1 /* $OpenBSD: ieee80211_proto.c,v 1.64 2016/02/08 01:00:47 stsp Exp $ */ 2 /* $NetBSD: ieee80211_proto.c,v 1.8 2004/04/30 23:58:20 dyoung Exp $ */ 3 4 /*- 5 * Copyright (c) 2001 Atsushi Onoe 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * Copyright (c) 2008, 2009 Damien Bergamini 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 /* 34 * IEEE 802.11 protocol support. 35 */ 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/mbuf.h> 40 #include <sys/kernel.h> 41 #include <sys/socket.h> 42 #include <sys/sockio.h> 43 #include <sys/endian.h> 44 #include <sys/errno.h> 45 #include <sys/sysctl.h> 46 47 #include <net/if.h> 48 #include <net/if_dl.h> 49 #include <net/if_media.h> 50 #include <net/if_llc.h> 51 52 #include <netinet/in.h> 53 #include <netinet/if_ether.h> 54 55 #include <net80211/ieee80211_var.h> 56 #include <net80211/ieee80211_priv.h> 57 58 const char * const ieee80211_mgt_subtype_name[] = { 59 "assoc_req", "assoc_resp", "reassoc_req", "reassoc_resp", 60 "probe_req", "probe_resp", "reserved#6", "reserved#7", 61 "beacon", "atim", "disassoc", "auth", 62 "deauth", "action", "action_noack", "reserved#15" 63 }; 64 const char * const ieee80211_state_name[IEEE80211_S_MAX] = { 65 "INIT", /* IEEE80211_S_INIT */ 66 "SCAN", /* IEEE80211_S_SCAN */ 67 "AUTH", /* IEEE80211_S_AUTH */ 68 "ASSOC", /* IEEE80211_S_ASSOC */ 69 "RUN" /* IEEE80211_S_RUN */ 70 }; 71 const char * const ieee80211_phymode_name[] = { 72 "auto", /* IEEE80211_MODE_AUTO */ 73 "11a", /* IEEE80211_MODE_11A */ 74 "11b", /* IEEE80211_MODE_11B */ 75 "11g", /* IEEE80211_MODE_11G */ 76 "11n", /* IEEE80211_MODE_11N */ 77 }; 78 79 int ieee80211_newstate(struct ieee80211com *, enum ieee80211_state, int); 80 81 void 82 ieee80211_proto_attach(struct ifnet *ifp) 83 { 84 struct ieee80211com *ic = (void *)ifp; 85 86 mq_init(&ic->ic_mgtq, IFQ_MAXLEN, IPL_NET); 87 mq_init(&ic->ic_pwrsaveq, IFQ_MAXLEN, IPL_NET); 88 89 ifp->if_hdrlen = sizeof(struct ieee80211_frame); 90 91 #ifdef notdef 92 ic->ic_rtsthreshold = IEEE80211_RTS_DEFAULT; 93 #else 94 ic->ic_rtsthreshold = IEEE80211_RTS_MAX; 95 #endif 96 ic->ic_fragthreshold = 2346; /* XXX not used yet */ 97 ic->ic_fixed_rate = -1; /* no fixed rate */ 98 ic->ic_fixed_mcs = -1; /* no fixed mcs */ 99 ic->ic_protmode = IEEE80211_PROT_CTSONLY; 100 101 /* protocol state change handler */ 102 ic->ic_newstate = ieee80211_newstate; 103 104 /* initialize management frame handlers */ 105 ic->ic_recv_mgmt = ieee80211_recv_mgmt; 106 ic->ic_send_mgmt = ieee80211_send_mgmt; 107 } 108 109 void 110 ieee80211_proto_detach(struct ifnet *ifp) 111 { 112 struct ieee80211com *ic = (void *)ifp; 113 114 mq_purge(&ic->ic_mgtq); 115 mq_purge(&ic->ic_pwrsaveq); 116 } 117 118 void 119 ieee80211_print_essid(const u_int8_t *essid, int len) 120 { 121 int i; 122 const u_int8_t *p; 123 124 if (len > IEEE80211_NWID_LEN) 125 len = IEEE80211_NWID_LEN; 126 /* determine printable or not */ 127 for (i = 0, p = essid; i < len; i++, p++) { 128 if (*p < ' ' || *p > 0x7e) 129 break; 130 } 131 if (i == len) { 132 printf("\""); 133 for (i = 0, p = essid; i < len; i++, p++) 134 printf("%c", *p); 135 printf("\""); 136 } else { 137 printf("0x"); 138 for (i = 0, p = essid; i < len; i++, p++) 139 printf("%02x", *p); 140 } 141 } 142 143 #ifdef IEEE80211_DEBUG 144 void 145 ieee80211_dump_pkt(const u_int8_t *buf, int len, int rate, int rssi) 146 { 147 struct ieee80211_frame *wh; 148 int i; 149 150 wh = (struct ieee80211_frame *)buf; 151 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 152 case IEEE80211_FC1_DIR_NODS: 153 printf("NODS %s", ether_sprintf(wh->i_addr2)); 154 printf("->%s", ether_sprintf(wh->i_addr1)); 155 printf("(%s)", ether_sprintf(wh->i_addr3)); 156 break; 157 case