1 /* $OpenBSD: ieee80211_node.c,v 1.63 2011/03/28 14:49:40 kettenis Exp $ */ 2 /* $NetBSD: ieee80211_node.c,v 1.14 2004/05/09 09:18:47 dyoung Exp $ */ 3 4 /*- 5 * Copyright (c) 2001 Atsushi Onoe 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * Copyright (c) 2008 Damien Bergamini 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "bpfilter.h" 34 #include "bridge.h" 35 36 #include <sys/param.h> 37 #include <sys/systm.h> 38 #include <sys/mbuf.h> 39 #include <sys/malloc.h> 40 #include <sys/kernel.h> 41 #include <sys/socket.h> 42 #include <sys/sockio.h> 43 #include <sys/endian.h> 44 #include <sys/errno.h> 45 #include <sys/proc.h> 46 #include <sys/sysctl.h> 47 #include <sys/tree.h> 48 49 #include <net/if.h> 50 #include <net/if_dl.h> 51 #include <net/if_media.h> 52 #include <net/if_arp.h> 53 #include <net/if_llc.h> 54 55 #if NBPFILTER > 0 56 #include <net/bpf.h> 57 #endif 58 59 #ifdef INET 60 #include <netinet/in.h> 61 #include <netinet/if_ether.h> 62 #endif 63 64 #if NBRIDGE > 0 65 #include <net/if_bridge.h> 66 #endif 67 68 #include <net80211/ieee80211_var.h> 69 #include <net80211/ieee80211_priv.h> 70 71 #include <dev/rndvar.h> 72 73 struct ieee80211_node *ieee80211_node_alloc(struct ieee80211com *); 74 void ieee80211_node_free(struct ieee80211com *, struct ieee80211_node *); 75 void ieee80211_node_copy(struct ieee80211com *, struct ieee80211_node *, 76 const struct ieee80211_node *); 77 void ieee80211_choose_rsnparams(struct ieee80211com *); 78 u_int8_t ieee80211_node_getrssi(struct ieee80211com *, 79 const struct ieee80211_node *); 80 void ieee80211_setup_node(struct ieee80211com *, struct ieee80211_node *, 81 const u_int8_t *); 82 void ieee80211_free_node(struct ieee80211com *, struct ieee80211_node *); 83 struct ieee80211_node *ieee80211_alloc_node_helper(struct ieee80211com *); 84 void ieee80211_node_cleanup(struct ieee80211com *, struct ieee80211_node *); 85 void ieee80211_needs_auth(struct ieee80211com *, struct ieee80211_node *); 86 #ifndef IEEE80211_STA_ONLY 87 #ifndef IEEE80211_NO_HT 88 void ieee80211_node_join_ht(struct ieee80211com *, struct ieee80211_node *); 89 #endif 90 void ieee80211_node_join_rsn(struct ieee80211com *, struct ieee80211_node *); 91 void ieee80211_node_join_11g(struct ieee80211com *, struct ieee80211_node *); 92 #ifndef IEEE80211_NO_HT 93 void ieee80211_node_leave_ht(struct ieee80211com *, struct ieee80211_node *); 94 #endif 95 void ieee80211_node_leave_rsn(struct ieee80211com *, struct ieee80211_node *); 96 void ieee80211_node_leave_11g(struct ieee80211com *, struct ieee80211_node *); 97 void ieee80211_set_tim(struct ieee80211com *, int, int); 98 #endif 99 100 #define M_80211_NODE M_DEVBUF 101 102 void 103 ieee80211_node_attach(struct ifnet *ifp) 104 { 105 struct ieee80211com *ic = (void *)ifp; 106 #ifndef IEEE80211_STA_ONLY 107 int size; 108 #endif 109 110 RB_INIT(&ic->ic_tree); 111 ic->ic_node_alloc = ieee80211_node_alloc; 112 ic->ic_node_free = ieee80211_node_free; 113 ic->ic_node_copy = ieee80211_node_copy; 114 ic->ic_node_getrssi = ieee80211_node_getrssi; 115 ic->ic_scangen = 1; 116 ic->ic_max_nnodes = ieee80211_cache_size; 117 118 if (ic->ic_max_aid == 0) 119 ic->ic_max_aid = IEEE80211_AID_DEF; 120 else if (ic->ic_max_aid > IEEE80211_AID_MAX) 121 ic->ic_max_aid = IEEE80211_AID_MAX; 122 #ifndef IEEE80211_STA_ONLY 123 size = howmany(ic->ic_max_aid, 32) * sizeof(u_int32_t); 124 ic->ic_aid_bitmap = malloc(size, M_DEVBUF, M_NOWAIT | M_ZERO); 125 if (ic->ic_aid_bitmap == NULL) { 126 /* XXX no way to recover */ 127 printf("%s: no memory for AID bitmap!\n", __func__); 128 ic->ic_max_aid = 0; 129 } 130 if (ic->ic_caps & (IEEE80211_C_HOSTAP | IEEE80211_C_IBSS)) { 131 ic->ic_tim_len = howmany(ic->ic_max_aid, 8); 132 ic->ic_tim_bitmap = malloc(ic->ic_tim_len, M_DEVBUF, 133 M_NOWAIT | M_ZERO); 134 if (ic->ic_tim_bitmap == NULL) { 135 printf("%s: no memory for TIM bitmap!\n", __func__); 136 ic->ic_tim_len = 0; 137 } else 138 ic->ic_set_tim = ieee80211_set_tim; 139 timeout_set(&ic->ic_rsn_timeout, 140 ieee80211_gtk_rekey_timeout, ic); 141 } 142 #endif 143 } 144 145 struct ieee80211_node * 146 ieee80211_alloc_node_helper(struct ieee80211com *ic) 147 { 148 struct ieee80211_node *ni; 149 if (ic->ic_nnodes >= ic->ic_max_nnodes) 150 ieee80211_clean_nodes(ic); 151 if (ic->ic_nnodes >= ic->ic_max_nnodes) 152 return NULL; 153 ni = (*ic->ic_node_alloc)(ic); 154 if (ni != NULL) 155 ic->ic_nnodes++; 156 return ni; 157 } 158 159 void 160 ieee80211_node_lateattach(struct ifnet *ifp) 161 { 162 struct ieee80211com *ic = (void *)ifp; 163 struct ieee80211_node *ni; 164 165 ni = ieee80211_alloc_node_helper(ic); 166 if (ni == NULL) 167 panic("unable to setup inital BSS node"); 168 ni->ni_chan = IEEE80211_CHAN_ANYC; 169 ic->ic_bss = ieee80211_ref_node(ni); 170 ic->ic_txpower = IEEE80211_TXPOWER_MAX; 171 } 172 173 void 174 ieee80211_node_detach(struct ifnet *ifp) 175 { 176 struct ieee80211com *ic = (void *)ifp; 177 178 if (ic->ic_bss != NULL) { 179 (*ic->ic_node_free)(ic, ic->ic_bss); 180 ic->ic_bss = NULL; 181 } 182 ieee80211_free_allnodes(ic); 183 #ifndef IEEE80211_STA_ONLY 184 if (ic->ic_aid_bitmap != NULL) 185 free(ic->ic_aid_bitmap, M_DEVBUF); 186 if (ic->ic_tim_bitmap != NULL) 187 free(ic->ic_tim_bitmap, M_DEVBUF); 188 #endif 189 timeout_del(&ic->ic_rsn_timeout); 190 } 191 192 /* 193 * AP scanning support. 194 */ 195 196 /* 197 * Initialize the active channel set based on the set 198 * of available channels and the current PHY mode. 199 */ 200 void 201 ieee80211_reset_scan(struct ifnet *ifp) 202 { 203 struct ieee80211com *ic = (void *)ifp; 204 205 memcpy(ic->ic_chan_scan, ic->ic_chan_active, 206 sizeof(ic->ic_chan_active)); 207 /* NB: hack, setup so next_scan starts with the first channel */ 208 if (ic->ic_bss != NULL && ic->ic_bss->ni_chan == IEEE80211_CHAN_ANYC) 209 ic->ic_bss->ni_chan = &ic->ic_channels[IEEE80211_CHAN_MAX]; 210 } 211 212 /* 213 * Begin an active scan. 214 */ 215 void 216 ieee80211_begin_scan(struct ifnet *ifp) 217 { 218 struct ieee80211com *ic = (void *)ifp; 219 220 if (ic->ic_scan_lock & IEEE80211_SCAN_LOCKED) 221 return; 222 ic->ic_scan_lock |= IEEE80211_SCAN_LOCKED; 223 224 /* 225 * In all but hostap mode scanning starts off in 226 * an active mode before switching to passive. 