1 /* $NetBSD: ieee80211_input.c,v 1.118 2025/10/18 07:35:33 mlelstv Exp $ */ 2 3 /* 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. The name of the author may not be used to endorse or promote products 17 * derived from this software without specific prior written permission. 18 * 19 * Alternatively, this software may be distributed under the terms of the 20 * GNU General Public License ("GPL") version 2 as published by the Free 21 * Software Foundation. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 24 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 26 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 28 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35 #include <sys/cdefs.h> 36 #ifdef __FreeBSD__ 37 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.81 2005/08/10 16:22:29 sam Exp $"); 38 #endif 39 #ifdef __NetBSD__ 40 __KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.118 2025/10/18 07:35:33 mlelstv Exp $"); 41 #endif 42 43 #ifdef _KERNEL_OPT 44 #include "opt_inet.h" 45 #endif 46 47 #include <sys/param.h> 48 #include <sys/systm.h> 49 #include <sys/mbuf.h> 50 #include <sys/malloc.h> 51 #include <sys/endian.h> 52 #include <sys/kernel.h> 53 54 #include <sys/socket.h> 55 #include <sys/sockio.h> 56 #include <sys/endian.h> 57 #include <sys/errno.h> 58 #include <sys/proc.h> 59 #include <sys/sysctl.h> 60 #include <sys/cpu.h> 61 62 #include <net/if.h> 63 #include <net/if_media.h> 64 #include <net/if_arp.h> 65 #include <net/if_ether.h> 66 #include <net/if_llc.h> 67 68 #include <net80211/ieee80211_var.h> 69 70 #include <net/bpf.h> 71 72 #ifdef INET 73 #include <netinet/in.h> 74 #include <net/if_ether.h> 75 #endif 76 77 const struct timeval ieee80211_merge_print_intvl = {.tv_sec = 1, .tv_usec = 0}; 78 79 #ifdef IEEE80211_DEBUG 80 81 /* 82 * Decide if a received management frame should be 83 * printed when debugging is enabled. This filters some 84 * of the less interesting frames that come frequently 85 * (e.g. beacons). 86 */ 87 static __inline int 88 doprint(struct ieee80211com *ic, int subtype) 89 { 90 switch (subtype) { 91 case IEEE80211_FC0_SUBTYPE_BEACON: 92 return (ic->ic_flags & IEEE80211_F_SCAN); 93 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 94 return (ic->ic_opmode == IEEE80211_M_IBSS); 95 } 96 return 1; 97 } 98 99 /* 100 * Emit a debug message about discarding a frame or information 101 * element. One format is for extracting the mac address from 102 * the frame header; the other is for when a header is not 103 * available or otherwise appropriate. 104 */ 105 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \ 106 if ((_ic)->ic_debug & (_m)) \ 107 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 108 } while (0) 109 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \ 110 if ((_ic)->ic_debug & (_m)) \ 111 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 112 } while (0) 113 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \ 114 if ((_ic)->ic_debug & (_m)) \ 115 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\ 116 } while (0) 117 #define IEEE80211_DEBUGVAR(a) a 118 119 static const u_int8_t *ieee80211_getbssid(struct ieee80211com *, 120 const struct ieee80211_frame *); 121 static void ieee80211_discard_frame(struct ieee80211com *, 122 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 123 static void ieee80211_discard_ie(struct ieee80211com *, 124 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 125 static void ieee80211_discard_mac(struct ieee80211com *, 126 const u_int8_t mac[IEEE80211_ADDR_LEN], const char *type, 127 const char *fmt, ...); 128 #else 129 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) 130 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) 131 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) 132 #define IEEE80211_DEBUGVAR(a) 133 #endif /* IEEE80211_DEBUG */ 134 135 static struct mbuf *ieee80211_defrag(struct ieee80211_node *, 136 struct mbuf *, int); 137 static struct mbuf *ieee80211_decap(struct mbuf *, int); 138 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *, 139 const u_int8_t *mac, int subtype, int arg); 140 static void ieee80211_deliver_data(struct ieee80211com *, 141 struct ieee80211_node *, struct mbuf *); 142 #ifndef IEEE80211_NO_HOSTAP 143 static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable); 144 static void ieee80211_recv_pspoll(struct ieee80211com *, 145 struct ieee80211_node *, struct mbuf *); 146 #endif /* !IEEE80211_NO_HOSTAP */ 147 static void ieee80211_update_adhoc_node(struct ieee80211com *, 148 struct ieee80211_node *, struct ieee80211_frame *, 149 struct ieee80211_scanparams *, int, u_int32_t); 150 151 /* -------------------------------------------------------------------------- */ 152 153 /* 154 * Input code for a DATA frame. 155 */ 156 static int 157 ieee80211_input_data(struct ieee80211com *ic, struct mbuf **mp, 158 struct ieee80211_node *ni) 159 { 160 struct ifnet *ifp = ic->ic_ifp; 161 struct ieee80211_key *key; 162 struct ieee80211_frame *wh; 163 u_int8_t dir, subtype; 164 struct ether_header *eh; 165 struct mbuf *m = *mp; 166 int hdrspace; 167 168 wh = mtod(m, struct ieee80211_frame *); 169 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 170 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 171 172 hdrspace = ieee80211_hdrspace(ic, wh); 173 174 if (m->m_len < hdrspace && 175 (m = m_pullup(m, hdrspace)) == NULL) { 176 ic->ic_stats.is_rx_tooshort++; 177 goto out; 178 } 179 wh = mtod(m, struct ieee80211_frame *); 180 181 switch (ic->ic_opmode) { 182 case IEEE80211_M_STA: 183 if (dir != IEEE80211_FC1_DIR_FROMDS) { 184 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 185 wh, "data", "unknown dir 0x%x", dir); 186 ic->ic_stats.is_rx_wrongdir++; 187 goto out; 188 } 189 if ((ifp->if_flags & IFF_SIMPLEX) && 190 IEEE80211_IS_MULTICAST(wh->i_addr1) && 191 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 192 /* 193 * In IEEE802.11 network, multicast packet 194 * sent from me is broadcast from AP. 195 * It should be silently discarded for 196 * SIMPLEX interface. 197 */ 198 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 199 wh, NULL, "%s", "multicast echo"); 200 ic->ic_stats.is_rx_mcastecho++; 201 goto out; 202 } 203 break; 204 205 case IEEE80211_M_IBSS: 206 case IEEE80211_M_AHDEMO: 207 if (dir != IEEE80211_FC1_DIR_NODS) { 208 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 209 wh, "data", "unknown dir 0x%x", dir); 210 ic->ic_stats.is_rx_wrongdir++; 211 goto out; 212 } 213 /* XXX no power-save support */ 214 break; 215 216 case IEEE80211_M_HOSTAP: 217 #ifndef IEEE80211_NO_HOSTAP 218 if (dir != IEEE80211_FC1_DIR_TODS) { 219 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 220 wh, "data", "unknown dir 0x%x", dir); 221 ic->ic_stats.is_rx_wrongdir++; 222 goto out; 223 } 224 /* check if source STA is associated */ 225 if (ni == ic->ic_bss) { 226 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 227 wh, "data", "%s", "unknown src"); 228 ieee80211_send_error(ic, ni, wh->i_addr2, 229 IEEE80211_FC0_SUBTYPE_DEAUTH, 230 IEEE80211_REASON_NOT_AUTHED); 231 ic->ic_stats.is_rx_notassoc++; 232 goto err; 233 } 234 if (ni->ni_associd == 0) { 235 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 236 wh, "data", "%s", "unassoc src"); 237 IEEE80211_SEND_MGMT(ic, ni, 238 IEEE80211_FC0_SUBTYPE_DISASSOC, 239 IEEE80211_REASON_NOT_ASSOCED); 240 ic->ic_stats.is_rx_notassoc++; 241 goto err; 242 } 243 244 /* 245 * Check for power save state change. 246 */ 247 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 248 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 249 ieee80211_node_pwrsave(ni, 250 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 251 #endif /* !IEEE80211_NO_HOSTAP */ 252 break; 253 254 default: 255 /* XXX here to keep compiler happy */ 256 goto out; 257 } 258 259 /* 260 * Handle privacy requirements. Note that we 261 * must not be preempted from here until after 262 * we (potentially) call ieee80211_crypto_demic; 263 * otherwise we may violate assumptions in the 264 * crypto cipher modules used to do delayed update 265 * of replay sequence numbers. 266 */ 267 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 268 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 269 /* 270 * Discard encrypted frames when privacy is off. 271 */ 272 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 273 wh, "WEP", "%s", "PRIVACY off"); 274 ic->ic_stats.is_rx_noprivacy++; 275 IEEE80211_NODE_STAT(ni, rx_noprivacy); 276 goto out; 277 } 278 key = ieee80211_crypto_decap(ic, ni, &m, hdrspace); 279 if (key == NULL) { 280 /* NB: stats+msgs handled in crypto_decap */ 281 IEEE80211_NODE_STAT(ni, rx_wepfail); 282 goto out; 283 } 284 } else { 285 key = NULL; 286 } 287 288 /* 289 * Next up, any fragmentation. 290 */ 291 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 292 m = ieee80211_defrag(ni, m, hdrspace); 293 if (m == NULL) { 294 /* Fragment dropped or frame not complete yet */ 295 goto out; 296 } 297 } 298 299 /* 300 * Next, strip any MSDU crypto bits. 301 */ 302 if (key != NULL) { 303 if (!ieee80211_crypto_demic(ic, key, m, 0)) { 304 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 305 ni->ni_macaddr, "data", "%s", "demic error"); 306 IEEE80211_NODE_STAT(ni, rx_demicfail); 307 goto out; 308 } 309 wh = mtod(m, struct ieee80211_frame *); 310 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 311 } 312 313 /* copy to listener after decrypt */ 314 bpf_mtap3(ic->ic_rawbpf, m, BPF_D_IN); 315 316 /* 317 * Finally, strip the 802.11 header. 318 */ 319 m = ieee80211_decap(m, hdrspace); 320 if (m == NULL) { 321 /* don't count Null data frames as errors */ 322 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA) 323 goto out; 324 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 325 ni->ni_macaddr, "data", "%s", "decap error"); 326 ic->ic_stats.is_rx_decap++; 327 IEEE80211_NODE_STAT(ni, rx_decap); 328 goto err; 329 } 330 331 eh = mtod(m, struct ether_header *); 332 if (!ieee80211_node_is_authorized(ni)) { 333 /* 334 * Deny any non-PAE frames received prior to 335 * authorization. For open/shared-key 336 * authentication the port is mark authorized 337 * after authentication completes. For 802.1x 338 * the port is not marked authorized by the 339 * authenticator until the handshake has completed. 340 */ 341 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 342 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 343 eh->ether_shost, "data", 344 "unauthorized port: ether type 0x%x len %u", 345 eh->ether_type, m->m_pkthdr.len); 346 ic->ic_stats.is_rx_unauth++; 347 IEEE80211_NODE_STAT(ni, rx_unauth); 348 goto err; 349 } 350 } else { 351 /* 352 * When denying unencrypted frames, discard 353 * any non-PAE frames received without encryption. 354 */ 355 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) && 356 key == NULL && eh->ether_type != htons(ETHERTYPE_PAE)) { 357 /* 358 * Drop unencrypted frames. 359 */ 360 ic->ic_stats.is_rx_unencrypted++; 361 IEEE80211_NODE_STAT(ni, rx_unencrypted); 362 goto out; 363 } 364 } 365 366 IEEE80211_NODE_STAT(ni, rx_data); 367 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 368 369 ieee80211_deliver_data(ic, ni, m); 370 371 *mp = NULL; 372 return 0; 373 374 err: 375 if_statinc(ifp, if_ierrors); 376 out: 377 *mp = m; 378 return -1; 379 } 380 381 /* 382 * Input code for a MANAGEMENT frame. 383 */ 384 static int 385 ieee80211_input_management(struct ieee80211com *ic, struct mbuf **mp, 386 struct ieee80211_node *ni, int rssi, u_int32_t rstamp) 387 { 388 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 389 struct ifnet *ifp = ic->ic_ifp; 390 struct ieee80211_key *key; 391 struct ieee80211_frame *wh; 392 u_int8_t dir, subtype; 393 struct mbuf *m = *mp; 394 int hdrspace; 395 396 wh = mtod(m, struct ieee80211_frame *); 397 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 398 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 399 400 IEEE80211_NODE_STAT(ni, rx_mgmt); 401 if (dir != IEEE80211_FC1_DIR_NODS) { 402 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 403 wh, "data", "unknown dir 0x%x", dir); 404 ic->ic_stats.is_rx_wrongdir++; 405 goto err; 406 } 407 if (m->m_len < sizeof(struct ieee80211_frame)) { 408 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, ni->ni_macaddr, 409 "mgt", "too short: len %u", m->m_len); 410 ic->ic_stats.is_rx_tooshort++; 411 goto out; 412 } 413 #ifdef IEEE80211_DEBUG 414 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 415 ieee80211_msg_dumppkts(ic)) { 416 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n", 417 ieee80211_mgt_subtype_name[subtype >> 418 IEEE80211_FC0_SUBTYPE_SHIFT], 419 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 420 rssi); 421 } 422 #endif 423 424 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 425 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 426 /* 427 * Only shared key auth frames with a challenge 428 * should be encrypted, discard all others. 