1 /* $OpenBSD: ieee80211_input.c,v 1.122 2012/10/12 19:53:24 haesbaert Exp $ */ 2 3 /*- 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 6 * Copyright (c) 2007-2009 Damien Bergamini 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "bpfilter.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/socket.h> 40 #include <sys/sockio.h> 41 #include <sys/endian.h> 42 #include <sys/errno.h> 43 #include <sys/proc.h> 44 #include <sys/sysctl.h> 45 #include <sys/workq.h> 46 47 #include <net/if.h> 48 #include <net/if_dl.h> 49 #include <net/if_media.h> 50 #include <net/if_arp.h> 51 #include <net/if_llc.h> 52 53 #if NBPFILTER > 0 54 #include <net/bpf.h> 55 #endif 56 57 #ifdef INET 58 #include <netinet/in.h> 59 #include <netinet/if_ether.h> 60 #endif 61 62 #include <net80211/ieee80211_var.h> 63 #include <net80211/ieee80211_priv.h> 64 65 struct mbuf *ieee80211_defrag(struct ieee80211com *, struct mbuf *, int); 66 void ieee80211_defrag_timeout(void *); 67 #ifndef IEEE80211_NO_HT 68 void ieee80211_input_ba(struct ifnet *, struct mbuf *, 69 struct ieee80211_node *, int, struct ieee80211_rxinfo *); 70 void ieee80211_ba_move_window(struct ieee80211com *, 71 struct ieee80211_node *, u_int8_t, u_int16_t); 72 #endif 73 struct mbuf *ieee80211_align_mbuf(struct mbuf *); 74 void ieee80211_decap(struct ieee80211com *, struct mbuf *, 75 struct ieee80211_node *, int); 76 #ifndef IEEE80211_NO_HT 77 void ieee80211_amsdu_decap(struct ieee80211com *, struct mbuf *, 78 struct ieee80211_node *, int); 79 #endif 80 void ieee80211_deliver_data(struct ieee80211com *, struct mbuf *, 81 struct ieee80211_node *); 82 int ieee80211_parse_edca_params_body(struct ieee80211com *, 83 const u_int8_t *); 84 int ieee80211_parse_edca_params(struct ieee80211com *, const u_int8_t *); 85 int ieee80211_parse_wmm_params(struct ieee80211com *, const u_int8_t *); 86 enum ieee80211_cipher ieee80211_parse_rsn_cipher(const u_int8_t[]); 87 enum ieee80211_akm ieee80211_parse_rsn_akm(const u_int8_t[]); 88 int ieee80211_parse_rsn_body(struct ieee80211com *, const u_int8_t *, 89 u_int, struct ieee80211_rsnparams *); 90 int ieee80211_save_ie(const u_int8_t *, u_int8_t **); 91 void ieee80211_recv_probe_resp(struct ieee80211com *, struct mbuf *, 92 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 93 #ifndef IEEE80211_STA_ONLY 94 void ieee80211_recv_probe_req(struct ieee80211com *, struct mbuf *, 95 struct ieee80211_node *, struct ieee80211_rxinfo *); 96 #endif 97 void ieee80211_recv_auth(struct ieee80211com *, struct mbuf *, 98 struct ieee80211_node *, struct ieee80211_rxinfo *); 99 #ifndef IEEE80211_STA_ONLY 100 void ieee80211_recv_assoc_req(struct ieee80211com *, struct mbuf *, 101 struct ieee80211_node *, struct ieee80211_rxinfo *, int); 102 #endif 103 void ieee80211_recv_assoc_resp(struct ieee80211com *, struct mbuf *, 104 struct ieee80211_node *, int); 105 void ieee80211_recv_deauth(struct ieee80211com *, struct mbuf *, 106 struct ieee80211_node *); 107 void ieee80211_recv_disassoc(struct ieee80211com *, struct mbuf *, 108 struct ieee80211_node *); 109 #ifndef IEEE80211_NO_HT 110 void ieee80211_recv_addba_req(struct ieee80211com *, struct mbuf *, 111 struct ieee80211_node *); 112 void ieee80211_recv_addba_resp(struct ieee80211com *, struct mbuf *, 113 struct ieee80211_node *); 114 void ieee80211_recv_delba(struct ieee80211com *, struct mbuf *, 115 struct ieee80211_node *); 116 #endif 117 void ieee80211_recv_sa_query_req(struct ieee80211com *, struct mbuf *, 118 struct ieee80211_node *); 119 #ifndef IEEE80211_STA_ONLY 120 void ieee80211_recv_sa_query_resp(struct ieee80211com *, struct mbuf *, 121 struct ieee80211_node *); 122 #endif 123 void ieee80211_recv_action(struct ieee80211com *, struct mbuf *, 124 struct ieee80211_node *); 125 #ifndef IEEE80211_STA_ONLY 126 void ieee80211_recv_pspoll(struct ieee80211com *, struct mbuf *, 127 struct ieee80211_node *); 128 #endif 129 #ifndef IEEE80211_NO_HT 130 void ieee80211_recv_bar(struct ieee80211com *, struct mbuf *, 131 struct ieee80211_node *); 132 void ieee80211_bar_tid(struct ieee80211com *, struct ieee80211_node *, 133 u_int8_t, u_int16_t); 134 #endif 135 void ieee80211_input_print(struct ieee80211com *, struct ifnet *, 136 struct ieee80211_frame *, struct ieee80211_rxinfo *); 137 void ieee80211_input_print_task(void *, void *); 138 139 /* 140 * Retrieve the length in bytes of an 802.11 header. 141 */ 142 u_int 143 ieee80211_get_hdrlen(const struct ieee80211_frame *wh) 144 { 145 u_int size = sizeof(*wh); 146 147 /* NB: does not work with control frames */ 148 KASSERT(ieee80211_has_seq(wh)); 149 150 if (ieee80211_has_addr4(wh)) 151 size += IEEE80211_ADDR_LEN; /* i_addr4 */ 152 if (ieee80211_has_qos(wh)) 153 size += sizeof(u_int16_t); /* i_qos */ 154 if (ieee80211_has_htc(wh)) 155 size += sizeof(u_int32_t); /* i_ht */ 156 return size; 157 } 158 159 /* 160 * Work queue task that prints a received frame. Avoids printf() from 161 * interrupt context at IPL_NET making slow machines unusable when many 162 * frames are received and the interface is put in debug mode. 163 */ 164 void 165 ieee80211_input_print_task(void *arg1, void *arg2) 166 { 167 char *msg = arg1; 168 169 printf("%s", msg); 170 free(msg, M_DEVBUF); 171 172 } 173 174 void 175 ieee80211_input_print(struct ieee80211com *ic, struct ifnet *ifp, 176 struct ieee80211_frame *wh, struct ieee80211_rxinfo *rxi) 177 { 178 int doprint, error; 179 char *msg; 180 u_int8_t subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 181 182 /* avoid printing too many frames */ 183 doprint = 0; 184 switch (subtype) { 185 case IEEE80211_FC0_SUBTYPE_BEACON: 186 if (ic->ic_state == IEEE80211_S_SCAN) 187 doprint = 1; 188 break; 189 #ifndef IEEE80211_STA_ONLY 190 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 191 if (ic->ic_opmode == IEEE80211_M_IBSS) 192 doprint = 1; 193 break; 194 #endif 195 default: 196 doprint = 1; 197 break; 198 } 199 #ifdef IEEE80211_DEBUG 200 doprint += ieee80211_debug; 201 #endif 202 if (!doprint) 203 return; 204 205 msg = malloc(1024, M_DEVBUF, M_NOWAIT); 206 if (msg == NULL) 207 return; 208 209 snprintf(msg, 1024, "%s: received %s from %s rssi %d mode %s\n", 210 ifp->if_xname, 211 ieee80211_mgt_subtype_name[subtype >> IEEE80211_FC0_SUBTYPE_SHIFT], 212 ether_sprintf(wh->i_addr2), rxi->rxi_rssi, 213 ieee80211_phymode_name[ieee80211_chan2mode( 214 ic, ic->ic_bss->ni_chan)]); 215 216 error = workq_add_task(NULL, 0, ieee80211_input_print_task, msg, NULL); 217 if (error) 218 free(msg, M_DEVBUF); 219 } 220 221 /* 222 * Process a received frame. The node associated with the sender 223 * should be supplied. If nothing was found in the node table then 224 * the caller is assumed to supply a reference to ic_bss instead. 225 * The RSSI and a timestamp are also supplied. The RSSI data is used 226 * during AP scanning to select a AP to associate with; it can have 227 * any units so long as values have consistent units and higher values 228 * mean ``better signal''. The receive timestamp is currently not used 229 * by the 802.11 layer. 230 */ 231 void 232 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 233 struct ieee80211_rxinfo *rxi) 234 { 235 struct ieee80211com *ic = (void *)ifp; 236 struct ieee80211_frame *wh; 237 u_int16_t *orxseq, nrxseq, qos; 238 u_int8_t dir, type, subtype, tid; 239 int hdrlen, hasqos; 240 241 KASSERT(ni != NULL); 242 243 /* in monitor mode, send everything directly to bpf */ 244 if (ic->ic_opmode == IEEE80211_M_MONITOR) 245 goto out; 246 247 /* 248 * Do not process frames without an Address 2 field any further. 249 * Only CTS and ACK control frames do not have this field. 250 */ 251 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 252 DPRINTF(("frame too short, len %u\n", m->m_len)); 253 ic->ic_stats.is_rx_tooshort++; 254 goto out; 255 } 256 257 wh = mtod(m, struct ieee80211_frame *); 258 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 259 IEEE80211_FC0_VERSION_0) { 260 DPRINTF(("frame with wrong version: %x\n", wh->i_fc[0])); 261 ic->ic_stats.is_rx_badversion++; 262 goto err; 263 } 264 265 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 266 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 267 268 if (type != IEEE80211_FC0_TYPE_CTL) { 269 hdrlen = ieee80211_get_hdrlen(wh); 270 if (m->m_len < hdrlen) { 271 DPRINTF(("frame too short, len %u\n", m->m_len)); 272 ic->ic_stats.is_rx_tooshort++; 273 goto err; 274 } 275 } 276 if ((hasqos = ieee80211_has_qos(wh))) { 277 qos = ieee80211_get_qos(wh); 278 tid = qos & IEEE80211_QOS_TID; 279 } else { 280 qos = 0; 281 tid = 0; 282 } 283 284 /* duplicate detection (see 9.2.9) */ 285 if (ieee80211_has_seq(wh) && 286 ic->ic_state != IEEE80211_S_SCAN) { 287 nrxseq = letoh16(*(u_int16_t *)wh->i_seq) >> 288 IEEE80211_SEQ_SEQ_SHIFT; 289 if (hasqos) 290 orxseq = &ni->ni_qos_rxseqs[tid]; 291 else 292 orxseq = &ni->ni_rxseq; 293 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 294 nrxseq == *orxseq) { 295 /* duplicate, silently discarded */ 296 ic->ic_stats.is_rx_dup++; 297 goto out; 298 } 299 *orxseq = nrxseq; 300 } 301 if (ic->ic_state != IEEE80211_S_SCAN) { 302 ni->ni_rssi = rxi->rxi_rssi; 303 ni->ni_rstamp = rxi->rxi_tstamp; 304 ni->ni_inact = 0; 305 } 306 307 #ifndef IEEE80211_STA_ONLY 308 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 309 (ic->ic_caps & IEEE80211_C_APPMGT) && 310 ni->ni_state == IEEE80211_STA_ASSOC) { 311 if (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) { 312 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE) { 313 /* turn on PS mode */ 314 ni->ni_pwrsave = IEEE80211_PS_DOZE; 315 ic->ic_pssta++; 316 DPRINTF(("PS mode on for %s, count %d\n", 317 ether_sprintf(wh->i_addr2), ic->ic_pssta)); 318 } 319 } else if (ni->ni_pwrsave == IEEE80211_PS_DOZE) { 320 /* turn off PS mode */ 321 ni->ni_pwrsave = IEEE80211_PS_AWAKE; 322 ic->ic_pssta--; 323 DPRINTF(("PS mode off for %s, count %d\n", 324 ether_sprintf(wh->i_addr2), ic->ic_pssta)); 325 326 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 327 328 /* dequeue buffered unicast frames */ 329 while (!IF_IS_EMPTY(&ni->ni_savedq)) { 330 struct mbuf *m; 331 IF_DEQUEUE(&ni->ni_savedq, m); 332 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 333 (*ifp->if_start)(ifp); 334 } 335 } 336 } 337 #endif 338 switch (type) { 339 case IEEE80211_FC0_TYPE_DATA: 340 switch (ic->ic_opmode) { 341 case IEEE80211_M_STA: 342 if (dir != IEEE80211_FC1_DIR_FROMDS) { 343 ic->ic_stats.is_rx_wrongdir++; 344 goto out; 345 } 346 if (ic->ic_state != IEEE80211_S_SCAN && 347 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 348 /* Source address is not our BSS. */ 349 DPRINTF(("discard frame from SA %s\n", 350 ether_sprintf(wh->i_addr2))); 351 ic->ic_stats.is_rx_wrongbss++; 352 goto out; 353 } 354 if ((ifp->if_flags & IFF_SIMPLEX) && 355 IEEE80211_IS_MULTICAST(wh->i_addr1) && 356 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 357 /* 358 * In IEEE802.11 network, multicast frame 359 * sent from me is broadcasted from AP. 360 * It should be silently discarded for 361 * SIMPLEX interface. 