, 1715 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1716 wh, "WME", "too short, len %u", len); 1717 return -1; 1718 } 1719 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1720 qosinfo &= WME_QOSINFO_COUNT; 1721 /* XXX do proper check for wraparound */ 1722 if (qosinfo == wme->wme_wmeChanParams.cap_info) 1723 return 0; 1724 frm += __offsetof(struct ieee80211_wme_param, params_acParams); 1725 for (i = 0; i < WME_NUM_AC; i++) { 1726 struct wmeParams *wmep = 1727 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1728 /* NB: ACI not used */ 1729 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1730 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1731 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1732 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1733 wmep->wmep_txopLimit = LE_READ_2(frm+2); 1734 frm += 4; 1735 } 1736 wme->wme_wmeChanParams.cap_info = qosinfo; 1737 return 1; 1738 #undef MS 1739 } 1740 1741 void 1742 ieee80211_saveie(uint8_t **iep, const uint8_t *ie) 1743 { 1744 u_int ielen = ie[1]+2; 1745 /* 1746 * Record information element for later use. 1747 */ 1748 if (*iep == NULL || (*iep)[1] != ie[1]) { 1749 if (*iep != NULL) 1750 FREE(*iep, M_DEVBUF); 1751 MALLOC(*iep, void*, ielen, M_DEVBUF, M_NOWAIT); 1752 } 1753 if (*iep != NULL) 1754 memcpy(*iep, ie, ielen); 1755 /* XXX note failure */ 1756 } 1757 1758 /* XXX find a better place for definition */ 1759 struct l2_update_frame { 1760 struct ether_header eh; 1761 uint8_t dsap; 1762 uint8_t ssap; 1763 uint8_t control; 1764 uint8_t xid[3]; 1765 } __packed; 1766 1767 /* 1768 * Deliver a TGf L2UF frame on behalf of a station. 1769 * This primes any bridge when the station is roaming 1770 * between ap's on the same wired network. 1771 */ 1772 static void 1773 ieee80211_deliver_l2uf(struct ieee80211_node *ni) 1774 { 1775 struct ieee80211com *ic = ni->ni_ic; 1776 struct ifnet *ifp = ic->ic_ifp; 1777 struct mbuf *m; 1778 struct l2_update_frame *l2uf; 1779 struct ether_header *eh; 1780 1781 m = m_gethdr(MB_DONTWAIT, MT_DATA); 1782 if (m == NULL) { 1783 IEEE80211_NOTE(ic, IEEE80211_MSG_ASSOC, ni, 1784 "%s", "no mbuf for l2uf frame"); 1785 ic->ic_stats.is_rx_nobuf++; /* XXX not right */ 1786 return; 1787 } 1788 l2uf = mtod(m, struct l2_update_frame *); 1789 eh = &l2uf->eh; 1790 /* dst: Broadcast address */ 1791 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr); 1792 /* src: associated STA */ 1793 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr); 1794 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh)); 1795 1796 l2uf->dsap = 0; 1797 l2uf->ssap = 0; 1798 l2uf->control = 0xf5; 1799 l2uf->xid[0] = 0x81; 1800 l2uf->xid[1] = 0x80; 1801 l2uf->xid[2] = 0x00; 1802 1803 m->m_pkthdr.len = m->m_len = sizeof(*l2uf); 1804 m->m_pkthdr.rcvif = ifp; 1805 ieee80211_deliver_data(ic, ni, m); 1806 } 1807 1808 void 1809 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 1810 struct ieee80211_node *ni, 1811 int subtype, int rssi, uint32_t rstamp) 1812 { 1813 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 1814 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 1815 struct ieee80211_frame *wh; 1816 uint8_t *frm, *efrm; 1817 uint8_t *ssid, *rates, *xrates, *wpa, *wme; 1818 int reassoc, resp; 1819 uint8_t rate; 1820 1821 wh = mtod(m0, struct ieee80211_frame *); 1822 frm = (uint8_t *)&wh[1]; 1823 efrm = mtod(m0, uint8_t *) + m0->m_len; 1824 switch (subtype) { 1825 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1826 case IEEE80211_FC0_SUBTYPE_BEACON: { 1827 struct ieee80211_scanparams scan; 1828 1829 /* 1830 * We process beacon/probe response frames: 1831 * o when scanning, or 1832 * o station mode when associated (to collect state 1833 * updates such as 802.11g slot time), or 1834 * o adhoc mode (to discover neighbors) 1835 * Frames otherwise received are discarded. 1836 */ 1837 if (!((ic->ic_flags & IEEE80211_F_SCAN) || 1838 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) || 1839 ic->ic_opmode == IEEE80211_M_IBSS)) { 1840 ic->ic_stats.is_rx_mgtdiscard++; 1841 return; 1842 } 1843 /* 1844 * beacon/probe response frame format 1845 * [8] time stamp 1846 * [2] beacon interval 1847 * [2] capability information 1848 * [tlv] ssid 1849 * [tlv] supported rates 1850 * [tlv] country information 1851 * [tlv] parameter set (FH/DS) 1852 * [tlv] erp information 1853 * [tlv] extended supported rates 1854 * [tlv] WME 1855 * [tlv] WPA or RSN 1856 */ 1857 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 1858 memset(&scan, 0, sizeof(scan)); 1859 scan.tstamp = frm; frm += 8; 1860 scan.bintval = le16toh(*(uint16_t *)frm); frm += 2; 1861 scan.capinfo = le16toh(*(uint16_t *)frm); frm += 2; 1862 scan.bchan = ieee80211_chan2ieee(ic, ic->ic_curchan); 1863 scan.chan = scan.bchan; 1864 1865 while (efrm - frm > 1) { 1866 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2); 1867 switch (*frm) { 1868 case IEEE80211_ELEMID_SSID: 1869 scan.ssid = frm; 1870 break; 1871 case IEEE80211_ELEMID_RATES: 1872 scan.rates = frm; 1873 break; 1874 case IEEE80211_ELEMID_COUNTRY: 1875 scan.country = frm; 1876 break; 1877 case IEEE80211_ELEMID_FHPARMS: 1878 if (ic->ic_phytype == IEEE80211_T_FH) { 1879 scan.fhdwell = LE_READ_2(&frm[2]); 1880 scan.chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1881 scan.fhindex = frm[6]; 1882 } 1883 break; 1884 case IEEE80211_ELEMID_DSPARMS: 1885 /* 1886 * XXX hack this since depending on phytype 1887 * is problematic for multi-mode devices. 