429 */ 430 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 431 wh, ieee80211_mgt_subtype_name[subtype >> 432 IEEE80211_FC0_SUBTYPE_SHIFT], 433 "%s", "WEP set but not permitted"); 434 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */ 435 goto out; 436 } 437 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 438 /* 439 * Discard encrypted frames when privacy is off. 440 */ 441 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 442 wh, "mgt", "%s", "WEP set but PRIVACY off"); 443 ic->ic_stats.is_rx_noprivacy++; 444 goto out; 445 } 446 hdrspace = ieee80211_hdrspace(ic, wh); 447 key = ieee80211_crypto_decap(ic, ni, &m, hdrspace); 448 if (key == NULL) { 449 /* NB: stats+msgs handled in crypto_decap */ 450 goto out; 451 } 452 wh = mtod(m, struct ieee80211_frame *); 453 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 454 } 455 456 bpf_mtap3(ic->ic_rawbpf, m, BPF_D_IN); 457 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 458 m_freem(m); 459 460 *mp = NULL; 461 return 0; 462 463 err: 464 if_statinc(ifp, if_ierrors); 465 out: 466 *mp = m; 467 return -1; 468 } 469 470 /* 471 * Input code for a CONTROL frame. 472 */ 473 static void 474 ieee80211_input_control(struct ieee80211com *ic, struct mbuf *m, 475 struct ieee80211_node *ni) 476 { 477 IEEE80211_NODE_STAT(ni, rx_ctrl); 478 ic->ic_stats.is_rx_ctl++; 479 480 #ifndef IEEE80211_NO_HOSTAP 481 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 482 struct ieee80211_frame *wh; 483 u_int8_t subtype; 484 485 wh = mtod(m, struct ieee80211_frame *); 486 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 487 488 switch (subtype) { 489 case IEEE80211_FC0_SUBTYPE_PS_POLL: 490 ieee80211_recv_pspoll(ic, ni, m); 491 break; 492 } 493 } 494 #endif 495 } 496 497 /* -------------------------------------------------------------------------- */ 498 499 /* 500 * Process a received frame. The node associated with the sender 501 * should be supplied. If nothing was found in the node table then 502 * the caller is assumed to supply a reference to ic_bss instead. 503 * The RSSI and a timestamp are also supplied. The RSSI data is used 504 * during AP scanning to select a AP to associate with; it can have 505 * any units so long as values have consistent units and higher values 506 * mean ``better signal''. The receive timestamp is currently not used 507 * by the 802.11 layer. 508 */ 509 int 510 ieee80211_input(struct ieee80211com *ic, struct mbuf *m, 511 struct ieee80211_node *ni, int rssi, u_int32_t rstamp) 512 { 513 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 514 #define HAS_SEQ(type) ((type & 0x4) == 0) 515 struct ifnet *ifp = ic->ic_ifp; 516 struct ieee80211_frame *wh; 517 u_int8_t dir, type; 518 u_int16_t rxseq; 519 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 520 int ret; 521 522 KASSERT(!cpu_intr_p()); 523 524 IASSERT(ni != NULL, ("null node")); 525 ni->ni_inact = ni->ni_inact_reload; 526 527 /* trim CRC here so WEP can find its own CRC at the end of packet. */ 528 if (m->m_flags & M_HASFCS) { 529 m_adj(m, -IEEE80211_CRC_LEN); 530 m->m_flags &= ~M_HASFCS; 531 } 532 type = -1; /* undefined */ 533 534 /* 535 * In monitor mode, send everything directly to bpf. 536 * XXX may want to include the CRC 537 */ 538 if (ic->ic_opmode == IEEE80211_M_MONITOR) 539 goto out; 540 541 if (m->m_len < sizeof(struct ieee80211_frame_min)) { 542 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 543 ni->ni_macaddr, NULL, 544 "too short (1): len %u", m->m_len); 545 ic->ic_stats.is_rx_tooshort++; 546 goto out; 547 } 548 549 /* 550 * Bit of a cheat here, we use a pointer for a 3-address 551 * frame format but don't reference fields past outside 552 * ieee80211_frame_min w/o first validating the data is 553 * present. 554 */ 555 wh = mtod(m, struct ieee80211_frame *); 556 557 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 558 IEEE80211_FC0_VERSION_0) { 559 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 560 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 561 ic->ic_stats.is_rx_badversion++; 562 goto err; 563 } 564 565 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 566 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 567 568 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 569 u_int8_t *bssid; 570 571 switch (ic->ic_opmode) { 572 case IEEE80211_M_STA: 573 bssid = wh->i_addr2; 574 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 575 /* not interested in */ 576 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 577 bssid, NULL, "node %s, %s", 578 ether_snprintf(ebuf, sizeof(ebuf), 579 ni->ni_bssid), "not to bss"); 580 ic->ic_stats.is_rx_wrongbss++; 581 goto out; 582 } 583 584 /* 585 * Filter out packets not directed to us in case the 586 * device is in promiscuous mode 587 */ 588 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) && 589 !IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 590 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 591 bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D", 592 ic->ic_myaddr, ":", wh->i_addr1, ":"); 593 ic->ic_stats.is_rx_wrongbss++; 594 goto out; 595 } 596 break; 597 598 case IEEE80211_M_IBSS: 599 case IEEE80211_M_AHDEMO: 600 case IEEE80211_M_HOSTAP: 601 if (dir != IEEE80211_FC1_DIR_NODS) 602 bssid = wh->i_addr1; 603 else if (type == IEEE80211_FC0_TYPE_CTL) 604 bssid = wh->i_addr1; 605 else { 606 if (m->m_len < sizeof(struct ieee80211_frame)) { 607 IEEE80211_DISCARD_MAC(ic, 608 IEEE80211_MSG_ANY, ni->ni_macaddr, 609 NULL, "too short (2): len %u", 610 m->m_len); 611 ic->ic_stats.is_rx_tooshort++; 612 goto out; 613 } 614 bssid = wh->i_addr3; 615 } 616 if (type != IEEE80211_FC0_TYPE_DATA) 617 break; 618 619 /* 620 * Data frame, validate the bssid. 621 */ 622 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 623 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 624 /* not interested in */ 625 IEEE80211_DEBUGVAR( 626 char bbuf[3 * ETHER_ADDR_LEN]); 627 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 628 bssid, NULL, "bss %s, broadcast %s, %s", 629 ether_snprintf(ebuf, sizeof(ebuf), 630 ic->ic_bss->ni_bssid), 631 ether_snprintf(bbuf, sizeof(bbuf), 632 ifp->if_broadcastaddr), "not to bss"); 633 ic->ic_stats.is_rx_wrongbss++; 634 goto out; 635 } 636 637 /* 638 * For adhoc mode we cons up a node when it doesn't 639 * exist. This should probably be done after an ACL 640 * check. 641 */ 642 if (ni == ic->ic_bss && 643 ic->ic_opmode != IEEE80211_M_HOSTAP && 644 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 645 /* 646 * Fake up a node for this newly 647 * discovered member of the IBSS. 648 */ 649 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 650 wh->i_addr2); 651 if (ni == NULL) { 652 /* NB: stat kept for alloc failure */ 653 goto err; 654 } 655 } 656 break; 657 658 default: 659 goto out; 660 } 661 662 ni->ni_rssi = rssi; 663 ni->ni_rstamp = rstamp; 664 665 if (HAS_SEQ(type) && (ic->ic_opmode != IEEE80211_M_STA || 666 !IEEE80211_IS_MULTICAST(wh->i_addr1))) { 667 u_int8_t tid, retry; 668 u_int16_t rxno, orxno; 669 670 if (ieee80211_has_qos(wh)) { 671 struct ieee80211_qosframe *qosf; 672 673 if (m->m_len < sizeof(struct ieee80211_qosframe)) { 674 IEEE80211_DISCARD_MAC(ic, 675 IEEE80211_MSG_ANY, 676 ni->ni_macaddr, NULL, 677 "too short (1): len %u", m->m_len); 678 ic->ic_stats.is_rx_tooshort++; 679 goto out; 680 } 681 qosf = mtod(m, struct ieee80211_qosframe *); 682 683 tid = qosf->i_qos[0] & IEEE80211_QOS_TID; 684 if (TID_TO_WME_AC(tid) >= WME_AC_VI) 685 ic->ic_wme.wme_hipri_traffic++; 686 tid++; 687 } else { 688 tid = 0; 689 } 690 691 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 692 retry = wh->i_fc[1] & IEEE80211_FC1_RETRY; 693 rxno = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 694 orxno = ni->ni_rxseqs[tid] >> IEEE80211_SEQ_SEQ_SHIFT; 695 696 if (retry && ( 697 (orxno == 4095 && rxno == orxno) || 698 (orxno != 4095 && 699 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) 700 )) { 701 /* duplicate, discard */ 702 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 703 bssid, "duplicate", 704 "seqno <%u,%u> fragno <%u,%u> tid %u", 705 rxno, 706 orxno, 707 rxseq & IEEE80211_SEQ_FRAG_MASK, 708 ni->ni_rxseqs[tid] & 709 IEEE80211_SEQ_FRAG_MASK, 710 tid); 711 ic->ic_stats.is_rx_dup++; 712 IEEE80211_NODE_STAT(ni, rx_dup); 713 goto out; 714 } 715 ni->ni_rxseqs[tid] = rxseq; 716 } 717 } 718 719 switch (type) { 720 case IEEE80211_FC0_TYPE_DATA: 721 ret = ieee80211_input_data(ic, &m, ni); 722 if (ret == -1) { 723 goto out; 724 } 725 return IEEE80211_FC0_TYPE_DATA; 726 727 case IEEE80211_FC0_TYPE_MGT: 728 ret = ieee80211_input_management(ic, &m, ni, rssi, rstamp); 729 if (ret == -1) { 730 goto out; 731 } 732 return IEEE80211_FC0_TYPE_MGT; 733 734 case IEEE80211_FC0_TYPE_CTL: 735 ieee80211_input_control(ic, m, ni); 736 goto out; 737 738 default: 739 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 740 wh, NULL, "bad frame type 0x%x", type); 741 /* should not come here */ 742 break; 743 } 744 745 err: 746 if_statinc(ifp, if_ierrors); 747 748 out: 749 if (m != NULL) { 750 bpf_mtap3(ic->ic_rawbpf, m, BPF_D_IN); 751 m_freem(m); 752 } 753 return type; 754 #undef SEQ_LEQ 755 } 756 757 /* 758 * This function reassembles fragments. 759 */ 760 static struct mbuf * 761 ieee80211_defrag(struct ieee80211_node *ni, struct mbuf *m, int hdrspace) 762 { 763 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 764 struct ieee80211_frame *lwh; 765 u_int16_t rxseq, iseq; 766 u_int8_t fragno; 767 const u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG; 768 struct mbuf *mfrag; 769 770 IASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?")); 771 772 iseq = *(u_int16_t *)wh->i_seq; 773 rxseq = le16toh(iseq); 774 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK; 775 776 /* Quick way out, if there's nothing to defragment */ 777 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) 778 return m; 779 780 /* 781 * Remove frag to insure it doesn't get reaped by timer. 782 */ 783 if (ni->ni_table == NULL) { 784 /* 785 * Should never happen. If the node is orphaned (not in 786 * the table) then input packets should not reach here. 787 * Otherwise, a concurrent request that yanks the table 788 * should be blocked by other interlocking and/or by first 789 * shutting the driver down. Regardless, be defensive 790 * here and just bail 791 */ 792 /* XXX need msg+stat */ 793 m_freem(m); 794 return NULL; 795 } 796 IEEE80211_NODE_LOCK(ni->ni_table); 797 mfrag = ni->ni_rxfrag[0]; 798 ni->ni_rxfrag[0] = NULL; 799 IEEE80211_NODE_UNLOCK(ni->ni_table); 800 801 /* 802 * Validate new fragment is in order and 803 * related to the previous ones. 804 */ 805 if (mfrag != NULL) { 806 u_int16_t last_rxseq; 807 808 lwh = mtod(mfrag, struct ieee80211_frame *); 809 last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq); 810 /* 811 * NB: check seq # and frag together. Also check that both 812 * fragments are plaintext or that both are encrypted. 813 */ 814 if (rxseq != last_rxseq+1 || 815 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) || 816 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2) || 817 ((wh->i_fc[1] ^ lwh->i_fc[1]) & IEEE80211_FC1_WEP)) { 818 /* 819 * Unrelated fragment or no space for it, 820 * clear current fragments. 821 */ 822 m_freem(mfrag); 823 mfrag = NULL; 824 } 825 } 826 827 if (mfrag == NULL) { 828 if (fragno != 0) { /* !first fragment, discard */ 829 IEEE80211_NODE_STAT(ni, rx_defrag); 830 m_freem(m); 831 return NULL; 832 } 833 mfrag = m; 834 } else { 835 int mlen; 836 837 /* Strip header and concatenate */ 838 m_adj(m, hdrspace); 839 mlen = m->m_pkthdr.len; 840 m_cat(mfrag, m); 841 842 /* NB: m_cat doesn't update the packet header */ 843 mfrag->m_pkthdr.len += mlen; 844 845 /* track last seqnum and fragno */ 846 lwh = mtod(mfrag, struct ieee80211_frame *); 847 *(u_int16_t *)lwh->i_seq = iseq; 848 } 849 850 if (more_frag) { 851 /* more to come, save */ 852 ni->ni_rxfragstamp = ticks; 853 ni->ni_rxfrag[0] = mfrag; 854 mfrag = NULL; 855 } 856 857 return mfrag; 858 } 859 860 static void 861 ieee80211_deliver_data(struct ieee80211com *ic, 862 struct ieee80211_node *ni, struct mbuf *m) 863 { 864 struct ether_header *eh = mtod(m, struct ether_header *); 865 struct ifnet *ifp = ic->ic_ifp; 866 int error; 867 868 /* perform as a bridge within the AP */ 869 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 870 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) { 871 struct mbuf *m1 = NULL; 872 873 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 874 m1 = m_copypacket(m, M_DONTWAIT); 875 if (m1 == NULL) 876 if_statinc(ifp, if_oerrors); 877 else 878 m1->m_flags |= M_MCAST; 879 } else { 880 /* 881 * Check if the destination is known; if so 882 * and the port is authorized dispatch directly. 