362 */ 363 ic->ic_stats.is_rx_mcastecho++; 364 goto out; 365 } 366 break; 367 #ifndef IEEE80211_STA_ONLY 368 case IEEE80211_M_IBSS: 369 case IEEE80211_M_AHDEMO: 370 if (dir != IEEE80211_FC1_DIR_NODS) { 371 ic->ic_stats.is_rx_wrongdir++; 372 goto out; 373 } 374 if (ic->ic_state != IEEE80211_S_SCAN && 375 !IEEE80211_ADDR_EQ(wh->i_addr3, 376 ic->ic_bss->ni_bssid) && 377 !IEEE80211_ADDR_EQ(wh->i_addr3, 378 etherbroadcastaddr)) { 379 /* Destination is not our BSS or broadcast. */ 380 DPRINTF(("discard data frame to DA %s\n", 381 ether_sprintf(wh->i_addr3))); 382 ic->ic_stats.is_rx_wrongbss++; 383 goto out; 384 } 385 break; 386 case IEEE80211_M_HOSTAP: 387 if (dir != IEEE80211_FC1_DIR_TODS) { 388 ic->ic_stats.is_rx_wrongdir++; 389 goto out; 390 } 391 if (ic->ic_state != IEEE80211_S_SCAN && 392 !IEEE80211_ADDR_EQ(wh->i_addr1, 393 ic->ic_bss->ni_bssid) && 394 !IEEE80211_ADDR_EQ(wh->i_addr1, 395 etherbroadcastaddr)) { 396 /* BSS is not us or broadcast. */ 397 DPRINTF(("discard data frame to BSS %s\n", 398 ether_sprintf(wh->i_addr1))); 399 ic->ic_stats.is_rx_wrongbss++; 400 goto out; 401 } 402 /* check if source STA is associated */ 403 if (ni == ic->ic_bss) { 404 DPRINTF(("data from unknown src %s\n", 405 ether_sprintf(wh->i_addr2))); 406 /* NB: caller deals with reference */ 407 ni = ieee80211_find_node(ic, wh->i_addr2); 408 if (ni == NULL) 409 ni = ieee80211_dup_bss(ic, wh->i_addr2); 410 if (ni != NULL) { 411 IEEE80211_SEND_MGMT(ic, ni, 412 IEEE80211_FC0_SUBTYPE_DEAUTH, 413 IEEE80211_REASON_NOT_AUTHED); 414 } 415 ic->ic_stats.is_rx_notassoc++; 416 goto err; 417 } 418 if (ni->ni_associd == 0) { 419 DPRINTF(("data from unassoc src %s\n", 420 ether_sprintf(wh->i_addr2))); 421 IEEE80211_SEND_MGMT(ic, ni, 422 IEEE80211_FC0_SUBTYPE_DISASSOC, 423 IEEE80211_REASON_NOT_ASSOCED); 424 ic->ic_stats.is_rx_notassoc++; 425 goto err; 426 } 427 break; 428 #endif /* IEEE80211_STA_ONLY */ 429 default: 430 /* can't get there */ 431 goto out; 432 } 433 434 #ifndef IEEE80211_NO_HT 435 if (!(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE) && 436 hasqos && (qos & IEEE80211_QOS_ACK_POLICY_MASK) == 437 IEEE80211_QOS_ACK_POLICY_BA) { 438 /* check if we have a BA agreement for this RA/TID */ 439 if (ni->ni_rx_ba[tid].ba_state != 440 IEEE80211_BA_AGREED) { 441 DPRINTF(("no BA agreement for %s, TID %d\n", 442 ether_sprintf(ni->ni_macaddr), tid)); 443 /* send a DELBA with reason code UNKNOWN-BA */ 444 IEEE80211_SEND_ACTION(ic, ni, 445 IEEE80211_CATEG_BA, IEEE80211_ACTION_DELBA, 446 IEEE80211_REASON_SETUP_REQUIRED << 16 | 447 tid); 448 goto err; 449 } 450 /* go through A-MPDU reordering */ 451 ieee80211_input_ba(ifp, m, ni, tid, rxi); 452 return; /* don't free m! */ 453 } 454 #endif 455 if ((ic->ic_flags & IEEE80211_F_WEPON) || 456 ((ic->ic_flags & IEEE80211_F_RSNON) && 457 (ni->ni_flags & IEEE80211_NODE_RXPROT))) { 458 /* protection is on for Rx */ 459 if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 460 if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 461 /* drop unencrypted */ 462 ic->ic_stats.is_rx_unencrypted++; 463 goto err; 464 } 465 /* do software decryption */ 466 m = ieee80211_decrypt(ic, m, ni); 467 if (m == NULL) { 468 ic->ic_stats.is_rx_wepfail++; 469 goto err; 470 } 471 wh = mtod(m, struct ieee80211_frame *); 472 } 473 } else if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) || 474 (rxi->rxi_flags & IEEE80211_RXI_HWDEC)) { 475 /* frame encrypted but protection off for Rx */ 476 ic->ic_stats.is_rx_nowep++; 477 goto out; 478 } 479 480 #if NBPFILTER > 0 481 /* copy to listener after decrypt */ 482 if (ic->ic_rawbpf) 483 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 484 #endif 485 486 #ifndef IEEE80211_NO_HT 487 if ((ni->ni_flags & IEEE80211_NODE_HT) && 488 hasqos && (qos & IEEE80211_QOS_AMSDU)) 489 ieee80211_amsdu_decap(ic, m, ni, hdrlen); 490 else 491 #endif 492 ieee80211_decap(ic, m, ni, hdrlen); 493 return; 494 495 case IEEE80211_FC0_TYPE_MGT: 496 if (dir != IEEE80211_FC1_DIR_NODS) { 497 ic->ic_stats.is_rx_wrongdir++; 498 goto err; 499 } 500 #ifndef IEEE80211_STA_ONLY 501 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 502 ic->ic_stats.is_rx_ahdemo_mgt++; 503 goto out; 504 } 505 #endif 506 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 507 508 /* drop frames without interest */ 509 if (ic->ic_state == IEEE80211_S_SCAN) { 510 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 511 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 512 ic->ic_stats.is_rx_mgtdiscard++; 513 goto out; 514 } 515 } 516 517 if (ni->ni_flags & IEEE80211_NODE_RXMGMTPROT) { 518 /* MMPDU protection is on for Rx */ 519 if (subtype == IEEE80211_FC0_SUBTYPE_DISASSOC || 520 subtype == IEEE80211_FC0_SUBTYPE_DEAUTH || 521 subtype == IEEE80211_FC0_SUBTYPE_ACTION) { 522 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 523 !(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 524 /* unicast mgmt not encrypted */ 525 goto out; 526 } 527 /* do software decryption */ 528 m = ieee80211_decrypt(ic, m, ni); 529 if (m == NULL) { 530 /* XXX stats */ 531 goto out; 532 } 533 wh = mtod(m, struct ieee80211_frame *); 534 } 535 } else if ((ic->ic_flags & IEEE80211_F_RSNON) && 536 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) { 537 /* encrypted but MMPDU Rx protection off for TA */ 538 goto out; 539 } 540 541 if (ifp->if_flags & IFF_DEBUG) 542 ieee80211_input_print(ic, ifp, wh, rxi); 543 #if NBPFILTER > 0 544 if (ic->ic_rawbpf) 545 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 546 /* 547 * Drop mbuf if it was filtered by bpf. Normally, this is 548 * done in ether_input() but IEEE 802.11 management frames 549 * are a special case. 550 */ 551 if (m->m_flags & M_FILDROP) { 552 m_freem(m); 553 return; 554 } 555 #endif 556 (*ic->ic_recv_mgmt)(ic, m, ni, rxi, subtype); 557 m_freem(m); 558 return; 559 560 case IEEE80211_FC0_TYPE_CTL: 561 ic->ic_stats.is_rx_ctl++; 562 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 563 switch (subtype) { 564 #ifndef IEEE80211_STA_ONLY 565 case IEEE80211_FC0_SUBTYPE_PS_POLL: 566 ieee80211_recv_pspoll(ic, m, ni); 567 break; 568 #endif 569 #ifndef IEEE80211_NO_HT 570 case IEEE80211_FC0_SUBTYPE_BAR: 571 ieee80211_recv_bar(ic, m, ni); 572 break; 573 #endif 574 default: 575 break; 576 } 577 goto out; 578 579 default: 580 DPRINTF(("bad frame type %x\n", type)); 581 /* should not come here */ 582 break; 583 } 584 err: 585 ifp->if_ierrors++; 586 out: 587 if (m != NULL) { 588 #if NBPFILTER > 0 589 if (ic->ic_rawbpf) 590 bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_IN); 591 #endif 592 m_freem(m); 593 } 594 } 595 596 /* 597 * Handle defragmentation (see 9.5 and Annex C). We support the concurrent 598 * reception of fragments of three fragmented MSDUs or MMPDUs. 599 */ 600 struct mbuf * 601 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 602 { 603 const struct ieee80211_frame *owh, *wh; 604 struct ieee80211_defrag *df; 605 u_int16_t rxseq, seq; 606 u_int8_t frag; 607 int i; 608 609 wh = mtod(m, struct ieee80211_frame *); 610 rxseq = letoh16(*(const u_int16_t *)wh->i_seq); 611 seq = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 612 frag = rxseq & IEEE80211_SEQ_FRAG_MASK; 613 614 if (frag == 0 && !(wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)) 615 return m; /* not fragmented */ 616 617 if (frag == 0) { 618 /* first fragment, setup entry in the fragment cache */ 619 if (++ic->ic_defrag_cur == IEEE80211_DEFRAG_SIZE) 620 ic->ic_defrag_cur = 0; 621 df = &ic->ic_defrag[ic->ic_defrag_cur]; 622 if (df->df_m != NULL) 623 m_freem(df->df_m); /* discard old entry */ 624 df->df_seq = seq; 625 df->df_frag = 0; 626 df->df_m = m; 627 /* start receive MSDU timer of aMaxReceiveLifetime */ 628 timeout_add_sec(&df->df_to, 1); 629 return NULL; /* MSDU or MMPDU not yet complete */ 630 } 631 632 /* find matching entry in the fragment cache */ 633 for (i = 0; i < IEEE80211_DEFRAG_SIZE; i++) { 634 df = &ic->ic_defrag[i]; 635 if (df->df_m == NULL) 636 continue; 637 if (df->df_seq != seq || df->df_frag + 1 != frag) 638 continue; 639 owh = mtod(df->df_m, struct ieee80211_frame *); 640 /* frame type, source and destination must match */ 641 if (((wh->i_fc[0] ^ owh->i_fc[0]) & IEEE80211_FC0_TYPE_MASK) || 642 !IEEE80211_ADDR_EQ(wh->i_addr1, owh->i_addr1) || 643 !IEEE80211_ADDR_EQ(wh->i_addr2, owh->i_addr2)) 644 continue; 645 /* matching entry found */ 646 break; 647 } 648 if (i == IEEE80211_DEFRAG_SIZE) { 649 /* no matching entry found, discard fragment */ 650 ic->ic_if.if_ierrors++; 651 m_freem(m); 652 return NULL; 653 } 654 655 df->df_frag = frag; 656 /* strip 802.11 header and concatenate fragment */ 657 m_adj(m, hdrlen); 658 m_cat(df->df_m, m); 659 df->df_m->m_pkthdr.len += m->m_pkthdr.len; 660 661 if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) 662 return NULL; /* MSDU or MMPDU not yet complete */ 663 664 /* MSDU or MMPDU complete */ 665 timeout_del(&df->df_to); 666 m = df->df_m; 667 df->df_m = NULL; 668 return m; 669 } 670 671 /* 672 * Receive MSDU defragmentation timer exceeds aMaxReceiveLifetime. 673 */ 674 void 675 ieee80211_defrag_timeout(void *arg) 676 { 677 struct ieee80211_defrag *df = arg; 678 int s = splnet(); 679 680 /* discard all received fragments */ 681 m_freem(df->df_m); 682 df->df_m = NULL; 683 684 splx(s); 685 } 686 687 #ifndef IEEE80211_NO_HT 688 /* 689 * Process a received data MPDU related to a specific HT-immediate Block Ack 690 * agreement (see 9.10.7.6). 691 */ 692 void 693 ieee80211_input_ba(struct ifnet *ifp, struct mbuf *m, 694 struct ieee80211_node *ni, int tid, struct ieee80211_rxinfo *rxi) 695 { 696 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 697 struct ieee80211_frame *wh; 698 int idx, count; 699 u_int16_t sn; 700 701 wh = mtod(m, struct ieee80211_frame *); 702 sn = letoh16(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 703 704 /* reset Block Ack inactivity timer */ 705 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 706 707 if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ 708 ifp->if_ierrors++; 709 m_freem(m); /* discard the MPDU */ 710 return; 711 } 712 if (SEQ_LT(ba->ba_winend, sn)) { /* WinEndB < SN */ 713 count = (sn - ba->ba_winend) & 0xfff; 714 if (count > ba->ba_winsize) /* no overlap */ 715 count = ba->ba_winsize; 716 while (count-- > 0) { 717 /* gaps may exist */ 718 if (ba->ba_buf[ba->ba_head].m != NULL) { 719 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, 720 ni, &ba->ba_buf[ba->ba_head].rxi); 721 ba->ba_buf[ba->ba_head].m = NULL; 722 } 723 ba->ba_head = (ba->ba_head + 1) % 724 IEEE80211_BA_MAX_WINSZ; 725 } 726 /* move window forward */ 727 ba->ba_winend = sn; 728 ba->ba_winstart = (sn - ba->ba_winsize + 1) & 0xfff; 729 } 730 /* WinStartB <= SN <= WinEndB */ 731 732 idx = (sn - ba->ba_winstart) & 0xfff; 733 idx = (ba->ba_head + idx) % IEEE80211_BA_MAX_WINSZ; 734 /* store the received MPDU in the buffer */ 735 if (ba->ba_buf[idx].m != NULL) { 736 ifp->if_ierrors++; 737 m_freem(m); 738 return; 739 } 740 ba->ba_buf[idx].m = m; 741 /* store Rx meta-data too */ 742 rxi->rxi_flags |= IEEE80211_RXI_AMPDU_DONE; 743 ba->ba_buf[idx].rxi = *rxi; 744 745 /* pass reordered MPDUs up to the next MAC process */ 746 while (ba->ba_buf[ba->ba_head].m != NULL) { 747 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 748 &ba->ba_buf[ba->ba_head].rxi); 749 ba->ba_buf[ba->ba_head].m = NULL; 750 751 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 752 /* move window forward */ 753 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 754 } 755 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 756 } 757 758 /* 759 * Change the value of WinStartB (move window forward) upon reception of a 760 * BlockAckReq frame or an ADDBA Request (PBAC). 