227 */ 228 #ifndef IEEE80211_STA_ONLY 229 if (ic->ic_opmode != IEEE80211_M_HOSTAP) 230 #endif 231 { 232 ic->ic_flags |= IEEE80211_F_ASCAN; 233 ic->ic_stats.is_scan_active++; 234 } 235 #ifndef IEEE80211_STA_ONLY 236 else 237 ic->ic_stats.is_scan_passive++; 238 #endif 239 if (ifp->if_flags & IFF_DEBUG) 240 printf("%s: begin %s scan\n", ifp->if_xname, 241 (ic->ic_flags & IEEE80211_F_ASCAN) ? 242 "active" : "passive"); 243 244 /* 245 * Flush any previously seen AP's. Note that the latter 246 * assumes we don't act as both an AP and a station, 247 * otherwise we'll potentially flush state of stations 248 * associated with us. 249 */ 250 ieee80211_free_allnodes(ic); 251 252 /* 253 * Reset the current mode. Setting the current mode will also 254 * reset scan state. 255 */ 256 if (IFM_MODE(ic->ic_media.ifm_cur->ifm_media) == IFM_AUTO) 257 ic->ic_curmode = IEEE80211_MODE_AUTO; 258 ieee80211_setmode(ic, ic->ic_curmode); 259 260 ic->ic_scan_count = 0; 261 262 /* Scan the next channel. */ 263 ieee80211_next_scan(ifp); 264 } 265 266 /* 267 * Switch to the next channel marked for scanning. 268 */ 269 void 270 ieee80211_next_scan(struct ifnet *ifp) 271 { 272 struct ieee80211com *ic = (void *)ifp; 273 struct ieee80211_channel *chan; 274 275 chan = ic->ic_bss->ni_chan; 276 for (;;) { 277 if (++chan > &ic->ic_channels[IEEE80211_CHAN_MAX]) 278 chan = &ic->ic_channels[0]; 279 if (isset(ic->ic_chan_scan, ieee80211_chan2ieee(ic, chan))) { 280 /* 281 * Ignore channels marked passive-only 282 * during an active scan. 283 */ 284 if ((ic->ic_flags & IEEE80211_F_ASCAN) == 0 || 285 (chan->ic_flags & IEEE80211_CHAN_PASSIVE) == 0) 286 break; 287 } 288 if (chan == ic->ic_bss->ni_chan) { 289 ieee80211_end_scan(ifp); 290 return; 291 } 292 } 293 clrbit(ic->ic_chan_scan, ieee80211_chan2ieee(ic, chan)); 294 DPRINTF(("chan %d->%d\n", 295 ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan), 296 ieee80211_chan2ieee(ic, chan))); 297 ic->ic_bss->ni_chan = chan; 298 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 299 } 300 301 #ifndef IEEE80211_STA_ONLY 302 void 303 ieee80211_create_ibss(struct ieee80211com* ic, struct ieee80211_channel *chan) 304 { 305 struct ieee80211_node *ni; 306 struct ifnet *ifp = &ic->ic_if; 307 308 ni = ic->ic_bss; 309 if (ifp->if_flags & IFF_DEBUG) 310 printf("%s: creating ibss\n", ifp->if_xname); 311 ic->ic_flags |= IEEE80211_F_SIBSS; 312 ni->ni_chan = chan; 313 ni->ni_rates = ic->ic_sup_rates[ieee80211_chan2mode(ic, ni->ni_chan)]; 314 IEEE80211_ADDR_COPY(ni->ni_macaddr, ic->ic_myaddr); 315 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_myaddr); 316 if (ic->ic_opmode == IEEE80211_M_IBSS) { 317 if ((ic->ic_flags & IEEE80211_F_DESBSSID) != 0) 318 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_des_bssid); 319 else 320 ni->ni_bssid[0] |= 0x02; /* local bit for IBSS */ 321 } 322 ni->ni_esslen = ic->ic_des_esslen; 323 memcpy(ni->ni_essid, ic->ic_des_essid, ni->ni_esslen); 324 ni->ni_rssi = 0; 325 ni->ni_rstamp = 0; 326 memset(ni->ni_tstamp, 0, sizeof(ni->ni_tstamp)); 327 ni->ni_intval = ic->ic_lintval; 328 ni->ni_capinfo = IEEE80211_CAPINFO_IBSS; 329 if (ic->ic_flags & IEEE80211_F_WEPON) 330 ni->ni_capinfo |= IEEE80211_CAPINFO_PRIVACY; 331 if (ic->ic_flags & IEEE80211_F_RSNON) { 332 struct ieee80211_key *k; 333 334 /* initialize 256-bit global key counter to a random value */ 335 arc4random_buf(ic->ic_globalcnt, EAPOL_KEY_NONCE_LEN); 336 337 ni->ni_rsnprotos = ic->ic_rsnprotos; 338 ni->ni_rsnakms = ic->ic_rsnakms; 339 ni->ni_rsnciphers = ic->ic_rsnciphers; 340 ni->ni_rsngroupcipher = ic->ic_rsngroupcipher; 341 ni->ni_rsngroupmgmtcipher = ic->ic_rsngroupmgmtcipher; 342 ni->ni_rsncaps = 0; 343 if (ic->ic_caps & IEEE80211_C_MFP) { 344 ni->ni_rsncaps |= IEEE80211_RSNCAP_MFPC; 345 if (ic->ic_flags & IEEE80211_F_MFPR) 346 ni->ni_rsncaps |= IEEE80211_RSNCAP_MFPR; 347 } 348 349 ic->ic_def_txkey = 1; 350 k = &ic->ic_nw_keys[ic->ic_def_txkey]; 351 memset(k, 0, sizeof(*k)); 352 k->k_id = ic->ic_def_txkey; 353 k->k_cipher = ni->ni_rsngroupcipher; 354 k->k_flags = IEEE80211_KEY_GROUP | IEEE80211_KEY_TX; 355 k->k_len = ieee80211_cipher_keylen(k->k_cipher); 356 arc4random_buf(k->k_key, k->k_len); 357 (*ic->ic_set_key)(ic, ni, k); /* XXX */ 358 359 if (ic->ic_caps & IEEE80211_C_MFP) { 360 ic->ic_igtk_kid = 4; 361 k = &ic->ic_nw_keys[ic->ic_igtk_kid]; 362 memset(k, 0, sizeof(*k)); 363 k->k_id = ic->ic_igtk_kid; 364 k->k_cipher = ni->ni_rsngroupmgmtcipher; 365 k->k_flags = IEEE80211_KEY_IGTK | IEEE80211_KEY_TX; 366 k->k_len = 16; 367 arc4random_buf(k->k_key, k->k_len); 368 (*ic->ic_set_key)(ic, ni, k); /* XXX */ 369 } 370 /* 371 * In HostAP mode, multicast traffic is sent using ic_bss 372 * as the Tx node, so mark our node as valid so we can send 373 * multicast frames using the group key we've just configured. 374 */ 375 ni->ni_port_valid = 1; 376 ni->ni_flags |= IEEE80211_NODE_TXPROT; 377 378 /* schedule a GTK/IGTK rekeying after 3600s */ 379 timeout_add_sec(&ic->ic_rsn_timeout, 3600); 380 } 381 ieee80211_new_state(ic, IEEE80211_S_RUN, -1); 382 } 383 #endif /* IEEE80211_STA_ONLY */ 384 385 int 386 ieee80211_match_bss(struct ieee80211com *ic, struct ieee80211_node *ni) 387 { 388 u_int8_t rate; 389 int fail; 390 391 fail = 0; 392 if (isclr(ic->ic_chan_active, ieee80211_chan2ieee(ic, ni->ni_chan))) 393 fail |= 0x01; 394 if (ic->ic_des_chan != IEEE80211_CHAN_ANYC && 395 ni->ni_chan != ic->ic_des_chan) 396 fail |= 0x01; 397 #ifndef IEEE80211_STA_ONLY 398 if (ic->ic_opmode == IEEE80211_M_IBSS) { 399 if ((ni->ni_capinfo & IEEE80211_CAPINFO_IBSS) == 0) 400 fail |= 0x02; 401 } else 402 #endif 403 { 404 if ((ni->ni_capinfo & IEEE80211_CAPINFO_ESS) == 0) 405 fail |= 0x02; 406 } 407 if (ic->ic_flags & (IEEE80211_F_WEPON | IEEE80211_F_RSNON)) { 408 if ((ni->ni_capinfo & IEEE80211_CAPINFO_PRIVACY) == 0) 409 fail |= 0x04; 410 } else { 411 if (ni->ni_capinfo & IEEE80211_CAPINFO_PRIVACY) 412 fail |= 0x04; 413 } 414 415 rate = ieee80211_fix_rate(ic, ni, IEEE80211_F_DONEGO); 416 if (rate & IEEE80211_RATE_BASIC) 417 fail |= 0x08; 418 if (ic->ic_des_esslen != 0 && 419 (ni->ni_esslen != ic->ic_des_esslen || 420 memcmp(ni->ni_essid, ic->ic_des_essid, ic->ic_des_esslen) != 0)) 421 fail |= 0x10; 422 if ((ic->ic_flags & IEEE80211_F_DESBSSID) && 423 !IEEE80211_ADDR_EQ(ic->ic_des_bssid, ni->ni_bssid)) 424 fail |= 0x20; 425 426 if (ic->ic_flags & IEEE80211_F_RSNON) { 427 /* 428 * If at least one RSN IE field from the AP's RSN IE fails 429 * to overlap with any value the STA supports, the STA shall 430 * decline to associate with that AP. 431 */ 432 if ((ni->ni_rsnprotos & ic->ic_rsnprotos) == 0) 433 fail |= 0x40; 434 if ((ni->ni_rsnakms & ic->ic_rsnakms) == 0) 435 fail |= 0x40; 436 if ((ni->ni_rsnakms & ic->ic_rsnakms & 437 ~(IEEE80211_AKM_PSK | IEEE80211_AKM_SHA256_PSK)) == 0) { 438 /* AP only supports PSK AKMPs */ 439 if (!