1888 */ 1889 if (ic->ic_phytype != IEEE80211_T_FH) 1890 scan.chan = frm[2]; 1891 break; 1892 case IEEE80211_ELEMID_TIM: 1893 /* XXX ATIM? */ 1894 scan.tim = frm; 1895 scan.timoff = frm - mtod(m0, uint8_t *); 1896 break; 1897 case IEEE80211_ELEMID_IBSSPARMS: 1898 break; 1899 case IEEE80211_ELEMID_XRATES: 1900 scan.xrates = frm; 1901 break; 1902 case IEEE80211_ELEMID_ERP: 1903 if (frm[1] != 1) { 1904 IEEE80211_DISCARD_IE(ic, 1905 IEEE80211_MSG_ELEMID, wh, "ERP", 1906 "bad len %u", frm[1]); 1907 ic->ic_stats.is_rx_elem_toobig++; 1908 break; 1909 } 1910 scan.erp = frm[2]; 1911 break; 1912 case IEEE80211_ELEMID_RSN: 1913 scan.wpa = frm; 1914 break; 1915 case IEEE80211_ELEMID_VENDOR: 1916 if (iswpaoui(frm)) 1917 scan.wpa = frm; 1918 else if (iswmeparam(frm) || iswmeinfo(frm)) 1919 scan.wme = frm; 1920 /* XXX Atheros OUI support */ 1921 break; 1922 default: 1923 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 1924 wh, "unhandled", 1925 "id %u, len %u", *frm, frm[1]); 1926 ic->ic_stats.is_rx_elem_unknown++; 1927 break; 1928 } 1929 frm += frm[1] + 2; 1930 } 1931 IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE); 1932 if (scan.xrates != NULL) { 1933 IEEE80211_VERIFY_ELEMENT(scan.xrates, 1934 IEEE80211_RATE_MAXSIZE - scan.rates[1]); 1935 } 1936 IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN); 1937 if ( 1938 #if IEEE80211_CHAN_MAX < 255 1939 scan.chan > IEEE80211_CHAN_MAX || 1940 #endif 1941 isclr(ic->ic_chan_active, scan.chan)) { 1942 IEEE80211_DISCARD(ic, 1943 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1944 wh, ieee80211_mgt_subtype_name[subtype >> 1945 IEEE80211_FC0_SUBTYPE_SHIFT], 1946 "invalid channel %u", scan.chan); 1947 ic->ic_stats.is_rx_badchan++; 1948 return; 1949 } 1950 if (scan.chan != scan.bchan && 1951 ic->ic_phytype != IEEE80211_T_FH) { 1952 if ((ic->ic_caps_ext & IEEE80211_CEXT_AUTOSCAN) && 1953 (ic->ic_flags & IEEE80211_F_SCAN) && 1954 isset(ic->ic_chan_active, scan.chan)) { 1955 ieee80211_set_scanchan(ic, 1956 &ic->ic_channels[scan.chan]); 1957 scan.bchan = scan.chan; 1958 } else { 1959 /* 1960 * Frame was received on a channel different 1961 * from the one indicated in the DS params 1962 * element id; silently discard it. 1963 * 1964 * NB: this can happen due to signal leakage. 1965 * But we should take it for FH phy because 1966 * the rssi value should be correct even for 1967 * different hop pattern in FH. 1968 */ 1969 IEEE80211_DISCARD(ic, 1970 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1971 wh, ieee80211_mgt_subtype_name[subtype >> 1972 IEEE80211_FC0_SUBTYPE_SHIFT], 1973 "for off-channel %u", scan.chan); 1974 ic->ic_stats.is_rx_chanmismatch++; 1975 return; 1976 } 1977 } 1978 if (!(IEEE80211_BINTVAL_MIN <= scan.bintval && 1979 scan.bintval <= IEEE80211_BINTVAL_MAX)) { 1980 IEEE80211_DISCARD(ic, 1981 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1982 wh, ieee80211_mgt_subtype_name[subtype >> 1983 IEEE80211_FC0_SUBTYPE_SHIFT], 1984 "bogus beacon interval", scan.bintval); 1985 ic->ic_stats.is_rx_badbintval++; 1986 return; 1987 } 1988 1989 /* 1990 * Count frame now that we know it's to be processed. 1991 */ 1992 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1993 ic->ic_stats.is_rx_beacon++; /* XXX remove */ 1994 IEEE80211_NODE_STAT(ni, rx_beacons); 1995 } else 1996 IEEE80211_NODE_STAT(ni, rx_proberesp); 1997 1998 /* 1999 * When operating in station mode, check for state updates. 2000 * Be careful to ignore beacons received while doing a 2001 * background scan. We consider only 11g/WMM stuff right now. 2002 */ 2003 if (ic->ic_opmode == IEEE80211_M_STA && 2004 ni->ni_associd != 0 && 2005 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 2006 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 2007 int update_shpreamble = 0; 2008 2009 /* record tsf of last beacon */ 2010 memcpy(ni->ni_tstamp.data, scan.tstamp, 2011 sizeof(ni->ni_tstamp)); 2012 /* count beacon frame for s/w bmiss handling */ 2013 ic->ic_swbmiss_count++; 2014 ic->ic_bmiss_count = 0; 2015 if (ni->ni_erp != scan.erp) { 2016 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2017 "[%6D] erp change: was 0x%x, now 