883 */ 884 struct ieee80211_node *sta = 885 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost); 886 if (sta != NULL) { 887 if (ieee80211_node_is_authorized(sta)) { 888 /* 889 * Beware of sending to ourself; this 890 * needs to happen via the normal 891 * input path. 892 */ 893 if (sta != ic->ic_bss) { 894 m1 = m; 895 m = NULL; 896 } 897 } else { 898 ic->ic_stats.is_rx_unauth++; 899 IEEE80211_NODE_STAT(sta, rx_unauth); 900 } 901 ieee80211_free_node(sta); 902 } 903 } 904 905 if (m1 != NULL) { 906 int len; 907 #ifdef ALTQ 908 if (ALTQ_IS_ENABLED(&ifp->if_snd)) { 909 altq_etherclassify(&ifp->if_snd, m1); 910 } 911 #endif 912 len = m1->m_pkthdr.len; 913 IFQ_ENQUEUE(&ifp->if_snd, m1, error); 914 if (error) { 915 if_statinc(ifp, if_oerrors); 916 m_freem(m); 917 m = NULL; 918 } 919 if_statadd(ifp, if_obytes, len); 920 } 921 } 922 923 if (m != NULL) { 924 if (ni->ni_vlan != 0) 925 vlan_set_tag(m, ni->ni_vlan); 926 927 /* 928 * XXX once ieee80211_input (or rxintr itself) runs in softint 929 * we have to change here too to use if_input. 930 */ 931 KASSERT(ifp->if_percpuq); 932 if_percpuq_enqueue(ifp->if_percpuq, m); 933 } 934 935 return; 936 } 937 938 static struct mbuf * 939 ieee80211_decap(struct mbuf *m, int hdrlen) 940 { 941 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */ 942 struct ether_header *eh; 943 struct llc *llc; 944 945 if (m->m_len < hdrlen + sizeof(*llc) && 946 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) { 947 return NULL; 948 } 949 950 memcpy(&wh, mtod(m, void *), hdrlen); 951 952 llc = (struct llc *)(mtod(m, char *) + hdrlen); 953 if (llc->llc_dsap == LLC_SNAP_LSAP && 954 llc->llc_ssap == LLC_SNAP_LSAP && 955 llc->llc_control == LLC_UI && 956 llc->llc_snap.org_code[0] == 0 && 957 llc->llc_snap.org_code[1] == 0 && 958 llc->llc_snap.org_code[2] == 0) { 959 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); 960 llc = NULL; 961 } else { 962 /* Keep the LLC after the Ethernet header. */ 963 m_adj(m, hdrlen - sizeof(*eh)); 964 } 965 966 eh = mtod(m, struct ether_header *); 967 968 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 969 case IEEE80211_FC1_DIR_NODS: 970 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 971 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 972 break; 973 case IEEE80211_FC1_DIR_TODS: 974 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 975 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 976 break; 977 case IEEE80211_FC1_DIR_FROMDS: 978 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 979 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 980 break; 981 case IEEE80211_FC1_DIR_DSTODS: 982 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 983 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 984 break; 985 } 986 987 #ifdef ALIGNED_POINTER 988 if (!ALIGNED_POINTER(mtod(m, char *) + sizeof(*eh), u_int32_t)) { 989 struct mbuf *n, *n0, **np; 990 char *newdata; 991 int off, pktlen; 992 993 n0 = NULL; 994 np = &n0; 995 off = 0; 996 pktlen = m->m_pkthdr.len; 997 while (pktlen > off) { 998 if (n0 == NULL) { 999 MGETHDR(n, M_DONTWAIT, MT_DATA); 1000 if (n == NULL) { 1001 m_freem(m); 1002 return NULL; 1003 } 1004 m_move_pkthdr(n, m); 1005 n->m_len = MHLEN; 1006 } else { 1007 MGET(n, M_DONTWAIT, MT_DATA); 1008 if (n == NULL) { 1009 m_freem(m); 1010 m_freem(n0); 1011 return NULL; 1012 } 1013 n->m_len = MLEN; 1014 } 1015 if (pktlen - off >= MINCLSIZE) { 1016 MCLGET(n, M_DONTWAIT); 1017 if (n->m_flags & M_EXT) 1018 n->m_len = n->m_ext.ext_size; 1019 } 1020 if (n0 == NULL) { 1021 newdata = 1022 (char *)ALIGN(n->m_data + sizeof(*eh)) - 1023 sizeof(*eh); 1024 n->m_len -= newdata - n->m_data; 1025 n->m_data = newdata; 1026 } 1027 if (n->m_len > pktlen - off) 1028 n->m_len = pktlen - off; 1029 m_copydata(m, off, n->m_len, mtod(n, void *)); 1030 off += n->m_len; 1031 *np = n; 1032 np = &n->m_next; 1033 } 1034 m_freem(m); 1035 m = n0; 1036 } 1037 #endif /* ALIGNED_POINTER */ 1038 1039 if (llc != NULL) { 1040 eh = mtod(m, struct ether_header *); 1041 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 1042 } 1043 1044 return m; 1045 } 1046 1047 /* 1048 * Install received rate set information in the node's state block. 1049 */ 1050 int 1051 ieee80211_setup_rates(struct ieee80211_node *ni, const u_int8_t *rates, 1052 const u_int8_t *xrates, int flags) 1053 { 1054 struct ieee80211com *ic = ni->ni_ic; 1055 struct ieee80211_rateset *rs = &ni->ni_rates; 1056 1057 memset(rs, 0, sizeof(*rs)); 1058 1059 rs->rs_nrates = rates[1]; 1060 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 1061 1062 if (xrates != NULL) { 1063 u_int8_t nxrates; 1064 size_t totalrate; 1065 1066 /* 1067 * Tack on 11g extended supported rate element. 1068 */ 1069 nxrates = xrates[1]; 1070 totalrate = (size_t)rs->rs_nrates + (size_t)nxrates; 1071 1072 if (totalrate > IEEE80211_RATE_MAXSIZE) { 1073 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 1074 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 1075 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 1076 "[%s] extended rate set too large;" 1077 " only using %u of %u rates\n", 1078 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 1079 nxrates, xrates[1]); 1080 ic->ic_stats.is_rx_rstoobig++; 1081 } 1082 1083 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 1084 rs->rs_nrates += nxrates; 1085 } 1086 1087 return ieee80211_fix_rate(ni, flags); 1088 } 1089 1090 static void 1091 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 1092 struct ieee80211_node *ni, int rssi, u_int32_t rstamp, 1093 u_int16_t seq, u_int16_t status) 1094 { 1095 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 1096 1097 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 1098 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1099 ni->ni_macaddr, "open auth", 1100 "bad sta auth mode %u", ni->ni_authmode); 1101 ic->ic_stats.is_rx_bad_auth++; /* XXX */ 1102 1103 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1104 /* XXX hack to workaround calling convention */ 1105 ieee80211_send_error(ic, ni, wh->i_addr2, 1106 IEEE80211_FC0_SUBTYPE_AUTH, 1107 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 1108 } 1109 return; 1110 } 1111 1112 switch (ic->ic_opmode) { 1113 case IEEE80211_M_IBSS: 1114 case IEEE80211_M_AHDEMO: 1115 case IEEE80211_M_MONITOR: 1116 /* should not come here */ 1117 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1118 ni->ni_macaddr, "open auth", 1119 "bad operating mode %u", ic->ic_opmode); 1120 break; 1121 1122 case IEEE80211_M_HOSTAP: 1123 #ifndef IEEE80211_NO_HOSTAP 1124 if (ic->ic_state != IEEE80211_S_RUN || 1125 seq != IEEE80211_AUTH_OPEN_REQUEST) { 1126 ic->ic_stats.is_rx_bad_auth++; 1127 return; 1128 } 1129 1130 /* always accept open authentication requests */ 1131 if (ni == ic->ic_bss) { 1132 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1133 if (ni == NULL) 1134 return; 1135 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) { 1136 (void)ieee80211_ref_node(ni); 1137 } 1138 1139 /* 1140 * Mark the node as referenced to reflect that its 1141 * reference count has been bumped to insure it remains 1142 * after the transaction completes. 1143 */ 1144 ni->ni_flags |= IEEE80211_NODE_AREF; 1145 1146 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_AUTH, 1147 seq + 1); 1148 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1149 "[%s] station authenticated (open)\n", 1150 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 1151 1152 /* 1153 * When 802.1x is not in use mark the port 1154 * authorized at this point so traffic can flow. 1155 */ 1156 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 1157 ieee80211_node_authorize(ni); 1158 #endif /* !IEEE80211_NO_HOSTAP */ 1159 break; 1160 1161 case IEEE80211_M_STA: 1162 if (ic->ic_state != IEEE80211_S_AUTH || 1163 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 1164 ic->ic_stats.is_rx_bad_auth++; 1165 return; 1166 } 1167 if (status != 0) { 1168 IEEE80211_DPRINTF(ic, 1169 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1170 "[%s] open auth failed (reason %d)\n", 1171 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 1172 status); 1173 1174 /* XXX can this happen? */ 1175 if (ni != ic->ic_bss) 1176 ni->ni_fails++; 1177 1178 ic->ic_stats.is_rx_auth_fail++; 1179 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1180 } else { 1181 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1182 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1183 } 1184 break; 1185 } 1186 } 1187 1188 /* 1189 * Send a management frame error response to the specified 1190 * station. If ni is associated with the station then use 1191 * it; otherwise allocate a temporary node suitable for 1192 * transmitting the frame and then free the reference so 1193 * it will go away as soon as the frame has been transmitted. 1194 */ 1195 static void 1196 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni, 1197 const u_int8_t *mac, int subtype, int arg) 1198 { 1199 bool istmp; 1200 1201 if (ni == ic->ic_bss) { 1202 ni = ieee80211_tmp_node(ic, mac); 1203 if (ni == NULL) { 1204 /* XXX msg */ 1205 return; 1206 } 1207 istmp = true; 1208 } else { 1209 istmp = false; 1210 } 1211 1212 IEEE80211_SEND_MGMT(ic, ni, subtype, arg); 1213 if (istmp) 1214 ieee80211_free_node(ni); 1215 } 1216 1217 static int 1218 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni) 1219 { 1220 if (ni->ni_challenge == NULL) { 1221 ni->ni_challenge = malloc(IEEE80211_CHALLENGE_LEN, 1222 M_DEVBUF, M_NOWAIT); 1223 } 1224 if (ni->ni_challenge == NULL) { 1225 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 1226 1227 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1228 "[%s] shared key challenge alloc failed\n", 1229 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 1230 /* XXX statistic */ 1231 } 1232 return (ni->ni_challenge != NULL); 1233 } 1234 1235 /* XXX TODO: add statistics */ 1236 static void 1237 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 1238 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 1239 u_int32_t rstamp, u_int16_t seq, u_int16_t status) 1240 { 1241 u_int8_t *challenge; 1242 int estatus; 1243 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 1244 1245 /* 1246 * NB: this can happen as we allow pre-shared key 1247 * authentication to be enabled w/o wep being turned 1248 * on so that configuration of these can be done 1249 * in any order. It may be better to enforce the 1250 * ordering in which case this check would just be 1251 * for sanity/consistency. 1252 */ 1253 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 1254 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1255 ni->ni_macaddr, "shared key auth", 1256 "%s", " PRIVACY is disabled"); 1257 estatus = IEEE80211_STATUS_ALG; 1258 goto bad; 1259 } 1260 1261 /* 1262 * Pre-shared key authentication is evil; accept 1263 * it only if explicitly configured (it is supported 1264 * mainly for compatibility with clients like OS X). 