(ic->ic_flags & IEEE80211_F_PSK)) 440 fail |= 0x40; 441 } 442 if (ni->ni_rsngroupcipher != IEEE80211_CIPHER_WEP40 && 443 ni->ni_rsngroupcipher != IEEE80211_CIPHER_TKIP && 444 ni->ni_rsngroupcipher != IEEE80211_CIPHER_CCMP && 445 ni->ni_rsngroupcipher != IEEE80211_CIPHER_WEP104) 446 fail |= 0x40; 447 if ((ni->ni_rsnciphers & ic->ic_rsnciphers) == 0) 448 fail |= 0x40; 449 450 /* we only support BIP as the IGTK cipher */ 451 if ((ni->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 452 ni->ni_rsngroupmgmtcipher != IEEE80211_CIPHER_BIP) 453 fail |= 0x40; 454 455 /* we do not support MFP but AP requires it */ 456 if (!(ic->ic_caps & IEEE80211_C_MFP) && 457 (ni->ni_rsncaps & IEEE80211_RSNCAP_MFPR)) 458 fail |= 0x40; 459 460 /* we require MFP but AP does not support it */ 461 if ((ic->ic_caps & IEEE80211_C_MFP) && 462 (ic->ic_flags & IEEE80211_F_MFPR) && 463 !(ni->ni_rsncaps & IEEE80211_RSNCAP_MFPC)) 464 fail |= 0x40; 465 } 466 467 #ifdef IEEE80211_DEBUG 468 if (ic->ic_if.if_flags & IFF_DEBUG) { 469 printf(" %c %s", fail ? '-' : '+', 470 ether_sprintf(ni->ni_macaddr)); 471 printf(" %s%c", ether_sprintf(ni->ni_bssid), 472 fail & 0x20 ? '!' : ' '); 473 printf(" %3d%c", ieee80211_chan2ieee(ic, ni->ni_chan), 474 fail & 0x01 ? '!' : ' '); 475 printf(" %+4d", ni->ni_rssi); 476 printf(" %2dM%c", (rate & IEEE80211_RATE_VAL) / 2, 477 fail & 0x08 ? '!' : ' '); 478 printf(" %4s%c", 479 (ni->ni_capinfo & IEEE80211_CAPINFO_ESS) ? "ess" : 480 (ni->ni_capinfo & IEEE80211_CAPINFO_IBSS) ? "ibss" : 481 "????", 482 fail & 0x02 ? '!' : ' '); 483 printf(" %7s%c ", 484 (ni->ni_capinfo & IEEE80211_CAPINFO_PRIVACY) ? 485 "privacy" : "no", 486 fail & 0x04 ? '!' : ' '); 487 printf(" %3s%c ", 488 (ic->ic_flags & IEEE80211_F_RSNON) ? 489 "rsn" : "no", 490 fail & 0x40 ? '!' : ' '); 491 ieee80211_print_essid(ni->ni_essid, ni->ni_esslen); 492 printf("%s\n", fail & 0x10 ? "!" : ""); 493 } 494 #endif 495 return fail; 496 } 497 498 /* 499 * Complete a scan of potential channels. 500 */ 501 void 502 ieee80211_end_scan(struct ifnet *ifp) 503 { 504 struct ieee80211com *ic = (void *)ifp; 505 struct ieee80211_node *ni, *nextbs, *selbs; 506 507 if (ifp->if_flags & IFF_DEBUG) 508 printf("%s: end %s scan\n", ifp->if_xname, 509 (ic->ic_flags & IEEE80211_F_ASCAN) ? 510 "active" : "passive"); 511 512 if (ic->ic_scan_count) 513 ic->ic_flags &= ~IEEE80211_F_ASCAN; 514 515 ni = RB_MIN(ieee80211_tree, &ic->ic_tree); 516 517 #ifndef IEEE80211_STA_ONLY 518 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 519 /* XXX off stack? */ 520 u_char occupied[howmany(IEEE80211_CHAN_MAX, NBBY)]; 521 int i, fail; 522 523 /* 524 * The passive scan to look for existing AP's completed, 525 * select a channel to camp on. Identify the channels 526 * that already have one or more AP's and try to locate 527 * an unnoccupied one. If that fails, pick a random 528 * channel from the active set. 529 */ 530 memset(occupied, 0, sizeof(occupied)); 531 RB_FOREACH(ni, ieee80211_tree, &ic->ic_tree) 532 setbit(occupied, ieee80211_chan2ieee(ic, ni->ni_chan)); 533 for (i = 0; i < IEEE80211_CHAN_MAX; i++) 534 if (isset(ic->ic_chan_active, i) && isclr(occupied, i)) 535 break; 536 if (i == IEEE80211_CHAN_MAX) { 537 fail = arc4random() & 3; /* random 0-3 */ 538 for (i = 0; i < IEEE80211_CHAN_MAX; i++) 539 if (isset(ic->ic_chan_active, i) && fail-- == 0) 540 break; 541 } 542 ieee80211_create_ibss(ic, &ic->ic_channels[i]); 543 goto wakeup; 544 } 545 #endif 546 if (ni == NULL) { 547 DPRINTF(("no scan candidate\n")); 548 notfound: 549 550 #ifndef IEEE80211_STA_ONLY 551 if (ic->ic_opmode == IEEE80211_M_IBSS && 552 (ic->ic_flags & IEEE80211_F_IBSSON) && 553 ic->ic_des_esslen != 0) { 554 ieee80211_create_ibss(ic, ic->ic_ibss_chan); 555 goto wakeup; 556 } 557 #endif 558 /* 559 * Scan the next mode if nothing has been found. This 560 * is necessary if the device supports different 561 * incompatible modes in the same channel range, like 562 * like 11b and "pure" 11G mode. This will loop 563 * forever except for user-initiated scans. 564 */ 565 if (ieee80211_next_mode(ifp) == IEEE80211_MODE_AUTO) { 566 if (ic->ic_scan_lock & IEEE80211_SCAN_REQUEST && 567 ic->ic_scan_lock & IEEE80211_SCAN_RESUME) { 568 ic->ic_scan_lock = IEEE80211_SCAN_LOCKED; 569 /* Return from an user-initiated scan */ 570 wakeup(&ic->ic_scan_lock); 571 } else if (ic->ic_scan_lock & IEEE80211_SCAN_REQUEST) 572 goto wakeup; 573 ic->ic_scan_count++; 574 } 575 576 /* 577 * Reset the list of channels to scan and start again. 578 */ 579 ieee80211_next_scan(ifp); 580 return; 581 } 582 selbs = NULL; 583 584 for (; ni != NULL; ni = nextbs) { 585 nextbs = RB_NEXT(ieee80211_tree, &ic->ic_tree, ni); 586 if (ni->ni_fails) { 587 /* 588 * The configuration of the access points may change 589 * during my scan. So delete the entry for the AP 590 * and retry to associate if there is another beacon. 591 */ 592 if (ni->ni_fails++ > 2) 593 ieee80211_free_node(ic, ni); 594 continue; 595 } 596 if (ieee80211_match_bss(ic, ni) == 0) { 597 if (selbs == NULL) 598 selbs = ni; 599 else if (ni->ni_rssi > selbs->ni_rssi) 600 selbs = ni; 601 } 602 } 603 if (selbs == NULL) 604 goto notfound; 605 (*ic->ic_node_copy)(ic, ic->ic_bss, selbs); 606 ni = ic->ic_bss; 607 608 /* 609 * Set the erp state (mostly the slot time) to deal with 610 * the auto-select case; this should be redundant if the 611 * mode is locked. 612 */ 613 ic->ic_curmode = ieee80211_chan2mode(ic, ni->ni_chan); 614 ieee80211_reset_erp(ic); 615 616 if (ic->ic_flags & IEEE80211_F_RSNON) 617 ieee80211_choose_rsnparams(ic); 618 else if (ic->ic_flags & IEEE80211_F_WEPON) 619 ni->ni_rsncipher = IEEE80211_CIPHER_USEGROUP; 620 621 ieee80211_node_newstate(selbs, IEEE80211_STA_BSS); 622 #ifndef IEEE80211_STA_ONLY 623 if (ic->ic_opmode == IEEE80211_M_IBSS) { 624 ieee80211_fix_rate(ic, ni, IEEE80211_F_DOFRATE | 625 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 626 if (ni->ni_rates.rs_nrates == 0) 627 goto notfound; 628 ieee80211_new_state(ic, IEEE80211_S_RUN, -1); 629 } else 630 #endif 631 ieee80211_new_state(ic, IEEE80211_S_AUTH, -1); 632 633 wakeup: 634 if (ic->ic_scan_lock & IEEE80211_SCAN_REQUEST) { 635 /* Return from an user-initiated scan */ 636 wakeup(&ic->ic_scan_lock); 637 } 638 639 ic->ic_scan_lock = IEEE80211_SCAN_UNLOCKED; 640 } 641 642 /* 643 * Autoselect the best RSN parameters (protocol, AKMP, pairwise cipher...) 