0x%x\n", 2018 wh->i_addr2, ":", ni->ni_erp, scan.erp); 2019 if (ic->ic_curmode == IEEE80211_MODE_11G && 2020 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2021 ic->ic_flags |= IEEE80211_F_USEPROT; 2022 else 2023 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2024 2025 if ((ni->ni_erp ^ scan.erp) & IEEE80211_ERP_LONG_PREAMBLE) 2026 update_shpreamble = 1; 2027 2028 ni->ni_erp = scan.erp; 2029 /* XXX statistic */ 2030 } 2031 if (ni->ni_capinfo != scan.capinfo) { 2032 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2033 "[%6D] capabilities change: before 0x%x," 2034 " now 0x%x\n", 2035 wh->i_addr2, ":", 2036 ni->ni_capinfo, scan.capinfo); 2037 2038 if ((ni->ni_capinfo ^ scan.capinfo) & 2039 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 2040 ieee80211_set_shortslottime(ic, 2041 ic->ic_curmode == IEEE80211_MODE_11A || 2042 (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2043 } 2044 2045 if ((ni->ni_capinfo ^ scan.capinfo) & 2046 IEEE80211_CAPINFO_SHORT_PREAMBLE) 2047 update_shpreamble = 1; 2048 2049 ni->ni_capinfo = scan.capinfo; 2050 /* XXX statistic */ 2051 } 2052 2053 if (update_shpreamble) 2054 ieee80211_update_shpreamble(ic, ni); 2055 2056 if (scan.wme != NULL && 2057 (ni->ni_flags & IEEE80211_NODE_QOS) && 2058 ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0) 2059 ieee80211_wme_updateparams(ic); 2060 if (scan.tim != NULL) { 2061 struct ieee80211_tim_ie *ie = 2062 (struct ieee80211_tim_ie *) scan.tim; 2063 2064 ni->ni_dtim_count = ie->tim_count; 2065 ni->ni_dtim_period = ie->tim_period; 2066 } 2067 if (ic->ic_flags & IEEE80211_F_SCAN) 2068 ieee80211_add_scan(ic, &scan, wh, 2069 subtype, rssi, rstamp); 2070 return; 2071 } 2072 /* 2073 * If scanning, just pass information to the scan module. 2074 */ 2075 if (ic->ic_flags & IEEE80211_F_SCAN) { 2076 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 2077 /* 2078 * Actively scanning a channel marked passive; 2079 * send a probe request now that we know there 2080 * is 802.11 traffic present. 2081 * 2082 * XXX check if the beacon we recv'd gives 2083 * us what we need and suppress the probe req 2084 */ 2085 ieee80211_probe_curchan(ic, 1); 2086 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 2087 } 2088 ieee80211_add_scan(ic, &scan, wh, 2089 subtype, rssi, rstamp); 2090 return; 2091 } 2092 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) { 2093 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 2094 /* 2095 * Create a new entry in the neighbor table. 2096 */ 2097 ni = ieee80211_add_neighbor(ic, wh, &scan); 2098 } else if (ni->ni_capinfo == 0) { 2099 /* 2100 * Update faked node created on transmit. 2101 * Note this also updates the tsf. 2102 */ 2103 ieee80211_init_neighbor(ni, wh, &scan); 2104 } else { 2105 /* 2106 * Record tsf for potential resync. 2107 */ 2108 memcpy(ni->ni_tstamp.data, scan.tstamp, 2109 sizeof(ni->ni_tstamp)); 2110 } 2111 if (ni != NULL) { 2112 ni->ni_rssi = rssi; 2113 ni->ni_rstamp = rstamp; 2114 } 2115 } 2116 break; 2117 } 2118 2119 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: { 2120 int is_tmpnode; 2121 2122 if (ic->ic_opmode == IEEE80211_M_STA || 2123 ic->ic_state != IEEE80211_S_RUN) { 2124 ic->ic_stats.is_rx_mgtdiscard++; 2125 return; 2126 } 2127 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 2128 /* frame must be directed */ 2129 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */ 2130 return; 2131 } 2132 2133 /* 2134 * prreq frame format 2135 * [tlv] ssid 2136 * [tlv] supported rates 2137 * [tlv] extended supported rates 2138 */ 2139 ssid = rates = xrates = NULL; 2140 while (efrm - frm > 1) { 2141 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2); 2142 switch (*frm) { 2143 case IEEE80211_ELEMID_SSID: 2144 ssid = frm; 2145 break; 2146 case IEEE80211_ELEMID_RATES: 2147 rates = frm; 2148 break; 2149 case IEEE80211_ELEMID_XRATES: 2150 xrates = frm; 2151 break; 2152 } 2153 frm += frm[1] + 2; 2154 } 2155 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2156 if (xrates != NULL) { 2157 IEEE80211_VERIFY_ELEMENT(xrates, 2158 IEEE80211_RATE_MAXSIZE - rates[1]); 2159 } 2160 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2161 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2162 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 2163 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 2164 wh, ieee80211_mgt_subtype_name[subtype >> 2165 IEEE80211_FC0_SUBTYPE_SHIFT], 2166 "%s", "no ssid with ssid suppression enabled"); 2167 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/ 2168 return; 2169 } 2170 2171 is_tmpnode = 0; 2172 if (ni == ic->ic_bss) { 2173 if (ic->ic_opmode != IEEE80211_M_IBSS) { 2174 ni = ieee80211_tmp_node(ic, wh->i_addr2); 2175 is_tmpnode = 1; 2176 } else if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 2177 /* 2178 * XXX Cannot tell if the sender is operating 2179 * in ibss mode. But we need a new node to 2180 * send the response so blindly add them to the 2181 * neighbor table. 