IEEE80211_FC1_DIR_TODS: 158 printf("TODS %s", ether_sprintf(wh->i_addr2)); 159 printf("->%s", ether_sprintf(wh->i_addr3)); 160 printf("(%s)", ether_sprintf(wh->i_addr1)); 161 break; 162 case IEEE80211_FC1_DIR_FROMDS: 163 printf("FRDS %s", ether_sprintf(wh->i_addr3)); 164 printf("->%s", ether_sprintf(wh->i_addr1)); 165 printf("(%s)", ether_sprintf(wh->i_addr2)); 166 break; 167 case IEEE80211_FC1_DIR_DSTODS: 168 printf("DSDS %s", ether_sprintf((u_int8_t *)&wh[1])); 169 printf("->%s", ether_sprintf(wh->i_addr3)); 170 printf("(%s", ether_sprintf(wh->i_addr2)); 171 printf("->%s)", ether_sprintf(wh->i_addr1)); 172 break; 173 } 174 switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) { 175 case IEEE80211_FC0_TYPE_DATA: 176 printf(" data"); 177 break; 178 case IEEE80211_FC0_TYPE_MGT: 179 printf(" %s", ieee80211_mgt_subtype_name[ 180 (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) 181 >> IEEE80211_FC0_SUBTYPE_SHIFT]); 182 break; 183 default: 184 printf(" type#%d", wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK); 185 break; 186 } 187 if (wh->i_fc[1] & IEEE80211_FC1_WEP) 188 printf(" WEP"); 189 if (rate >= 0) 190 printf(" %d%sM", rate / 2, (rate & 1) ? ".5" : ""); 191 if (rssi >= 0) 192 printf(" +%d", rssi); 193 printf("\n"); 194 if (len > 0) { 195 for (i = 0; i < len; i++) { 196 if ((i & 1) == 0) 197 printf(" "); 198 printf("%02x", buf[i]); 199 } 200 printf("\n"); 201 } 202 } 203 #endif 204 205 int 206 ieee80211_fix_rate(struct ieee80211com *ic, struct ieee80211_node *ni, 207 int flags) 208 { 209 #define RV(v) ((v) & IEEE80211_RATE_VAL) 210 int i, j, ignore, error; 211 int okrate, badrate, fixedrate; 212 const struct ieee80211_rateset *srs; 213 struct ieee80211_rateset *nrs; 214 u_int8_t r; 215 216 /* 217 * If the fixed rate check was requested but no fixed rate has been 218 * defined then just remove the check. 219 */ 220 if ((flags & IEEE80211_F_DOFRATE) && ic->ic_fixed_rate == -1) 221 flags &= ~IEEE80211_F_DOFRATE; 222 223 error = 0; 224 okrate = badrate = fixedrate = 0; 225 srs = &ic->ic_sup_rates[ieee80211_chan2mode(ic, ni->ni_chan)]; 226 nrs = &ni->ni_rates; 227 for (i = 0; i < nrs->rs_nrates; ) { 228 ignore = 0; 229 if (flags & IEEE80211_F_DOSORT) { 230 /* 231 * Sort rates. 232 */ 233 for (j = i + 1; j < nrs->rs_nrates; j++) { 234 if (RV(nrs->rs_rates[i]) > 235 RV(nrs->rs_rates[j])) { 236 r = nrs->rs_rates[i]; 237 nrs->rs_rates[i] = nrs->rs_rates[j]; 238 nrs->rs_rates[j] = r; 239 } 240 } 241 } 242 r = nrs->rs_rates[i] & IEEE80211_RATE_VAL; 243 badrate = r; 244 if (flags & IEEE80211_F_DOFRATE) { 245 /* 246 * Check fixed rate is included. 247 */ 248 if (r == RV(srs->rs_rates[ic->ic_fixed_rate])) 249 fixedrate = r; 250 } 251 if (flags & IEEE80211_F_DONEGO) { 252 /* 253 * Check against supported rates. 254 */ 255 for (j = 0; j < srs->rs_nrates; j++) { 256 if (r == RV(srs->rs_rates[j])) { 257 /* 258 * Overwrite with the supported rate 259 * value so any basic rate bit is set. 260 * This insures that response we send 261 * to stations have the necessary basic 262 * rate bit set. 263 */ 264 nrs->rs_rates[i] = srs->rs_rates[j]; 265 break; 266 } 267 } 268 if (j == srs->rs_nrates) { 269 /* 270 * A rate in the node's rate set is not 271 * supported. If this is a basic rate and we 272 * are operating as an AP then this is an error. 273 * Otherwise we just discard/ignore the rate. 274 * Note that this is important for 11b stations 275 * when they want to associate with an 11g AP. 276 */ 277 #ifndef IEEE80211_STA_ONLY 278 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 279 (nrs->rs_rates[i] & IEEE80211_RATE_BASIC)) 280 error++; 281 #endif 282 ignore++; 283 } 284 } 285 if (flags & IEEE80211_F_DODEL) { 286 /* 287 * Delete unacceptable rates. 