761 */ 762 void 763 ieee80211_ba_move_window(struct ieee80211com *ic, struct ieee80211_node *ni, 764 u_int8_t tid, u_int16_t ssn) 765 { 766 struct ifnet *ifp = &ic->ic_if; 767 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 768 int count; 769 770 /* assert(WinStartB <= SSN) */ 771 772 count = (ssn - ba->ba_winstart) & 0xfff; 773 if (count > ba->ba_winsize) /* no overlap */ 774 count = ba->ba_winsize; 775 while (count-- > 0) { 776 /* gaps may exist */ 777 if (ba->ba_buf[ba->ba_head].m != NULL) { 778 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 779 &ba->ba_buf[ba->ba_head].rxi); 780 ba->ba_buf[ba->ba_head].m = NULL; 781 } 782 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 783 } 784 /* move window forward */ 785 ba->ba_winstart = ssn; 786 787 /* pass reordered MPDUs up to the next MAC process */ 788 while (ba->ba_buf[ba->ba_head].m != NULL) { 789 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, 790 &ba->ba_buf[ba->ba_head].rxi); 791 ba->ba_buf[ba->ba_head].m = NULL; 792 793 ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; 794 /* move window forward */ 795 ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; 796 } 797 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 798 } 799 #endif /* !IEEE80211_NO_HT */ 800 801 void 802 ieee80211_deliver_data(struct ieee80211com *ic, struct mbuf *m, 803 struct ieee80211_node *ni) 804 { 805 struct ifnet *ifp = &ic->ic_if; 806 struct ether_header *eh; 807 struct mbuf *m1; 808 809 eh = mtod(m, struct ether_header *); 810 811 if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid && 812 eh->ether_type != htons(ETHERTYPE_PAE)) { 813 DPRINTF(("port not valid: %s\n", 814 ether_sprintf(eh->ether_dhost))); 815 ic->ic_stats.is_rx_unauth++; 816 m_freem(m); 817 return; 818 } 819 ifp->if_ipackets++; 820 821 /* 822 * Perform as a bridge within the AP. Notice that we do not 823 * bridge EAPOL frames as suggested in C.1.1 of IEEE Std 802.1X. 824 */ 825 m1 = NULL; 826 #ifndef IEEE80211_STA_ONLY 827 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 828 !(ic->ic_flags & IEEE80211_F_NOBRIDGE) && 829 eh->ether_type != htons(ETHERTYPE_PAE)) { 830 struct ieee80211_node *ni1; 831 int error, len; 832 833 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 834 m1 = m_copym2(m, 0, M_COPYALL, M_DONTWAIT); 835 if (m1 == NULL) 836 ifp->if_oerrors++; 837 else 838 m1->m_flags |= M_MCAST; 839 } else { 840 ni1 = ieee80211_find_node(ic, eh->ether_dhost); 841 if (ni1 != NULL && 842 ni1->ni_state == IEEE80211_STA_ASSOC) { 843 m1 = m; 844 m = NULL; 845 } 846 } 847 if (m1 != NULL) { 848 len = m1->m_pkthdr.len; 849 IFQ_ENQUEUE(&ifp->if_snd, m1, NULL, error); 850 if (error) 851 ifp->if_oerrors++; 852 else { 853 if (m != NULL) 854 ifp->if_omcasts++; 855 ifp->if_obytes += len; 856 if_start(ifp); 857 } 858 } 859 } 860 #endif 861 if (m != NULL) { 862 #if NBPFILTER > 0 863 /* 864 * If we forward frame into transmitter of the AP, 865 * we don't need to duplicate for DLT_EN10MB. 866 */ 867 if (ifp->if_bpf && m1 == NULL) 868 bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_IN); 869 #endif 870 if ((ic->ic_flags & IEEE80211_F_RSNON) && 871 eh->ether_type == htons(ETHERTYPE_PAE)) 872 ieee80211_eapol_key_input(ic, m, ni); 873 else 874 ether_input_mbuf(ifp, m); 875 } 876 } 877 878 #ifdef __STRICT_ALIGNMENT 879 /* 880 * Make sure protocol header (e.g. IP) is aligned on a 32-bit boundary. 881 * This is achieved by copying mbufs so drivers should try to map their 882 * buffers such that this copying is not necessary. It is however not 883 * always possible because 802.11 header length may vary (non-QoS+LLC 884 * is 32 bytes while QoS+LLC is 34 bytes). Some devices are smart and 885 * add 2 padding bytes after the 802.11 header in the QoS case so this 886 * function is there for stupid drivers/devices only. 887 * 888 * XXX -- this is horrible 889 */ 890 struct mbuf * 891 ieee80211_align_mbuf(struct mbuf *m) 892 { 893 struct mbuf *n, *n0, **np; 894 caddr_t newdata; 895 int off, pktlen; 896 897 n0 = NULL; 898 np = &n0; 899 off = 0; 900 pktlen = m->m_pkthdr.len; 901 while (pktlen > off) { 902 if (n0 == NULL) { 903 MGETHDR(n, M_DONTWAIT, MT_DATA); 904 if (n == NULL) { 905 m_freem(m); 906 return NULL; 907 } 908 if (m_dup_pkthdr(n, m, M_DONTWAIT)) { 909 m_free(n); 910 m_freem(m); 911 return (NULL); 912 } 913 n->m_len = MHLEN; 914 } else { 915 MGET(n, M_DONTWAIT, MT_DATA); 916 if (n == NULL) { 917 m_freem(m); 918 m_freem(n0); 919 return NULL; 920 } 921 n->m_len = MLEN; 922 } 923 if (pktlen - off >= MINCLSIZE) { 924 MCLGET(n, M_DONTWAIT); 925 if (n->m_flags & M_EXT) 926 n->m_len = n->m_ext.ext_size; 927 } 928 if (n0 == NULL) { 929 newdata = (caddr_t)ALIGN(n->m_data + ETHER_HDR_LEN) - 930 ETHER_HDR_LEN; 931 n->m_len -= newdata - n->m_data; 932 n->m_data = newdata; 933 } 934 if (n->m_len > pktlen - off) 935 n->m_len = pktlen - off; 936 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 937 off += n->m_len; 938 *np = n; 939 np = &n->m_next; 940 } 941 m_freem(m); 942 return n0; 943 } 944 #endif /* __STRICT_ALIGNMENT */ 945 946 void 947 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, 948 struct ieee80211_node *ni, int hdrlen) 949 { 950 struct ether_header eh; 951 struct ieee80211_frame *wh; 952 struct llc *llc; 953 954 if (m->m_len < hdrlen + LLC_SNAPFRAMELEN && 955 (m = m_pullup(m, hdrlen + LLC_SNAPFRAMELEN)) == NULL) { 956 ic->ic_stats.is_rx_decap++; 957 return; 958 } 959 wh = mtod(m, struct ieee80211_frame *); 960 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 961 case IEEE80211_FC1_DIR_NODS: 962 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 963 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 964 break; 965 case IEEE80211_FC1_DIR_TODS: 966 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 967 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr2); 968 break; 969 case IEEE80211_FC1_DIR_FROMDS: 970 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr1); 971 IEEE80211_ADDR_COPY(eh.ether_shost, wh->i_addr3); 972 break; 973 case IEEE80211_FC1_DIR_DSTODS: 974 IEEE80211_ADDR_COPY(eh.ether_dhost, wh->i_addr3); 975 IEEE80211_ADDR_COPY(eh.ether_shost, 976 ((struct ieee80211_frame_addr4 *)wh)->i_addr4); 977 break; 978 } 979 llc = (struct llc *)((caddr_t)wh + hdrlen); 980 if (llc->llc_dsap == LLC_SNAP_LSAP && 981 llc->llc_ssap == LLC_SNAP_LSAP && 982 llc->llc_control == LLC_UI && 983 llc->llc_snap.org_code[0] == 0 && 984 llc->llc_snap.org_code[1] == 0 && 985 llc->llc_snap.org_code[2] == 0) { 986 eh.ether_type = llc->llc_snap.ether_type; 987 m_adj(m, hdrlen + LLC_SNAPFRAMELEN - ETHER_HDR_LEN); 988 } else { 989 eh.ether_type = htons(m->m_pkthdr.len - hdrlen); 990 m_adj(m, hdrlen - ETHER_HDR_LEN); 991 } 992 memcpy(mtod(m, caddr_t), &eh, ETHER_HDR_LEN); 993 #ifdef __STRICT_ALIGNMENT 994 if (!ALIGNED_POINTER(mtod(m, caddr_t) + ETHER_HDR_LEN, u_int32_t)) { 995 if ((m = ieee80211_align_mbuf(m)) == NULL) { 996 ic->ic_stats.is_rx_decap++; 997 return; 998 } 999 } 1000 #endif 1001 ieee80211_deliver_data(ic, m, ni); 1002 } 1003 1004 #ifndef IEEE80211_NO_HT 1005 /* 1006 * Decapsulate an Aggregate MSDU (see 7.2.2.2). 1007 */ 1008 void 1009 ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m, 1010 struct ieee80211_node *ni, int hdrlen) 1011 { 1012 struct mbuf *n; 1013 struct ether_header *eh; 1014 struct llc *llc; 1015 int len, pad; 1016 1017 /* strip 802.11 header */ 1018 m_adj(m, hdrlen); 1019 1020 for (;;) { 1021 /* process an A-MSDU subframe */ 1022 if (m->m_len < ETHER_HDR_LEN + LLC_SNAPFRAMELEN) { 1023 m = m_pullup(m, ETHER_HDR_LEN + LLC_SNAPFRAMELEN); 1024 if (m == NULL) { 1025 ic->ic_stats.is_rx_decap++; 1026 break; 1027 } 1028 } 1029 eh = mtod(m, struct ether_header *); 1030 /* examine 802.3 header */ 1031 len = ntohs(eh->ether_type); 1032 if (len < LLC_SNAPFRAMELEN) { 1033 DPRINTF(("A-MSDU subframe too short (%d)\n", len)); 1034 /* stop processing A-MSDU subframes */ 1035 ic->ic_stats.is_rx_decap++; 1036 m_freem(m); 1037 break; 1038 } 1039 llc = (struct llc *)&eh[1]; 1040 /* examine 802.2 LLC header */ 1041 if (llc->llc_dsap == LLC_SNAP_LSAP && 1042 llc->llc_ssap == LLC_SNAP_LSAP && 1043 llc->llc_control == LLC_UI && 1044 llc->llc_snap.org_code[0] == 0 && 1045 llc->llc_snap.org_code[1] == 0 && 1046 llc->llc_snap.org_code[2] == 0) { 1047 /* convert to Ethernet II header */ 1048 eh->ether_type = llc->llc_snap.ether_type; 1049 /* strip LLC+SNAP headers */ 1050 ovbcopy(eh, (u_int8_t *)eh + LLC_SNAPFRAMELEN, 1051 ETHER_HDR_LEN); 1052 m_adj(m, LLC_SNAPFRAMELEN); 1053 len -= LLC_SNAPFRAMELEN; 1054 } 1055 len += ETHER_HDR_LEN; 1056 1057 /* "detach" our A-MSDU subframe from the others */ 1058 n = m_split(m, len, M_NOWAIT); 1059 if (n == NULL) { 1060 /* stop processing A-MSDU subframes */ 1061 ic->ic_stats.is_rx_decap++; 1062 m_freem(m); 1063 break; 1064 } 1065 ieee80211_deliver_data(ic, m, ni); 1066 1067 m = n; 1068 /* remove padding */ 1069 pad = ((len + 3) & ~3) - len; 1070 m_adj(m, pad); 1071 } 1072 } 1073 #endif /* !IEEE80211_NO_HT */ 1074 1075 /* 1076 * Parse an EDCA Parameter Set element (see 7.3.2.27). 1077 */ 1078 int 1079 ieee80211_parse_edca_params_body(struct ieee80211com *ic, const u_int8_t *frm) 1080 { 1081 u_int updtcount; 1082 int aci; 1083 1084 /* 1085 * Check if EDCA parameters have changed XXX if we miss more than 1086 * 15 consecutive beacons, we might not detect changes to EDCA 1087 * parameters due to wraparound of the 4-bit Update Count field. 