2182 */ 2183 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2184 wh->i_addr2); 2185 } 2186 if (ni == NULL) 2187 return; 2188 } 2189 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2190 "[%6D] recv probe req\n", wh->i_addr2, ":"); 2191 ni->ni_rssi = rssi; 2192 ni->ni_rstamp = rstamp; 2193 2194 /* 2195 * Since temporary node's rate set will not be used, 2196 * there is no need to do rate negotiation for it. 2197 */ 2198 if (!is_tmpnode) { 2199 ieee80211_setup_rates(ni, rates, xrates, 2200 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2201 IEEE80211_F_DONEGO | IEEE80211_F_DODEL, 0); 2202 } 2203 2204 IEEE80211_SEND_MGMT(ic, ni, 2205 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2206 if (is_tmpnode) { 2207 /* 2208 * Temporary node created just to send a 2209 * response, reclaim immediately. 2210 */ 2211 ieee80211_free_node(ni); 2212 } 2213 break; 2214 } 2215 2216 case IEEE80211_FC0_SUBTYPE_AUTH: { 2217 uint16_t algo, seq, status; 2218 /* 2219 * auth frame format 2220 * [2] algorithm 2221 * [2] sequence 2222 * [2] status 2223 * [tlv*] challenge 2224 */ 2225 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2226 algo = le16toh(*(uint16_t *)frm); 2227 seq = le16toh(*(uint16_t *)(frm + 2)); 2228 status = le16toh(*(uint16_t *)(frm + 4)); 2229 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2230 "[%6D] recv auth frame with algorithm %d seq %d\n", 2231 wh->i_addr2, ":", algo, seq); 2232 /* 2233 * Consult the ACL policy module if setup. 2234 */ 2235 if (ic->ic_acl != NULL && 2236 !ic->ic_acl->iac_check(ic, wh->i_addr2)) { 2237 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL, 2238 wh, "auth", "%s", "disallowed by ACL"); 2239 ic->ic_stats.is_rx_acl++; 2240 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2241 IEEE80211_SEND_MGMT(ic, ni, 2242 IEEE80211_FC0_SUBTYPE_AUTH, 2243 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2244 } 2245 return; 2246 } 2247 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 2248 IEEE80211_DISCARD(ic, 2249 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2250 wh, "auth", "%s", "TKIP countermeasures enabled"); 2251 ic->ic_stats.is_rx_auth_countermeasures++; 2252 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2253 IEEE80211_SEND_MGMT(ic, ni, 2254 IEEE80211_FC0_SUBTYPE_AUTH, 2255 IEEE80211_REASON_MIC_FAILURE); 2256 } 2257 return; 2258 } 2259 if (algo == IEEE80211_AUTH_ALG_SHARED) 2260 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 2261 rstamp, seq, status); 2262 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2263 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 2264 status); 2265 else { 2266 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2267 wh, "auth", "unsupported alg %d", algo); 2268 ic->ic_stats.is_rx_auth_unsupported++; 2269 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2270 /* XXX not right */ 2271 IEEE80211_SEND_MGMT(ic, ni, 2272 IEEE80211_FC0_SUBTYPE_AUTH, 2273 (seq+1) | (IEEE80211_STATUS_ALG<<16)); 2274 } 2275 return; 2276 } 2277 break; 2278 } 2279 2280 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2281 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2282 uint16_t capinfo, lintval; 2283 struct ieee80211_rsnparms rsn; 2284 uint8_t reason; 2285 2286 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2287 ic->ic_state != IEEE80211_S_RUN) { 2288 ic->ic_stats.is_rx_mgtdiscard++; 2289 return; 2290 } 2291 2292 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2293 reassoc = 1; 2294 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2295 } else { 2296 reassoc = 0; 2297 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2298 } 2299 /* 2300 * asreq frame format 2301 * [2] capability information 2302 * [2] listen interval 2303 * [6*] current AP address (reassoc only) 2304 * [tlv] ssid 2305 * [tlv] supported rates 2306 * [tlv] extended supported rates 2307 * [tlv] WPA or RSN 2308 */ 2309 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 2310 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2311 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2312 wh, ieee80211_mgt_subtype_name[subtype >> 2313 IEEE80211_FC0_SUBTYPE_SHIFT], 2314 "%s", "wrong bssid"); 2315 ic->ic_stats.is_rx_assoc_bss++; 2316 return; 2317 } 2318 capinfo = le16toh(*(uint16_t *)frm); frm += 2; 2319 lintval = le16toh(*(uint16_t *)frm); frm += 2; 2320 if (reassoc) 2321 frm += 6; /* ignore current AP info */ 2322 ssid = rates = xrates = wpa = wme = NULL; 2323 while (efrm - frm > 1) { 2324 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2); 2325 switch (*frm) { 2326 case IEEE80211_ELEMID_SSID: 2327 ssid = frm; 2328 break; 2329 case