644 * that are supported by both peers (STA mode only). 645 */ 646 void 647 ieee80211_choose_rsnparams(struct ieee80211com *ic) 648 { 649 struct ieee80211_node *ni = ic->ic_bss; 650 struct ieee80211_pmk *pmk; 651 652 /* filter out unsupported protocol versions */ 653 ni->ni_rsnprotos &= ic->ic_rsnprotos; 654 /* prefer RSN (aka WPA2) over WPA */ 655 if (ni->ni_rsnprotos & IEEE80211_PROTO_RSN) 656 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 657 else 658 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 659 660 /* filter out unsupported AKMPs */ 661 ni->ni_rsnakms &= ic->ic_rsnakms; 662 /* prefer SHA-256 based AKMPs */ 663 if ((ic->ic_flags & IEEE80211_F_PSK) && (ni->ni_rsnakms & 664 (IEEE80211_AKM_PSK | IEEE80211_AKM_SHA256_PSK))) { 665 /* AP supports PSK AKMP and a PSK is configured */ 666 if (ni->ni_rsnakms & IEEE80211_AKM_SHA256_PSK) 667 ni->ni_rsnakms = IEEE80211_AKM_SHA256_PSK; 668 else 669 ni->ni_rsnakms = IEEE80211_AKM_PSK; 670 } else { 671 if (ni->ni_rsnakms & IEEE80211_AKM_SHA256_8021X) 672 ni->ni_rsnakms = IEEE80211_AKM_SHA256_8021X; 673 else 674 ni->ni_rsnakms = IEEE80211_AKM_8021X; 675 /* check if we have a cached PMK for this AP */ 676 if (ni->ni_rsnprotos == IEEE80211_PROTO_RSN && 677 (pmk = ieee80211_pmksa_find(ic, ni, NULL)) != NULL) { 678 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 679 IEEE80211_PMKID_LEN); 680 ni->ni_flags |= IEEE80211_NODE_PMKID; 681 } 682 } 683 684 /* filter out unsupported pairwise ciphers */ 685 ni->ni_rsnciphers &= ic->ic_rsnciphers; 686 /* prefer CCMP over TKIP */ 687 if (ni->ni_rsnciphers & IEEE80211_CIPHER_CCMP) 688 ni->ni_rsnciphers = IEEE80211_CIPHER_CCMP; 689 else 690 ni->ni_rsnciphers = IEEE80211_CIPHER_TKIP; 691 ni->ni_rsncipher = ni->ni_rsnciphers; 692 693 /* use MFP if we both support it */ 694 if ((ic->ic_caps & IEEE80211_C_MFP) && 695 (ni->ni_rsncaps & IEEE80211_RSNCAP_MFPC)) 696 ni->ni_flags |= IEEE80211_NODE_MFP; 697 } 698 699 int 700 ieee80211_get_rate(struct ieee80211com *ic) 701 { 702 u_int8_t (*rates)[IEEE80211_RATE_MAXSIZE]; 703 int rate; 704 705 rates = &ic->ic_bss->ni_rates.rs_rates; 706 707 if (ic->ic_fixed_rate != -1) 708 rate = (*rates)[ic->ic_fixed_rate]; 709 else if (ic->ic_state == IEEE80211_S_RUN) 710 rate = (*rates)[ic->ic_bss->ni_txrate]; 711 else 712 rate = 0; 713 714 return rate & IEEE80211_RATE_VAL; 715 } 716 717 struct ieee80211_node * 718 ieee80211_node_alloc(struct ieee80211com *ic) 719 { 720 return malloc(sizeof(struct ieee80211_node), M_80211_NODE, 721 M_NOWAIT | M_ZERO); 722 } 723 724 void 725 ieee80211_node_cleanup(struct ieee80211com *ic, struct ieee80211_node *ni) 726 { 727 if (ni->ni_rsnie != NULL) { 728 free(ni->ni_rsnie, M_DEVBUF); 729 ni->ni_rsnie = NULL; 730 } 731 } 732 733 void 734 ieee80211_node_free(struct ieee80211com *ic, struct ieee80211_node *ni) 735 { 736 ieee80211_node_cleanup(ic, ni); 737 free(ni, M_80211_NODE); 738 } 739 740 void 741 ieee80211_node_copy(struct ieee80211com *ic, 742 struct ieee80211_node *dst, const struct ieee80211_node *src) 743 { 744 ieee80211_node_cleanup(ic, dst); 745 *dst = *src; 746 dst->ni_rsnie = NULL; 747 if (src->ni_rsnie != NULL) 748 ieee80211_save_ie(src->ni_rsnie, &dst->ni_rsnie); 749 } 750 751 u_int8_t 752 ieee80211_node_getrssi(struct ieee80211com *ic, 753 const struct ieee80211_node *ni) 754 { 755 return ni->ni_rssi; 756 } 757 758 void 759 ieee80211_setup_node(struct ieee80211com *ic, 760 struct ieee80211_node *ni, const u_int8_t *macaddr) 761 { 762 int s; 763 764 DPRINTF(("%s\n", ether_sprintf((u_int8_t *)macaddr))); 765 IEEE80211_ADDR_COPY(ni->ni_macaddr, macaddr); 766 ieee80211_node_newstate(ni, IEEE80211_STA_CACHE); 767 768 ni->ni_ic = ic; /* back-pointer */ 769 #ifndef IEEE80211_STA_ONLY 770 IFQ_SET_MAXLEN(&ni->ni_savedq, IEEE80211_PS_MAX_QUEUE); 771 timeout_set(&ni->ni_eapol_to, ieee80211_eapol_timeout, ni); 772 timeout_set(&ni->ni_sa_query_to, ieee80211_sa_query_timeout, ni); 773 #endif 774 775 /* 776 * Note we don't enable the inactive timer when acting 777 * as a station. Nodes created in this mode represent 778 * AP's identified while scanning. If we time them out 779 * then several things happen: we can't return the data 780 * to users to show the list of AP's we encountered, and 781 * more importantly, we'll incorrectly deauthenticate 782 * ourself because the inactivity timer will kick us off. 783 */ 784 s = splnet(); 785 if (ic->ic_opmode != IEEE80211_M_STA && 786 RB_EMPTY(&ic->ic_tree)) 787 ic->ic_inact_timer = IEEE80211_INACT_WAIT; 788 RB_INSERT(ieee80211_tree, &ic->ic_tree, ni); 789 splx(s); 790 } 791 792 struct ieee80211_node * 793 ieee80211_alloc_node(struct ieee80211com *ic, const u_int8_t *macaddr) 794 { 795 struct ieee80211_node *ni = ieee80211_alloc_node_helper(ic); 796 if (ni != NULL) 797 ieee80211_setup_node(ic, ni, macaddr); 798 else 799 ic->ic_stats.is_rx_nodealloc++; 800 return ni; 801 } 802 803 struct ieee80211_node * 804 ieee80211_dup_bss(struct ieee80211com *ic, const u_int8_t *macaddr) 805 { 806 struct ieee80211_node *ni = ieee80211_alloc_node_helper(ic); 807 if (ni != NULL) { 808 ieee80211_setup_node(ic, ni, macaddr); 809 /* 810 * Inherit from ic_bss. 811 */ 812 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_bss->ni_bssid); 813 ni->ni_chan = ic->ic_bss->ni_chan; 814 } else 815 ic->ic_stats.is_rx_nodealloc++; 816 return ni; 817 } 818 819 struct ieee80211_node * 820 ieee80211_find_node(struct ieee80211com *ic, const u_int8_t *macaddr) 821 { 822 struct ieee80211_node *ni; 823 int cmp; 824 825 /* similar to RB_FIND except we compare keys, not nodes */ 826 ni = RB_ROOT(&ic->ic_tree); 827 while (ni != NULL) { 828 cmp = memcmp(macaddr, ni->ni_macaddr, IEEE80211_ADDR_LEN); 829 if (cmp < 0) 830 ni = RB_LEFT(ni, ni_node); 831 else if (cmp > 0) 832 ni = RB_RIGHT(ni, ni_node); 833 else 834 break; 835 } 836 return ni; 837 } 838 839 /* 840 * Return a reference to the appropriate node for sending 841 * a data frame. This handles node discovery in adhoc networks. 