1088 */ 1089 updtcount = frm[0] & 0xf; 1090 if (updtcount == ic->ic_edca_updtcount) 1091 return 0; /* no changes to EDCA parameters, ignore */ 1092 ic->ic_edca_updtcount = updtcount; 1093 1094 frm += 2; /* skip QoS Info & Reserved fields */ 1095 1096 /* parse AC Parameter Records */ 1097 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 1098 struct ieee80211_edca_ac_params *ac = &ic->ic_edca_ac[aci]; 1099 1100 ac->ac_acm = (frm[0] >> 4) & 0x1; 1101 ac->ac_aifsn = frm[0] & 0xf; 1102 ac->ac_ecwmin = frm[1] & 0xf; 1103 ac->ac_ecwmax = frm[1] >> 4; 1104 ac->ac_txoplimit = LE_READ_2(frm + 2); 1105 frm += 4; 1106 } 1107 /* give drivers a chance to update their settings */ 1108 if ((ic->ic_flags & IEEE80211_F_QOS) && ic->ic_updateedca != NULL) 1109 (*ic->ic_updateedca)(ic); 1110 1111 return 0; 1112 } 1113 1114 int 1115 ieee80211_parse_edca_params(struct ieee80211com *ic, const u_int8_t *frm) 1116 { 1117 if (frm[1] < 18) { 1118 ic->ic_stats.is_rx_elem_toosmall++; 1119 return IEEE80211_REASON_IE_INVALID; 1120 } 1121 return ieee80211_parse_edca_params_body(ic, frm + 2); 1122 } 1123 1124 int 1125 ieee80211_parse_wmm_params(struct ieee80211com *ic, const u_int8_t *frm) 1126 { 1127 if (frm[1] < 24) { 1128 ic->ic_stats.is_rx_elem_toosmall++; 1129 return IEEE80211_REASON_IE_INVALID; 1130 } 1131 return ieee80211_parse_edca_params_body(ic, frm + 8); 1132 } 1133 1134 enum ieee80211_cipher 1135 ieee80211_parse_rsn_cipher(const u_int8_t selector[4]) 1136 { 1137 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1138 switch (selector[3]) { 1139 case 0: /* use group data cipher suite */ 1140 return IEEE80211_CIPHER_USEGROUP; 1141 case 1: /* WEP-40 */ 1142 return IEEE80211_CIPHER_WEP40; 1143 case 2: /* TKIP */ 1144 return IEEE80211_CIPHER_TKIP; 1145 case 4: /* CCMP (RSNA default) */ 1146 return IEEE80211_CIPHER_CCMP; 1147 case 5: /* WEP-104 */ 1148 return IEEE80211_CIPHER_WEP104; 1149 } 1150 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1151 /* from IEEE Std 802.11 - Table 20da */ 1152 switch (selector[3]) { 1153 case 0: /* use group data cipher suite */ 1154 return IEEE80211_CIPHER_USEGROUP; 1155 case 1: /* WEP-40 */ 1156 return IEEE80211_CIPHER_WEP40; 1157 case 2: /* TKIP */ 1158 return IEEE80211_CIPHER_TKIP; 1159 case 4: /* CCMP (RSNA default) */ 1160 return IEEE80211_CIPHER_CCMP; 1161 case 5: /* WEP-104 */ 1162 return IEEE80211_CIPHER_WEP104; 1163 case 6: /* BIP */ 1164 return IEEE80211_CIPHER_BIP; 1165 } 1166 } 1167 return IEEE80211_CIPHER_NONE; /* ignore unknown ciphers */ 1168 } 1169 1170 enum ieee80211_akm 1171 ieee80211_parse_rsn_akm(const u_int8_t selector[4]) 1172 { 1173 if (memcmp(selector, MICROSOFT_OUI, 3) == 0) { /* WPA */ 1174 switch (selector[3]) { 1175 case 1: /* IEEE 802.1X (RSNA default) */ 1176 return IEEE80211_AKM_8021X; 1177 case 2: /* PSK */ 1178 return IEEE80211_AKM_PSK; 1179 } 1180 } else if (memcmp(selector, IEEE80211_OUI, 3) == 0) { /* RSN */ 1181 /* from IEEE Std 802.11i-2004 - Table 20dc */ 1182 switch (selector[3]) { 1183 case 1: /* IEEE 802.1X (RSNA default) */ 1184 return IEEE80211_AKM_8021X; 1185 case 2: /* PSK */ 1186 return IEEE80211_AKM_PSK; 1187 case 5: /* IEEE 802.1X with SHA256 KDF */ 1188 return IEEE80211_AKM_SHA256_8021X; 1189 case 6: /* PSK with SHA256 KDF */ 1190 return IEEE80211_AKM_SHA256_PSK; 1191 } 1192 } 1193 return IEEE80211_AKM_NONE; /* ignore unknown AKMs */ 1194 } 1195 1196 /* 1197 * Parse an RSN element (see 7.3.2.25). 1198 */ 1199 int 1200 ieee80211_parse_rsn_body(struct ieee80211com *ic, const u_int8_t *frm, 1201 u_int len, struct ieee80211_rsnparams *rsn) 1202 { 1203 const u_int8_t *efrm; 1204 u_int16_t m, n, s; 1205 1206 efrm = frm + len; 1207 1208 /* check Version field */ 1209 if (LE_READ_2(frm) != 1) 1210 return IEEE80211_STATUS_RSN_IE_VER_UNSUP; 1211 frm += 2; 1212 1213 /* all fields after the Version field are optional */ 1214 1215 /* if Cipher Suite missing, default to CCMP */ 1216 rsn->rsn_groupcipher = IEEE80211_CIPHER_CCMP; 1217 rsn->rsn_nciphers = 1; 1218 rsn->rsn_ciphers = IEEE80211_CIPHER_CCMP; 1219 /* if Group Management Cipher Suite missing, defaut to BIP */ 1220 rsn->rsn_groupmgmtcipher = IEEE80211_CIPHER_BIP; 1221 /* if AKM Suite missing, default to 802.1X */ 1222 rsn->rsn_nakms = 1; 1223 rsn->rsn_akms = IEEE80211_AKM_8021X; 1224 /* if RSN capabilities missing, default to 0 */ 1225 rsn->rsn_caps = 0; 1226 rsn->rsn_npmkids = 0; 1227 1228 /* read Group Data Cipher Suite field */ 1229 if (frm + 4 > efrm) 1230 return 0; 1231 rsn->rsn_groupcipher = ieee80211_parse_rsn_cipher(frm); 1232 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_USEGROUP) 1233 return IEEE80211_STATUS_BAD_GROUP_CIPHER; 1234 frm += 4; 1235 1236 /* read Pairwise Cipher Suite Count field */ 1237 if (frm + 2 > efrm) 1238 return 0; 1239 m = rsn->rsn_nciphers = LE_READ_2(frm); 1240 frm += 2; 1241 1242 /* read Pairwise Cipher Suite List */ 1243 if (frm + m * 4 > efrm) 1244 return IEEE80211_STATUS_IE_INVALID; 1245 rsn->rsn_ciphers = IEEE80211_CIPHER_NONE; 1246 while (m-- > 0) { 1247 rsn->rsn_ciphers |= ieee80211_parse_rsn_cipher(frm); 1248 frm += 4; 1249 } 1250 if (rsn->rsn_ciphers & IEEE80211_CIPHER_USEGROUP) { 1251 if (rsn->rsn_ciphers != IEEE80211_CIPHER_USEGROUP) 1252 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1253 if (rsn->rsn_groupcipher == IEEE80211_CIPHER_CCMP) 1254 return IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 1255 } 1256 1257 /* read AKM Suite List Count field */ 1258 if (frm + 2 > efrm) 1259 return 0; 1260 n = rsn->rsn_nakms = LE_READ_2(frm); 1261 frm += 2; 1262 1263 /* read AKM Suite List */ 1264 if (frm + n * 4 > efrm) 1265 return IEEE80211_STATUS_IE_INVALID; 1266 rsn->rsn_akms = IEEE80211_AKM_NONE; 1267 while (n-- > 0) { 1268 rsn->rsn_akms |= ieee80211_parse_rsn_akm(frm); 1269 frm += 4; 1270 } 1271 1272 /* read RSN Capabilities field */ 1273 if (frm + 2 > efrm) 1274 return 0; 1275 rsn->rsn_caps = LE_READ_2(frm); 1276 frm += 2; 1277 1278 /* read PMKID Count field */ 1279 if (frm + 2 > efrm) 1280 return 0; 1281 s = rsn->rsn_npmkids = LE_READ_2(frm); 1282 frm += 2; 1283 1284 /* read PMKID List */ 1285 if (frm + s * IEEE80211_PMKID_LEN > efrm) 1286 return IEEE80211_STATUS_IE_INVALID; 1287 if (s != 0) { 1288 rsn->rsn_pmkids = frm; 1289 frm += s * IEEE80211_PMKID_LEN; 1290 } 1291 1292 /* read Group Management Cipher Suite field */ 1293 if (frm + 4 > efrm) 1294 return 0; 1295 rsn->rsn_groupmgmtcipher = ieee80211_parse_rsn_cipher(frm); 1296 1297 return IEEE80211_STATUS_SUCCESS; 1298 } 1299 1300 int 1301 ieee80211_parse_rsn(struct ieee80211com *ic, const u_int8_t *frm, 1302 struct ieee80211_rsnparams *rsn) 1303 { 1304 if (frm[1] < 2) { 1305 ic->ic_stats.is_rx_elem_toosmall++; 1306 return IEEE80211_STATUS_IE_INVALID; 1307 } 1308 return ieee80211_parse_rsn_body(ic, frm + 2, frm[1], rsn); 1309 } 1310 1311 int 1312 ieee80211_parse_wpa(struct ieee80211com *ic, const u_int8_t *frm, 1313 struct ieee80211_rsnparams *rsn) 1314 { 1315 if (frm[1] < 6) { 1316 ic->ic_stats.is_rx_elem_toosmall++; 1317 return IEEE80211_STATUS_IE_INVALID; 1318 } 1319 return ieee80211_parse_rsn_body(ic, frm + 6, frm[1] - 4, rsn); 1320 } 1321 1322 /* 1323 * Create (or update) a copy of an information element. 1324 */ 1325 int 1326 ieee80211_save_ie(const u_int8_t *frm, u_int8_t **ie) 1327 { 1328 if (*ie == NULL || (*ie)[1] != frm[1]) { 1329 if (*ie != NULL) 1330 free(*ie, M_DEVBUF); 1331 *ie = malloc(2 + frm[1], M_DEVBUF, M_NOWAIT); 1332 if (*ie == NULL) 1333 return ENOMEM; 1334 } 1335 memcpy(*ie, frm, 2 + frm[1]); 1336 return 0; 1337 } 1338 1339 /*- 1340 * Beacon/Probe response frame format: 1341 * [8] Timestamp 1342 * [2] Beacon interval 1343 * [2] Capability 1344 * [tlv] Service Set Identifier (SSID) 1345 * [tlv] Supported rates 1346 * [tlv] DS Parameter Set (802.11g) 1347 * [tlv] ERP Information (802.11g) 1348 * [tlv] Extended Supported Rates (802.11g) 1349 * [tlv] RSN (802.11i) 1350 * [tlv] EDCA Parameter Set (802.11e) 1351 * [tlv] QoS Capability (Beacon only, 802.11e) 1352 * [tlv] HT Capabilities (802.11n) 1353 * [tlv] HT Operation (802.11n) 1354 */ 1355 void 1356 ieee80211_recv_probe_resp(struct ieee80211com *ic, struct mbuf *m, 1357 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int isprobe) 1358 { 1359 const struct ieee80211_frame *wh; 1360 const u_int8_t *frm, *efrm; 1361 const u_int8_t *tstamp, *ssid, *rates, *xrates, *edcaie, *wmmie; 1362 const u_int8_t *rsnie, *wpaie, *htcaps, *htop; 1363 u_int16_t capinfo, bintval; 1364 u_int8_t chan, bchan, erp; 1365 int is_new; 1366 1367 /* 1368 * We process beacon/probe response frames for: 1369 * o station mode: to collect state 1370 * updates such as 802.11g slot time and for passive 1371 * scanning of APs 1372 * o adhoc mode: to discover neighbors 1373 * o hostap mode: for passive scanning of neighbor APs 1374 * o when scanning 1375 * In other words, in all modes other than monitor (which 1376 * does not process incoming frames) and adhoc-demo (which 1377 * does not use management frames at all). 1378 */ 1379 #ifdef DIAGNOSTIC 1380 if (ic->ic_opmode != IEEE80211_M_STA && 1381 #ifndef IEEE80211_STA_ONLY 1382 ic->ic_opmode != IEEE80211_M_IBSS && 1383 ic->ic_opmode != IEEE80211_M_HOSTAP && 1384 #endif 1385 ic->ic_state != IEEE80211_S_SCAN) { 1386 panic("%s: impossible operating mode", __func__); 1387 } 1388 #endif 1389 /* make sure all mandatory fixed fields are present */ 1390 if (m->m_len < sizeof(*wh) + 12) { 1391 DPRINTF(("frame too short\n")); 1392 return; 1393 } 1394 wh = mtod(m, struct ieee80211_frame *); 1395 frm = (const u_int8_t *)&wh[1]; 1396 efrm = mtod(m, u_int8_t *) + m->m_len; 1397 1398 tstamp = frm; frm += 8; 1399 bintval = LE_READ_2(frm); frm += 2; 1400 capinfo = LE_READ_2(frm); frm += 2; 1401 1402 ssid = rates = xrates = edcaie = wmmie = rsnie = wpaie = NULL; 1403 htcaps = htop = NULL; 1404 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1405 chan = bchan; 1406 erp = 0; 1407 while (frm + 2 <= efrm) { 1408 if (frm + 2 + frm[1] > efrm) { 1409 ic->ic_stats.is_rx_elem_toosmall++; 1410 break; 1411 } 1412 switch (frm[0]) { 1413 case IEEE80211_ELEMID_SSID: 1414 ssid = frm; 1415 break; 1416 case IEEE80211_ELEMID_RATES: 1417 rates = frm; 1418 break; 1419 case IEEE80211_ELEMID_DSPARMS: 1420 if (frm[1] < 1) { 1421 ic->ic_stats.is_rx_elem_toosmall++; 1422 break; 1423 } 1424 chan = frm[2]; 1425 break; 1426 case IEEE80211_ELEMID_XRATES: 1427 xrates = frm; 1428 break; 1429 case IEEE80211_ELEMID_ERP: 1430 if (frm[1] < 1) { 1431 ic->ic_stats.is_rx_elem_toosmall++; 1432 break; 1433 } 1434 erp = frm[2]; 1435 break; 1436 case IEEE80211_ELEMID_RSN: 1437 rsnie = frm; 1438 break; 1439 case IEEE80211_ELEMID_EDCAPARMS: 1440 edcaie = frm; 1441 break; 1442 #ifndef IEEE80211_NO_HT 1443 case IEEE80211_ELEMID_HTCAPS: 1444 htcaps = frm; 1445 break; 1446 case IEEE80211_ELEMID_HTOP: 1447 htop = frm; 1448 break; 1449 #endif 1450 case IEEE80211_ELEMID_VENDOR: 1451 if (frm[1] < 4) { 1452 ic->ic_stats.is_rx_elem_toosmall++; 1453 break; 1454 } 1455 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1456 if (frm[5] == 1) 1457 wpaie = frm; 1458 else if (frm[1] >= 5 && 1459 frm[5] == 2 && frm[6] == 1) 1460 wmmie = frm; 1461 } 1462 break; 1463 } 1464 frm += 2 + frm[1]; 1465 } 1466 /* supported rates element is mandatory */ 1467 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1468 DPRINTF(("invalid supported rates element\n")); 1469 return; 1470 } 1471 /* SSID element is mandatory */ 1472 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1473 DPRINTF(("invalid SSID element\n")); 1474 return; 1475 } 1476 1477 if ( 1478 #if IEEE80211_CHAN_MAX < 255 1479 chan > IEEE80211_CHAN_MAX || 1480 #endif 1481 isclr(ic->ic_chan_active, chan)) { 1482 DPRINTF(("ignore %s with invalid channel %u\n", 1483 isprobe ? "probe response" : "beacon", chan)); 1484 ic->ic_stats.is_rx_badchan++; 1485 return; 1486 } 1487 if ((ic->ic_state != IEEE80211_S_SCAN || 1488 !(ic->ic_caps & IEEE80211_C_SCANALL)) && 1489 chan != bchan) { 1490 /* 1491 * Frame was received on a channel different from the 1492 * one indicated in the DS params element id; 1493 * silently discard it. 1494 * 1495 * NB: this can happen due to signal leakage. 1496 */ 1497 DPRINTF(("ignore %s on channel %u marked for channel %u\n", 1498 isprobe ? "probe response" : "beacon", bchan, chan)); 1499 ic->ic_stats.is_rx_chanmismatch++; 1500 return; 1501 } 1502 /* 1503 * Use mac, channel and rssi so we collect only the 1504 * best potential AP with the equal bssid while scanning. 