288 */ 289 if (ignore) { 290 nrs->rs_nrates--; 291 for (j = i; j < nrs->rs_nrates; j++) 292 nrs->rs_rates[j] = nrs->rs_rates[j + 1]; 293 nrs->rs_rates[j] = 0; 294 continue; 295 } 296 } 297 if (!ignore) 298 okrate = nrs->rs_rates[i]; 299 i++; 300 } 301 if (okrate == 0 || error != 0 || 302 ((flags & IEEE80211_F_DOFRATE) && fixedrate == 0)) 303 return badrate | IEEE80211_RATE_BASIC; 304 else 305 return RV(okrate); 306 #undef RV 307 } 308 309 /* 310 * Reset 11g-related state. 311 */ 312 void 313 ieee80211_reset_erp(struct ieee80211com *ic) 314 { 315 ic->ic_flags &= ~IEEE80211_F_USEPROT; 316 ic->ic_nonerpsta = 0; 317 ic->ic_longslotsta = 0; 318 319 /* 320 * Enable short slot time iff: 321 * - we're operating in 802.11a or 322 * - we're operating in 802.11g and we're not in IBSS mode and 323 * the device supports short slot time 324 */ 325 ieee80211_set_shortslottime(ic, 326 ic->ic_curmode == IEEE80211_MODE_11A 327 #ifndef IEEE80211_STA_ONLY 328 || 329 (ic->ic_curmode == IEEE80211_MODE_11G && 330 ic->ic_opmode == IEEE80211_M_HOSTAP && 331 (ic->ic_caps & IEEE80211_C_SHSLOT)) 332 #endif 333 ); 334 335 if (ic->ic_curmode == IEEE80211_MODE_11A || 336 (ic->ic_caps & IEEE80211_C_SHPREAMBLE)) 337 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 338 else 339 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 340 } 341 342 /* 343 * Set the short slot time state and notify the driver. 344 */ 345 void 346 ieee80211_set_shortslottime(struct ieee80211com *ic, int on) 347 { 348 if (on) 349 ic->ic_flags |= IEEE80211_F_SHSLOT; 350 else 351 ic->ic_flags &= ~IEEE80211_F_SHSLOT; 352 353 /* notify the driver */ 354 if (ic->ic_updateslot != NULL) 355 ic->ic_updateslot(ic); 356 } 357 358 /* 359 * This function is called by the 802.1X PACP machine (via an ioctl) when 360 * the transmit key machine (4-Way Handshake for 802.11) should run. 361 */ 362 int 363 ieee80211_keyrun(struct ieee80211com *ic, u_int8_t *macaddr) 364 { 365 #ifndef IEEE80211_STA_ONLY 366 struct ieee80211_node *ni; 367 struct ieee80211_pmk *pmk; 368 #endif 369 370 /* STA must be associated or AP must be ready */ 371 if (ic->ic_state != IEEE80211_S_RUN || 372 !(ic->ic_flags & IEEE80211_F_RSNON)) 373 return ENETDOWN; 374 375 #ifndef IEEE80211_STA_ONLY 376 if (ic->ic_opmode == IEEE80211_M_STA) 377 #endif 378 return 0; /* supplicant only, do nothing */ 379 380 #ifndef IEEE80211_STA_ONLY 381 /* find the STA with which we must start the key exchange */ 382 if ((ni = ieee80211_find_node(ic, macaddr)) == NULL) { 383 DPRINTF(("no node found for %s\n", ether_sprintf(macaddr))); 384 return EINVAL; 385 } 386 /* check that the STA is in the correct state */ 387 if (ni->ni_state != IEEE80211_STA_ASSOC || 388 ni->ni_rsn_state != RSNA_AUTHENTICATION_2) { 389 DPRINTF(("unexpected in state %d\n", ni->ni_rsn_state)); 390 return EINVAL; 391 } 392 ni->ni_rsn_state = RSNA_INITPMK; 393 394 /* make sure a PMK is available for this STA, otherwise deauth it */ 395 if ((pmk = ieee80211_pmksa_find(ic, ni, NULL)) == NULL) { 396 DPRINTF(("no PMK available for %s\n", ether_sprintf(macaddr))); 397 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 398 IEEE80211_REASON_AUTH_LEAVE); 399 ieee80211_node_leave(ic, ni); 400 return EINVAL; 401 } 402 memcpy(ni->ni_pmk, pmk->pmk_key, IEEE80211_PMK_LEN); 403 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, IEEE80211_PMKID_LEN); 404 ni->ni_flags |= IEEE80211_NODE_PMK; 405 406 /* initiate key exchange (4-Way Handshake) with STA */ 407 return ieee80211_send_4way_msg1(ic, ni); 408 #endif /* IEEE80211_STA_ONLY */ 409 } 410 411 #ifndef IEEE80211_STA_ONLY 412 /* 413 * Initiate a group key handshake with a node. 414 */ 415 static void 416 ieee80211_node_gtk_rekey(void *arg, struct ieee80211_node *ni) 417 { 418 struct ieee80211com *ic = arg; 419 420 if (ni->ni_state != IEEE80211_STA_ASSOC || 421 ni->ni_rsn_gstate != RSNA_IDLE) 422 return; 423 424 /* initiate a group key handshake with STA */ 425 ni->ni_flags |= IEEE80211_NODE_REKEY; 426 if (ieee80211_send_group_msg1(ic, ni) != 0) 427 ni->ni_flags &= ~IEEE80211_NODE_REKEY; 428 else 429 ic->ic_rsn_keydonesta++; 430 } 431 432 /* 433 * This function is called in HostAP mode when the group key needs to be 434 * changed. 