IEEE80211_ELEMID_RATES: 2330 rates = frm; 2331 break; 2332 case IEEE80211_ELEMID_XRATES: 2333 xrates = frm; 2334 break; 2335 /* XXX verify only one of RSN and WPA ie's? */ 2336 case IEEE80211_ELEMID_RSN: 2337 wpa = frm; 2338 break; 2339 case IEEE80211_ELEMID_VENDOR: 2340 if (iswpaoui(frm)) 2341 wpa = frm; 2342 else if (iswmeinfo(frm)) 2343 wme = frm; 2344 /* XXX Atheros OUI support */ 2345 break; 2346 } 2347 frm += frm[1] + 2; 2348 } 2349 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2350 if (xrates != NULL) { 2351 IEEE80211_VERIFY_ELEMENT(xrates, 2352 IEEE80211_RATE_MAXSIZE - rates[1]); 2353 } 2354 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2355 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2356 2357 if (ni == ic->ic_bss) { 2358 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2359 "[%6D] deny %s request, sta not authenticated\n", 2360 wh->i_addr2, ":", reassoc ? "reassoc" : "assoc"); 2361 ieee80211_send_error(ic, ni, wh->i_addr2, 2362 IEEE80211_FC0_SUBTYPE_DEAUTH, 2363 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2364 ic->ic_stats.is_rx_assoc_notauth++; 2365 return; 2366 } 2367 /* assert right associstion security credentials */ 2368 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) { 2369 IEEE80211_DPRINTF(ic, 2370 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2371 "[%6D] no WPA/RSN IE in association request\n", 2372 wh->i_addr2, ":"); 2373 IEEE80211_SEND_MGMT(ic, ni, 2374 IEEE80211_FC0_SUBTYPE_DEAUTH, 2375 IEEE80211_REASON_RSN_REQUIRED); 2376 ieee80211_node_leave(ic, ni); 2377 /* XXX distinguish WPA/RSN? */ 2378 ic->ic_stats.is_rx_assoc_badwpaie++; 2379 return; 2380 } 2381 if (wpa != NULL) { 2382 /* 2383 * Parse WPA information element. Note that 2384 * we initialize the param block from the node 2385 * state so that information in the IE overrides 2386 * our defaults. The resulting parameters are 2387 * installed below after the association is assured. 2388 */ 2389 rsn = ni->ni_rsn; 2390 if (wpa[0] != IEEE80211_ELEMID_RSN) 2391 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh); 2392 else 2393 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh); 2394 if (reason != 0) { 2395 IEEE80211_SEND_MGMT(ic, ni, 2396 IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 2397 ieee80211_node_leave(ic, ni); 2398 /* XXX distinguish WPA/RSN? */ 2399 ic->ic_stats.is_rx_assoc_badwpaie++; 2400 return; 2401 } 2402 IEEE80211_DPRINTF(ic, 2403 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2404 "[%6D] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n", 2405 wh->i_addr2, ":", 2406 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN", 2407 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen, 2408 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen, 2409 rsn.rsn_keymgmt, rsn.rsn_caps); 2410 } 2411 /* discard challenge after association */ 2412 if (ni->ni_challenge != NULL) { 2413 FREE(ni->ni_challenge, M_DEVBUF); 2414 ni->ni_challenge = NULL; 2415 } 2416 /* NB: 802.11 spec says to ignore station's privacy bit */ 2417 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2418 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2419 "[%6D] deny %s request, capability mismatch 0x%x\n", 2420 wh->i_addr2, ":", 2421 reassoc ? "reassoc" : "assoc", capinfo); 2422 IEEE80211_SEND_MGMT(ic, ni, resp, 2423 IEEE80211_STATUS_CAPINFO); 2424 ieee80211_node_leave(ic, ni); 2425 ic->ic_stats.is_rx_assoc_capmismatch++; 2426 return; 2427 } 2428 rate = ieee80211_setup_rates(ni, rates, xrates, 2429 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2430 IEEE80211_F_DONEGO | IEEE80211_F_DODEL, 0); 2431 if (rate & IEEE80211_RATE_BASIC) { 2432 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2433 "[%6D] deny %s request, rate set mismatch\n", 2434 wh->i_addr2, ":", 2435 reassoc ? "reassoc" : "assoc"); 2436 IEEE80211_SEND_MGMT(ic, ni, resp, 2437 IEEE80211_STATUS_BASIC_RATE); 2438 ieee80211_node_leave(ic, ni); 2439 ic->ic_stats.is_rx_assoc_norate++; 2440 return; 2441 } 2442 ni->ni_rssi = rssi; 2443 ni->ni_rstamp = rstamp; 2444 ni->ni_intval = lintval; 2445 ni->ni_capinfo = capinfo; 2446 ni->ni_chan = ic->ic_bss->ni_chan; 2447 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 2448 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 2449 if (wpa != NULL) { 2450 /* 2451 * Record WPA/RSN parameters for station, mark 2452 * node as using WPA and record information element 2453 * for applications that require it. 2454 */ 2455 ni->ni_rsn = rsn; 2456 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2457 } else if (ni->ni_wpa_ie != NULL) { 2458 /* 2459 * Flush any state from a previous association. 