1505 * Collecting all potential APs may result in bloat of 1506 * the node tree. This call will return NULL if the node 1507 * for this APs does not exist or if the new node is the 1508 * potential better one. 1509 */ 1510 if ((ni = ieee80211_find_node_for_beacon(ic, wh->i_addr2, 1511 &ic->ic_channels[chan], ssid, rxi->rxi_rssi)) != NULL) 1512 return; 1513 1514 #ifdef IEEE80211_DEBUG 1515 if (ieee80211_debug && 1516 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN)) { 1517 printf("%s: %s%s on chan %u (bss chan %u) ", 1518 __func__, (ni == NULL ? "new " : ""), 1519 isprobe ? "probe response" : "beacon", 1520 chan, bchan); 1521 ieee80211_print_essid(ssid + 2, ssid[1]); 1522 printf(" from %s\n", ether_sprintf((u_int8_t *)wh->i_addr2)); 1523 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1524 __func__, capinfo, bintval, erp); 1525 } 1526 #endif 1527 1528 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1529 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1530 if (ni == NULL) 1531 return; 1532 is_new = 1; 1533 } else 1534 is_new = 0; 1535 1536 /* 1537 * When operating in station mode, check for state updates 1538 * while we're associated. We consider only 11g stuff right 1539 * now. 1540 */ 1541 if (ic->ic_opmode == IEEE80211_M_STA && 1542 ic->ic_state == IEEE80211_S_RUN && 1543 ni->ni_state == IEEE80211_STA_BSS) { 1544 /* 1545 * Check if protection mode has changed since last beacon. 1546 */ 1547 if (ni->ni_erp != erp) { 1548 DPRINTF(("[%s] erp change: was 0x%x, now 0x%x\n", 1549 ether_sprintf((u_int8_t *)wh->i_addr2), 1550 ni->ni_erp, erp)); 1551 if (ic->ic_curmode == IEEE80211_MODE_11G && 1552 (erp & IEEE80211_ERP_USE_PROTECTION)) 1553 ic->ic_flags |= IEEE80211_F_USEPROT; 1554 else 1555 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1556 ic->ic_bss->ni_erp = erp; 1557 } 1558 /* 1559 * Check if AP short slot time setting has changed 1560 * since last beacon and give the driver a chance to 1561 * update the hardware. 1562 */ 1563 if ((ni->ni_capinfo ^ capinfo) & 1564 IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1565 ieee80211_set_shortslottime(ic, 1566 ic->ic_curmode == IEEE80211_MODE_11A || 1567 (capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1568 } 1569 } 1570 /* 1571 * We do not try to update EDCA parameters if QoS was not negotiated 1572 * with the AP at association time. 1573 */ 1574 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1575 /* always prefer EDCA IE over Wi-Fi Alliance WMM IE */ 1576 if (edcaie != NULL) 1577 ieee80211_parse_edca_params(ic, edcaie); 1578 else if (wmmie != NULL) 1579 ieee80211_parse_wmm_params(ic, wmmie); 1580 } 1581 1582 if (ic->ic_state == IEEE80211_S_SCAN && 1583 #ifndef IEEE80211_STA_ONLY 1584 ic->ic_opmode != IEEE80211_M_HOSTAP && 1585 #endif 1586 (ic->ic_flags & IEEE80211_F_RSNON)) { 1587 struct ieee80211_rsnparams rsn; 1588 const u_int8_t *saveie = NULL; 1589 /* 1590 * If the AP advertises both RSN and WPA IEs (WPA1+WPA2), 1591 * we only store the parameters of the highest protocol 1592 * version we support. 1593 */ 1594 if (rsnie != NULL && 1595 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1596 if (ieee80211_parse_rsn(ic, rsnie, &rsn) == 0) { 1597 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1598 saveie = rsnie; 1599 } 1600 } else if (wpaie != NULL && 1601 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1602 if (ieee80211_parse_wpa(ic, wpaie, &rsn) == 0) { 1603 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1604 saveie = wpaie; 1605 } 1606 } 1607 if (saveie != NULL && 1608 ieee80211_save_ie(saveie, &ni->ni_rsnie) == 0) { 1609 ni->ni_rsnakms = rsn.rsn_akms; 1610 ni->ni_rsnciphers = rsn.rsn_ciphers; 1611 ni->ni_rsngroupcipher = rsn.rsn_groupcipher; 1612 ni->ni_rsngroupmgmtcipher = rsn.rsn_groupmgmtcipher; 1613 ni->ni_rsncaps = rsn.rsn_caps; 1614 } else 1615 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1616 } else if (ic->ic_state == IEEE80211_S_SCAN) 1617 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 1618 1619 if (ssid[1] != 0 && ni->ni_esslen == 0) { 1620 ni->ni_esslen = ssid[1]; 1621 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1622 /* we know that ssid[1] <= IEEE80211_NWID_LEN */ 1623 memcpy(ni->ni_essid, &ssid[2], ssid[1]); 1624 } 1625 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1626 ni->ni_rssi = rxi->rxi_rssi; 1627 ni->ni_rstamp = rxi->rxi_tstamp; 1628 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1629 ni->ni_intval = bintval; 1630 ni->ni_capinfo = capinfo; 1631 /* XXX validate channel # */ 1632 ni->ni_chan = &ic->ic_channels[chan]; 1633 ni->ni_erp = erp; 1634 /* NB: must be after ni_chan is setup */ 1635 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1636 1637 /* 1638 * When scanning we record results (nodes) with a zero 1639 * refcnt. Otherwise we want to hold the reference for 1640 * ibss neighbors so the nodes don't get released prematurely. 1641 * Anything else can be discarded (XXX and should be handled 1642 * above so we don't do so much work). 1643 */ 1644 if ( 1645 #ifndef IEEE80211_STA_ONLY 1646 ic->ic_opmode == IEEE80211_M_IBSS || 1647 #endif 1648 (is_new && isprobe)) { 1649 /* 1650 * Fake an association so the driver can setup it's 1651 * private state. The rate set has been setup above; 1652 * there is no handshake as in ap/station operation. 1653 */ 1654 if (ic->ic_newassoc) 1655 (*ic->ic_newassoc)(ic, ni, 1); 1656 } 1657 } 1658 1659 #ifndef IEEE80211_STA_ONLY 1660 /*- 1661 * Probe request frame format: 1662 * [tlv] SSID 1663 * [tlv] Supported rates 1664 * [tlv] Extended Supported Rates (802.11g) 1665 * [tlv] HT Capabilities (802.11n) 1666 */ 1667 void 1668 ieee80211_recv_probe_req(struct ieee80211com *ic, struct mbuf *m, 1669 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1670 { 1671 const struct ieee80211_frame *wh; 1672 const u_int8_t *frm, *efrm; 1673 const u_int8_t *ssid, *rates, *xrates, *htcaps; 1674 u_int8_t rate; 1675 1676 if (ic->ic_opmode == IEEE80211_M_STA || 1677 ic->ic_state != IEEE80211_S_RUN) 1678 return; 1679 1680 wh = mtod(m, struct ieee80211_frame *); 1681 frm = (const u_int8_t *)&wh[1]; 1682 efrm = mtod(m, u_int8_t *) + m->m_len; 1683 1684 ssid = rates = xrates = htcaps = NULL; 1685 while (frm + 2 <= efrm) { 1686 if (frm + 2 + frm[1] > efrm) { 1687 ic->ic_stats.is_rx_elem_toosmall++; 1688 break; 1689 } 1690 switch (frm[0]) { 1691 case IEEE80211_ELEMID_SSID: 1692 ssid = frm; 1693 break; 1694 case IEEE80211_ELEMID_RATES: 1695 rates = frm; 1696 break; 1697 case IEEE80211_ELEMID_XRATES: 1698 xrates = frm; 1699 break; 1700 #ifndef IEEE80211_NO_HT 1701 case IEEE80211_ELEMID_HTCAPS: 1702 htcaps = frm; 1703 break; 1704 #endif 1705 } 1706 frm += 2 + frm[1]; 1707 } 1708 /* supported rates element is mandatory */ 1709 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1710 DPRINTF(("invalid supported rates element\n")); 1711 return; 1712 } 1713 /* SSID element is mandatory */ 1714 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1715 DPRINTF(("invalid SSID element\n")); 1716 return; 1717 } 1718 /* check that the specified SSID (if not wildcard) matches ours */ 1719 if (ssid[1] != 0 && (ssid[1] != ic->ic_bss->ni_esslen || 1720 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen))) { 1721 DPRINTF(("SSID mismatch\n")); 1722 ic->ic_stats.is_rx_ssidmismatch++; 1723 return; 1724 } 1725 /* refuse wildcard SSID if we're hiding our SSID in beacons */ 1726 if (ssid[1] == 0 && (ic->ic_flags & IEEE80211_F_HIDENWID)) { 1727 DPRINTF(("wildcard SSID rejected")); 1728 ic->ic_stats.is_rx_ssidmismatch++; 1729 return; 1730 } 1731 1732 if (ni == ic->ic_bss) { 1733 ni = ieee80211_find_node(ic, wh->i_addr2); 1734 if (ni == NULL) 1735 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1736 if (ni == NULL) 1737 return; 1738 DPRINTF(("new probe req from %s\n", 1739 ether_sprintf((u_int8_t *)wh->i_addr2))); 1740 } 1741 ni->ni_rssi = rxi->rxi_rssi; 1742 ni->ni_rstamp = rxi->rxi_tstamp; 1743 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1744 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1745 IEEE80211_F_DODEL); 1746 if (rate & IEEE80211_RATE_BASIC) { 1747 DPRINTF(("rate mismatch for %s\n", 1748 ether_sprintf((u_int8_t *)wh->i_addr2))); 1749 return; 1750 } 1751 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1752 } 1753 #endif /* IEEE80211_STA_ONLY */ 1754 1755 /*- 1756 * Authentication frame format: 1757 * [2] Authentication algorithm number 1758 * [2] Authentication transaction sequence number 1759 * [2] Status code 1760 */ 1761 void 1762 ieee80211_recv_auth(struct ieee80211com *ic, struct mbuf *m, 1763 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) 1764 { 1765 const struct ieee80211_frame *wh; 1766 const u_int8_t *frm; 1767 u_int16_t algo, seq, status; 1768 1769 /* make sure all mandatory fixed fields are present */ 1770 if (m->m_len < sizeof(*wh) + 6) { 1771 DPRINTF(("frame too short\n")); 1772 return; 1773 } 1774 wh = mtod(m, struct ieee80211_frame *); 1775 frm = (const u_int8_t *)&wh[1]; 1776 1777 algo = LE_READ_2(frm); frm += 2; 1778 seq = LE_READ_2(frm); frm += 2; 1779 status = LE_READ_2(frm); frm += 2; 1780 DPRINTF(("auth %d seq %d from %s\n", algo, seq, 1781 ether_sprintf((u_int8_t *)wh->i_addr2))); 1782 1783 /* only "open" auth mode is supported */ 1784 if (algo != IEEE80211_AUTH_ALG_OPEN) { 1785 DPRINTF(("unsupported auth algorithm %d from %s\n", 1786 algo, ether_sprintf((u_int8_t *)wh->i_addr2))); 1787 ic->ic_stats.is_rx_auth_unsupported++; 1788 #ifndef IEEE80211_STA_ONLY 1789 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1790 /* XXX hack to workaround calling convention */ 1791 IEEE80211_SEND_MGMT(ic, ni, 1792 IEEE80211_FC0_SUBTYPE_AUTH, 1793 IEEE80211_STATUS_ALG << 16 | ((seq + 1) & 0xffff)); 1794 } 1795 #endif 1796 return; 1797 } 1798 ieee80211_auth_open(ic, wh, ni, rxi, seq, status); 1799 } 1800 1801 #ifndef IEEE80211_STA_ONLY 1802 /*- 1803 * (Re)Association request frame format: 1804 * [2] Capability information 1805 * [2] Listen interval 1806 * [6*] Current AP address (Reassociation only) 1807 * [tlv] SSID 1808 * [tlv] Supported rates 1809 * [tlv] Extended Supported Rates (802.11g) 1810 * [tlv] RSN (802.11i) 1811 * [tlv] QoS Capability (802.11e) 1812 * [tlv] HT Capabilities (802.11n) 1813 */ 1814 void 1815 ieee80211_recv_assoc_req(struct ieee80211com *ic, struct mbuf *m, 1816 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int reassoc) 1817 { 1818 const struct ieee80211_frame *wh; 1819 const u_int8_t *frm, *efrm; 1820 const u_int8_t *ssid, *rates, *xrates, *rsnie, *wpaie, *htcaps; 1821 u_int16_t capinfo, bintval; 1822 int resp, status = 0; 1823 struct ieee80211_rsnparams rsn; 1824 u_int8_t rate; 1825 1826 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1827 ic->ic_state != IEEE80211_S_RUN) 1828 return; 1829 1830 /* make sure all mandatory fixed fields are present */ 1831 if (m->m_len < sizeof(*wh) + (reassoc ? 