435 */ 436 void 437 ieee80211_setkeys(struct ieee80211com *ic) 438 { 439 struct ieee80211_key *k; 440 u_int8_t kid; 441 442 /* Swap(GM, GN) */ 443 kid = (ic->ic_def_txkey == 1) ? 2 : 1; 444 k = &ic->ic_nw_keys[kid]; 445 memset(k, 0, sizeof(*k)); 446 k->k_id = kid; 447 k->k_cipher = ic->ic_bss->ni_rsngroupcipher; 448 k->k_flags = IEEE80211_KEY_GROUP | IEEE80211_KEY_TX; 449 k->k_len = ieee80211_cipher_keylen(k->k_cipher); 450 arc4random_buf(k->k_key, k->k_len); 451 452 if (ic->ic_caps & IEEE80211_C_MFP) { 453 /* Swap(GM_igtk, GN_igtk) */ 454 kid = (ic->ic_igtk_kid == 4) ? 5 : 4; 455 k = &ic->ic_nw_keys[kid]; 456 memset(k, 0, sizeof(*k)); 457 k->k_id = kid; 458 k->k_cipher = ic->ic_bss->ni_rsngroupmgmtcipher; 459 k->k_flags = IEEE80211_KEY_IGTK | IEEE80211_KEY_TX; 460 k->k_len = 16; 461 arc4random_buf(k->k_key, k->k_len); 462 } 463 464 ic->ic_rsn_keydonesta = 0; 465 ieee80211_iterate_nodes(ic, ieee80211_node_gtk_rekey, ic); 466 } 467 468 /* 469 * The group key handshake has been completed with all associated stations. 470 */ 471 void 472 ieee80211_setkeysdone(struct ieee80211com *ic) 473 { 474 u_int8_t kid; 475 476 /* install GTK */ 477 kid = (ic->ic_def_txkey == 1) ? 2 : 1; 478 if ((*ic->ic_set_key)(ic, ic->ic_bss, &ic->ic_nw_keys[kid]) == 0) 479 ic->ic_def_txkey = kid; 480 481 if (ic->ic_caps & IEEE80211_C_MFP) { 482 /* install IGTK */ 483 kid = (ic->ic_igtk_kid == 4) ? 5 : 4; 484 if ((*ic->ic_set_key)(ic, ic->ic_bss, 485 &ic->ic_nw_keys[kid]) == 0) 486 ic->ic_igtk_kid = kid; 487 } 488 } 489 490 /* 491 * Group key lifetime has expired, update it. 492 */ 493 void 494 ieee80211_gtk_rekey_timeout(void *arg) 495 { 496 struct ieee80211com *ic = arg; 497 int s; 498 499 s = splnet(); 500 ieee80211_setkeys(ic); 501 splx(s); 502 503 /* re-schedule a GTK rekeying after 3600s */ 504 timeout_add_sec(&ic->ic_rsn_timeout, 3600); 505 } 506 507 void 508 ieee80211_sa_query_timeout(void *arg) 509 { 510 struct ieee80211_node *ni = arg; 511 struct ieee80211com *ic = ni->ni_ic; 512 int s; 513 514 s = splnet(); 515 if (++ni->ni_sa_query_count >= 3) { 516 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 517 ni->ni_flags |= IEEE80211_NODE_SA_QUERY_FAILED; 518 } else /* retry SA Query Request */ 519 ieee80211_sa_query_request(ic, ni); 520 splx(s); 521 } 522 523 /* 524 * Request that a SA Query Request frame be sent to a specified peer STA 525 * to which the STA is associated. 526 */ 527 void 528 ieee80211_sa_query_request(struct ieee80211com *ic, struct ieee80211_node *ni) 529 { 530 /* MLME-SAQuery.request */ 531 532 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 533 ni->ni_flags |= IEEE80211_NODE_SA_QUERY; 534 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY_FAILED; 535 ni->ni_sa_query_count = 0; 536 } 537 /* generate new Transaction Identifier */ 538 ni->ni_sa_query_trid++; 539 540 /* send SA Query Request */ 541 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 542 IEEE80211_ACTION_SA_QUERY_REQ, 0); 543 timeout_add_msec(&ni->ni_sa_query_to, 10); 544 } 545 #endif /* IEEE80211_STA_ONLY */ 546 547 void 548 ieee80211_ht_negotiate(struct ieee80211com *ic, struct ieee80211_node *ni) 549 { 550 int i; 551 552 ni->ni_flags &= ~IEEE80211_NODE_HT; 553 554 /* Check if we support HT. */ 555 if ((ic->ic_modecaps & (1 << IEEE80211_MODE_11N)) == 0) 556 return; 557 558 /* Check if HT support has been explicitly disabled. */ 559 if ((ic->ic_flags & IEEE80211_F_HTON) == 0) 560 return; 561 562 /* Check if the peer supports HT. MCS 0-7 are mandatory. */ 563 if (ni->ni_rxmcs[0] != 0xff) 564 return; 565 566 if (ic->ic_opmode == IEEE80211_M_STA) { 567 /* We must support the AP's basic MCS set. */ 568 for (i = 0; i < IEEE80211_HT_NUM_MCS; i++) { 569 if (isset(ni->ni_basic_mcs, i) && 570 !isset(ic->ic_sup_mcs, i)) 571 return; 572 } 573 } 574 575 /* 576 * Don't allow group cipher (includes WEP) or TKIP 577 * for pairwise encryption (see 802.11-2012 11.1.6). 578 */ 579 if (ic->ic_flags & IEEE80211_F_WEPON) 580 return; 581 if ((ic->ic_flags & IEEE80211_F_RSNON) && 582 (ni->ni_rsnciphers & IEEE80211_CIPHER_USEGROUP || 583 ni->ni_rsnciphers & IEEE80211_CIPHER_TKIP)) 584 return; 585 586 ni->ni_flags |= IEEE80211_NODE_HT; 587 } 588 589 void 590 ieee80211_tx_ba_timeout(void *arg) 591 { 592 struct ieee80211_tx_ba *ba = arg; 593 struct ieee80211_node *ni = ba->ba_ni; 594 struct ieee80211com *ic = ni->ni_ic; 595 u_int8_t tid; 596 int s; 597 598 s = splnet(); 599 if (ba->ba_state == IEEE80211_BA_REQUESTED) { 600 /* MLME-ADDBA.confirm(TIMEOUT) */ 601 ba->ba_state = IEEE80211_BA_INIT; 602 603 } else if (ba->ba_state == IEEE80211_BA_AGREED) { 604 /* Block Ack inactivity timeout */ 605 tid = ((caddr_t)ba - (caddr_t)ni->ni_tx_ba) / sizeof(*ba); 606 ieee80211_delba_request(ic, ni, IEEE80211_REASON_TIMEOUT, 607 1, tid); 608 } 609 splx(s); 610 } 611 612 void 613 ieee80211_rx_ba_timeout(void *arg) 614 { 615 struct ieee80211_rx_ba *ba = arg; 616 struct ieee80211_node *ni = ba->ba_ni; 617 struct ieee80211com *ic = ni->ni_ic; 618 u_int8_t tid; 619 int s; 620 621 s = splnet(); 622 623 /* Block Ack inactivity timeout */ 624 tid = ((caddr_t)ba - (caddr_t)ni->ni_rx_ba) / sizeof(*ba); 625 ieee80211_delba_request(ic, ni, IEEE80211_REASON_TIMEOUT, 0, tid); 626 627 splx(s); 628 } 629 630 /* 631 * Request initiation of Block Ack with the specified peer. 632 */ 633 int 634 ieee80211_addba_request(struct ieee80211com *ic, struct ieee80211_node *ni, 635 u_int16_t ssn, u_int8_t tid) 636 { 637 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 638 639 /* MLME-ADDBA.request */ 640 641 /* setup Block Ack */ 642 ba->ba_state = IEEE80211_BA_REQUESTED; 643 ba->ba_token = ic->ic_dialog_token++; 644 ba->ba_timeout_val = 0; 645 timeout_set(&ba->ba_to, ieee80211_tx_ba_timeout, ba); 646 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 647 ba->ba_winstart = ssn; 648 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 649 ba->ba_params = 650 (ba->ba_winsize << IEEE80211_ADDBA_BUFSZ_SHIFT) | 651 (tid << IEEE80211_ADDBA_TID_SHIFT) | IEEE80211_ADDBA_AMSDU; 652 if ((ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) == 0) 653 /* immediate BA */ 654 ba->ba_params |= IEEE80211_ADDBA_BA_POLICY; 655 656 timeout_add_sec(&ba->ba_to, 1); /* dot11ADDBAResponseTimeout */ 657 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 658 IEEE80211_ACTION_ADDBA_REQ, tid); 659 return 0; 660 } 661 662 /* 663 * Request the deletion of Block Ack with a peer. 664 */ 665 void 666 ieee80211_delba_request(struct ieee80211com *ic, struct ieee80211_node *ni, 667 u_int16_t reason, u_int8_t dir, u_int8_t tid) 668 { 669 /* MLME-DELBA.request */ 670 671 /* transmit a DELBA frame */ 672 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 673 IEEE80211_ACTION_DELBA, reason << 16 | dir << 8 | tid); 674 if (dir) { 675 /* MLME-DELBA.confirm(Originator) */ 676 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 677 678 if (ic->ic_ampdu_tx_stop != NULL) 679 ic->ic_ampdu_tx_stop(ic, ni, tid); 680 681 ba->ba_state = IEEE80211_BA_INIT; 682 /* stop Block Ack inactivity timer */ 683 timeout_del(&ba->ba_to); 684 } else { 685 /* MLME-DELBA.confirm(Recipient) */ 686 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 687 int i; 688 689 if (ic->ic_ampdu_rx_stop != NULL) 690 ic->ic_ampdu_rx_stop(ic, ni, tid); 691 692 ba->ba_state = IEEE80211_BA_INIT; 693 /* stop Block Ack inactivity timer */ 694 timeout_del(&ba->ba_to); 695 timeout_del(&ba->ba_gap_to); 696 697 if (ba->ba_buf != NULL) { 698 /* free all MSDUs stored in reordering buffer */ 699 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 700 m_freem(ba->ba_buf[i].m); 701 /* free reordering buffer */ 702 free(ba->ba_buf, M_DEVBUF, 0); 703 ba->ba_buf = NULL; 704 } 705 } 706 } 707 708 void 709 ieee80211_auth_open(struct ieee80211com *ic, const struct ieee80211_frame *wh, 710 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, u_int16_t seq, 711 u_int16_t status) 712 { 713 struct ifnet *ifp = &ic->ic_if; 714 switch (ic->ic_opmode) { 715 #ifndef IEEE80211_STA_ONLY 716 case IEEE80211_M_IBSS: 717 if (ic->ic_state != IEEE80211_S_RUN || 718 seq != IEEE80211_AUTH_OPEN_REQUEST) { 719 DPRINTF(("discard auth from %s; state %u, seq %u\n", 720 ether_sprintf((u_int8_t *)wh->i_addr2), 721 ic->ic_state, seq)); 722 ic->ic_stats.is_rx_bad_auth++; 723 return; 724 } 725 ieee80211_new_state(ic, IEEE80211_S_AUTH, 726 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 727 break; 728 729 case IEEE80211_M_AHDEMO: 730 /* should not come here */ 731 break; 732 733 case IEEE80211_M_HOSTAP: 734 if (ic->ic_state != IEEE80211_S_RUN || 735 seq != IEEE80211_AUTH_OPEN_REQUEST) { 736 DPRINTF(("discard auth from %s; state %u, seq %u\n", 737 ether_sprintf((u_int8_t *)wh->i_addr2), 738 ic->ic_state, seq)); 739 ic->ic_stats.is_rx_bad_auth++; 740 return; 741 } 742 if (ni == ic->ic_bss) { 743 ni = ieee80211_find_node(ic, wh->i_addr2); 744 if (ni == NULL) 745 ni = ieee80211_alloc_node(ic, wh->i_addr2); 746 if (ni == NULL) { 747 return; 748 } 749 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_bss->ni_bssid); 750 ni->ni_rssi = rxi->rxi_rssi; 751 ni->ni_rstamp = rxi->rxi_tstamp; 752 ni->ni_chan = ic->ic_bss->ni_chan; 753 } 754 IEEE80211_SEND_MGMT(ic, ni, 755 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 756 if (ifp->if_flags & IFF_DEBUG) 757 printf("%s: station %s %s authenticated (open)\n", 758 ifp->if_xname, 759 ether_sprintf((u_int8_t *)ni->ni_macaddr), 760 ni->ni_state != IEEE80211_STA_CACHE ? 761 "newly" : "already"); 762 ieee80211_node_newstate(ni, IEEE80211_STA_AUTH); 763 break; 764 #endif /* IEEE80211_STA_ONLY */ 765 766 case IEEE80211_M_STA: 767 if (ic->ic_state != IEEE80211_S_AUTH || 768 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 769 ic->ic_stats.is_rx_bad_auth++; 770 DPRINTF(("discard auth from %s; state %u, seq %u\n", 771 ether_sprintf((u_int8_t *)wh->i_addr2), 772 ic->ic_state, seq)); 773 return; 774 } 775 if (ic->ic_flags & IEEE80211_F_RSNON) { 776 /* XXX not here! */ 777 ic->ic_bss->ni_flags &= ~IEEE80211_NODE_TXRXPROT; 778 ic->ic_bss->ni_port_valid = 0; 779 ic->ic_bss->ni_replaycnt_ok = 0; 780 (*ic->ic_delete_key)(ic, ic->ic_bss, 781 &ic->ic_bss->ni_pairwise_key); 782 } 783 if (status != 0) { 784 if (ifp->if_flags & IFF_DEBUG) 785 printf("%s: open authentication failed " 786 "(reason %d) for %s\n", ifp->if_xname, 787 status, 788 ether_sprintf((u_int8_t *)wh->i_addr3)); 789 if (ni != ic->ic_bss) 790 ni->ni_fails++; 791 ic->ic_stats.is_rx_auth_fail++; 792 return; 793 } 794 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 795 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 796 break; 797 default: 798 break; 