2460 */ 2461 FREE(ni->ni_wpa_ie, M_DEVBUF); 2462 ni->ni_wpa_ie = NULL; 2463 } 2464 if (wme != NULL) { 2465 /* 2466 * Record WME parameters for station, mark node 2467 * as capable of QoS and record information 2468 * element for applications that require it. 2469 */ 2470 ieee80211_saveie(&ni->ni_wme_ie, wme); 2471 ni->ni_flags |= IEEE80211_NODE_QOS; 2472 } else if (ni->ni_wme_ie != NULL) { 2473 /* 2474 * Flush any state from a previous association. 2475 */ 2476 FREE(ni->ni_wme_ie, M_DEVBUF); 2477 ni->ni_wme_ie = NULL; 2478 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2479 } 2480 ieee80211_deliver_l2uf(ni); 2481 ieee80211_node_join(ic, ni, resp); 2482 break; 2483 } 2484 2485 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2486 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 2487 uint16_t capinfo, associd; 2488 uint16_t status; 2489 2490 if (ic->ic_opmode != IEEE80211_M_STA || 2491 ic->ic_state != IEEE80211_S_ASSOC) { 2492 ic->ic_stats.is_rx_mgtdiscard++; 2493 return; 2494 } 2495 2496 /* 2497 * asresp frame format 2498 * [2] capability information 2499 * [2] status 2500 * [2] association ID 2501 * [tlv] supported rates 2502 * [tlv] extended supported rates 2503 * [tlv] WME 2504 */ 2505 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2506 ni = ic->ic_bss; 2507 capinfo = le16toh(*(uint16_t *)frm); 2508 frm += 2; 2509 status = le16toh(*(uint16_t *)frm); 2510 frm += 2; 2511 if (status != 0) { 2512 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2513 "[%6D] %sassoc failed (reason %d)\n", 2514 wh->i_addr2, ":", 2515 ISREASSOC(subtype) ? "re" : "", status); 2516 if (ni != ic->ic_bss) /* XXX never true? */ 2517 ni->ni_fails++; 2518 ic->ic_stats.is_rx_auth_fail++; /* XXX */ 2519 return; 2520 } 2521 associd = le16toh(*(uint16_t *)frm); 2522 frm += 2; 2523 2524 rates = xrates = wpa = wme = NULL; 2525 while (efrm - frm > 1) { 2526 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2); 2527 switch (*frm) { 2528 case IEEE80211_ELEMID_RATES: 2529 rates = frm; 2530 break; 2531 case IEEE80211_ELEMID_XRATES: 2532 xrates = frm; 2533 break; 2534 case IEEE80211_ELEMID_VENDOR: 2535 if (iswmeoui(frm)) 2536 wme = frm; 2537 /* XXX Atheros OUI support */ 2538 break; 2539 } 2540 frm += frm[1] + 2; 2541 } 2542 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2543 if (xrates != NULL) { 2544 IEEE80211_VERIFY_ELEMENT(xrates, 2545 IEEE80211_RATE_MAXSIZE - rates[1]); 2546 } 2547 2548 rate = ieee80211_setup_rates(ni, rates, xrates, 2549 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2550 IEEE80211_F_DONEGO | IEEE80211_F_DODEL, 1); 2551 if (rate & IEEE80211_RATE_BASIC) { 2552 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2553 "[%6D] %sassoc failed (rate set mismatch)\n", 2554 wh->i_addr2, ":", 2555 ISREASSOC(subtype) ? "re" : ""); 2556 if (ni != ic->ic_bss) /* XXX never true? */ 2557 ni->ni_fails++; 2558 ic->ic_stats.is_rx_assoc_norate++; 2559 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 2560 return; 2561 } 2562 2563 ni->ni_capinfo = capinfo; 2564 ni->ni_associd = associd; 2565 if (wme != NULL && 2566 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) { 2567 ni->ni_flags |= IEEE80211_NODE_QOS; 2568 ieee80211_wme_updateparams(ic); 2569 } else 2570 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2571 /* 2572 * Configure state now that we are associated. 2573 * 2574 * XXX may need different/additional driver callbacks? 2575 */ 2576 ieee80211_update_shpreamble(ic, ni); 2577 ieee80211_set_shortslottime(ic, 2578 ic->ic_curmode == IEEE80211_MODE_11A || 2579 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2580 /* 2581 * Honor ERP protection. 2582 * 2583 * NB: ni_erp should zero for non-11g operation. 2584 * XXX check ic_curmode anyway? 2585 */ 2586 if (ic->ic_curmode == IEEE80211_MODE_11G && 2587 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2588 ic->ic_flags |= IEEE80211_F_USEPROT; 2589 else 2590 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2591 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2592 "[%6D] %sassoc success: %s preamble, %s slot time%s%s\n", 2593 wh->i_addr2, ":", 2594 ISREASSOC(subtype) ? "re" : "", 2595 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 2596 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 2597 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 2598 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "" 2599 ); 2600 IEEE80211_PRINT_NODERATES(ic, ni, IEEE80211_MSG_ASSOC); 2601 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype); 2602 break; 2603 } 2604 2605 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 2606 uint16_t reason; 2607 2608 if (ic->ic_state == IEEE80211_S_SCAN) { 2609 ic->ic_stats.is_rx_mgtdiscard++; 2610 return; 2611 } 2612 /* 2613 * deauth frame format 2614 * [2] reason 2615 */ 2616 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2617 reason = le16toh(*(uint16_t *)frm); 2618 ic->ic_stats.is_rx_deauth++; 2619 IEEE80211_NODE_STAT(ni, rx_deauth); 