1265 */ 1266 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1267 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1268 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1269 ni->ni_macaddr, "shared key auth", 1270 "bad sta auth mode %u", ni->ni_authmode); 1271 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1272 estatus = IEEE80211_STATUS_ALG; 1273 goto bad; 1274 } 1275 1276 challenge = NULL; 1277 if (frm + 1 < efrm) { 1278 if ((frm[1] + 2) > (efrm - frm)) { 1279 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1280 ni->ni_macaddr, "shared key auth", 1281 "ie %d/%d too long", 1282 frm[0], (frm[1] + 2) - (efrm - frm)); 1283 ic->ic_stats.is_rx_bad_auth++; 1284 estatus = IEEE80211_STATUS_CHALLENGE; 1285 goto bad; 1286 } 1287 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1288 challenge = frm; 1289 frm += frm[1] + 2; 1290 } 1291 1292 switch (seq) { 1293 case IEEE80211_AUTH_SHARED_CHALLENGE: 1294 case IEEE80211_AUTH_SHARED_RESPONSE: 1295 if (challenge == NULL) { 1296 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1297 ni->ni_macaddr, "shared key auth", 1298 "%s", "no challenge"); 1299 ic->ic_stats.is_rx_bad_auth++; 1300 estatus = IEEE80211_STATUS_CHALLENGE; 1301 goto bad; 1302 } 1303 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1304 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1305 ni->ni_macaddr, "shared key auth", 1306 "bad challenge len %d", challenge[1]); 1307 ic->ic_stats.is_rx_bad_auth++; 1308 estatus = IEEE80211_STATUS_CHALLENGE; 1309 goto bad; 1310 } 1311 default: 1312 break; 1313 } 1314 1315 switch (ic->ic_opmode) { 1316 case IEEE80211_M_MONITOR: 1317 case IEEE80211_M_AHDEMO: 1318 case IEEE80211_M_IBSS: 1319 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1320 ni->ni_macaddr, "shared key auth", 1321 "bad operating mode %u", ic->ic_opmode); 1322 return; 1323 1324 case IEEE80211_M_HOSTAP: 1325 #ifndef IEEE80211_NO_HOSTAP 1326 { 1327 int allocbs; 1328 if (ic->ic_state != IEEE80211_S_RUN) { 1329 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1330 ni->ni_macaddr, "shared key auth", 1331 "bad state %u", ic->ic_state); 1332 estatus = IEEE80211_STATUS_ALG; /* XXX */ 1333 goto bad; 1334 } 1335 switch (seq) { 1336 case IEEE80211_AUTH_SHARED_REQUEST: 1337 if (ni == ic->ic_bss) { 1338 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1339 if (ni == NULL) { 1340 /* NB: no way to return an error */ 1341 return; 1342 } 1343 allocbs = 1; 1344 } else { 1345 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1346 (void)ieee80211_ref_node(ni); 1347 allocbs = 0; 1348 } 1349 __USE(allocbs); 1350 1351 /* 1352 * Mark the node as referenced to reflect that its 1353 * reference count has been bumped to insure it remains 1354 * after the transaction completes. 1355 */ 1356 ni->ni_flags |= IEEE80211_NODE_AREF; 1357 ni->ni_rssi = rssi; 1358 ni->ni_rstamp = rstamp; 1359 if (!alloc_challenge(ic, ni)) { 1360 /* NB: don't return error so they rexmit */ 1361 return; 1362 } 1363 1364 get_random_bytes(ni->ni_challenge, 1365 IEEE80211_CHALLENGE_LEN); 1366 1367 IEEE80211_DPRINTF(ic, 1368 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1369 "[%s] shared key %sauth request\n", 1370 ether_snprintf(ebuf, sizeof(ebuf), 1371 ni->ni_macaddr), 1372 allocbs ? "" : "re"); 1373 break; 1374 1375 case IEEE80211_AUTH_SHARED_RESPONSE: 1376 if (ni == ic->ic_bss) { 1377 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1378 ni->ni_macaddr, "shared key response", 1379 "%s", "unknown station"); 1380 /* NB: don't send a response */ 1381 return; 1382 } 1383 1384 if (ni->ni_challenge == NULL) { 1385 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1386 ni->ni_macaddr, "shared key response", 1387 "%s", "no challenge recorded"); 1388 ic->ic_stats.is_rx_bad_auth++; 1389 estatus = IEEE80211_STATUS_CHALLENGE; 1390 goto bad; 1391 } 1392 1393 if (memcmp(ni->ni_challenge, &challenge[2], 1394 challenge[1]) != 0) { 1395 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1396 ni->ni_macaddr, "shared key response", 1397 "%s", "challenge mismatch"); 1398 ic->ic_stats.is_rx_auth_fail++; 1399 estatus = IEEE80211_STATUS_CHALLENGE; 1400 goto bad; 1401 } 1402 1403 IEEE80211_DPRINTF(ic, 1404 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1405 "[%s] station authenticated (shared key)\n", 1406 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 1407 1408 ieee80211_node_authorize(ni); 1409 break; 1410 1411 default: 1412 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1413 ni->ni_macaddr, "shared key auth", 1414 "bad seq %d", seq); 1415 ic->ic_stats.is_rx_bad_auth++; 1416 estatus = IEEE80211_STATUS_SEQUENCE; 1417 goto bad; 1418 } 1419 1420 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_AUTH, 1421 seq + 1); 1422 } 1423 #endif /* !IEEE80211_NO_HOSTAP */ 1424 break; 1425 1426 case IEEE80211_M_STA: 1427 if (ic->ic_state != IEEE80211_S_AUTH) 1428 return; 1429 switch (seq) { 1430 case IEEE80211_AUTH_SHARED_PASS: 1431 if (ni->ni_challenge != NULL) { 1432 free(ni->ni_challenge, M_DEVBUF); 1433 ni->ni_challenge = NULL; 1434 } 1435 if (status != 0) { 1436 IEEE80211_DPRINTF(ic, 1437 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1438 "[%s] shared key auth failed (reason %d)\n", 1439 ether_snprintf(ebuf, sizeof(ebuf), 1440 ieee80211_getbssid(ic, wh)), 1441 status); 1442 1443 /* XXX can this happen? */ 1444 if (ni != ic->ic_bss) 1445 ni->ni_fails++; 1446 1447 ic->ic_stats.is_rx_auth_fail++; 1448 return; 1449 } 1450 1451 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1452 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1453 break; 1454 1455 case IEEE80211_AUTH_SHARED_CHALLENGE: 1456 if (!alloc_challenge(ic, ni)) 1457 return; 1458 /* XXX could optimize by passing recvd challenge */ 1459 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1460 1461 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_AUTH, 1462 seq + 1); 1463 break; 1464 1465 default: 1466 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH, 1467 wh, "shared key auth", "bad seq %d", seq); 1468 ic->ic_stats.is_rx_bad_auth++; 1469 return; 1470 } 1471 break; 1472 } 1473 return; 1474 1475 bad: 1476 #ifndef IEEE80211_NO_HOSTAP 1477 /* 1478 * Send an error response; but only when operating as an AP. 1479 */ 1480 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1481 /* XXX hack to workaround calling convention */ 1482 ieee80211_send_error(ic, ni, wh->i_addr2, 1483 IEEE80211_FC0_SUBTYPE_AUTH, 1484 (seq + 1) | (estatus<<16)); 1485 } else if (ic->ic_opmode == IEEE80211_M_STA) { 1486 /* 1487 * Kick the state machine. This short-circuits 1488 * using the mgt frame timeout to trigger the 1489 * state transition. 1490 */ 1491 if (ic->ic_state == IEEE80211_S_AUTH) 1492 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1493 } 1494 #else 1495 ; 1496 #endif /* !IEEE80211_NO_HOSTAP */ 1497 } 1498 1499 #ifdef IEEE80211_DEBUG 1500 static void 1501 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 1502 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 1503 { 1504 char ebuf[3 * ETHER_ADDR_LEN]; 1505 1506 printf("[%s] discard %s frame, ssid mismatch: ", 1507 ether_snprintf(ebuf, sizeof(ebuf), mac), tag); 1508 ieee80211_print_essid(ssid + 2, ssid[1]); 1509 printf("\n"); 1510 } 1511 1512 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1513 if ((_ssid)[1] != 0 && \ 1514 ((_ssid)[1] != (_ni)->ni_esslen || \ 1515 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1516 if (ieee80211_msg_input(ic)) \ 1517 ieee80211_ssid_mismatch(ic, \ 1518 ieee80211_mgt_subtype_name[subtype >> \ 1519 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1520 wh->i_addr2, _ssid); \ 1521 ic->ic_stats.is_rx_ssidmismatch++; \ 1522 return; \ 1523 } \ 1524 } while (0) 1525 #else /* !IEEE80211_DEBUG */ 1526 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1527 if ((_ssid)[1] != 0 && \ 1528 ((_ssid)[1] != (_ni)->ni_esslen || \ 1529 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1530 ic->ic_stats.is_rx_ssidmismatch++; \ 1531 return; \ 1532 } \ 1533 } while (0) 1534 #endif /* !IEEE80211_DEBUG */ 1535 1536 /* unaligned little endian access */ 1537 #define LE_READ_2(p) \ 1538 ((u_int16_t) \ 1539 ((((const u_int8_t *)(p))[0] ) | \ 1540 (((const u_int8_t *)(p))[1] << 8))) 1541 #define LE_READ_4(p) \ 1542 ((u_int32_t) \ 1543 ((((const u_int8_t *)(p))[0] ) | \ 1544 (((const u_int8_t *)(p))[1] << 8) | \ 1545 (((const u_int8_t *)(p))[2] << 16) | \ 1546 (((const u_int8_t *)(p))[3] << 24))) 1547 1548 static __inline int 1549 iswpaoui(const u_int8_t *frm) 1550 { 1551 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); 1552 } 1553 1554 static __inline int 1555 iswmeoui(const u_int8_t *frm) 1556 { 1557 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI); 1558 } 1559 1560 static __inline int 1561 iswmeparam(const u_int8_t *frm) 1562 { 1563 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1564 frm[6] == WME_PARAM_OUI_SUBTYPE; 1565 } 1566 1567 static __inline int 1568 iswmeinfo(const u_int8_t *frm) 1569 { 1570 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1571 frm[6] == WME_INFO_OUI_SUBTYPE; 1572 } 1573 1574 /* 1575 * Convert a WPA cipher selector OUI to an internal 1576 * cipher algorithm. Where appropriate we also 1577 * record any key length. 1578 */ 1579 static int 1580 wpa_cipher(u_int8_t *sel, u_int8_t *keylen) 1581 { 1582 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1583 u_int32_t w = LE_READ_4(sel); 1584 1585 switch (w) { 1586 case WPA_SEL(WPA_CSE_NULL): 1587 return IEEE80211_CIPHER_NONE; 1588 case WPA_SEL(WPA_CSE_WEP40): 1589 if (keylen) 1590 *keylen = 40 / NBBY; 1591 return IEEE80211_CIPHER_WEP; 1592 case WPA_SEL(WPA_CSE_WEP104): 1593 if (keylen) 1594 *keylen = 104 / NBBY; 1595 return IEEE80211_CIPHER_WEP; 1596 case WPA_SEL(WPA_CSE_TKIP): 1597 return IEEE80211_CIPHER_TKIP; 1598 case WPA_SEL(WPA_CSE_CCMP): 1599 return IEEE80211_CIPHER_AES_CCM; 1600 } 1601 return 32; /* NB: so 1<< is discarded */ 1602 #undef WPA_SEL 1603 } 1604 1605 /* 1606 * Convert a WPA key management/authentication algorithm 1607 * to an internal code. 1608 */ 1609 static int 1610 wpa_keymgmt(u_int8_t *sel) 1611 { 1612 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1613 u_int32_t w = LE_READ_4(sel); 1614 1615 switch (w) { 1616 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1617 return WPA_ASE_8021X_UNSPEC; 1618 case WPA_SEL(WPA_ASE_8021X_PSK): 1619 return WPA_ASE_8021X_PSK; 1620 case WPA_SEL(WPA_ASE_NONE): 1621 return WPA_ASE_NONE; 1622 } 1623 return 0; /* NB: so is discarded */ 1624 #undef WPA_SEL 1625 } 1626 1627 /* 1628 * Parse a WPA information element to collect parameters 1629 * and validate the parameters against what has been 1630 * configured for the system. 1631 */ 1632 static int 1633 ieee80211_parse_wpa(struct ieee80211com *ic, u_int8_t *frm, 1634 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1635 { 1636 u_int8_t len = frm[1]; 1637 u_int32_t w; 1638 int n; 1639 1640 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) { 1641 IEEE80211_DISCARD_IE(ic, 1642 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1643 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags); 1644 return IEEE80211_REASON_IE_INVALID; 1645 } 1646 1647 /* 1648 * Check the length once for fixed parts: OUI, type, 1649 * version, mcast cipher, and 2 selector counts. 1650 * Other, variable-length data, must be checked separately. 1651 */ 1652 if (len < 14) { 1653 IEEE80211_DISCARD_IE(ic, 1654 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1655 wh, "WPA", "too short, len %u", len); 1656 return IEEE80211_REASON_IE_INVALID; 1657 } 1658 1659 frm += 2; /* beginning of payload */ 1660 frm += 4, len -= 4; 1661 1662 /* NB: iswapoui already validated the OUI and type */ 1663 w = LE_READ_2(frm); 1664 if (w != WPA_VERSION) { 1665 IEEE80211_DISCARD_IE(ic, 1666 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1667 wh, "WPA", "bad version %u", w); 1668 return IEEE80211_REASON_IE_INVALID; 1669 } 1670 frm += 2, len -= 2; 1671 1672 /* multicast/group cipher */ 1673 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1674 if (w != rsn->rsn_mcastcipher) { 1675 IEEE80211_DISCARD_IE(ic, 1676 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1677 wh, "WPA", "mcast cipher mismatch; got %u, expected %u", 1678 w, rsn->rsn_mcastcipher); 1679 return IEEE80211_REASON_IE_INVALID; 1680 } 1681 frm += 4, len -= 4; 1682 1683 /* unicast ciphers */ 1684 n = LE_READ_2(frm); 1685 frm += 2, len -= 2; 1686 if (len < n*4+2) { 1687 IEEE80211_DISCARD_IE(ic, 1688 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1689 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1690 len, n); 1691 return IEEE80211_REASON_IE_INVALID; 1692 } 1693 w = 0; 1694 for (; n > 0; n--) { 1695 w |= 1 << wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1696 frm += 4, len -= 4; 1697 } 1698 w &= rsn->rsn_ucastcipherset; 1699 if (w == 0) { 1700 IEEE80211_DISCARD_IE(ic, 1701 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1702 wh, "WPA", "%s", "ucast cipher set empty"); 1703 return IEEE80211_REASON_IE_INVALID; 1704 } 1705 if (w & (1 << IEEE80211_CIPHER_TKIP)) 1706 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1707 else 1708 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1709 1710 /* key management algorithms */ 1711 n = LE_READ_2(frm); 1712 frm += 2, len -= 2; 1713 if (len < n*4) { 1714 IEEE80211_DISCARD_IE(ic, 1715 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1716 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1717 len, n); 1718 return IEEE80211_REASON_IE_INVALID; 1719 } 1720 w = 0; 1721 for (; n > 0; n--) { 1722 w |= wpa_keymgmt(frm); 1723 frm += 4, len -= 4; 1724 } 1725 w &= rsn->rsn_keymgmtset; 1726 if (w == 0) { 1727 IEEE80211_DISCARD_IE(ic, 1728 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1729 wh, "WPA", "%s", "no acceptable key mgmt alg"); 1730 return IEEE80211_REASON_IE_INVALID; 1731 } 1732 if (w & WPA_ASE_8021X_UNSPEC) 1733 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1734 else 1735 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1736 1737 if (len > 2) /* optional capabilities */ 1738 rsn->rsn_caps = LE_READ_2(frm); 1739 1740 return 0; 1741 } 1742 1743 /* 1744 * Convert an RSN cipher selector OUI to an internal 1745 * cipher algorithm. Where appropriate we also 1746 * record any key length. 