799 } 800 } 801 802 int 803 ieee80211_newstate(struct ieee80211com *ic, enum ieee80211_state nstate, 804 int mgt) 805 { 806 struct ifnet *ifp = &ic->ic_if; 807 struct ieee80211_node *ni; 808 enum ieee80211_state ostate; 809 u_int rate; 810 #ifndef IEEE80211_STA_ONLY 811 int s; 812 #endif 813 814 ostate = ic->ic_state; 815 DPRINTF(("%s -> %s\n", ieee80211_state_name[ostate], 816 ieee80211_state_name[nstate])); 817 ic->ic_state = nstate; /* state transition */ 818 ni = ic->ic_bss; /* NB: no reference held */ 819 if (ostate == IEEE80211_S_RUN) 820 ieee80211_set_link_state(ic, LINK_STATE_DOWN); 821 switch (nstate) { 822 case IEEE80211_S_INIT: 823 /* 824 * If mgt = -1, driver is already partway down, so do 825 * not send management frames. 826 */ 827 switch (ostate) { 828 case IEEE80211_S_INIT: 829 break; 830 case IEEE80211_S_RUN: 831 if (mgt == -1) 832 goto justcleanup; 833 switch (ic->ic_opmode) { 834 case IEEE80211_M_STA: 835 IEEE80211_SEND_MGMT(ic, ni, 836 IEEE80211_FC0_SUBTYPE_DISASSOC, 837 IEEE80211_REASON_ASSOC_LEAVE); 838 break; 839 #ifndef IEEE80211_STA_ONLY 840 case IEEE80211_M_HOSTAP: 841 s = splnet(); 842 RB_FOREACH(ni, ieee80211_tree, &ic->ic_tree) { 843 if (ni->ni_associd == 0) 844 continue; 845 IEEE80211_SEND_MGMT(ic, ni, 846 IEEE80211_FC0_SUBTYPE_DISASSOC, 847 IEEE80211_REASON_ASSOC_LEAVE); 848 } 849 splx(s); 850 break; 851 #endif 852 default: 853 break; 854 } 855 /* FALLTHROUGH */ 856 case IEEE80211_S_ASSOC: 857 if (mgt == -1) 858 goto justcleanup; 859 switch (ic->ic_opmode) { 860 case IEEE80211_M_STA: 861 IEEE80211_SEND_MGMT(ic, ni, 862 IEEE80211_FC0_SUBTYPE_DEAUTH, 863 IEEE80211_REASON_AUTH_LEAVE); 864 break; 865 #ifndef IEEE80211_STA_ONLY 866 case IEEE80211_M_HOSTAP: 867 s = splnet(); 868 RB_FOREACH(ni, ieee80211_tree, &ic->ic_tree) { 869 IEEE80211_SEND_MGMT(ic, ni, 870 IEEE80211_FC0_SUBTYPE_DEAUTH, 871 IEEE80211_REASON_AUTH_LEAVE); 872 } 873 splx(s); 874 break; 875 #endif 876 default: 877 break; 878 } 879 /* FALLTHROUGH */ 880 case IEEE80211_S_AUTH: 881 case IEEE80211_S_SCAN: 882 justcleanup: 883 #ifndef IEEE80211_STA_ONLY 884 if (ic->ic_opmode == IEEE80211_M_HOSTAP) 885 timeout_del(&ic->ic_rsn_timeout); 886 #endif 887 ic->ic_mgt_timer = 0; 888 mq_purge(&ic->ic_mgtq); 889 mq_purge(&ic->ic_pwrsaveq); 890 ieee80211_free_allnodes(ic); 891 break; 892 } 893 break; 894 case IEEE80211_S_SCAN: 895 ic->ic_flags &= ~IEEE80211_F_SIBSS; 896 /* initialize bss for probe request */ 897 IEEE80211_ADDR_COPY(ni->ni_macaddr, etherbroadcastaddr); 898 IEEE80211_ADDR_COPY(ni->ni_bssid, etherbroadcastaddr); 899 ni->ni_rates = ic->ic_sup_rates[ 900 ieee80211_chan2mode(ic, ni->ni_chan)]; 901 ni->ni_associd = 0; 902 ni->ni_rstamp = 0; 903 switch (ostate) { 904 case IEEE80211_S_INIT: 905 #ifndef IEEE80211_STA_ONLY 906 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 907 ic->ic_des_chan != IEEE80211_CHAN_ANYC) { 908 /* 909 * AP operation and we already have a channel; 910 * bypass the scan and startup immediately. 911 */ 912 ieee80211_create_ibss(ic, ic->ic_des_chan); 913 } else 914 #endif 915 ieee80211_begin_scan(ifp); 916 break; 917 case IEEE80211_S_SCAN: 918 /* scan next */ 919 if (ic->ic_flags & IEEE80211_F_ASCAN) { 920 IEEE80211_SEND_MGMT(ic, ni, 921 IEEE80211_FC0_SUBTYPE_PROBE_REQ, 0); 922 } 923 break; 924 case IEEE80211_S_RUN: 925 /* beacon miss */ 926 if (ifp->if_flags & IFF_DEBUG) { 927 /* XXX bssid clobbered above */ 928 printf("%s: no recent beacons from %s;" 929 " rescanning\n", ifp->if_xname, 930 ether_sprintf(ic->ic_bss->ni_bssid)); 931 } 932 ieee80211_free_allnodes(ic); 933 /* FALLTHROUGH */ 934 case IEEE80211_S_AUTH: 935 case IEEE80211_S_ASSOC: 936 /* timeout restart scan */ 937 ni = ieee80211_find_node(ic, ic->ic_bss->ni_macaddr); 