2620 2621 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2622 /* NB: can happen when in promiscuous mode */ 2623 ic->ic_stats.is_rx_mgtdiscard++; 2624 break; 2625 } 2626 2627 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2628 "[%6D] recv deauthenticate (reason %d)\n", 2629 ni->ni_macaddr, ":", reason); 2630 switch (ic->ic_opmode) { 2631 case IEEE80211_M_STA: 2632 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2633 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2634 break; 2635 case IEEE80211_M_HOSTAP: 2636 if (ni != ic->ic_bss) 2637 ieee80211_node_leave(ic, ni); 2638 break; 2639 default: 2640 ic->ic_stats.is_rx_mgtdiscard++; 2641 break; 2642 } 2643 break; 2644 } 2645 2646 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2647 uint16_t reason; 2648 2649 if (ic->ic_state != IEEE80211_S_RUN && 2650 ic->ic_state != IEEE80211_S_ASSOC && 2651 ic->ic_state != IEEE80211_S_AUTH) { 2652 ic->ic_stats.is_rx_mgtdiscard++; 2653 return; 2654 } 2655 /* 2656 * disassoc frame format 2657 * [2] reason 2658 */ 2659 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2660 reason = le16toh(*(uint16_t *)frm); 2661 ic->ic_stats.is_rx_disassoc++; 2662 IEEE80211_NODE_STAT(ni, rx_disassoc); 2663 2664 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2665 /* NB: can happen when in promiscuous mode */ 2666 ic->ic_stats.is_rx_mgtdiscard++; 2667 break; 2668 } 2669 2670 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2671 "[%6D] recv disassociate (reason %d)\n", 2672 ni->ni_macaddr, ":", reason); 2673 switch (ic->ic_opmode) { 2674 case IEEE80211_M_STA: 2675 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2676 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2677 break; 2678 case IEEE80211_M_HOSTAP: 2679 if (ni != ic->ic_bss) 2680 ieee80211_node_leave(ic, ni); 2681 break; 2682 default: 2683 ic->ic_stats.is_rx_mgtdiscard++; 2684 break; 2685 } 2686 break; 2687 } 2688 default: 2689 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2690 wh, "mgt", "subtype 0x%x not handled", subtype); 2691 ic->ic_stats.is_rx_badsubtype++; 2692 break; 2693 } 2694 #undef ISREASSOC 2695 #undef ISPROBE 2696 } 2697 #undef IEEE80211_VERIFY_LENGTH 2698 #undef IEEE80211_VERIFY_ELEMENT 2699 2700 /* 2701 * Handle station power-save state change. 2702 */ 2703 static void 2704 ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable) 2705 { 2706 struct ieee80211com *ic = ni->ni_ic; 2707 struct mbuf *m; 2708 2709 ASSERT_SERIALIZED(ic->ic_ifp->if_serializer); 2710 2711 if (enable) { 2712 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0) 2713 ic->ic_ps_sta++; 2714 ni->ni_flags |= IEEE80211_NODE_PWR_MGT; 2715 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2716 "[%6D] power save mode on, %u sta's in ps mode\n", 2717 ni->ni_macaddr, ":", ic->ic_ps_sta); 2718 return; 2719 } 2720 2721 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT) 2722 ic->ic_ps_sta--; 2723 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT; 2724 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2725 "[%6D] power save mode off, %u sta's in ps mode\n", 2726 ni->ni_macaddr, ":", ic->ic_ps_sta); 2727 /* XXX if no stations in ps mode, flush mc frames */ 2728 2729 /* 2730 * Flush queued unicast frames. 2731 */ 2732 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) { 2733 if (ic->ic_set_tim != NULL) 2734 ic->ic_set_tim(ni, 0); /* just in case */ 2735 return; 2736 } 2737 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2738 "[%6D] flush ps queue, %u packets queued\n", 2739 ni->ni_macaddr, ":", IEEE80211_NODE_SAVEQ_QLEN(ni)); 2740 for (;;) { 2741 int qlen; 2742 2743 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2744 if (m == NULL) 2745 break; 2746 /* 2747 * If this is the last packet, turn off the TIM bit. 2748 * If there are more packets, set the more packets bit 2749 * in the mbuf so ieee80211_encap will mark the 802.11 2750 * head to indicate more data frames will follow. 2751 */ 2752 if (qlen != 0) 2753 m->m_flags |= M_MORE_DATA; 2754 /* XXX need different driver interface */ 2755 /* XXX bypasses q max */ 2756 /* XXX bypasses ALTQ */ 2757 ifq_enqueue(&ic->ic_ifp->if_snd, m, NULL); 2758 } 2759 if (ic->ic_set_tim != NULL) 2760 ic->ic_set_tim(ni, 0); 2761 } 2762 2763 /* 2764 * Process a received ps-poll frame. 