842 * 843 * Drivers will call this, so increase the reference count before 844 * returning the node. 845 */ 846 struct ieee80211_node * 847 ieee80211_find_txnode(struct ieee80211com *ic, const u_int8_t *macaddr) 848 { 849 #ifndef IEEE80211_STA_ONLY 850 struct ieee80211_node *ni; 851 int s; 852 #endif 853 854 /* 855 * The destination address should be in the node table 856 * unless we are operating in station mode or this is a 857 * multicast/broadcast frame. 858 */ 859 if (ic->ic_opmode == IEEE80211_M_STA || IEEE80211_IS_MULTICAST(macaddr)) 860 return ieee80211_ref_node(ic->ic_bss); 861 862 #ifndef IEEE80211_STA_ONLY 863 s = splnet(); 864 ni = ieee80211_find_node(ic, macaddr); 865 splx(s); 866 if (ni == NULL) { 867 if (ic->ic_opmode != IEEE80211_M_IBSS && 868 ic->ic_opmode != IEEE80211_M_AHDEMO) 869 return NULL; 870 871 /* 872 * Fake up a node; this handles node discovery in 873 * adhoc mode. Note that for the driver's benefit 874 * we we treat this like an association so the driver 875 * has an opportunity to setup its private state. 876 * 877 * XXX need better way to handle this; issue probe 878 * request so we can deduce rate set, etc. 879 */ 880 if ((ni = ieee80211_dup_bss(ic, macaddr)) == NULL) 881 return NULL; 882 /* XXX no rate negotiation; just dup */ 883 ni->ni_rates = ic->ic_bss->ni_rates; 884 if (ic->ic_newassoc) 885 (*ic->ic_newassoc)(ic, ni, 1); 886 } 887 return ieee80211_ref_node(ni); 888 #else 889 return NULL; /* can't get there */ 890 #endif /* IEEE80211_STA_ONLY */ 891 } 892 893 /* 894 * It is usually desirable to process a Rx packet using its sender's 895 * node-record instead of the BSS record. 896 * 897 * - AP mode: keep a node-record for every authenticated/associated 898 * station *in the BSS*. For future use, we also track neighboring 899 * APs, since they might belong to the same ESS. APs in the same 900 * ESS may bridge packets to each other, forming a Wireless 901 * Distribution System (WDS). 902 * 903 * - IBSS mode: keep a node-record for every station *in the BSS*. 904 * Also track neighboring stations by their beacons/probe responses. 905 * 906 * - monitor mode: keep a node-record for every sender, regardless 907 * of BSS. 908 * 909 * - STA mode: the only available node-record is the BSS record, 910 * ic->ic_bss. 911 * 912 * Of all the 802.11 Control packets, only the node-records for 913 * RTS packets node-record can be looked up. 914 * 915 * Return non-zero if the packet's node-record is kept, zero 916 * otherwise. 917 */ 918 static __inline int 919 ieee80211_needs_rxnode(struct ieee80211com *ic, 920 const struct ieee80211_frame *wh, const u_int8_t **bssid) 921 { 922 int monitor, rc = 0; 923 924 monitor = (ic->ic_opmode == IEEE80211_M_MONITOR); 925 926 *bssid = NULL; 927 928 switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) { 929 case IEEE80211_FC0_TYPE_CTL: 930 if (!monitor) 931 break; 932 return (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == 933 IEEE80211_FC0_SUBTYPE_RTS; 934 case IEEE80211_FC0_TYPE_MGT: 935 *bssid = wh->i_addr3; 936 switch (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) { 937 case IEEE80211_FC0_SUBTYPE_BEACON: 938 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 939 break; 940 default: 941 #ifndef IEEE80211_STA_ONLY 942 if (ic->ic_opmode == IEEE80211_M_STA) 943 break; 944 rc = IEEE80211_ADDR_EQ(*bssid, ic->ic_bss->ni_bssid) || 945 IEEE80211_ADDR_EQ(*bssid, etherbroadcastaddr); 946 #endif 947 break; 948 } 949 break; 950 case IEEE80211_FC0_TYPE_DATA: 951 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 952 case IEEE80211_FC1_DIR_NODS: 953 *bssid = wh->i_addr3; 954 #ifndef IEEE80211_STA_ONLY 955 if (ic->ic_opmode == IEEE80211_M_IBSS || 956 ic->ic_opmode == IEEE80211_M_AHDEMO) 957 rc = IEEE80211_ADDR_EQ(*bssid, 958 ic->ic_bss->ni_bssid); 959 #endif 960 break; 961 case IEEE80211_FC1_DIR_TODS: 962 *bssid = wh->i_addr1; 963 #ifndef IEEE80211_STA_ONLY 964 if (ic->ic_opmode == IEEE80211_M_HOSTAP) 965 rc = IEEE80211_ADDR_EQ(*bssid, 966 ic->ic_bss->ni_bssid); 967 #endif 968 break; 969 case IEEE80211_FC1_DIR_FROMDS: 970 case IEEE80211_FC1_DIR_DSTODS: 971 *bssid = wh->i_addr2; 972 #ifndef IEEE80211_STA_ONLY 973 rc = (ic->ic_opmode == IEEE80211_M_HOSTAP); 974 #endif 975 break; 976 } 977 break; 978 } 979 return monitor || rc; 980 } 981 982 /* 983 * Drivers call this, so increase the reference count before returning 984 * the node. 985 */ 986 struct ieee80211_node * 987 ieee80211_find_rxnode(struct ieee80211com *ic, 988 const struct ieee80211_frame *wh) 989 { 990 static const u_int8_t zero[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 991 struct ieee80211_node *ni; 992 const u_int8_t *bssid; 993 int s; 994 995 if (!ieee80211_needs_rxnode(ic, wh, &bssid)) 996 return ieee80211_ref_node(ic->ic_bss); 997 998 s = splnet(); 999 ni = ieee80211_find_node(ic, wh->i_addr2); 1000 splx(s); 1001 1002 if (ni != NULL) 1003 return ieee80211_ref_node(ni); 1004 #ifndef IEEE80211_STA_ONLY 1005 if (ic->ic_opmode == IEEE80211_M_HOSTAP) 1006 return ieee80211_ref_node(ic->ic_bss); 1007 #endif 1008 /* XXX see remarks in ieee80211_find_txnode */ 1009 /* XXX no rate negotiation; just dup */ 1010 if ((ni = ieee80211_dup_bss(ic, wh->i_addr2)) == NULL) 1011 return ieee80211_ref_node(ic->ic_bss); 1012 1013 IEEE80211_ADDR_COPY(ni->ni_bssid, (bssid != NULL) ? bssid : zero); 1014 1015 ni->ni_rates = ic->ic_bss->ni_rates; 1016 if (ic->ic_newassoc) 1017 (*ic->ic_newassoc)(ic, ni, 1); 1018 1019 DPRINTF(("faked-up node %p for %s\n", ni, 1020 ether_sprintf((u_int8_t *)wh->i_addr2))); 1021 1022 return ieee80211_ref_node(ni); 1023 } 1024 1025 struct ieee80211_node * 1026 ieee80211_find_node_for_beacon(struct ieee80211com *ic, 1027 const u_int8_t *macaddr, const struct ieee80211_channel *chan, 1028 const char *ssid, u_int8_t rssi) 1029 { 1030 struct ieee80211_node *ni, *keep = NULL; 1031 int s, score = 0; 1032 1033 if ((ni = ieee80211_find_node(ic, macaddr)) != NULL) { 1034 s = splnet(); 1035 1036 if (ni->ni_chan != chan && ni->ni_rssi >= rssi) 1037 score++; 1038 if (ssid[1] == 0 && ni->ni_esslen != 0) 1039 score++; 1040 if (score > 0) 1041 keep = ni; 1042 1043 splx(s); 1044 } 1045 1046 return (keep); 1047 } 1048 1049 void 1050 ieee80211_free_node(struct ieee80211com *ic, struct ieee80211_node *ni) 1051 { 1052 if (ni == ic->ic_bss) 1053 panic("freeing bss node"); 1054 1055 DPRINTF(("%s\n", ether_sprintf(ni->ni_macaddr))); 1056 #ifndef IEEE80211_STA_ONLY 1057 timeout_del(&ni->ni_eapol_to); 1058 timeout_del(&ni->ni_sa_query_to); 1059 IEEE80211_AID_CLR(ni->ni_associd, ic->ic_aid_bitmap); 