938 if (ni != NULL) 939 ni->ni_fails++; 940 ieee80211_begin_scan(ifp); 941 break; 942 } 943 break; 944 case IEEE80211_S_AUTH: 945 switch (ostate) { 946 case IEEE80211_S_INIT: 947 DPRINTF(("invalid transition\n")); 948 break; 949 case IEEE80211_S_SCAN: 950 IEEE80211_SEND_MGMT(ic, ni, 951 IEEE80211_FC0_SUBTYPE_AUTH, 1); 952 break; 953 case IEEE80211_S_AUTH: 954 case IEEE80211_S_ASSOC: 955 switch (mgt) { 956 case IEEE80211_FC0_SUBTYPE_AUTH: 957 /* ??? */ 958 IEEE80211_SEND_MGMT(ic, ni, 959 IEEE80211_FC0_SUBTYPE_AUTH, 2); 960 break; 961 case IEEE80211_FC0_SUBTYPE_DEAUTH: 962 /* ignore and retry scan on timeout */ 963 break; 964 } 965 break; 966 case IEEE80211_S_RUN: 967 switch (mgt) { 968 case IEEE80211_FC0_SUBTYPE_AUTH: 969 IEEE80211_SEND_MGMT(ic, ni, 970 IEEE80211_FC0_SUBTYPE_AUTH, 2); 971 ic->ic_state = ostate; /* stay RUN */ 972 break; 973 case IEEE80211_FC0_SUBTYPE_DEAUTH: 974 /* try to reauth */ 975 IEEE80211_SEND_MGMT(ic, ni, 976 IEEE80211_FC0_SUBTYPE_AUTH, 1); 977 break; 978 } 979 break; 980 } 981 break; 982 case IEEE80211_S_ASSOC: 983 switch (ostate) { 984 case IEEE80211_S_INIT: 985 case IEEE80211_S_SCAN: 986 case IEEE80211_S_ASSOC: 987 DPRINTF(("invalid transition\n")); 988 break; 989 case IEEE80211_S_AUTH: 990 IEEE80211_SEND_MGMT(ic, ni, 991 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0); 992 break; 993 case IEEE80211_S_RUN: 994 IEEE80211_SEND_MGMT(ic, ni, 995 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 1); 996 break; 997 } 998 break; 999 case IEEE80211_S_RUN: 1000 switch (ostate) { 1001 case IEEE80211_S_INIT: 1002 case IEEE80211_S_AUTH: 1003 case IEEE80211_S_RUN: 1004 DPRINTF(("invalid transition\n")); 1005 break; 1006 case IEEE80211_S_SCAN: /* adhoc/hostap mode */ 1007 case IEEE80211_S_ASSOC: /* infra mode */ 1008 if (ni->ni_txrate >= ni->ni_rates.rs_nrates) 1009 panic("%s: bogus xmit rate %u setup", 1010 __func__, ni->ni_txrate); 1011 if (ifp->if_flags & IFF_DEBUG) { 1012 printf("%s: %s with %s ssid ", 1013 ifp->if_xname, 1014 ic->ic_opmode == IEEE80211_M_STA ? 1015 "associated" : "synchronized", 1016 ether_sprintf(ni->ni_bssid)); 1017 ieee80211_print_essid(ic->ic_bss->ni_essid, 1018 ni->ni_esslen); 1019 rate = ni->ni_rates.rs_rates[ni->ni_txrate] & 1020 IEEE80211_RATE_VAL; 1021 printf(" channel %d", 1022 ieee80211_chan2ieee(ic, ni->ni_chan)); 1023 if (ni->ni_flags & IEEE80211_NODE_HT) 1024 printf(" start MCS %u", ni->ni_txmcs); 1025 else 1026 printf(" start %u%sMb", 1027 rate / 2, (rate & 1) ? ".5" : ""); 1028 printf(" %s preamble %s slot time%s%s\n", 1029 (ic->ic_flags & IEEE80211_F_SHPREAMBLE) ? 1030 "short" : "long", 1031 (ic->ic_flags & IEEE80211_F_SHSLOT) ? 1032 "short" : "long", 1033 (ic->ic_flags & IEEE80211_F_USEPROT) ? 1034 " protection enabled" : "", 1035 (ni->ni_flags & IEEE80211_NODE_HT) ? 1036 " HT enabled" : ""); 1037 } 1038 if (!(ic->ic_flags & IEEE80211_F_RSNON)) { 1039 /* 1040 * NB: When RSN is enabled, we defer setting 1041 * the link up until the port is valid. 1042 */ 1043 ieee80211_set_link_state(ic, LINK_STATE_UP); 1044 } 1045 ic->ic_mgt_timer = 0; 1046 (*ifp->if_start)(ifp); 1047 break; 1048 } 1049 break; 1050 } 1051 return 0; 1052 } 1053 1054 void 1055 ieee80211_set_link_state(struct ieee80211com *ic, int nstate) 1056 { 1057 struct ifnet *ifp = &ic->ic_if; 1058 1059 switch (ic->ic_opmode) { 1060 #ifndef IEEE80211_STA_ONLY 1061 case IEEE80211_M_IBSS: 1062 case IEEE80211_M_HOSTAP: 1063 nstate = LINK_STATE_UNKNOWN; 1064 break; 1065 #endif 1066 case IEEE80211_M_MONITOR: 1067 nstate = LINK_STATE_DOWN; 1068 break; 1069 default: 1070 break; 1071 } 1072 if (nstate != ifp->if_link_state) { 1073 ifp->if_link_state = nstate; 1074 if_link_state_change(ifp); 1075 } 1076 } 1077