1747 */ 1748 static int 1749 rsn_cipher(u_int8_t *sel, u_int8_t *keylen) 1750 { 1751 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1752 u_int32_t w = LE_READ_4(sel); 1753 1754 switch (w) { 1755 case RSN_SEL(RSN_CSE_NULL): 1756 return IEEE80211_CIPHER_NONE; 1757 case RSN_SEL(RSN_CSE_WEP40): 1758 if (keylen) 1759 *keylen = 40 / NBBY; 1760 return IEEE80211_CIPHER_WEP; 1761 case RSN_SEL(RSN_CSE_WEP104): 1762 if (keylen) 1763 *keylen = 104 / NBBY; 1764 return IEEE80211_CIPHER_WEP; 1765 case RSN_SEL(RSN_CSE_TKIP): 1766 return IEEE80211_CIPHER_TKIP; 1767 case RSN_SEL(RSN_CSE_CCMP): 1768 return IEEE80211_CIPHER_AES_CCM; 1769 case RSN_SEL(RSN_CSE_WRAP): 1770 return IEEE80211_CIPHER_AES_OCB; 1771 } 1772 return 32; /* NB: so 1<< is discarded */ 1773 #undef WPA_SEL 1774 } 1775 1776 /* 1777 * Convert an RSN key management/authentication algorithm 1778 * to an internal code. 1779 */ 1780 static int 1781 rsn_keymgmt(u_int8_t *sel) 1782 { 1783 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1784 u_int32_t w = LE_READ_4(sel); 1785 1786 switch (w) { 1787 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1788 return RSN_ASE_8021X_UNSPEC; 1789 case RSN_SEL(RSN_ASE_8021X_PSK): 1790 return RSN_ASE_8021X_PSK; 1791 case RSN_SEL(RSN_ASE_NONE): 1792 return RSN_ASE_NONE; 1793 } 1794 return 0; /* NB: so is discarded */ 1795 #undef RSN_SEL 1796 } 1797 1798 /* 1799 * Parse a WPA/RSN information element to collect parameters 1800 * and validate the parameters against what has been 1801 * configured for the system. 1802 */ 1803 static int 1804 ieee80211_parse_rsn(struct ieee80211com *ic, u_int8_t *frm, 1805 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1806 { 1807 u_int8_t len = frm[1]; 1808 u_int32_t w; 1809 int n; 1810 1811 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) { 1812 IEEE80211_DISCARD_IE(ic, 1813 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1814 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags); 1815 return IEEE80211_REASON_IE_INVALID; 1816 } 1817 1818 /* 1819 * Check the length once for fixed parts: 1820 * version, mcast cipher, and 2 selector counts. 1821 * Other, variable-length data, must be checked separately. 1822 */ 1823 if (len < 10) { 1824 IEEE80211_DISCARD_IE(ic, 1825 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1826 wh, "RSN", "too short, len %u", len); 1827 return IEEE80211_REASON_IE_INVALID; 1828 } 1829 1830 frm += 2; /* beginning of payload */ 1831 w = LE_READ_2(frm); 1832 if (w != RSN_VERSION) { 1833 IEEE80211_DISCARD_IE(ic, 1834 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1835 wh, "RSN", "bad version %u", w); 1836 return IEEE80211_REASON_IE_INVALID; 1837 } 1838 frm += 2, len -= 2; 1839 1840 /* multicast/group cipher */ 1841 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1842 if (w != rsn->rsn_mcastcipher) { 1843 IEEE80211_DISCARD_IE(ic, 1844 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1845 wh, "RSN", "mcast cipher mismatch; got %u, expected %u", 1846 w, rsn->rsn_mcastcipher); 1847 return IEEE80211_REASON_IE_INVALID; 1848 } 1849 frm += 4, len -= 4; 1850 1851 /* unicast ciphers */ 1852 n = LE_READ_2(frm); 1853 frm += 2, len -= 2; 1854 if (len < n*4+2) { 1855 IEEE80211_DISCARD_IE(ic, 1856 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1857 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1858 len, n); 1859 return IEEE80211_REASON_IE_INVALID; 1860 } 1861 w = 0; 1862 for (; n > 0; n--) { 1863 w |= 1 << rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1864 frm += 4, len -= 4; 1865 } 1866 w &= rsn->rsn_ucastcipherset; 1867 if (w == 0) { 1868 IEEE80211_DISCARD_IE(ic, 1869 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1870 wh, "RSN", "%s", "ucast cipher set empty"); 1871 return IEEE80211_REASON_IE_INVALID; 1872 } 1873 if (w & (1 << IEEE80211_CIPHER_TKIP)) 1874 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1875 else 1876 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1877 1878 /* key management algorithms */ 1879 n = LE_READ_2(frm); 1880 frm += 2, len -= 2; 1881 if (len < n*4) { 1882 IEEE80211_DISCARD_IE(ic, 1883 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1884 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1885 len, n); 1886 return IEEE80211_REASON_IE_INVALID; 1887 } 1888 w = 0; 1889 for (; n > 0; n--) { 1890 w |= rsn_keymgmt(frm); 1891 frm += 4, len -= 4; 1892 } 1893 w &= rsn->rsn_keymgmtset; 1894 if (w == 0) { 1895 IEEE80211_DISCARD_IE(ic, 1896 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1897 wh, "RSN", "%s", "no acceptable key mgmt alg"); 1898 return IEEE80211_REASON_IE_INVALID; 1899 } 1900 if (w & RSN_ASE_8021X_UNSPEC) 1901 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1902 else 1903 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1904 1905 /* optional RSN capabilities */ 1906 if (len > 2) 1907 rsn->rsn_caps = LE_READ_2(frm); 1908 /* XXXPMKID */ 1909 1910 return 0; 1911 } 1912 1913 static int 1914 ieee80211_parse_wmeparams(struct ieee80211com *ic, u_int8_t *frm, 1915 const struct ieee80211_frame *wh) 1916 { 1917 #define MS(_v, _f) (((_v) & _f) >> _f##_S) 1918 struct ieee80211_wme_state *wme = &ic->ic_wme; 1919 u_int len = frm[1], qosinfo; 1920 int i; 1921 1922 if (len < sizeof(struct ieee80211_wme_param)-2) { 1923 IEEE80211_DISCARD_IE(ic, 1924 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1925 wh, "WME", "too short, len %u", len); 1926 return -1; 1927 } 1928 1929 qosinfo = frm[offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1930 qosinfo &= WME_QOSINFO_COUNT; 1931 1932 /* XXX do proper check for wraparound */ 1933 if (qosinfo == wme->wme_wmeChanParams.cap_info) 1934 return 0; 1935 1936 frm += offsetof(struct ieee80211_wme_param, params_acParams); 1937 for (i = 0; i < WME_NUM_AC; i++) { 1938 struct wmeParams *wmep = 1939 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1940 /* NB: ACI not used */ 1941 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1942 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1943 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1944 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1945 wmep->wmep_txopLimit = LE_READ_2(frm+2); 1946 frm += 4; 1947 } 1948 1949 wme->wme_wmeChanParams.cap_info = qosinfo; 1950 return 1; 1951 #undef MS 1952 } 1953 1954 void 1955 ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie) 1956 { 1957 u_int ielen = ie[1]+2; 1958 1959 /* Record information element for later use. */ 1960 if (*iep == NULL || (*iep)[1] != ie[1]) { 1961 if (*iep != NULL) 1962 free(*iep, M_DEVBUF); 1963 *iep = malloc(ielen, M_DEVBUF, M_NOWAIT); 1964 } 1965 if (*iep != NULL) 1966 memcpy(*iep, ie, ielen); 1967 /* XXX note failure */ 1968 } 1969 1970 static void 1971 ieee80211_update_adhoc_node(struct ieee80211com *ic, struct ieee80211_node *ni, 1972 struct ieee80211_frame *wh, struct ieee80211_scanparams *scan, int rssi, 1973 u_int32_t rstamp) 1974 { 1975 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 1976 /* 1977 * Create a new entry in the neighbor table. 1978 * Records the TSF. 1979 */ 1980 if ((ni = ieee80211_add_neighbor(ic, wh, scan)) == NULL) 1981 return; 1982 } else if (ni->ni_capinfo == 0) { 1983 /* 1984 * Initialize a node that was "faked up." Records 1985 * the TSF. 1986 * 1987 * No need to check for a change of BSSID: ni could 1988 * not have been the IBSS (ic_bss) 1989 */ 1990 ieee80211_init_neighbor(ic, ni, wh, scan, 0); 1991 } else { 1992 /* Record TSF for potential resync. */ 1993 memcpy(ni->ni_tstamp.data, scan->sp_tstamp, sizeof(ni->ni_tstamp)); 1994 } 1995 1996 ni->ni_rssi = rssi; 1997 ni->ni_rstamp = rstamp; 1998 1999 /* Mark a neighbor's change of BSSID. */ 2000 if (IEEE80211_ADDR_EQ(wh->i_addr3, ni->ni_bssid)) 2001 return; 2002 2003 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 2004 2005 if (ni != ic->ic_bss) 2006 return; 2007 else if (ic->ic_flags & IEEE80211_F_DESBSSID) { 2008 /* 2009 * Now, ni does not represent a network we 2010 * want to belong to, so start a scan. 2011 */ 2012 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 2013 return; 2014 } else { 2015 /* 2016 * A RUN->RUN transition lets the driver 2017 * reprogram its BSSID filter. 2018 * 2019 * No need to SCAN, we already belong to 2020 * an IBSS that meets our criteria: channel, 2021 * SSID, etc. It could be harmful to scan, 2022 * too: if a scan does not detect nodes 2023 * belonging to my current IBSS, then we 2024 * will create a new IBSS at the end of 2025 * the scan, needlessly splitting the 2026 * network. 2027 */ 2028 ieee80211_new_state(ic, IEEE80211_S_RUN, 0); 2029 } 2030 } 2031 2032 /* -------------------------------------------------------------------------- */ 2033 2034 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 2035 if ((__elem) == NULL) { \ 2036 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 2037 wh, ieee80211_mgt_subtype_name[subtype >> \ 2038 IEEE80211_FC0_SUBTYPE_SHIFT], \ 2039 "%s", "no " #__elem ); \ 2040 ic->ic_stats.is_rx_elem_missing++; \ 2041 return; \ 2042 } \ 2043 if ((__elem)[1] > (__maxlen)) { \ 2044 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 2045 wh, ieee80211_mgt_subtype_name[subtype >> \ 2046 IEEE80211_FC0_SUBTYPE_SHIFT], \ 2047 "bad " #__elem " len %d", (__elem)[1]); \ 2048 ic->ic_stats.is_rx_elem_toobig++; \ 2049 return; \ 2050 } \ 2051 } while (0) 2052 2053 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 2054 if ((size_t)(_len) < (size_t)(_minlen)) { \ 2055 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 2056 wh, ieee80211_mgt_subtype_name[subtype >> \ 2057 IEEE80211_FC0_SUBTYPE_SHIFT], \ 2058 "%s", "ie too short"); \ 2059 ic->ic_stats.is_rx_elem_toosmall++; \ 2060 return; \ 2061 } \ 2062 } while (0) 2063 2064 static void 2065 ieee80211_recv_mgmt_beacon(struct ieee80211com *ic, struct mbuf *m0, 2066 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp) 2067 { 2068 struct ieee80211_frame *wh; 2069 u_int8_t *frm, *efrm; 2070 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 2071 struct ieee80211_scanparams scan; 2072 2073 wh = mtod(m0, struct ieee80211_frame *); 2074 frm = (u_int8_t *)(wh + 1); 2075 efrm = mtod(m0, u_int8_t *) + m0->m_len; 2076 2077 /* 2078 * We process beacon/probe response frames: 2079 * o when scanning, or 2080 * o station mode when associated (to collect state 2081 * updates such as 802.11g slot time), or 2082 * o adhoc mode (to discover neighbors) 2083 * Frames otherwise received are discarded. 2084 */ 2085 if (!((ic->ic_flags & IEEE80211_F_SCAN) || 2086 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) || 2087 ic->ic_opmode == IEEE80211_M_IBSS)) { 2088 ic->ic_stats.is_rx_mgtdiscard++; 2089 return; 2090 } 2091 2092 /* 2093 * beacon/probe response frame format 2094 * [8] time stamp 2095 * [2] beacon interval 2096 * [2] capability information 2097 * [tlv] ssid 2098 * [tlv] supported rates 2099 * [tlv] country information 2100 * [tlv] parameter set (FH/DS) 2101 * [tlv] erp information 2102 * [tlv] extended supported rates 2103 * [tlv] WME 2104 * [tlv] WPA or RSN 2105 */ 2106 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 2107 memset(&scan, 0, sizeof(scan)); 2108 scan.sp_tstamp = frm; frm += 8; 2109 scan.sp_bintval = le16toh(*(u_int16_t *)frm); frm += 2; 2110 scan.sp_capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 2111 scan.sp_bchan = ieee80211_chan2ieee(ic, ic->ic_curchan); 2112 scan.sp_chan = scan.sp_bchan; 2113 2114 while (frm + 1 < efrm) { 2115 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2); 2116 2117 switch (*frm) { 2118 case IEEE80211_ELEMID_SSID: 2119 /* no length check needed */ 2120 scan.sp_ssid = frm; 2121 break; 2122 case IEEE80211_ELEMID_RATES: 2123 /* no length check needed */ 2124 scan.sp_rates = frm; 2125 break; 2126 case IEEE80211_ELEMID_COUNTRY: 2127 /* XXX: we don't do anything with this? */ 2128 scan.sp_country = frm; 2129 break; 2130 case IEEE80211_ELEMID_FHPARMS: 2131 IEEE80211_VERIFY_LENGTH(frm[1], 5); 2132 if (ic->ic_phytype == IEEE80211_T_FH) { 2133 scan.sp_fhdwell = LE_READ_2(&frm[2]); 2134 scan.sp_chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 2135 scan.sp_fhindex = frm[6]; 2136 } 2137 break; 2138 case IEEE80211_ELEMID_DSPARMS: 2139 /* 2140 * XXX hack this since depending on phytype 2141 * is problematic for multi-mode devices. 