1060 #endif 1061 RB_REMOVE(ieee80211_tree, &ic->ic_tree, ni); 1062 ic->ic_nnodes--; 1063 #ifndef IEEE80211_STA_ONLY 1064 if (!IF_IS_EMPTY(&ni->ni_savedq)) { 1065 IF_PURGE(&ni->ni_savedq); 1066 if (ic->ic_set_tim != NULL) 1067 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 1068 } 1069 #endif 1070 if (RB_EMPTY(&ic->ic_tree)) 1071 ic->ic_inact_timer = 0; 1072 (*ic->ic_node_free)(ic, ni); 1073 /* TBD indicate to drivers that a new node can be allocated */ 1074 } 1075 1076 void 1077 ieee80211_release_node(struct ieee80211com *ic, struct ieee80211_node *ni) 1078 { 1079 int s; 1080 1081 DPRINTF(("%s refcnt %d\n", ether_sprintf(ni->ni_macaddr), 1082 ni->ni_refcnt)); 1083 if (ieee80211_node_decref(ni) == 0 && 1084 ni->ni_state == IEEE80211_STA_COLLECT) { 1085 s = splnet(); 1086 ieee80211_free_node(ic, ni); 1087 splx(s); 1088 } 1089 } 1090 1091 void 1092 ieee80211_free_allnodes(struct ieee80211com *ic) 1093 { 1094 struct ieee80211_node *ni; 1095 int s; 1096 1097 DPRINTF(("freeing all nodes\n")); 1098 s = splnet(); 1099 while ((ni = RB_MIN(ieee80211_tree, &ic->ic_tree)) != NULL) 1100 ieee80211_free_node(ic, ni); 1101 splx(s); 1102 1103 if (ic->ic_bss != NULL) 1104 ieee80211_node_cleanup(ic, ic->ic_bss); /* for station mode */ 1105 } 1106 1107 /* 1108 * Timeout inactive nodes. 1109 */ 1110 void 1111 ieee80211_clean_nodes(struct ieee80211com *ic) 1112 { 1113 struct ieee80211_node *ni, *next_ni; 1114 u_int gen = ic->ic_scangen++; /* NB: ok 'cuz single-threaded*/ 1115 int s; 1116 1117 s = splnet(); 1118 for (ni = RB_MIN(ieee80211_tree, &ic->ic_tree); 1119 ni != NULL; ni = next_ni) { 1120 next_ni = RB_NEXT(ieee80211_tree, &ic->ic_tree, ni); 1121 if (ic->ic_nnodes < ic->ic_max_nnodes) 1122 break; 1123 if (ni->ni_scangen == gen) /* previously handled */ 1124 continue; 1125 ni->ni_scangen = gen; 1126 if (ni->ni_refcnt > 0) 1127 continue; 1128 DPRINTF(("station %s purged from LRU cache\n", 1129 ether_sprintf(ni->ni_macaddr))); 1130 /* 1131 * Send a deauthenticate frame. 1132 */ 1133 #ifndef IEEE80211_STA_ONLY 1134 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1135 splx(s); 1136 IEEE80211_SEND_MGMT(ic, ni, 1137 IEEE80211_FC0_SUBTYPE_DEAUTH, 1138 IEEE80211_REASON_AUTH_EXPIRE); 1139 s = splnet(); 1140 ieee80211_node_leave(ic, ni); 1141 } else 1142 #endif 1143 ieee80211_free_node(ic, ni); 1144 ic->ic_stats.is_node_timeout++; 1145 } 1146 splx(s); 1147 } 1148 1149 void 1150 ieee80211_iterate_nodes(struct ieee80211com *ic, ieee80211_iter_func *f, 1151 void *arg) 1152 { 1153 struct ieee80211_node *ni; 1154 int s; 1155 1156 s = splnet(); 1157 RB_FOREACH(ni, ieee80211_tree, &ic->ic_tree) 1158 (*f)(arg, ni); 1159 splx(s); 1160 } 1161 1162 /* 1163 * Install received rate set information in the node's state block. 1164 */ 1165 int 1166 ieee80211_setup_rates(struct ieee80211com *ic, struct ieee80211_node *ni, 1167 const u_int8_t *rates, const u_int8_t *xrates, int flags) 1168 { 1169 struct ieee80211_rateset *rs = &ni->ni_rates; 1170 1171 memset(rs, 0, sizeof(*rs)); 1172 rs->rs_nrates = rates[1]; 1173 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 1174 if (xrates != NULL) { 1175 u_int8_t nxrates; 1176 /* 1177 * Tack on 11g extended supported rate element. 1178 */ 1179 nxrates = xrates[1]; 1180 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 1181 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 1182 DPRINTF(("extended rate set too large; " 1183 "only using %u of %u rates\n", 1184 nxrates, xrates[1])); 1185 ic->ic_stats.is_rx_rstoobig++; 1186 } 1187 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 1188 rs->rs_nrates += nxrates; 1189 } 1190 return ieee80211_fix_rate(ic, ni, flags); 1191 } 1192 1193 #ifndef IEEE80211_STA_ONLY 1194 /* 1195 * Check if the specified node supports ERP. 1196 */ 1197 int 1198 ieee80211_iserp_sta(const struct ieee80211_node *ni) 1199 { 1200 #define N(a) (sizeof (a) / sizeof (a)[0]) 1201 static const u_int8_t rates[] = { 2, 4, 11, 22, 12, 24, 48 }; 1202 const struct ieee80211_rateset *rs = &ni->ni_rates; 1203 int i, j; 1204 1205 /* 1206 * A STA supports ERP operation if it includes all the Clause 19 1207 * mandatory rates in its supported rate set. 1208 */ 1209 for (i = 0; i < N(rates); i++) { 1210 for (j = 0; j < rs->rs_nrates; j++) { 1211 if ((rs->rs_rates[j] & IEEE80211_RATE_VAL) == rates[i]) 1212 break; 1213 } 1214 if (j == rs->rs_nrates) 1215 return 0; 1216 } 1217 return 1; 1218 #undef N 1219 } 1220 1221 /* 1222 * This function is called to notify the 802.1X PACP machine that a new 1223 * 802.1X port is enabled and must be authenticated. For 802.11, a port 1224 * becomes enabled whenever a STA successfully completes Open System 1225 * authentication with an AP. 1226 */ 1227 void 1228 ieee80211_needs_auth(struct ieee80211com *ic, struct ieee80211_node *ni) 1229 { 1230 /* 1231 * XXX this could be done via the route socket of via a dedicated 1232 * EAP socket or another kernel->userland notification mechanism. 1233 * The notification should include the MAC address (ni_macaddr). 1234 */ 1235 } 1236 1237 #ifndef IEEE80211_NO_HT 1238 /* 1239 * Handle an HT STA joining an HT network. 1240 */ 1241 void 1242 ieee80211_node_join_ht(struct ieee80211com *ic, struct ieee80211_node *ni) 1243 { 1244 /* TBD */ 1245 } 1246 #endif /* !IEEE80211_NO_HT */ 1247 1248 /* 1249 * Handle a station joining an RSN network. 1250 */ 1251 void 1252 ieee80211_node_join_rsn(struct ieee80211com *ic, struct ieee80211_node *ni) 1253 { 1254 DPRINTF(("station %s associated using proto %d akm 0x%x " 1255 "cipher 0x%x groupcipher 0x%x\n", ether_sprintf(ni->ni_macaddr), 1256 ni->ni_rsnprotos, ni->ni_rsnakms, ni->ni_rsnciphers, 1257 ni->ni_rsngroupcipher)); 1258 1259 ni->ni_rsn_state = RSNA_AUTHENTICATION; 1260 ic->ic_rsnsta++; 1261 1262 ni->ni_key_count = 0; 1263 ni->ni_port_valid = 0; 1264 ni->ni_flags &= ~IEEE80211_NODE_TXRXPROT; 1265 ni->ni_replaycnt = -1; /* XXX */ 1266 ni->ni_rsn_retries = 0; 1267 ni->ni_rsncipher = ni->ni_rsnciphers; 1268 1269 ni->ni_rsn_state = RSNA_AUTHENTICATION_2; 1270 1271 /* generate a new authenticator nonce (ANonce) */ 1272 arc4random_buf(ni->ni_nonce, EAPOL_KEY_NONCE_LEN); 1273 1274 if (!ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 1275 memcpy(ni->ni_pmk, ic->ic_psk, IEEE80211_PMK_LEN); 1276 ni->ni_flags |= IEEE80211_NODE_PMK; 1277 (void)ieee80211_send_4way_msg1(ic, ni); 1278 } else if (ni->ni_flags & IEEE80211_NODE_PMK) { 1279 /* skip 802.1X auth if a cached PMK was found */ 1280 (void)ieee80211_send_4way_msg1(ic, ni); 1281 } else { 1282 /* no cached PMK found, needs full 802.1X auth */ 1283 ieee80211_needs_auth(ic, ni); 1284 } 1285 } 1286 1287 /* 1288 * Handle a station joining an 11g network. 1289 */ 1290 void 1291 ieee80211_node_join_11g(struct ieee80211com *ic, struct ieee80211_node *ni) 1292 { 1293 if (!(ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 1294 /* 1295 * Joining STA doesn't support short slot time. We must 1296 * disable the use of short slot time for all other associated 1297 * STAs and give the driver a chance to reconfigure the 1298 * hardware. 1299 */ 1300 if (++ic->ic_longslotsta == 1) { 1301 if (ic->ic_caps & IEEE80211_C_SHSLOT) 1302 ieee80211_set_shortslottime(ic, 0); 1303 } 1304 DPRINTF(("[%s] station needs long slot time, count %d\n", 1305 ether_sprintf(ni->ni_macaddr), ic->ic_longslotsta)); 1306 } 1307 1308 if (!ieee80211_iserp_sta(ni)) { 1309 /* 1310 * Joining STA is non-ERP. 1311 */ 1312 ic->ic_nonerpsta++; 1313 1314 DPRINTF(("[%s] station is non-ERP, %d non-ERP " 1315 "stations associated\n", ether_sprintf(ni->ni_macaddr), 1316 ic->ic_nonerpsta)); 1317 1318 /* must enable the use of protection */ 1319 if (ic->ic_protmode != IEEE80211_PROT_NONE) { 1320 DPRINTF(("enable use of protection\n")); 1321 ic->ic_flags |= IEEE80211_F_USEPROT; 1322 } 1323 1324 if (!(ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 1325 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 1326 } else 1327 ni->ni_flags |= IEEE80211_NODE_ERP; 1328 } 1329 1330 void 1331 ieee80211_node_join(struct ieee80211com *ic, struct ieee80211_node *ni, 1332 int resp) 1333 { 1334 int newassoc; 1335 1336 if (ni->ni_associd == 0) { 1337 u_int16_t aid; 1338 1339 /* 1340 * It would be clever to search the bitmap 1341 * more efficiently, but this will do for now. 1342 */ 1343 for (aid = 1; aid < ic->ic_max_aid; aid++) { 1344 if (!IEEE80211_AID_ISSET(aid, 1345 ic->ic_aid_bitmap)) 1346 break; 1347 } 1348 if (aid >= ic->ic_max_aid) { 1349 IEEE80211_SEND_MGMT(ic, ni, resp, 1350 IEEE80211_REASON_ASSOC_TOOMANY); 1351 ieee80211_node_leave(ic, ni); 1352 return; 1353 } 1354 ni->ni_associd = aid | 0xc000; 1355 IEEE80211_AID_SET(ni->ni_associd, ic->ic_aid_bitmap); 1356 newassoc = 1; 1357 if (ic->ic_curmode == IEEE80211_MODE_11G) 1358 ieee80211_node_join_11g(ic, ni); 1359 } else 1360 newassoc = 0; 1361 1362 DPRINTF(("station %s %s associated at aid %d\n", 1363 ether_sprintf(ni->ni_macaddr), newassoc ? "newly" : "already", 1364 ni->ni_associd & ~0xc000)); 1365 1366 /* give driver a chance to setup state like ni_txrate */ 1367 if (ic->ic_newassoc) 1368 (*ic->ic_newassoc)(ic, ni, newassoc); 1369 IEEE80211_SEND_MGMT(ic, ni, resp, IEEE80211_STATUS_SUCCESS); 1370 ieee80211_node_newstate(ni, IEEE80211_STA_ASSOC); 1371 1372 if (!(ic->ic_flags & IEEE80211_F_RSNON)) { 1373 ni->ni_port_valid = 1; 1374 ni->ni_rsncipher = IEEE80211_CIPHER_USEGROUP; 1375 } else 1376 ieee80211_node_join_rsn(ic, ni); 1377 1378 #ifndef IEEE80211_NO_HT 1379 if (ni->ni_flags & IEEE80211_NODE_HT) 1380 ieee80211_node_join_ht(ic, ni); 1381 #endif 1382 1383 #if NBRIDGE > 0 1384 /* 1385 * If the parent interface belongs to a bridge, learn 1386 * the node's address dynamically on this interface. 1387 */ 1388 if (ic->ic_if.if_bridge != NULL) 1389 bridge_update(&ic->ic_if, 1390 (struct ether_addr *)ni->ni_macaddr, 0); 1391 #endif 1392 } 1393 1394 #ifndef IEEE80211_NO_HT 1395 /* 1396 * Handle an HT STA leaving an HT network. 1397 */ 1398 void 1399 ieee80211_node_leave_ht(struct ieee80211com *ic, struct ieee80211_node *ni) 1400 { 1401 struct ieee80211_rx_ba *ba; 1402 u_int8_t tid; 1403 int i; 1404 1405 /* free all Block Ack records */ 1406 for (tid = 0; tid < IEEE80211_NUM_TID; tid++) { 1407 ba = &ni->ni_rx_ba[tid]; 1408 if (ba->ba_buf != NULL) { 1409 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 1410 if (ba->ba_buf[i].m != NULL) 1411 m_freem(ba->ba_buf[i].m); 1412 free(ba->ba_buf, M_DEVBUF); 1413 ba->ba_buf = NULL; 1414 } 1415 } 1416 } 1417 #endif /* !IEEE80211_NO_HT */ 1418 1419 /* 1420 * Handle a station leaving an RSN network. 1421 */ 1422 void 1423 ieee80211_node_leave_rsn(struct ieee80211com *ic, struct ieee80211_node *ni) 1424 { 1425 ni->ni_rsn_state = RSNA_DISCONNECTED; 1426 ic->ic_rsnsta--; 1427 1428 ni->ni_rsn_state = RSNA_INITIALIZE; 1429 if ((ni->ni_flags & IEEE80211_NODE_REKEY) && 1430 --ic->ic_rsn_keydonesta == 0) 1431 ieee80211_setkeysdone(ic); 1432 ni->ni_flags &= ~IEEE80211_NODE_REKEY; 1433 1434 ni->ni_flags &= ~IEEE80211_NODE_PMK; 1435 ni->ni_rsn_gstate = RSNA_IDLE; 1436 1437 timeout_del(&ni->ni_eapol_to); 1438 timeout_del(&ni->ni_sa_query_to); 1439 1440 ni->ni_rsn_retries = 0; 1441 ni->ni_flags &= ~IEEE80211_NODE_TXRXPROT; 1442 ni->ni_port_valid = 0; 1443 (*ic->ic_delete_key)(ic, ni, &ni->ni_pairwise_key); 1444 } 1445 1446 /* 1447 * Handle a station leaving an 11g network. 1448 */ 1449 void 1450 ieee80211_node_leave_11g(struct ieee80211com *ic, struct ieee80211_node *ni) 1451 { 1452 if (!(ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)) { 1453 #ifdef DIAGNOSTIC 1454 if (ic->ic_longslotsta == 0) { 1455 panic("bogus long slot station count %d", 1456 ic->ic_longslotsta); 1457 } 1458 #endif 1459 /* leaving STA did not support short slot time */ 1460 if (--ic->ic_longslotsta == 0) { 1461 /* 1462 * All associated STAs now support short slot time, so 1463 * enable this feature and give the driver a chance to 1464 * reconfigure the hardware. Notice that IBSS always 1465 * use a long slot time. 1466 */ 1467 if ((ic->ic_caps & IEEE80211_C_SHSLOT) && 1468 ic->ic_opmode != IEEE80211_M_IBSS) 1469 ieee80211_set_shortslottime(ic, 1); 1470 } 1471 DPRINTF(("[%s] long slot time station leaves, count %d\n", 1472 ether_sprintf(ni->ni_macaddr), ic->ic_longslotsta)); 1473 } 1474 1475 if (!(ni->ni_flags & IEEE80211_NODE_ERP)) { 1476 #ifdef DIAGNOSTIC 1477 if (ic->ic_nonerpsta == 0) { 1478 panic("bogus non-ERP station count %d", 1479 ic->ic_nonerpsta); 1480 } 1481 #endif 1482 /* leaving STA was non-ERP */ 1483 if (--ic->ic_nonerpsta == 0) { 1484 /* 1485 * All associated STAs are now ERP capable, disable use 1486 * of protection and re-enable short preamble support. 