2765 */ 2766 static void 2767 ieee80211_recv_pspoll(struct ieee80211com *ic, 2768 struct ieee80211_node *ni, struct mbuf *m0) 2769 { 2770 struct ieee80211_frame_min *wh; 2771 struct mbuf *m; 2772 uint16_t aid; 2773 int qlen; 2774 2775 ASSERT_SERIALIZED(ic->ic_ifp->if_serializer); 2776 2777 wh = mtod(m0, struct ieee80211_frame_min *); 2778 if (ni->ni_associd == 0) { 2779 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2780 (struct ieee80211_frame *) wh, "ps-poll", 2781 "%s", "unassociated station"); 2782 ic->ic_stats.is_ps_unassoc++; 2783 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2784 IEEE80211_REASON_NOT_ASSOCED); 2785 return; 2786 } 2787 2788 aid = le16toh(*(uint16_t *)wh->i_dur); 2789 if (aid != ni->ni_associd) { 2790 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2791 (struct ieee80211_frame *) wh, "ps-poll", 2792 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2793 ni->ni_associd, aid); 2794 ic->ic_stats.is_ps_badaid++; 2795 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2796 IEEE80211_REASON_NOT_ASSOCED); 2797 return; 2798 } 2799 2800 /* Okay, take the first queued packet and put it out... */ 2801 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2802 if (m == NULL) { 2803 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2804 "[%6D] recv ps-poll, but queue empty\n", 2805 wh->i_addr2, ":"); 2806 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2807 ic->ic_stats.is_ps_qempty++; /* XXX node stat */ 2808 if (ic->ic_set_tim != NULL) 2809 ic->ic_set_tim(ni, 0); /* just in case */ 2810 return; 2811 } 2812 /* 2813 * If there are more packets, set the more packets bit 2814 * in the packet dispatched to the station; otherwise 2815 * turn off the TIM bit. 2816 */ 2817 if (qlen != 0) { 2818 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2819 "[%6D] recv ps-poll, send packet, %u still queued\n", 2820 ni->ni_macaddr, ":", qlen); 2821 m->m_flags |= M_MORE_DATA; 2822 } else { 2823 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2824 "[%6D] recv ps-poll, send packet, queue empty\n", 2825 ni->ni_macaddr, ":"); 2826 if (ic->ic_set_tim != NULL) 2827 ic->ic_set_tim(ni, 0); 2828 } 2829 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2830 ifq_enqueue(&ic->ic_ifp->if_snd, m, NULL); /* XXX bypasses ALTQ */ 2831 } 2832 2833 #ifdef IEEE80211_DEBUG 2834 /* 2835 * Debugging support. 2836 */ 2837 2838 /* 2839 * Return the bssid of a frame. 2840 */ 2841 static const uint8_t * 2842 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh) 2843 { 2844 if (ic->ic_opmode == IEEE80211_M_STA) 2845 return wh->i_addr2; 2846 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS) 2847 return wh->i_addr1; 2848 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL) 2849 return wh->i_addr1; 2850 return wh->i_addr3; 2851 } 2852 2853 void 2854 ieee80211_note(struct ieee80211com *ic, const char *fmt, ...) 2855 { 2856 char buf[128]; /* XXX */ 2857 __va_list ap; 2858 2859 __va_start(ap, fmt); 2860 kvsnprintf(buf, sizeof(buf), fmt, ap); 2861 __va_end(ap); 2862 2863 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */ 2864 } 2865 2866 void 2867 ieee80211_note_frame(struct ieee80211com *ic, 2868 const struct ieee80211_frame *wh, 2869 const char *fmt, ...) 2870 { 2871 char buf[128]; /* XXX */ 2872 __va_list ap; 2873 2874 __va_start(ap, fmt); 2875 kvsnprintf(buf, sizeof(buf), fmt, ap); 2876 __va_end(ap); 2877 if_printf(ic->ic_ifp, "[%6D] %s\n", 2878 ieee80211_getbssid(ic, wh), ":", buf); 2879 } 2880 2881 void 2882 ieee80211_note_mac(struct ieee80211com *ic, 2883 const uint8_t mac[IEEE80211_ADDR_LEN], 2884 const char *fmt, ...) 2885 { 2886 char buf[128]; /* XXX */ 2887 __va_list ap; 2888 2889 __va_start(ap, fmt); 2890 kvsnprintf(buf, sizeof(buf), fmt, ap); 2891 __va_end(ap); 2892 if_printf(ic->ic_ifp, "[%6D] %s\n", mac, ":", buf); 2893 } 2894 2895 static void 2896 ieee80211_discard_frame(struct ieee80211com *ic, 2897 const struct ieee80211_frame *wh, 2898 const char *type, const char *fmt, ...) 2899 { 2900 __va_list ap; 2901 2902 kprintf("[%s:%6D] discard ", ic->ic_ifp->if_xname, 2903 ieee80211_getbssid(ic, wh), ":"); 2904 if (type != NULL) 2905 kprintf("%s frame, ", type); 2906 else 2907 kprintf("frame, "); 2908 __va_start(ap, fmt); 2909 kvprintf(fmt, ap); 2910 __va_end(ap); 2911 kprintf("\n"); 2912 } 2913 2914 static void 2915 ieee80211_discard_ie(struct ieee80211com *ic, 2916 const struct ieee80211_frame *wh, 2917 const char *type, const char *fmt, ...) 2918 { 2919 __va_list ap; 2920 2921 kprintf("[%s:%6D] discard ", ic->ic_ifp->if_xname, 2922 ieee80211_getbssid(ic, wh), ":"); 2923 if (type != NULL) 2924 kprintf("%s information element, ", type); 2925 else 2926 kprintf("information element, "); 2927 __va_start(ap, fmt); 2928 kvprintf(fmt, ap); 2929 __va_end(ap); 2930 kprintf("\n"); 2931 } 2932 2933 static void 2934 ieee80211_discard_mac(struct ieee80211com *ic, 2935 const uint8_t mac[IEEE80211_ADDR_LEN], 2936 const char *type, const char *fmt, ...) 2937 { 2938 __va_list ap; 2939 2940 kprintf("[%s:%6D] discard ", ic->ic_ifp->if_xname, mac, ":"); 2941 if (type != NULL) 2942 kprintf("%s frame, ", type); 2943 else 2944 kprintf("frame, "); 2945 __va_start(ap, fmt); 2946 kvprintf(fmt, ap); 2947 __va_end(ap); 2948 kprintf("\n"); 2949 } 2950 #endif /* IEEE80211_DEBUG */ 2951