10 : 4)) { 1832 DPRINTF(("frame too short\n")); 1833 return; 1834 } 1835 wh = mtod(m, struct ieee80211_frame *); 1836 frm = (const u_int8_t *)&wh[1]; 1837 efrm = mtod(m, u_int8_t *) + m->m_len; 1838 1839 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1840 DPRINTF(("ignore other bss from %s\n", 1841 ether_sprintf((u_int8_t *)wh->i_addr2))); 1842 ic->ic_stats.is_rx_assoc_bss++; 1843 return; 1844 } 1845 capinfo = LE_READ_2(frm); frm += 2; 1846 bintval = LE_READ_2(frm); frm += 2; 1847 if (reassoc) { 1848 frm += IEEE80211_ADDR_LEN; /* skip current AP address */ 1849 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1850 } else 1851 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1852 1853 ssid = rates = xrates = rsnie = wpaie = htcaps = NULL; 1854 while (frm + 2 <= efrm) { 1855 if (frm + 2 + frm[1] > efrm) { 1856 ic->ic_stats.is_rx_elem_toosmall++; 1857 break; 1858 } 1859 switch (frm[0]) { 1860 case IEEE80211_ELEMID_SSID: 1861 ssid = frm; 1862 break; 1863 case IEEE80211_ELEMID_RATES: 1864 rates = frm; 1865 break; 1866 case IEEE80211_ELEMID_XRATES: 1867 xrates = frm; 1868 break; 1869 case IEEE80211_ELEMID_RSN: 1870 rsnie = frm; 1871 break; 1872 case IEEE80211_ELEMID_QOS_CAP: 1873 break; 1874 #ifndef IEEE80211_NO_HT 1875 case IEEE80211_ELEMID_HTCAPS: 1876 htcaps = frm; 1877 break; 1878 #endif 1879 case IEEE80211_ELEMID_VENDOR: 1880 if (frm[1] < 4) { 1881 ic->ic_stats.is_rx_elem_toosmall++; 1882 break; 1883 } 1884 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 1885 if (frm[5] == 1) 1886 wpaie = frm; 1887 } 1888 break; 1889 } 1890 frm += 2 + frm[1]; 1891 } 1892 /* supported rates element is mandatory */ 1893 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 1894 DPRINTF(("invalid supported rates element\n")); 1895 return; 1896 } 1897 /* SSID element is mandatory */ 1898 if (ssid == NULL || ssid[1] > IEEE80211_NWID_LEN) { 1899 DPRINTF(("invalid SSID element\n")); 1900 return; 1901 } 1902 /* check that the specified SSID matches ours */ 1903 if (ssid[1] != ic->ic_bss->ni_esslen || 1904 memcmp(&ssid[2], ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen)) { 1905 DPRINTF(("SSID mismatch\n")); 1906 ic->ic_stats.is_rx_ssidmismatch++; 1907 return; 1908 } 1909 1910 if (ni->ni_state != IEEE80211_STA_AUTH && 1911 ni->ni_state != IEEE80211_STA_ASSOC) { 1912 DPRINTF(("deny %sassoc from %s, not authenticated\n", 1913 reassoc ? "re" : "", 1914 ether_sprintf((u_int8_t *)wh->i_addr2))); 1915 ni = ieee80211_find_node(ic, wh->i_addr2); 1916 if (ni == NULL) 1917 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1918 if (ni != NULL) { 1919 IEEE80211_SEND_MGMT(ic, ni, 1920 IEEE80211_FC0_SUBTYPE_DEAUTH, 1921 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1922 } 1923 ic->ic_stats.is_rx_assoc_notauth++; 1924 return; 1925 } 1926 1927 if (ni->ni_state == IEEE80211_STA_ASSOC && 1928 (ni->ni_flags & IEEE80211_NODE_MFP)) { 1929 if (ni->ni_flags & IEEE80211_NODE_SA_QUERY_FAILED) { 1930 /* send a protected Disassociate frame */ 1931 IEEE80211_SEND_MGMT(ic, ni, 1932 IEEE80211_FC0_SUBTYPE_DISASSOC, 1933 IEEE80211_REASON_AUTH_EXPIRE); 1934 /* terminate the old SA */ 1935 ieee80211_node_leave(ic, ni); 1936 } else { 1937 /* reject the (Re)Association Request temporarily */ 1938 IEEE80211_SEND_MGMT(ic, ni, resp, 1939 IEEE80211_STATUS_TRY_AGAIN_LATER); 1940 /* start SA Query procedure if not already engaged */ 1941 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) 1942 ieee80211_sa_query_request(ic, ni); 1943 /* do not modify association state */ 1944 } 1945 return; 1946 } 1947 1948 if (!(capinfo & IEEE80211_CAPINFO_ESS)) { 1949 ic->ic_stats.is_rx_assoc_capmismatch++; 1950 status = IEEE80211_STATUS_CAPINFO; 1951 goto end; 1952 } 1953 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1954 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 1955 IEEE80211_F_DODEL); 1956 if (rate & IEEE80211_RATE_BASIC) { 1957 ic->ic_stats.is_rx_assoc_norate++; 1958 status = IEEE80211_STATUS_BASIC_RATE; 1959 goto end; 1960 } 1961 1962 if (ic->ic_flags & IEEE80211_F_RSNON) { 1963 const u_int8_t *saveie; 1964 /* 1965 * A station should never include both a WPA and an RSN IE 1966 * in its (Re)Association Requests, but if it does, we only 1967 * consider the IE of the highest version of the protocol 1968 * that is allowed (ie RSN over WPA). 1969 */ 1970 if (rsnie != NULL && 1971 (ic->ic_rsnprotos & IEEE80211_PROTO_RSN)) { 1972 status = ieee80211_parse_rsn(ic, rsnie, &rsn); 1973 if (status != 0) 1974 goto end; 1975 ni->ni_rsnprotos = IEEE80211_PROTO_RSN; 1976 saveie = rsnie; 1977 } else if (wpaie != NULL && 1978 (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) { 1979 status = ieee80211_parse_wpa(ic, wpaie, &rsn); 1980 if (status != 0) 1981 goto end; 1982 ni->ni_rsnprotos = IEEE80211_PROTO_WPA; 1983 saveie = wpaie; 1984 } else { 1985 /* 1986 * In an RSN, an AP shall not associate with STAs 1987 * that fail to include the RSN IE in the 1988 * (Re)Association Request. 1989 */ 1990 status = IEEE80211_STATUS_IE_INVALID; 1991 goto end; 1992 } 1993 /* 1994 * The initiating STA's RSN IE shall include one authentication 1995 * and pairwise cipher suite among those advertised by the 1996 * targeted AP. It shall also specify the group cipher suite 1997 * specified by the targeted AP. 1998 */ 1999 if (rsn.rsn_nakms != 1 || 2000 !(rsn.rsn_akms & ic->ic_bss->ni_rsnakms)) { 2001 status = IEEE80211_STATUS_BAD_AKMP; 2002 goto end; 2003 } 2004 if (rsn.rsn_nciphers != 1 || 2005 !(rsn.rsn_ciphers & ic->ic_bss->ni_rsnciphers)) { 2006 status = IEEE80211_STATUS_BAD_PAIRWISE_CIPHER; 2007 goto end; 2008 } 2009 if (rsn.rsn_groupcipher != ic->ic_bss->ni_rsngroupcipher) { 2010 status = IEEE80211_STATUS_BAD_GROUP_CIPHER; 2011 goto end; 2012 } 2013 2014 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPR) && 2015 !(rsn.rsn_caps & IEEE80211_RSNCAP_MFPC)) { 2016 status = IEEE80211_STATUS_MFP_POLICY; 2017 goto end; 2018 } 2019 if ((ic->ic_bss->ni_rsncaps & IEEE80211_RSNCAP_MFPC) && 2020 (rsn.rsn_caps & (IEEE80211_RSNCAP_MFPC | 2021 IEEE80211_RSNCAP_MFPR)) == IEEE80211_RSNCAP_MFPR) { 2022 /* STA advertises an invalid setting */ 2023 status = IEEE80211_STATUS_MFP_POLICY; 2024 goto end; 2025 } 2026 /* 2027 * A STA that has associated with Management Frame Protection 2028 * enabled shall not use cipher suite pairwise selector WEP40, 2029 * WEP104, TKIP, or "Use Group cipher suite". 2030 */ 2031 if ((rsn.rsn_caps & IEEE80211_RSNCAP_MFPC) && 2032 (rsn.rsn_ciphers != IEEE80211_CIPHER_CCMP || 2033 rsn.rsn_groupmgmtcipher != 2034 ic->ic_bss->ni_rsngroupmgmtcipher)) { 2035 status = IEEE80211_STATUS_MFP_POLICY; 2036 goto end; 2037 } 2038 2039 /* 2040 * Disallow new associations using TKIP if countermeasures 2041 * are active. 2042 */ 2043 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 2044 (rsn.rsn_ciphers == IEEE80211_CIPHER_TKIP || 2045 rsn.rsn_groupcipher == IEEE80211_CIPHER_TKIP)) { 2046 status = IEEE80211_STATUS_CIPHER_REJ_POLICY; 2047 goto end; 2048 } 2049 2050 /* everything looks fine, save IE and parameters */ 2051 if (ieee80211_save_ie(saveie, &ni->ni_rsnie) != 0) { 2052 status = IEEE80211_STATUS_TOOMANY; 2053 goto end; 2054 } 2055 ni->ni_rsnakms = rsn.rsn_akms; 2056 ni->ni_rsnciphers = rsn.rsn_ciphers; 2057 ni->ni_rsngroupcipher = ic->ic_bss->ni_rsngroupcipher; 2058 ni->ni_rsngroupmgmtcipher = ic->ic_bss->ni_rsngroupmgmtcipher; 2059 ni->ni_rsncaps = rsn.rsn_caps; 2060 2061 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 2062 struct ieee80211_pmk *pmk = NULL; 2063 const u_int8_t *pmkid = rsn.rsn_pmkids; 2064 /* 2065 * Check if we have a cached PMK entry matching one 2066 * of the PMKIDs specified in the RSN IE. 2067 */ 2068 while (rsn.rsn_npmkids-- > 0) { 2069 pmk = ieee80211_pmksa_find(ic, ni, pmkid); 2070 if (pmk != NULL) 2071 break; 2072 pmkid += IEEE80211_PMKID_LEN; 2073 } 2074 if (pmk != NULL) { 2075 memcpy(ni->ni_pmk, pmk->pmk_key, 2076 IEEE80211_PMK_LEN); 2077 memcpy(ni->ni_pmkid, pmk->pmk_pmkid, 2078 IEEE80211_PMKID_LEN); 2079 ni->ni_flags |= IEEE80211_NODE_PMK; 2080 } 2081 } 2082 } else 2083 ni->ni_rsnprotos = IEEE80211_PROTO_NONE; 2084 2085 ni->ni_rssi = rxi->rxi_rssi; 2086 ni->ni_rstamp = rxi->rxi_tstamp; 2087 ni->ni_intval = bintval; 2088 ni->ni_capinfo = capinfo; 2089 ni->ni_chan = ic->ic_bss->ni_chan; 2090 end: 2091 if (status != 0) { 2092 IEEE80211_SEND_MGMT(ic, ni, resp, status); 2093 ieee80211_node_leave(ic, ni); 2094 } else 2095 ieee80211_node_join(ic, ni, resp); 2096 } 2097 #endif /* IEEE80211_STA_ONLY */ 2098 2099 /*- 2100 * (Re)Association response frame format: 2101 * [2] Capability information 2102 * [2] Status code 2103 * [2] Association ID (AID) 2104 * [tlv] Supported rates 2105 * [tlv] Extended Supported Rates (802.11g) 2106 * [tlv] EDCA Parameter Set (802.11e) 2107 * [tlv] HT Capabilities (802.11n) 2108 * [tlv] HT Operation (802.11n) 2109 */ 2110 void 2111 ieee80211_recv_assoc_resp(struct ieee80211com *ic, struct mbuf *m, 2112 struct ieee80211_node *ni, int reassoc) 2113 { 2114 struct ifnet *ifp = &ic->ic_if; 2115 const struct ieee80211_frame *wh; 2116 const u_int8_t *frm, *efrm; 2117 const u_int8_t *rates, *xrates, *edcaie, *wmmie, *htcaps, *htop; 2118 u_int16_t capinfo, status, associd; 2119 u_int8_t rate; 2120 2121 if (ic->ic_opmode != IEEE80211_M_STA || 2122 ic->ic_state != IEEE80211_S_ASSOC) { 2123 ic->ic_stats.is_rx_mgtdiscard++; 2124 return; 2125 } 2126 2127 /* make sure all mandatory fixed fields are present */ 2128 if (m->m_len < sizeof(*wh) + 6) { 2129 DPRINTF(("frame too short\n")); 2130 return; 2131 } 2132 wh = mtod(m, struct ieee80211_frame *); 2133 frm = (const u_int8_t *)&wh[1]; 2134 efrm = mtod(m, u_int8_t *) + m->m_len; 2135 2136 capinfo = LE_READ_2(frm); frm += 2; 2137 status = LE_READ_2(frm); frm += 2; 2138 if (status != IEEE80211_STATUS_SUCCESS) { 2139 if (ifp->if_flags & IFF_DEBUG) 2140 printf("%s: %sassociation failed (status %d)" 2141 " for %s\n", ifp->if_xname, 2142 reassoc ? "re" : "", 2143 status, ether_sprintf((u_int8_t *)wh->i_addr3)); 2144 if (ni != ic->ic_bss) 2145 ni->ni_fails++; 2146 ic->ic_stats.is_rx_auth_fail++; 2147 return; 2148 } 2149 associd = LE_READ_2(frm); frm += 2; 2150 2151 rates = xrates = edcaie = wmmie = htcaps = htop = NULL; 2152 while (frm + 2 <= efrm) { 2153 if (frm + 2 + frm[1] > efrm) { 2154 ic->ic_stats.is_rx_elem_toosmall++; 2155 break; 2156 } 2157 switch (frm[0]) { 2158 case IEEE80211_ELEMID_RATES: 2159 rates = frm; 2160 break; 2161 case IEEE80211_ELEMID_XRATES: 2162 xrates = frm; 2163 break; 2164 case IEEE80211_ELEMID_EDCAPARMS: 2165 edcaie = frm; 2166 break; 2167 #ifndef IEEE80211_NO_HT 2168 case IEEE80211_ELEMID_HTCAPS: 2169 htcaps = frm; 2170 break; 2171 case IEEE80211_ELEMID_HTOP: 2172 htop = frm; 2173 break; 2174 #endif 2175 case IEEE80211_ELEMID_VENDOR: 2176 if (frm[1] < 4) { 2177 ic->ic_stats.is_rx_elem_toosmall++; 2178 break; 2179 } 2180 if (memcmp(frm + 2, MICROSOFT_OUI, 3) == 0) { 2181 if (frm[1] >= 5 && frm[5] == 2 && frm[6] == 1) 2182 wmmie = frm; 2183 } 2184 break; 2185 } 2186 frm += 2 + frm[1]; 2187 } 2188 /* supported rates element is mandatory */ 2189 if (rates == NULL || rates[1] > IEEE80211_RATE_MAXSIZE) { 2190 DPRINTF(("invalid supported rates element\n")); 2191 return; 2192 } 2193 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2194 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | IEEE80211_F_DONEGO | 2195 IEEE80211_F_DODEL); 2196 if (rate & IEEE80211_RATE_BASIC) { 2197 DPRINTF(("rate mismatch for %s\n", 2198 ether_sprintf((u_int8_t *)wh->i_addr2))); 2199 ic->ic_stats.is_rx_assoc_norate++; 2200 return; 2201 } 2202 ni->ni_capinfo = capinfo; 2203 ni->ni_associd = associd; 2204 if (edcaie != NULL || wmmie != NULL) { 2205 /* force update of EDCA parameters */ 2206 ic->ic_edca_updtcount = -1; 2207 2208 if ((edcaie != NULL && 2209 ieee80211_parse_edca_params(ic, edcaie) == 0) || 2210 (wmmie != NULL && 2211 ieee80211_parse_wmm_params(ic, wmmie) == 0)) 2212 ni->ni_flags |= IEEE80211_NODE_QOS; 2213 else /* for Reassociation */ 2214 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2215 } 2216 /* 2217 * Configure state now that we are associated. 