2142 */ 2143 IEEE80211_VERIFY_LENGTH(frm[1], 1); 2144 if (ic->ic_phytype != IEEE80211_T_FH) 2145 scan.sp_chan = frm[2]; 2146 break; 2147 case IEEE80211_ELEMID_TIM: 2148 /* XXX ATIM? */ 2149 IEEE80211_VERIFY_LENGTH(frm[1], 4); 2150 scan.sp_tim = frm; 2151 scan.sp_timoff = frm - mtod(m0, u_int8_t *); 2152 break; 2153 case IEEE80211_ELEMID_IBSSPARMS: 2154 break; 2155 case IEEE80211_ELEMID_XRATES: 2156 scan.sp_xrates = frm; 2157 break; 2158 case IEEE80211_ELEMID_ERP: 2159 if (frm[1] != 1) { 2160 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 2161 wh, "ERP", "bad len %u", frm[1]); 2162 ic->ic_stats.is_rx_elem_toobig++; 2163 break; 2164 } 2165 scan.sp_erp = frm[2]; 2166 break; 2167 case IEEE80211_ELEMID_RSN: 2168 /* no length check needed */ 2169 scan.sp_wpa = frm; 2170 break; 2171 case IEEE80211_ELEMID_VENDOR: 2172 /* no length check needed */ 2173 if (iswpaoui(frm)) 2174 scan.sp_wpa = frm; 2175 else if (iswmeparam(frm) || iswmeinfo(frm)) 2176 scan.sp_wme = frm; 2177 /* XXX Atheros OUI support */ 2178 break; 2179 default: 2180 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 2181 wh, "unhandled", "id %u, len %u", *frm, frm[1]); 2182 ic->ic_stats.is_rx_elem_unknown++; 2183 break; 2184 } 2185 2186 frm += frm[1] + 2; 2187 } 2188 2189 IEEE80211_VERIFY_ELEMENT(scan.sp_rates, IEEE80211_RATE_MAXSIZE); 2190 IEEE80211_VERIFY_ELEMENT(scan.sp_ssid, IEEE80211_NWID_LEN); 2191 2192 if ( 2193 #if IEEE80211_CHAN_MAX < 255 2194 scan.sp_chan > IEEE80211_CHAN_MAX || 2195 #endif 2196 isclr(ic->ic_chan_active, scan.sp_chan)) { 2197 IEEE80211_DISCARD(ic, 2198 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2199 wh, ieee80211_mgt_subtype_name[subtype >> 2200 IEEE80211_FC0_SUBTYPE_SHIFT], 2201 "invalid channel %u", scan.sp_chan); 2202 ic->ic_stats.is_rx_badchan++; 2203 return; 2204 } 2205 2206 if (scan.sp_chan != scan.sp_bchan && 2207 ic->ic_phytype != IEEE80211_T_FH) { 2208 /* 2209 * Frame was received on a channel different from the 2210 * one indicated in the DS params element id; 2211 * silently discard it. 2212 * 2213 * NB: this can happen due to signal leakage. 2214 * But we should take it for FH phy because 2215 * the rssi value should be correct even for 2216 * different hop pattern in FH. 2217 */ 2218 IEEE80211_DISCARD(ic, 2219 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2220 wh, ieee80211_mgt_subtype_name[subtype >> 2221 IEEE80211_FC0_SUBTYPE_SHIFT], 2222 "for off-channel %u", scan.sp_chan); 2223 ic->ic_stats.is_rx_chanmismatch++; 2224 return; 2225 } 2226 2227 if (!(IEEE80211_BINTVAL_MIN <= scan.sp_bintval && 2228 scan.sp_bintval <= IEEE80211_BINTVAL_MAX)) { 2229 IEEE80211_DISCARD(ic, 2230 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2231 wh, ieee80211_mgt_subtype_name[subtype >> 2232 IEEE80211_FC0_SUBTYPE_SHIFT], 2233 "bogus beacon interval", scan.sp_bintval); 2234 ic->ic_stats.is_rx_badbintval++; 2235 return; 2236 } 2237 2238 if (ni != ic->ic_bss) { 2239 ni = ieee80211_refine_node_for_beacon(ic, ni, 2240 &ic->ic_channels[scan.sp_chan], scan.sp_ssid); 2241 } 2242 2243 /* 2244 * Count frame now that we know it's to be processed. 2245 */ 2246 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 2247 ic->ic_stats.is_rx_beacon++; 2248 IEEE80211_NODE_STAT(ni, rx_beacons); 2249 } else { 2250 IEEE80211_NODE_STAT(ni, rx_proberesp); 2251 } 2252 2253 /* 2254 * When operating in station mode, check for state updates. 2255 * Be careful to ignore beacons received while doing a 2256 * background scan. We consider only 11g/WMM stuff right now. 2257 */ 2258 if (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd != 0 && 2259 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 2260 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 2261 /* record tsf of last beacon */ 2262 memcpy(ni->ni_tstamp.data, scan.sp_tstamp, sizeof(ni->ni_tstamp)); 2263 2264 if (ni->ni_erp != scan.sp_erp) { 2265 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2266 "[%s] erp change: was 0x%x, now 0x%x\n", 2267 ether_snprintf(ebuf, sizeof(ebuf), 2268 wh->i_addr2), ni->ni_erp, scan.sp_erp); 2269 2270 if (ic->ic_curmode == IEEE80211_MODE_11G && 2271 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) { 2272 ic->ic_flags |= IEEE80211_F_USEPROT; 2273 } else { 2274 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2275 } 2276 ni->ni_erp = scan.sp_erp; 2277 } 2278 2279 if ((ni->ni_capinfo ^ scan.sp_capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) { 2280 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2281 "[%s] capabilities change: before 0x%x," 2282 " now 0x%x\n", 2283 ether_snprintf(ebuf, sizeof(ebuf), 2284 wh->i_addr2), 2285 ni->ni_capinfo, scan.sp_capinfo); 2286 /* 2287 * NB: we assume short preamble doesn't 2288 * change dynamically 2289 */ 2290 ieee80211_set_shortslottime(ic, 2291 ic->ic_curmode == IEEE80211_MODE_11A || 2292 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2293 ni->ni_capinfo = scan.sp_capinfo; 2294 } 2295 2296 if (scan.sp_wme != NULL && (ni->ni_flags & IEEE80211_NODE_QOS) && 2297 ieee80211_parse_wmeparams(ic, scan.sp_wme, wh) > 0) { 2298 ieee80211_wme_updateparams(ic); 2299 } 2300 2301 if (scan.sp_tim != NULL) { 2302 struct ieee80211_tim_ie *ie = 2303 (struct ieee80211_tim_ie *)scan.sp_tim; 2304 2305 ni->ni_dtim_count = ie->tim_count; 2306 ni->ni_dtim_period = ie->tim_period; 2307 } 2308 2309 if (ic->ic_flags & IEEE80211_F_SCAN) { 2310 ieee80211_add_scan(ic, &scan, wh, subtype, rssi, 2311 rstamp); 2312 } 2313 2314 ic->ic_bmiss_count = 0; 2315 return; 2316 } 2317 2318 /* 2319 * If scanning, just pass information to the scan module. 2320 */ 2321 if (ic->ic_flags & IEEE80211_F_SCAN) { 2322 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 2323 /* 2324 * Actively scanning a channel marked passive; 2325 * send a probe request now that we know there 2326 * is 802.11 traffic present. 2327 * 2328 * XXX check if the beacon we recv'd gives 2329 * us what we need and suppress the probe req 2330 */ 2331 ieee80211_probe_curchan(ic, 1); 2332 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 2333 } 2334 ieee80211_add_scan(ic, &scan, wh, subtype, rssi, rstamp); 2335 return; 2336 } 2337 2338 if (scan.sp_capinfo & IEEE80211_CAPINFO_IBSS) { 2339 ieee80211_update_adhoc_node(ic, ni, wh, &scan, rssi, rstamp); 2340 } 2341 } 2342 2343 static void 2344 ieee80211_recv_mgmt_probe_req(struct ieee80211com *ic, struct mbuf *m0, 2345 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp) 2346 { 2347 struct ieee80211_frame *wh; 2348 u_int8_t *frm, *efrm; 2349 u_int8_t *ssid, *rates, *xrates; 2350 bool need_free = false; 2351 u_int8_t rate; 2352 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 2353 2354 wh = mtod(m0, struct ieee80211_frame *); 2355 frm = (u_int8_t *)(wh + 1); 2356 efrm = mtod(m0, u_int8_t *) + m0->m_len; 2357 2358 if (ic->ic_opmode == IEEE80211_M_STA || 2359 ic->ic_state != IEEE80211_S_RUN) { 2360 ic->ic_stats.is_rx_mgtdiscard++; 2361 return; 2362 } 2363 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 2364 /* frame must be directed */ 2365 ic->ic_stats.is_rx_mgtdiscard++; 2366 return; 2367 } 2368 2369 /* 2370 * prreq frame format 2371 * [tlv] ssid 2372 * [tlv] supported rates 2373 * [tlv] extended supported rates 2374 */ 2375 ssid = rates = xrates = NULL; 2376 while (frm + 1 < efrm) { 2377 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2); 2378 2379 switch (*frm) { 2380 case IEEE80211_ELEMID_SSID: 2381 ssid = frm; 2382 break; 2383 case IEEE80211_ELEMID_RATES: 2384 rates = frm; 2385 break; 2386 case IEEE80211_ELEMID_XRATES: 2387 xrates = frm; 2388 break; 2389 } 2390 2391 frm += frm[1] + 2; 2392 } 2393 2394 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2395 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2396 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2397 2398 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 2399 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 2400 wh, ieee80211_mgt_subtype_name[subtype >> 2401 IEEE80211_FC0_SUBTYPE_SHIFT], 2402 "%s", "no ssid with ssid suppression enabled"); 2403 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/ 2404 return; 2405 } 2406 2407 if (ni == ic->ic_bss) { 2408 if (ic->ic_opmode != IEEE80211_M_IBSS) { 2409 ni = ieee80211_tmp_node(ic, wh->i_addr2); 2410 need_free = true; 2411 } else if (IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 2412 ; 2413 } else { 2414 /* 2415 * XXX Cannot tell if the sender is operating 2416 * in ibss mode. But we need a new node to 2417 * send the response so blindly add them to the 2418 * neighbor table. 2419 */ 2420 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2421 wh->i_addr2); 2422 } 2423 if (ni == NULL) 2424 return; 2425 } 2426 2427 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, "[%s] recv probe req\n", 2428 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2)); 2429 2430 ni->ni_rssi = rssi; 2431 ni->ni_rstamp = rstamp; 2432 rate = ieee80211_setup_rates(ni, rates, xrates, 2433 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE | 2434 IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2435 2436 if (rate & IEEE80211_RATE_BASIC) { 2437 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE, 2438 wh, ieee80211_mgt_subtype_name[subtype >> 2439 IEEE80211_FC0_SUBTYPE_SHIFT], 2440 "%s", "recv'd rate set invalid"); 2441 } else { 2442 IEEE80211_SEND_MGMT(ic, ni, 2443 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2444 } 2445 2446 if (need_free) { 2447 /* reclaim immediately */ 2448 ieee80211_free_node(ni); 2449 } 2450 } 2451 2452 static void 2453 ieee80211_recv_mgmt_auth(struct ieee80211com *ic, struct mbuf *m0, 2454 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp) 2455 { 2456 struct ieee80211_frame *wh; 2457 u_int8_t *frm, *efrm; 2458 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 2459 u_int16_t algo, seq, status; 2460 2461 wh = mtod(m0, struct ieee80211_frame *); 2462 frm = (u_int8_t *)(wh + 1); 2463 efrm = mtod(m0, u_int8_t *) + m0->m_len; 2464 2465 /* 2466 * auth frame format 2467 * [2] algorithm 2468 * [2] sequence 2469 * [2] status 2470 * [tlv*] challenge 2471 */ 2472 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2473 algo = le16toh(*(u_int16_t *)frm); 2474 seq = le16toh(*(u_int16_t *)(frm + 2)); 2475 status = le16toh(*(u_int16_t *)(frm + 4)); 2476 2477 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2478 "[%s] recv auth frame with algorithm %d seq %d\n", 2479 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), algo, seq); 2480 2481 /* 2482 * Consult the ACL policy module if setup. 