1487 */ 1488 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1489 if (ic->ic_caps & IEEE80211_C_SHPREAMBLE) 1490 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 1491 } 1492 DPRINTF(("[%s] non-ERP station leaves, count %d\n", 1493 ether_sprintf(ni->ni_macaddr), ic->ic_nonerpsta)); 1494 } 1495 } 1496 1497 /* 1498 * Handle bookkeeping for station deauthentication/disassociation 1499 * when operating as an ap. 1500 */ 1501 void 1502 ieee80211_node_leave(struct ieee80211com *ic, struct ieee80211_node *ni) 1503 { 1504 if (ic->ic_opmode != IEEE80211_M_HOSTAP) 1505 panic("not in ap mode, mode %u", ic->ic_opmode); 1506 /* 1507 * If node wasn't previously associated all we need to do is 1508 * reclaim the reference. 1509 */ 1510 if (ni->ni_associd == 0) 1511 return; 1512 1513 if (ni->ni_pwrsave == IEEE80211_PS_DOZE) 1514 ic->ic_pssta--; 1515 1516 if (ic->ic_flags & IEEE80211_F_RSNON) 1517 ieee80211_node_leave_rsn(ic, ni); 1518 1519 if (ic->ic_curmode == IEEE80211_MODE_11G) 1520 ieee80211_node_leave_11g(ic, ni); 1521 1522 #ifndef IEEE80211_NO_HT 1523 if (ni->ni_flags & IEEE80211_NODE_HT) 1524 ieee80211_node_leave_ht(ic, ni); 1525 #endif 1526 1527 if (ic->ic_node_leave != NULL) 1528 (*ic->ic_node_leave)(ic, ni); 1529 1530 IEEE80211_AID_CLR(ni->ni_associd, ic->ic_aid_bitmap); 1531 ni->ni_associd = 0; 1532 ieee80211_node_newstate(ni, IEEE80211_STA_COLLECT); 1533 1534 #if NBRIDGE > 0 1535 /* 1536 * If the parent interface belongs to a bridge, delete 1537 * any dynamically learned address for this node. 1538 */ 1539 if (ic->ic_if.if_bridge != NULL) 1540 bridge_update(&ic->ic_if, 1541 (struct ether_addr *)ni->ni_macaddr, 1); 1542 #endif 1543 } 1544 1545 static int 1546 ieee80211_do_slow_print(struct ieee80211com *ic, int *did_print) 1547 { 1548 static const struct timeval merge_print_intvl = { 1549 .tv_sec = 1, .tv_usec = 0 1550 }; 1551 if ((ic->ic_if.if_flags & IFF_LINK0) == 0) 1552 return 0; 1553 if (!*did_print && (ic->ic_if.if_flags & IFF_DEBUG) == 0 && 1554 !ratecheck(&ic->ic_last_merge_print, &merge_print_intvl)) 1555 return 0; 1556 1557 *did_print = 1; 1558 return 1; 1559 } 1560 1561 /* ieee80211_ibss_merge helps merge 802.11 ad hoc networks. The 1562 * convention, set by the Wireless Ethernet Compatibility Alliance 1563 * (WECA), is that an 802.11 station will change its BSSID to match 1564 * the "oldest" 802.11 ad hoc network, on the same channel, that 1565 * has the station's desired SSID. The "oldest" 802.11 network 1566 * sends beacons with the greatest TSF timestamp. 1567 * 1568 * Return ENETRESET if the BSSID changed, 0 otherwise. 1569 * 1570 * XXX Perhaps we should compensate for the time that elapses 1571 * between the MAC receiving the beacon and the host processing it 1572 * in ieee80211_ibss_merge. 1573 */ 1574 int 1575 ieee80211_ibss_merge(struct ieee80211com *ic, struct ieee80211_node *ni, 1576 u_int64_t local_tsft) 1577 { 1578 u_int64_t beacon_tsft; 1579 int did_print = 0, sign; 1580 union { 1581 u_int64_t word; 1582 u_int8_t tstamp[8]; 1583 } u; 1584 1585 /* ensure alignment */ 1586 (void)memcpy(&u, &ni->ni_tstamp[0], sizeof(u)); 1587 beacon_tsft = letoh64(u.word); 1588 1589 /* we are faster, let the other guy catch up */ 1590 if (beacon_tsft < local_tsft) 1591 sign = -1; 1592 else 1593 sign = 1; 1594 1595 if (IEEE80211_ADDR_EQ(ni->ni_bssid, ic->ic_bss->ni_bssid)) { 1596 if (!ieee80211_do_slow_print(ic, &did_print)) 1597 return 0; 1598 printf("%s: tsft offset %s%llu\n", ic->ic_if.if_xname, 1599 (sign < 0) ? "-" : "", 1600 (sign < 0) 1601 ? (local_tsft - beacon_tsft) 1602 : (beacon_tsft - local_tsft)); 1603 return 0; 1604 } 1605 1606 if (sign < 0) 1607 return 0; 1608 1609 if (ieee80211_match_bss(ic, ni) != 0) 1610 return 0; 1611 1612 if (ieee80211_do_slow_print(ic, &did_print)) { 1613 printf("%s: ieee80211_ibss_merge: bssid mismatch %s\n", 1614 ic->ic_if.if_xname, ether_sprintf(ni->ni_bssid)); 1615 printf("%s: my tsft %llu beacon tsft %llu\n", 1616 ic->ic_if.if_xname, local_tsft, beacon_tsft); 1617 printf("%s: sync TSF with %s\n", 1618 ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr)); 1619 } 1620 1621 ic->ic_flags &= ~IEEE80211_F_SIBSS; 1622 1623 /* negotiate rates with new IBSS */ 1624 ieee80211_fix_rate(ic, ni, IEEE80211_F_DOFRATE | 1625 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1626 if (ni->ni_rates.rs_nrates == 0) { 1627 if (ieee80211_do_slow_print(ic, &did_print)) { 1628 printf("%s: rates mismatch, BSSID %s\n", 1629 ic->ic_if.if_xname, ether_sprintf(ni->ni_bssid)); 1630 } 1631 return 0; 1632 } 1633 1634 if (ieee80211_do_slow_print(ic, &did_print)) { 1635 printf("%s: sync BSSID %s -> ", 1636 ic->ic_if.if_xname, ether_sprintf(ic->ic_bss->ni_bssid)); 1637 printf("%s ", ether_sprintf(ni->ni_bssid)); 1638 printf("(from %s)\n", ether_sprintf(ni->ni_macaddr)); 1639 } 1640 1641 ieee80211_node_newstate(ni, IEEE80211_STA_BSS); 1642 (*ic->ic_node_copy)(ic, ic->ic_bss, ni); 1643 1644 return ENETRESET; 1645 } 1646 1647 void 1648 ieee80211_set_tim(struct ieee80211com *ic, int aid, int set) 1649 { 1650 if (set) 1651 setbit(ic->ic_tim_bitmap, aid & ~0xc000); 1652 else 1653 clrbit(ic->ic_tim_bitmap, aid & ~0xc000); 1654 } 1655 1656 /* 1657 * This function shall be called by drivers immediately after every DTIM. 1658 * Transmit all group addressed MSDUs buffered at the AP. 1659 */ 1660 void 1661 ieee80211_notify_dtim(struct ieee80211com *ic) 1662 { 1663 /* NB: group addressed MSDUs are buffered in ic_bss */ 1664 struct ieee80211_node *ni = ic->ic_bss; 1665 struct ifnet *ifp = &ic->ic_if; 1666 struct ieee80211_frame *wh; 1667 struct mbuf *m; 1668 1669 KASSERT(ic->ic_opmode == IEEE80211_M_HOSTAP); 1670 1671 for (;;) { 1672 IF_DEQUEUE(&ni->ni_savedq, m); 1673 if (m == NULL) 1674 break; 1675 if (!IF_IS_EMPTY(&ni->ni_savedq)) { 1676 /* more queued frames, set the more data bit */ 1677 wh = mtod(m, struct ieee80211_frame *); 1678 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 1679 } 1680 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 1681 (*ifp->if_start)(ifp); 1682 } 1683 /* XXX assumes everything has been sent */ 1684 ic->ic_tim_mcast_pending = 0; 1685 } 1686 #endif /* IEEE80211_STA_ONLY */ 1687 1688 /* 1689 * Compare nodes in the tree by lladdr 1690 */ 1691 int 1692 ieee80211_node_cmp(const struct ieee80211_node *b1, 1693 const struct ieee80211_node *b2) 1694 { 1695 return (memcmp(b1->ni_macaddr, b2->ni_macaddr, IEEE80211_ADDR_LEN)); 1696 } 1697 1698 /* 1699 * Generate red-black tree function logic 1700 */ 1701 RB_GENERATE(ieee80211_tree, ieee80211_node, ni_node, ieee80211_node_cmp); 1702