2218 */ 2219 if (ic->ic_curmode == IEEE80211_MODE_11A || 2220 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) 2221 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2222 else 2223 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2224 2225 ieee80211_set_shortslottime(ic, 2226 ic->ic_curmode == IEEE80211_MODE_11A || 2227 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2228 /* 2229 * Honor ERP protection. 2230 */ 2231 if (ic->ic_curmode == IEEE80211_MODE_11G && 2232 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2233 ic->ic_flags |= IEEE80211_F_USEPROT; 2234 else 2235 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2236 /* 2237 * If not an RSNA, mark the port as valid, otherwise wait for 2238 * 802.1X authentication and 4-way handshake to complete.. 2239 */ 2240 if (ic->ic_flags & IEEE80211_F_RSNON) { 2241 /* XXX ic->ic_mgt_timer = 5; */ 2242 } else if (ic->ic_flags & IEEE80211_F_WEPON) 2243 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 2244 2245 ieee80211_new_state(ic, IEEE80211_S_RUN, 2246 IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 2247 } 2248 2249 /*- 2250 * Deauthentication frame format: 2251 * [2] Reason code 2252 */ 2253 void 2254 ieee80211_recv_deauth(struct ieee80211com *ic, struct mbuf *m, 2255 struct ieee80211_node *ni) 2256 { 2257 const struct ieee80211_frame *wh; 2258 const u_int8_t *frm; 2259 u_int16_t reason; 2260 2261 /* make sure all mandatory fixed fields are present */ 2262 if (m->m_len < sizeof(*wh) + 2) { 2263 DPRINTF(("frame too short\n")); 2264 return; 2265 } 2266 wh = mtod(m, struct ieee80211_frame *); 2267 frm = (const u_int8_t *)&wh[1]; 2268 2269 reason = LE_READ_2(frm); 2270 2271 ic->ic_stats.is_rx_deauth++; 2272 switch (ic->ic_opmode) { 2273 case IEEE80211_M_STA: 2274 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2275 IEEE80211_FC0_SUBTYPE_DEAUTH); 2276 break; 2277 #ifndef IEEE80211_STA_ONLY 2278 case IEEE80211_M_HOSTAP: 2279 if (ni != ic->ic_bss) { 2280 if (ic->ic_if.if_flags & IFF_DEBUG) 2281 printf("%s: station %s deauthenticated " 2282 "by peer (reason %d)\n", 2283 ic->ic_if.if_xname, 2284 ether_sprintf(ni->ni_macaddr), 2285 reason); 2286 ieee80211_node_leave(ic, ni); 2287 } 2288 break; 2289 #endif 2290 default: 2291 break; 2292 } 2293 } 2294 2295 /*- 2296 * Disassociation frame format: 2297 * [2] Reason code 2298 */ 2299 void 2300 ieee80211_recv_disassoc(struct ieee80211com *ic, struct mbuf *m, 2301 struct ieee80211_node *ni) 2302 { 2303 const struct ieee80211_frame *wh; 2304 const u_int8_t *frm; 2305 u_int16_t reason; 2306 2307 /* make sure all mandatory fixed fields are present */ 2308 if (m->m_len < sizeof(*wh) + 2) { 2309 DPRINTF(("frame too short\n")); 2310 return; 2311 } 2312 wh = mtod(m, struct ieee80211_frame *); 2313 frm = (const u_int8_t *)&wh[1]; 2314 2315 reason = LE_READ_2(frm); 2316 2317 ic->ic_stats.is_rx_disassoc++; 2318 switch (ic->ic_opmode) { 2319 case IEEE80211_M_STA: 2320 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2321 IEEE80211_FC0_SUBTYPE_DISASSOC); 2322 break; 2323 #ifndef IEEE80211_STA_ONLY 2324 case IEEE80211_M_HOSTAP: 2325 if (ni != ic->ic_bss) { 2326 if (ic->ic_if.if_flags & IFF_DEBUG) 2327 printf("%s: station %s disassociated " 2328 "by peer (reason %d)\n", 2329 ic->ic_if.if_xname, 2330 ether_sprintf(ni->ni_macaddr), 2331 reason); 2332 ieee80211_node_leave(ic, ni); 2333 } 2334 break; 2335 #endif 2336 default: 2337 break; 2338 } 2339 } 2340 2341 #ifndef IEEE80211_NO_HT 2342 /*- 2343 * ADDBA Request frame format: 2344 * [1] Category 2345 * [1] Action 2346 * [1] Dialog Token 2347 * [2] Block Ack Parameter Set 2348 * [2] Block Ack Timeout Value 2349 * [2] Block Ack Starting Sequence Control 2350 */ 2351 void 2352 ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, 2353 struct ieee80211_node *ni) 2354 { 2355 const struct ieee80211_frame *wh; 2356 const u_int8_t *frm; 2357 struct ieee80211_rx_ba *ba; 2358 u_int16_t params, ssn, bufsz, timeout, status; 2359 u_int8_t token, tid; 2360 2361 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2362 DPRINTF(("received ADDBA req from non-HT STA %s\n", 2363 ether_sprintf(ni->ni_macaddr))); 2364 return; 2365 } 2366 if (m->m_len < sizeof(*wh) + 9) { 2367 DPRINTF(("frame too short\n")); 2368 return; 2369 } 2370 /* MLME-ADDBA.indication */ 2371 wh = mtod(m, struct ieee80211_frame *); 2372 frm = (const u_int8_t *)&wh[1]; 2373 2374 token = frm[2]; 2375 params = LE_READ_2(&frm[3]); 2376 tid = (params >> 2) & 0xf; 2377 bufsz = (params >> 6) & 0x3ff; 2378 timeout = LE_READ_2(&frm[5]); 2379 ssn = LE_READ_2(&frm[7]) >> 4; 2380 2381 ba = &ni->ni_rx_ba[tid]; 2382 /* check if we already have a Block Ack agreement for this RA/TID */ 2383 if (ba->ba_state == IEEE80211_BA_AGREED) { 2384 /* XXX should we update the timeout value? */ 2385 /* reset Block Ack inactivity timer */ 2386 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2387 2388 /* check if it's a Protected Block Ack agreement */ 2389 if (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2390 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) 2391 return; /* not a PBAC, ignore */ 2392 2393 /* PBAC: treat the ADDBA Request like a BlockAckReq */ 2394 if (SEQ_LT(ba->ba_winstart, ssn)) 2395 ieee80211_ba_move_window(ic, ni, tid, ssn); 2396 return; 2397 } 2398 /* if PBAC required but RA does not support it, refuse request */ 2399 if ((ic->ic_flags & IEEE80211_F_PBAR) && 2400 (!(ni->ni_flags & IEEE80211_NODE_MFP) || 2401 !(ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC))) { 2402 status = IEEE80211_STATUS_REFUSED; 2403 goto resp; 2404 } 2405 /* 2406 * If the TID for which the Block Ack agreement is requested is 2407 * configured with a no-ACK policy, refuse the agreement. 2408 */ 2409 if (ic->ic_tid_noack & (1 << tid)) { 2410 status = IEEE80211_STATUS_REFUSED; 2411 goto resp; 2412 } 2413 /* check that we support the requested Block Ack Policy */ 2414 if (!(ic->ic_htcaps & IEEE80211_HTCAP_DELAYEDBA) && 2415 !(params & IEEE80211_BA_ACK_POLICY)) { 2416 status = IEEE80211_STATUS_INVALID_PARAM; 2417 goto resp; 2418 } 2419 2420 /* setup Block Ack agreement */ 2421 ba->ba_state = IEEE80211_BA_INIT; 2422 ba->ba_timeout_val = timeout * IEEE80211_DUR_TU; 2423 if (ba->ba_timeout_val < IEEE80211_BA_MIN_TIMEOUT) 2424 ba->ba_timeout_val = IEEE80211_BA_MIN_TIMEOUT; 2425 else if (ba->ba_timeout_val > IEEE80211_BA_MAX_TIMEOUT) 2426 ba->ba_timeout_val = IEEE80211_BA_MAX_TIMEOUT; 2427 timeout_set(&ba->ba_to, ieee80211_rx_ba_timeout, ba); 2428 ba->ba_winsize = bufsz; 2429 if (ba->ba_winsize == 0 || ba->ba_winsize > IEEE80211_BA_MAX_WINSZ) 2430 ba->ba_winsize = IEEE80211_BA_MAX_WINSZ; 2431 ba->ba_winstart = ssn; 2432 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 2433 /* allocate and setup our reordering buffer */ 2434 ba->ba_buf = malloc(IEEE80211_BA_MAX_WINSZ * sizeof(*ba->ba_buf), 2435 M_DEVBUF, M_NOWAIT | M_ZERO); 2436 if (ba->ba_buf == NULL) { 2437 status = IEEE80211_STATUS_REFUSED; 2438 goto resp; 2439 } 2440 ba->ba_head = 0; 2441 2442 /* notify drivers of this new Block Ack agreement */ 2443 if (ic->ic_ampdu_rx_start != NULL && 2444 ic->ic_ampdu_rx_start(ic, ni, tid) != 0) { 2445 /* driver failed to setup, rollback */ 2446 free(ba->ba_buf, M_DEVBUF); 2447 ba->ba_buf = NULL; 2448 status = IEEE80211_STATUS_REFUSED; 2449 goto resp; 2450 } 2451 ba->ba_state = IEEE80211_BA_AGREED; 2452 /* start Block Ack inactivity timer */ 2453 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2454 status = IEEE80211_STATUS_SUCCESS; 2455 resp: 2456 /* MLME-ADDBA.response */ 2457 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2458 IEEE80211_ACTION_ADDBA_RESP, status << 16 | token << 8 | tid); 2459 } 2460 2461 /*- 2462 * ADDBA Response frame format: 2463 * [1] Category 2464 * [1] Action 2465 * [1] Dialog Token 2466 * [2] Status Code 2467 * [2] Block Ack Parameter Set 2468 * [2] Block Ack Timeout Value 2469 */ 2470 void 2471 ieee80211_recv_addba_resp(struct ieee80211com *ic, struct mbuf *m, 2472 struct ieee80211_node *ni) 2473 { 2474 const struct ieee80211_frame *wh; 2475 const u_int8_t *frm; 2476 struct ieee80211_tx_ba *ba; 2477 u_int16_t status, params, bufsz, timeout; 2478 u_int8_t token, tid; 2479 2480 if (m->m_len < sizeof(*wh) + 9) { 2481 DPRINTF(("frame too short\n")); 2482 return; 2483 } 2484 wh = mtod(m, struct ieee80211_frame *); 2485 frm = (const u_int8_t *)&wh[1]; 2486 2487 token = frm[2]; 2488 status = LE_READ_2(&frm[3]); 2489 params = LE_READ_2(&frm[5]); 2490 tid = (params >> 2) & 0xf; 2491 bufsz = (params >> 6) & 0x3ff; 2492 timeout = LE_READ_2(&frm[7]); 2493 2494 DPRINTF(("received ADDBA resp from %s, TID %d, status %d\n", 2495 ether_sprintf(ni->ni_macaddr), tid, status)); 2496 2497 /* 2498 * Ignore if no ADDBA request has been sent for this RA/TID or 2499 * if we already have a Block Ack agreement. 2500 */ 2501 ba = &ni->ni_tx_ba[tid]; 2502 if (ba->ba_state != IEEE80211_BA_REQUESTED) { 2503 DPRINTF(("no matching ADDBA req found\n")); 2504 return; 2505 } 2506 if (token != ba->ba_token) { 2507 DPRINTF(("ignoring ADDBA resp from %s: token %x!