2483 */ 2484 if (ic->ic_acl != NULL && !ic->ic_acl->iac_check(ic, wh->i_addr2)) { 2485 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL, 2486 wh, "auth", "%s", "disallowed by ACL"); 2487 ic->ic_stats.is_rx_acl++; 2488 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2489 IEEE80211_SEND_MGMT(ic, ni, 2490 IEEE80211_FC0_SUBTYPE_AUTH, 2491 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2492 } 2493 return; 2494 } 2495 2496 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 2497 IEEE80211_DISCARD(ic, 2498 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2499 wh, "auth", "%s", "TKIP countermeasures enabled"); 2500 ic->ic_stats.is_rx_auth_countermeasures++; 2501 #ifndef IEEE80211_NO_HOSTAP 2502 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2503 IEEE80211_SEND_MGMT(ic, ni, 2504 IEEE80211_FC0_SUBTYPE_AUTH, 2505 IEEE80211_REASON_MIC_FAILURE); 2506 } 2507 #endif 2508 return; 2509 } 2510 2511 if (algo == IEEE80211_AUTH_ALG_SHARED) { 2512 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 2513 rstamp, seq, status); 2514 } else if (algo == IEEE80211_AUTH_ALG_OPEN) { 2515 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, status); 2516 } else { 2517 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2518 wh, "auth", "unsupported alg %d", algo); 2519 ic->ic_stats.is_rx_auth_unsupported++; 2520 #ifndef IEEE80211_NO_HOSTAP 2521 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2522 /* XXX not right */ 2523 IEEE80211_SEND_MGMT(ic, ni, 2524 IEEE80211_FC0_SUBTYPE_AUTH, 2525 (seq+1) | (IEEE80211_STATUS_ALG<<16)); 2526 } 2527 #endif 2528 } 2529 } 2530 2531 static void 2532 ieee80211_recv_mgmt_assoc_req(struct ieee80211com *ic, struct mbuf *m0, 2533 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp) 2534 { 2535 struct ieee80211_frame *wh; 2536 u_int8_t *frm, *efrm; 2537 u_int8_t *ssid, *rates, *xrates, *wpa, *wme; 2538 int reassoc, resp; 2539 u_int8_t rate; 2540 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 2541 u_int16_t capinfo, lintval; 2542 struct ieee80211_rsnparms rsn; 2543 u_int8_t reason; 2544 2545 wh = mtod(m0, struct ieee80211_frame *); 2546 frm = (u_int8_t *)(wh + 1); 2547 efrm = mtod(m0, u_int8_t *) + m0->m_len; 2548 2549 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2550 ic->ic_state != IEEE80211_S_RUN) { 2551 ic->ic_stats.is_rx_mgtdiscard++; 2552 return; 2553 } 2554 2555 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2556 reassoc = 1; 2557 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2558 } else { 2559 reassoc = 0; 2560 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2561 } 2562 2563 /* 2564 * asreq frame format 2565 * [2] capability information 2566 * [2] listen interval 2567 * [6*] current AP address (reassoc only) 2568 * [tlv] ssid 2569 * [tlv] supported rates 2570 * [tlv] extended supported rates 2571 * [tlv] WPA or RSN 2572 */ 2573 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 2574 2575 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2576 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2577 wh, ieee80211_mgt_subtype_name[subtype >> 2578 IEEE80211_FC0_SUBTYPE_SHIFT], 2579 "%s", "wrong bssid"); 2580 ic->ic_stats.is_rx_assoc_bss++; 2581 return; 2582 } 2583 2584 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 2585 lintval = le16toh(*(u_int16_t *)frm); frm += 2; 2586 if (reassoc) 2587 frm += 6; /* ignore current AP info */ 2588 2589 ssid = rates = xrates = wpa = wme = NULL; 2590 while (frm + 1 < efrm) { 2591 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2); 2592 2593 switch (*frm) { 2594 case IEEE80211_ELEMID_SSID: 2595 ssid = frm; 2596 break; 2597 case IEEE80211_ELEMID_RATES: 2598 rates = frm; 2599 break; 2600 case IEEE80211_ELEMID_XRATES: 2601 xrates = frm; 2602 break; 2603 /* XXX verify only one of RSN and WPA ie's? */ 2604 case IEEE80211_ELEMID_RSN: 2605 wpa = frm; 2606 break; 2607 case IEEE80211_ELEMID_VENDOR: 2608 if (iswpaoui(frm)) 2609 wpa = frm; 2610 else if (iswmeinfo(frm)) 2611 wme = frm; 2612 /* XXX Atheros OUI support */ 2613 break; 2614 } 2615 2616 frm += frm[1] + 2; 2617 } 2618 2619 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2620 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2621 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2622 2623 if (ni == ic->ic_bss) { 2624 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2625 "[%s] deny %s request, sta not authenticated\n", 2626 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2627 reassoc ? "reassoc" : "assoc"); 2628 ieee80211_send_error(ic, ni, wh->i_addr2, 2629 IEEE80211_FC0_SUBTYPE_DEAUTH, 2630 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2631 ic->ic_stats.is_rx_assoc_notauth++; 2632 return; 2633 } 2634 2635 /* assert right association security credentials */ 2636 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) { 2637 IEEE80211_DPRINTF(ic, 2638 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2639 "[%s] no WPA/RSN IE in association request\n", 2640 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2)); 2641 2642 IEEE80211_SEND_MGMT(ic, ni, 2643 IEEE80211_FC0_SUBTYPE_DEAUTH, 2644 IEEE80211_REASON_RSN_REQUIRED); 2645 ieee80211_node_leave(ic, ni); 2646 2647 /* XXX distinguish WPA/RSN? */ 2648 ic->ic_stats.is_rx_assoc_badwpaie++; 2649 return; 2650 } 2651 2652 if (wpa != NULL) { 2653 /* 2654 * Parse WPA information element. Note that 2655 * we initialize the param block from the node 2656 * state so that information in the IE overrides 2657 * our defaults. The resulting parameters are 2658 * installed below after the association is assured. 2659 */ 2660 rsn = ni->ni_rsn; 2661 if (wpa[0] != IEEE80211_ELEMID_RSN) 2662 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh); 2663 else 2664 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh); 2665 2666 if (reason != 0) { 2667 IEEE80211_SEND_MGMT(ic, ni, 2668 IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 2669 ieee80211_node_leave(ic, ni); 2670 2671 /* XXX distinguish WPA/RSN? */ 2672 ic->ic_stats.is_rx_assoc_badwpaie++; 2673 return; 2674 } 2675 2676 IEEE80211_DPRINTF(ic, 2677 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2678 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n", 2679 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2680 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN", 2681 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen, 2682 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen, 2683 rsn.rsn_keymgmt, rsn.rsn_caps); 2684 } 2685 2686 /* discard challenge after association */ 2687 if (ni->ni_challenge != NULL) { 2688 free(ni->ni_challenge, M_DEVBUF); 2689 ni->ni_challenge = NULL; 2690 } 2691 2692 /* NB: 802.11 spec says to ignore station's privacy bit */ 2693 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2694 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2695 "[%s] deny %s request, capability mismatch 0x%x\n", 2696 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2697 reassoc ? "reassoc" : "assoc", capinfo); 2698 IEEE80211_SEND_MGMT(ic, ni, resp, 2699 IEEE80211_STATUS_CAPINFO); 2700 ieee80211_node_leave(ic, ni); 2701 ic->ic_stats.is_rx_assoc_capmismatch++; 2702 return; 2703 } 2704 2705 rate = ieee80211_setup_rates(ni, rates, xrates, 2706 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE | 2707 IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2708 2709 /* 2710 * If constrained to 11g-only stations reject an 2711 * 11b-only station. We cheat a bit here by looking 2712 * at the max negotiated xmit rate and assuming anyone 2713 * with a best rate <24Mb/s is an 11b station. 2714 */ 2715 if ((rate & IEEE80211_RATE_BASIC) || 2716 ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48)) { 2717 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2718 "[%s] deny %s request, rate set mismatch\n", 2719 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2720 reassoc ? "reassoc" : "assoc"); 2721 IEEE80211_SEND_MGMT(ic, ni, resp, 2722 IEEE80211_STATUS_BASIC_RATE); 2723 ieee80211_node_leave(ic, ni); 2724 ic->ic_stats.is_rx_assoc_norate++; 2725 return; 2726 } 2727 2728 ni->ni_rssi = rssi; 2729 ni->ni_rstamp = rstamp; 2730 ni->ni_intval = lintval; 2731 ni->ni_capinfo = capinfo; 2732 ni->ni_chan = ic->ic_bss->ni_chan; 2733 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 2734 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 2735 2736 if (wpa != NULL) { 2737 /* 2738 * Record WPA/RSN parameters for station, mark 2739 * node as using WPA and record information element 2740 * for applications that require it. 2741 */ 2742 ni->ni_rsn = rsn; 2743 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2744 } else if (ni->ni_wpa_ie != NULL) { 2745 /* 2746 * Flush any state from a previous association. 2747 */ 2748 free(ni->ni_wpa_ie, M_DEVBUF); 2749 ni->ni_wpa_ie = NULL; 2750 } 2751 2752 if (wme != NULL) { 2753 /* 2754 * Record WME parameters for station, mark node 2755 * as capable of QoS and record information 2756 * element for applications that require it. 2757 */ 2758 ieee80211_saveie(&ni->ni_wme_ie, wme); 2759 ni->ni_flags |= IEEE80211_NODE_QOS; 2760 } else if (ni->ni_wme_ie != NULL) { 2761 /* 2762 * Flush any state from a previous association. 2763 */ 2764 free(ni->ni_wme_ie, M_DEVBUF); 2765 ni->ni_wme_ie = NULL; 2766 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2767 } 2768 2769 ieee80211_node_join(ic, ni, resp); 2770 } 2771 2772 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 2773 2774 static void 2775 ieee80211_recv_mgmt_assoc_resp(struct ieee80211com *ic, struct mbuf *m0, 2776 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp) 2777 { 2778 struct ieee80211_frame *wh; 2779 u_int8_t *frm, *efrm; 2780 u_int8_t *rates, *xrates, *wme; 2781 u_int8_t rate; 2782 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 2783 u_int16_t capinfo, associd; 2784 u_int16_t status; 2785 2786 wh = mtod(m0, struct ieee80211_frame *); 2787 frm = (u_int8_t *)(wh + 1); 2788 efrm = mtod(m0, u_int8_t *) + m0->m_len; 2789 2790 if (ic->ic_opmode != IEEE80211_M_STA || 2791 ic->ic_state != IEEE80211_S_ASSOC) { 2792 ic->ic_stats.is_rx_mgtdiscard++; 2793 return; 2794 } 2795 2796 /* 2797 * asresp frame format 2798 * [2] capability information 2799 * [2] status 2800 * [2] association ID 2801 * [tlv] supported rates 2802 * [tlv] extended supported rates 2803 * [tlv] WME 2804 */ 2805 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2806 ni = ic->ic_bss; 2807 capinfo = le16toh(*(u_int16_t *)frm); 2808 frm += 2; 2809 status = le16toh(*(u_int16_t *)frm); 2810 frm += 2; 2811 if (status != 0) { 2812 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2813 "[%s] %sassoc failed (reason %d)\n", 2814 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2815 ISREASSOC(subtype) ? "re" : "", status); 2816 if (ni != ic->ic_bss) /* XXX never true? */ 2817 ni->ni_fails++; 2818 ic->ic_stats.is_rx_auth_fail++; /* XXX */ 2819 return; 2820 } 2821 associd = le16toh(*(u_int16_t *)frm); 2822 frm += 2; 2823 2824 rates = xrates = wme = NULL; 2825 while (frm + 1 < efrm) { 2826 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2); 2827 2828 switch (*frm) { 2829 case IEEE80211_ELEMID_RATES: 2830 rates = frm; 2831 break; 2832 case IEEE80211_ELEMID_XRATES: 2833 xrates = frm; 2834 break; 2835 case IEEE80211_ELEMID_VENDOR: 2836 if (iswmeoui(frm)) 2837 wme = frm; 2838 /* XXX Atheros OUI support */ 2839 break; 2840 } 2841 2842 frm += frm[1] + 2; 2843 } 2844 2845 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2846 2847 rate = ieee80211_setup_rates(ni, rates, xrates, 2848 IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE | 2849 IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2850 2851 if (rate & IEEE80211_RATE_BASIC) { 2852 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2853 "[%s] %sassoc failed (rate set mismatch)\n", 2854 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2855 ISREASSOC(subtype) ? "re" : ""); 2856 if (ni != ic->ic_bss) /* XXX never true? */ 2857 ni->ni_fails++; 2858 ic->ic_stats.is_rx_assoc_norate++; 2859 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 2860 return; 2861 } 2862 2863 ni->ni_capinfo = capinfo; 2864 ni->ni_associd = associd; 2865 if (wme != NULL && ieee80211_parse_wmeparams(ic, wme, wh) >= 0) { 2866 ni->ni_flags |= IEEE80211_NODE_QOS; 2867 ieee80211_wme_updateparams(ic); 2868 } else { 2869 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2870 } 2871 2872 /* 2873 * Configure state now that we are associated. 2874 * 2875 * XXX may need different/additional driver callbacks? 2876 */ 2877 if (ic->ic_curmode == IEEE80211_MODE_11A || 2878 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { 2879 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2880 ic->ic_flags &= ~IEEE80211_F_USEBARKER; 2881 } else { 2882 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2883 ic->ic_flags |= IEEE80211_F_USEBARKER; 2884 } 2885 ieee80211_set_shortslottime(ic, 2886 ic->ic_curmode == IEEE80211_MODE_11A || 2887 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2888 2889 /* 2890 * Honor ERP protection. 2891 * 2892 * NB: ni_erp should zero for non-11g operation. 2893 * XXX check ic_curmode anyway? 