=%x\n", 2508 ether_sprintf(ni->ni_macaddr), token, ba->ba_token)); 2509 return; 2510 } 2511 /* we got an ADDBA Response matching our request, stop timeout */ 2512 timeout_del(&ba->ba_to); 2513 2514 if (status != IEEE80211_STATUS_SUCCESS) { 2515 /* MLME-ADDBA.confirm(Failure) */ 2516 ba->ba_state = IEEE80211_BA_INIT; 2517 return; 2518 } 2519 /* MLME-ADDBA.confirm(Success) */ 2520 ba->ba_state = IEEE80211_BA_AGREED; 2521 2522 /* notify drivers of this new Block Ack agreement */ 2523 if (ic->ic_ampdu_tx_start != NULL) 2524 (void)ic->ic_ampdu_tx_start(ic, ni, tid); 2525 2526 /* start Block Ack inactivity timeout */ 2527 if (ba->ba_timeout_val != 0) 2528 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2529 } 2530 2531 /*- 2532 * DELBA frame format: 2533 * [1] Category 2534 * [1] Action 2535 * [2] DELBA Parameter Set 2536 * [2] Reason Code 2537 */ 2538 void 2539 ieee80211_recv_delba(struct ieee80211com *ic, struct mbuf *m, 2540 struct ieee80211_node *ni) 2541 { 2542 const struct ieee80211_frame *wh; 2543 const u_int8_t *frm; 2544 u_int16_t params, reason; 2545 u_int8_t tid; 2546 int i; 2547 2548 if (m->m_len < sizeof(*wh) + 6) { 2549 DPRINTF(("frame too short\n")); 2550 return; 2551 } 2552 wh = mtod(m, struct ieee80211_frame *); 2553 frm = (const u_int8_t *)&wh[1]; 2554 2555 params = LE_READ_2(&frm[2]); 2556 reason = LE_READ_2(&frm[4]); 2557 tid = params >> 12; 2558 2559 DPRINTF(("received DELBA from %s, TID %d, reason %d\n", 2560 ether_sprintf(ni->ni_macaddr), tid, reason)); 2561 2562 if (params & IEEE80211_DELBA_INITIATOR) { 2563 /* MLME-DELBA.indication(Originator) */ 2564 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2565 2566 if (ba->ba_state != IEEE80211_BA_AGREED) { 2567 DPRINTF(("no matching Block Ack agreement\n")); 2568 return; 2569 } 2570 /* notify drivers of the end of the Block Ack agreement */ 2571 if (ic->ic_ampdu_rx_stop != NULL) 2572 ic->ic_ampdu_rx_stop(ic, ni, tid); 2573 2574 ba->ba_state = IEEE80211_BA_INIT; 2575 /* stop Block Ack inactivity timer */ 2576 timeout_del(&ba->ba_to); 2577 2578 if (ba->ba_buf != NULL) { 2579 /* free all MSDUs stored in reordering buffer */ 2580 for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++) 2581 if (ba->ba_buf[i].m != NULL) 2582 m_freem(ba->ba_buf[i].m); 2583 /* free reordering buffer */ 2584 free(ba->ba_buf, M_DEVBUF); 2585 ba->ba_buf = NULL; 2586 } 2587 } else { 2588 /* MLME-DELBA.indication(Recipient) */ 2589 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 2590 2591 if (ba->ba_state != IEEE80211_BA_AGREED) { 2592 DPRINTF(("no matching Block Ack agreement\n")); 2593 return; 2594 } 2595 /* notify drivers of the end of the Block Ack agreement */ 2596 if (ic->ic_ampdu_tx_stop != NULL) 2597 ic->ic_ampdu_tx_stop(ic, ni, tid); 2598 2599 ba->ba_state = IEEE80211_BA_INIT; 2600 /* stop Block Ack inactivity timer */ 2601 timeout_del(&ba->ba_to); 2602 } 2603 } 2604 #endif /* !IEEE80211_NO_HT */ 2605 2606 /*- 2607 * SA Query Request frame format: 2608 * [1] Category 2609 * [1] Action 2610 * [2] Transaction Identifier 2611 */ 2612 void 2613 ieee80211_recv_sa_query_req(struct ieee80211com *ic, struct mbuf *m, 2614 struct ieee80211_node *ni) 2615 { 2616 const struct ieee80211_frame *wh; 2617 const u_int8_t *frm; 2618 2619 if (ic->ic_opmode != IEEE80211_M_STA || 2620 !(ni->ni_flags & IEEE80211_NODE_MFP)) { 2621 DPRINTF(("unexpected SA Query req from %s\n", 2622 ether_sprintf(ni->ni_macaddr))); 2623 return; 2624 } 2625 if (m->m_len < sizeof(*wh) + 4) { 2626 DPRINTF(("frame too short\n")); 2627 return; 2628 } 2629 wh = mtod(m, struct ieee80211_frame *); 2630 frm = (const u_int8_t *)&wh[1]; 2631 2632 /* MLME-SAQuery.indication */ 2633 2634 /* save Transaction Identifier for SA Query Response */ 2635 ni->ni_sa_query_trid = LE_READ_2(&frm[2]); 2636 2637 /* MLME-SAQuery.response */ 2638 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY, 2639 IEEE80211_ACTION_SA_QUERY_RESP, 0); 2640 } 2641 2642 #ifndef IEEE80211_STA_ONLY 2643 /*- 2644 * SA Query Response frame format: 2645 * [1] Category 2646 * [1] Action 2647 * [2] Transaction Identifier 2648 */ 2649 void 2650 ieee80211_recv_sa_query_resp(struct ieee80211com *ic, struct mbuf *m, 2651 struct ieee80211_node *ni) 2652 { 2653 const struct ieee80211_frame *wh; 2654 const u_int8_t *frm; 2655 2656 /* ignore if we're not engaged in an SA Query with that STA */ 2657 if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) { 2658 DPRINTF(("unexpected SA Query resp from %s\n", 2659 ether_sprintf(ni->ni_macaddr))); 2660 return; 2661 } 2662 if (m->m_len < sizeof(*wh) + 4) { 2663 DPRINTF(("frame too short\n")); 2664 return; 2665 } 2666 wh = mtod(m, struct ieee80211_frame *); 2667 frm = (const u_int8_t *)&wh[1]; 2668 2669 /* check that Transaction Identifier matches */ 2670 if (ni->ni_sa_query_trid != LE_READ_2(&frm[2])) { 2671 DPRINTF(("transaction identifier does not match\n")); 2672 return; 2673 } 2674 /* MLME-SAQuery.confirm */ 2675 timeout_del(&ni->ni_sa_query_to); 2676 ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY; 2677 } 2678 #endif 2679 2680 /*- 2681 * Action frame format: 2682 * [1] Category 2683 * [1] Action 2684 */ 2685 void 2686 ieee80211_recv_action(struct ieee80211com *ic, struct mbuf *m, 2687 struct ieee80211_node *ni) 2688 { 2689 const struct ieee80211_frame *wh; 2690 const u_int8_t *frm; 2691 2692 if (m->m_len < sizeof(*wh) + 2) { 2693 DPRINTF(("frame too short\n")); 2694 return; 2695 } 2696 wh = mtod(m, struct ieee80211_frame *); 2697 frm = (const u_int8_t *)&wh[1]; 2698 2699 switch (frm[0]) { 2700 #ifndef IEEE80211_NO_HT 2701 case IEEE80211_CATEG_BA: 2702 switch (frm[1]) { 2703 case IEEE80211_ACTION_ADDBA_REQ: 2704 ieee80211_recv_addba_req(ic, m, ni); 2705 break; 2706 case IEEE80211_ACTION_ADDBA_RESP: 2707 ieee80211_recv_addba_resp(ic, m, ni); 2708 break; 2709 case IEEE80211_ACTION_DELBA: 2710 ieee80211_recv_delba(ic, m, ni); 2711 break; 2712 } 2713 break; 2714 #endif 2715 case IEEE80211_CATEG_SA_QUERY: 2716 switch (frm[1]) { 2717 case IEEE80211_ACTION_SA_QUERY_REQ: 2718 ieee80211_recv_sa_query_req(ic, m, ni); 2719 break; 2720 #ifndef IEEE80211_STA_ONLY 2721 case IEEE80211_ACTION_SA_QUERY_RESP: 2722 ieee80211_recv_sa_query_resp(ic, m, ni); 2723 break; 2724 #endif 2725 } 2726 break; 2727 default: 2728 DPRINTF(("action frame category %d not handled\n", frm[0])); 2729 break; 2730 } 2731 } 2732 2733 void 2734 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m, 2735 struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, int subtype) 2736 { 2737 switch (subtype) { 2738 case IEEE80211_FC0_SUBTYPE_BEACON: 2739 ieee80211_recv_probe_resp(ic, m, ni, rxi, 0); 2740 break; 2741 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 2742 ieee80211_recv_probe_resp(ic, m, ni, rxi, 1); 2743 break; 2744 #ifndef IEEE80211_STA_ONLY 2745 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2746 ieee80211_recv_probe_req(ic, m, ni, rxi); 2747 break; 2748 #endif 2749 case IEEE80211_FC0_SUBTYPE_AUTH: 2750 ieee80211_recv_auth(ic, m, ni, rxi); 2751 break; 2752 #ifndef IEEE80211_STA_ONLY 2753 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2754 ieee80211_recv_assoc_req(ic, m, ni, rxi, 0); 2755 break; 2756 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 2757 ieee80211_recv_assoc_req(ic, m, ni, rxi, 1); 2758 break; 2759 #endif 2760 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2761 ieee80211_recv_assoc_resp(ic, m, ni, 0); 2762 break; 2763 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2764 ieee80211_recv_assoc_resp(ic, m, ni, 1); 2765 break; 2766 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2767 ieee80211_recv_deauth(ic, m, ni); 2768 break; 2769 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2770 ieee80211_recv_disassoc(ic, m, ni); 2771 break; 2772 case IEEE80211_FC0_SUBTYPE_ACTION: 2773 ieee80211_recv_action(ic, m, ni); 2774 break; 2775 default: 2776 DPRINTF(("mgmt frame with subtype 0x%x not handled\n", 2777 subtype)); 2778 ic->ic_stats.is_rx_badsubtype++; 2779 break; 2780 } 2781 } 2782 2783 #ifndef IEEE80211_STA_ONLY 2784 /* 2785 * Process an incoming PS-Poll control frame (see 11.2). 2786 */ 2787 void 2788 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m, 2789 struct ieee80211_node *ni) 2790 { 2791 struct ifnet *ifp = &ic->ic_if; 2792 struct ieee80211_frame_pspoll *psp; 2793 struct ieee80211_frame *wh; 2794 u_int16_t aid; 2795 2796 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2797 !(ic->ic_caps & IEEE80211_C_APPMGT) || 2798 ni->ni_state != IEEE80211_STA_ASSOC) 2799 return; 2800 2801 if (m->m_len < sizeof(*psp)) { 2802 DPRINTF(("frame too short, len %u\n", m->m_len)); 2803 ic->ic_stats.is_rx_tooshort++; 2804 return; 2805 } 2806 psp = mtod(m, struct ieee80211_frame_pspoll *); 2807 if (!IEEE80211_ADDR_EQ(psp->i_bssid, ic->ic_bss->ni_bssid)) { 2808 DPRINTF(("discard pspoll frame to BSS %s\n", 2809 ether_sprintf(psp->i_bssid))); 2810 ic->ic_stats.is_rx_wrongbss++; 2811 return; 2812 } 2813 aid = letoh16(*(u_int16_t *)psp->i_aid); 2814 if (aid != ni->ni_associd) { 2815 DPRINTF(("invalid pspoll aid %x from %s\n", aid, 2816 ether_sprintf(psp->i_ta))); 2817 return; 2818 } 2819 2820 /* take the first queued frame and put it out.. */ 2821 IF_DEQUEUE(&ni->ni_savedq, m); 2822 if (m == NULL) 2823 return; 2824 if (IF_IS_EMPTY(&ni->ni_savedq)) { 2825 /* last queued frame, turn off the TIM bit */ 2826 (*ic->ic_set_tim)(ic, ni->ni_associd, 0); 2827 } else { 2828 /* more queued frames, set the more data bit */ 2829 wh = mtod(m, struct ieee80211_frame *); 2830 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 2831 } 2832 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 2833 (*ifp->if_start)(ifp); 2834 } 2835 #endif /* IEEE80211_STA_ONLY */ 2836 2837 #ifndef IEEE80211_NO_HT 2838 /* 2839 * Process an incoming BlockAckReq control frame (see 7.2.1.7). 2840 */ 2841 void 2842 ieee80211_recv_bar(struct ieee80211com *ic, struct mbuf *m, 2843 struct ieee80211_node *ni) 2844 { 2845 const struct ieee80211_frame_min *wh; 2846 const u_int8_t *frm; 2847 u_int16_t ctl, ssn; 2848 u_int8_t tid, ntids; 2849 2850 if (!(ni->ni_flags & IEEE80211_NODE_HT)) { 2851 DPRINTF(("received BlockAckReq from non-HT STA %s\n", 2852 ether_sprintf(ni->ni_macaddr))); 2853 return; 2854 } 2855 if (m->m_len < sizeof(*wh) + 4) { 2856 DPRINTF(("frame too short\n")); 2857 return; 2858 } 2859 wh = mtod(m, struct ieee80211_frame_min *); 2860 frm = (const u_int8_t *)&wh[1]; 2861 2862 /* read BlockAckReq Control field */ 2863 ctl = LE_READ_2(&frm[0]); 2864 tid = ctl >> 12; 2865 2866 /* determine BlockAckReq frame variant */ 2867 if (ctl & IEEE80211_BA_MULTI_TID) { 2868 /* Multi-TID BlockAckReq variant (PSMP only) */ 2869 ntids = tid + 1; 2870 2871 if (m->m_len < sizeof(*wh) + 2 + 4 * ntids) { 2872 DPRINTF(("MTBAR frame too short\n")); 2873 return; 2874 } 2875 frm += 2; /* skip BlockAckReq Control field */ 2876 while (ntids-- > 0) { 2877 /* read MTBAR Information field */ 2878 tid = LE_READ_2(&frm[0]) >> 12; 2879 ssn = LE_READ_2(&frm[2]) >> 4; 2880 ieee80211_bar_tid(ic, ni, tid, ssn); 2881 frm += 4; 2882 } 2883 } else { 2884 /* Basic or Compressed BlockAckReq variants */ 2885 ssn = LE_READ_2(&frm[2]) >> 4; 2886 ieee80211_bar_tid(ic, ni, tid, ssn); 2887 } 2888 } 2889 2890 /* 2891 * Process a BlockAckReq for a specific TID (see 9.10.7.6.3). 2892 * This is the common back-end for all BlockAckReq frame variants. 2893 */ 2894 void 2895 ieee80211_bar_tid(struct ieee80211com *ic, struct ieee80211_node *ni, 2896 u_int8_t tid, u_int16_t ssn) 2897 { 2898 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 2899 2900 /* check if we have a Block Ack agreement for RA/TID */ 2901 if (ba->ba_state != IEEE80211_BA_AGREED) { 2902 /* XXX not sure in PBAC case */ 2903 /* send a DELBA with reason code UNKNOWN-BA */ 2904 IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA, 2905 IEEE80211_ACTION_DELBA, 2906 IEEE80211_REASON_SETUP_REQUIRED << 16 | tid); 2907 return; 2908 } 2909 /* check if it is a Protected Block Ack agreement */ 2910 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 2911 (ni->ni_rsncaps & IEEE80211_RSNCAP_PBAC)) { 2912 /* ADDBA Requests must be used in PBAC case */ 2913 if (SEQ_LT(ssn, ba->ba_winstart) || 2914 SEQ_LT(ba->ba_winend, ssn)) 2915 ic->ic_stats.is_pbac_errs++; 2916 return; /* PBAC, do not move window */ 2917 } 2918 /* reset Block Ack inactivity timer */ 2919 timeout_add_usec(&ba->ba_to, ba->ba_timeout_val); 2920 2921 if (SEQ_LT(ba->ba_winstart, ssn)) 2922 ieee80211_ba_move_window(ic, ni, tid, ssn); 2923 } 2924 #endif /* !IEEE80211_NO_HT */ 2925