2894 */ 2895 if (ic->ic_curmode == IEEE80211_MODE_11G && 2896 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) { 2897 ic->ic_flags |= IEEE80211_F_USEPROT; 2898 } else { 2899 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2900 } 2901 2902 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2903 "[%s] %sassoc success: %s preamble, %s slot time%s%s\n", 2904 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2905 ISREASSOC(subtype) ? "re" : "", 2906 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 2907 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 2908 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 2909 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "" 2910 ); 2911 2912 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype); 2913 } 2914 2915 static void 2916 ieee80211_recv_mgmt_deauth(struct ieee80211com *ic, struct mbuf *m0, 2917 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp) 2918 { 2919 struct ieee80211_frame *wh; 2920 u_int8_t *frm, *efrm; 2921 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 2922 u_int16_t reason; 2923 2924 wh = mtod(m0, struct ieee80211_frame *); 2925 frm = (u_int8_t *)(wh + 1); 2926 efrm = mtod(m0, u_int8_t *) + m0->m_len; 2927 2928 if (ic->ic_state == IEEE80211_S_SCAN) { 2929 ic->ic_stats.is_rx_mgtdiscard++; 2930 return; 2931 } 2932 2933 /* 2934 * deauth frame format 2935 * [2] reason 2936 */ 2937 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2938 reason = le16toh(*(u_int16_t *)frm); 2939 __USE(reason); 2940 ic->ic_stats.is_rx_deauth++; 2941 IEEE80211_NODE_STAT(ni, rx_deauth); 2942 2943 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2944 /* Not intended for this station. */ 2945 ic->ic_stats.is_rx_mgtdiscard++; 2946 return; 2947 } 2948 2949 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2950 "[%s] recv deauthenticate (reason %d)\n", 2951 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), reason); 2952 2953 switch (ic->ic_opmode) { 2954 case IEEE80211_M_STA: 2955 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2956 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2957 break; 2958 case IEEE80211_M_HOSTAP: 2959 #ifndef IEEE80211_NO_HOSTAP 2960 if (ni != ic->ic_bss) 2961 ieee80211_node_leave(ic, ni); 2962 #endif 2963 break; 2964 default: 2965 ic->ic_stats.is_rx_mgtdiscard++; 2966 break; 2967 } 2968 } 2969 2970 static void 2971 ieee80211_recv_mgmt_disassoc(struct ieee80211com *ic, struct mbuf *m0, 2972 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp) 2973 { 2974 struct ieee80211_frame *wh; 2975 u_int8_t *frm, *efrm; 2976 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 2977 u_int16_t reason; 2978 2979 wh = mtod(m0, struct ieee80211_frame *); 2980 frm = (u_int8_t *)(wh + 1); 2981 efrm = mtod(m0, u_int8_t *) + m0->m_len; 2982 2983 if (ic->ic_state != IEEE80211_S_RUN && 2984 ic->ic_state != IEEE80211_S_ASSOC && 2985 ic->ic_state != IEEE80211_S_AUTH) { 2986 ic->ic_stats.is_rx_mgtdiscard++; 2987 return; 2988 } 2989 2990 /* 2991 * disassoc frame format 2992 * [2] reason 2993 */ 2994 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2995 reason = le16toh(*(u_int16_t *)frm); 2996 __USE(reason); 2997 ic->ic_stats.is_rx_disassoc++; 2998 IEEE80211_NODE_STAT(ni, rx_disassoc); 2999 3000 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 3001 /* Not intended for this station. */ 3002 ic->ic_stats.is_rx_mgtdiscard++; 3003 return; 3004 } 3005 3006 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 3007 "[%s] recv disassociate (reason %d)\n", 3008 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), reason); 3009 3010 switch (ic->ic_opmode) { 3011 case IEEE80211_M_STA: 3012 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 3013 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 3014 break; 3015 case IEEE80211_M_HOSTAP: 3016 #ifndef IEEE80211_NO_HOSTAP 3017 if (ni != ic->ic_bss) 3018 ieee80211_node_leave(ic, ni); 3019 #endif 3020 break; 3021 default: 3022 ic->ic_stats.is_rx_mgtdiscard++; 3023 break; 3024 } 3025 } 3026 3027 #undef ISREASSOC 3028 #undef IEEE80211_VERIFY_LENGTH 3029 #undef IEEE80211_VERIFY_ELEMENT 3030 3031 /* -------------------------------------------------------------------------- */ 3032 3033 void 3034 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 3035 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp) 3036 { 3037 struct ieee80211_frame *wh; 3038 3039 wh = mtod(m0, struct ieee80211_frame *); 3040 3041 switch (subtype) { 3042 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 3043 case IEEE80211_FC0_SUBTYPE_BEACON: 3044 ieee80211_recv_mgmt_beacon(ic, m0, ni, subtype, rssi, rstamp); 3045 return; 3046 3047 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 3048 ieee80211_recv_mgmt_probe_req(ic, m0, ni, subtype, rssi, rstamp); 3049 return; 3050 3051 case IEEE80211_FC0_SUBTYPE_AUTH: 3052 ieee80211_recv_mgmt_auth(ic, m0, ni, subtype, rssi, rstamp); 3053 return; 3054 3055 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 3056 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 3057 ieee80211_recv_mgmt_assoc_req(ic, m0, ni, subtype, rssi, rstamp); 3058 return; 3059 3060 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 3061 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 3062 ieee80211_recv_mgmt_assoc_resp(ic, m0, ni, subtype, rssi, rstamp); 3063 return; 3064 3065 case IEEE80211_FC0_SUBTYPE_DEAUTH: 3066 ieee80211_recv_mgmt_deauth(ic, m0, ni, subtype, rssi, rstamp); 3067 return; 3068 3069 case IEEE80211_FC0_SUBTYPE_DISASSOC: 3070 ieee80211_recv_mgmt_disassoc(ic, m0, ni, subtype, rssi, rstamp); 3071 return; 3072 3073 default: 3074 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 3075 wh, "mgt", "subtype 0x%x not handled", subtype); 3076 ic->ic_stats.is_rx_badsubtype++; 3077 break; 3078 } 3079 } 3080 3081 #ifndef IEEE80211_NO_HOSTAP 3082 /* 3083 * Handle station power-save state change. 3084 */ 3085 static void 3086 ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable) 3087 { 3088 struct ieee80211com *ic = ni->ni_ic; 3089 struct mbuf *m; 3090 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 3091 3092 if (enable) { 3093 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0) 3094 ic->ic_ps_sta++; 3095 ni->ni_flags |= IEEE80211_NODE_PWR_MGT; 3096 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 3097 "[%s] power save mode on, %u sta's in ps mode\n", 3098 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 3099 ic->ic_ps_sta); 3100 return; 3101 } 3102 3103 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT) 3104 ic->ic_ps_sta--; 3105 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT; 3106 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 3107 "[%s] power save mode off, %u sta's in ps mode\n", 3108 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), ic->ic_ps_sta); 3109 /* XXX if no stations in ps mode, flush mc frames */ 3110 3111 /* 3112 * Flush queued unicast frames. 3113 */ 3114 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) { 3115 if (ic->ic_set_tim != NULL) 3116 ic->ic_set_tim(ni, 0); /* just in case */ 3117 return; 3118 } 3119 3120 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 3121 "[%s] flush ps queue, %u packets queued\n", 3122 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 3123 IEEE80211_NODE_SAVEQ_QLEN(ni)); 3124 3125 for (;;) { 3126 int qlen; 3127 3128 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 3129 if (m == NULL) 3130 break; 3131 3132 /* 3133 * If this is the last packet, turn off the TIM bit. 3134 * If there are more packets, set the more packets bit 3135 * in the mbuf so ieee80211_encap will mark the 802.11 3136 * head to indicate more data frames will follow. 3137 */ 3138 if (qlen != 0) 3139 m->m_flags |= M_MORE_DATA; 3140 3141 /* XXX need different driver interface */ 3142 /* XXX bypasses q max */ 3143 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 3144 } 3145 3146 if (ic->ic_set_tim != NULL) 3147 ic->ic_set_tim(ni, 0); 3148 } 3149 3150 /* 3151 * Process a received ps-poll frame. 3152 */ 3153 static void 3154 ieee80211_recv_pspoll(struct ieee80211com *ic, struct ieee80211_node *ni, 3155 struct mbuf *m0) 3156 { 3157 struct ieee80211_frame_min *wh; 3158 struct mbuf *m; 3159 u_int16_t aid; 3160 int qlen; 3161 IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 3162 3163 wh = mtod(m0, struct ieee80211_frame_min *); 3164 if (ni->ni_associd == 0) { 3165 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 3166 (struct ieee80211_frame *)wh, "ps-poll", 3167 "%s", "unassociated station"); 3168 ic->ic_stats.is_ps_unassoc++; 3169 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 3170 IEEE80211_REASON_NOT_ASSOCED); 3171 return; 3172 } 3173 3174 aid = le16toh(*(u_int16_t *)wh->i_dur); 3175 if (aid != ni->ni_associd) { 3176 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 3177 (struct ieee80211_frame *)wh, "ps-poll", 3178 "aid mismatch: sta aid 0x%x poll aid 0x%x", 3179 ni->ni_associd, aid); 3180 ic->ic_stats.is_ps_badaid++; 3181 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 3182 IEEE80211_REASON_NOT_ASSOCED); 3183 return; 3184 } 3185 3186 /* Okay, take the first queued packet and put it out... */ 3187 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 3188 if (m == NULL) { 3189 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 3190 "[%s] recv ps-poll, but queue empty\n", 3191 ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2)); 3192 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 3193 ic->ic_stats.is_ps_qempty++; /* XXX node stat */ 3194 if (ic->ic_set_tim != NULL) 3195 ic->ic_set_tim(ni, 0); /* just in case */ 3196 return; 3197 } 3198 3199 /* 3200 * If there are more packets, set the more packets bit 3201 * in the packet dispatched to the station; otherwise 3202 * turn off the TIM bit. 3203 */ 3204 if (qlen != 0) { 3205 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 3206 "[%s] recv ps-poll, send packet, %u still queued\n", 3207 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), qlen); 3208 m->m_flags |= M_MORE_DATA; 3209 } else { 3210 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 3211 "[%s] recv ps-poll, send packet, queue empty\n", 3212 ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 3213 if (ic->ic_set_tim != NULL) 3214 ic->ic_set_tim(ni, 0); 3215 } 3216 3217 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 3218 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 3219 } 3220 #endif /* !IEEE80211_NO_HOSTAP */ 3221 3222 #ifdef IEEE80211_DEBUG 3223 /* 3224 * Debugging support. 3225 */ 3226 3227 /* 3228 * Return the bssid of a frame. 3229 */ 3230 static const u_int8_t * 3231 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh) 3232 { 3233 if (ic->ic_opmode == IEEE80211_M_STA) 3234 return wh->i_addr2; 3235 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS) 3236 return wh->i_addr1; 3237 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL) 3238 return wh->i_addr1; 3239 return wh->i_addr3; 3240 } 3241 3242 void 3243 ieee80211_note(struct ieee80211com *ic, const char *fmt, ...) 3244 { 3245 char buf[128]; /* XXX */ 3246 va_list ap; 3247 3248 va_start(ap, fmt); 3249 vsnprintf(buf, sizeof(buf), fmt, ap); 3250 va_end(ap); 3251 3252 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */ 3253 } 3254 3255 void 3256 ieee80211_note_mac(struct ieee80211com *ic, 3257 const u_int8_t mac[IEEE80211_ADDR_LEN], 3258 const char *fmt, ...) 3259 { 3260 char buf[128]; /* XXX */ 3261 va_list ap; 3262 char ebuf[3 * ETHER_ADDR_LEN]; 3263 3264 va_start(ap, fmt); 3265 vsnprintf(buf, sizeof(buf), fmt, ap); 3266 va_end(ap); 3267 if_printf(ic->ic_ifp, "[%s] %s\n", ether_snprintf(ebuf, sizeof(ebuf), 3268 mac), buf); 3269 } 3270 3271 static void 3272 ieee80211_discard_frame(struct ieee80211com *ic, 3273 const struct ieee80211_frame *wh, 3274 const char *type, const char *fmt, ...) 3275 { 3276 va_list ap; 3277 char ebuf[3 * ETHER_ADDR_LEN]; 3278 3279 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 3280 ether_snprintf(ebuf, sizeof(ebuf), ieee80211_getbssid(ic, wh))); 3281 if (type != NULL) 3282 printf("%s frame, ", type); 3283 else 3284 printf("frame, "); 3285 va_start(ap, fmt); 3286 vprintf(fmt, ap); 3287 va_end(ap); 3288 printf("\n"); 3289 } 3290 3291 static void 3292 ieee80211_discard_ie(struct ieee80211com *ic, 3293 const struct ieee80211_frame *wh, 3294 const char *type, const char *fmt, ...) 3295 { 3296 va_list ap; 3297 char ebuf[3 * ETHER_ADDR_LEN]; 3298 3299 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 3300 ether_snprintf(ebuf, sizeof(ebuf), ieee80211_getbssid(ic, wh))); 3301 if (type != NULL) 3302 printf("%s information element, ", type); 3303 else 3304 printf("information element, "); 3305 va_start(ap, fmt); 3306 vprintf(fmt, ap); 3307 va_end(ap); 3308 printf("\n"); 3309 } 3310 3311 static void 3312 ieee80211_discard_mac(struct ieee80211com *ic, 3313 const u_int8_t mac[IEEE80211_ADDR_LEN], 3314 const char *type, const char *fmt, ...) 3315 { 3316 va_list ap; 3317 char ebuf[3 * ETHER_ADDR_LEN]; 3318 3319 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 3320 ether_snprintf(ebuf, sizeof(ebuf), mac)); 3321 if (type != NULL) 3322 printf("%s frame, ", type); 3323 else 3324 printf("frame, "); 3325 va_start(ap, fmt); 3326 vprintf(fmt, ap); 3327 va_end(ap); 3328 printf("\n"); 3329 } 3330 #endif /* IEEE80211_DEBUG */ 3331