ieee80211_input.c revision 1.91
1 1.90 maxv /* $NetBSD: ieee80211_input.c,v 1.91 2017/12/10 08:56:23 maxv Exp $ */ 2 1.1 dyoung /*- 3 1.1 dyoung * Copyright (c) 2001 Atsushi Onoe 4 1.40 dyoung * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 5 1.1 dyoung * All rights reserved. 6 1.1 dyoung * 7 1.1 dyoung * Redistribution and use in source and binary forms, with or without 8 1.1 dyoung * modification, are permitted provided that the following conditions 9 1.1 dyoung * are met: 10 1.1 dyoung * 1. Redistributions of source code must retain the above copyright 11 1.1 dyoung * notice, this list of conditions and the following disclaimer. 12 1.1 dyoung * 2. Redistributions in binary form must reproduce the above copyright 13 1.1 dyoung * notice, this list of conditions and the following disclaimer in the 14 1.1 dyoung * documentation and/or other materials provided with the distribution. 15 1.1 dyoung * 3. The name of the author may not be used to endorse or promote products 16 1.1 dyoung * derived from this software without specific prior written permission. 17 1.1 dyoung * 18 1.1 dyoung * Alternatively, this software may be distributed under the terms of the 19 1.1 dyoung * GNU General Public License ("GPL") version 2 as published by the Free 20 1.1 dyoung * Software Foundation. 21 1.1 dyoung * 22 1.1 dyoung * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 1.1 dyoung * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 1.1 dyoung * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 1.1 dyoung * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 1.1 dyoung * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 1.1 dyoung * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 1.1 dyoung * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 1.1 dyoung * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 1.1 dyoung * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 1.1 dyoung * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 1.1 dyoung */ 33 1.1 dyoung 34 1.1 dyoung #include <sys/cdefs.h> 35 1.3 dyoung #ifdef __FreeBSD__ 36 1.47 skrll __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.81 2005/08/10 16:22:29 sam Exp $"); 37 1.40 dyoung #endif 38 1.40 dyoung #ifdef __NetBSD__ 39 1.90 maxv __KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.91 2017/12/10 08:56:23 maxv Exp $"); 40 1.3 dyoung #endif 41 1.1 dyoung 42 1.79 pooka #ifdef _KERNEL_OPT 43 1.1 dyoung #include "opt_inet.h" 44 1.79 pooka #endif 45 1.1 dyoung 46 1.5 dyoung #ifdef __NetBSD__ 47 1.5 dyoung #endif /* __NetBSD__ */ 48 1.5 dyoung 49 1.1 dyoung #include <sys/param.h> 50 1.38 perry #include <sys/systm.h> 51 1.85 christos #include <sys/mbuf.h> 52 1.1 dyoung #include <sys/malloc.h> 53 1.40 dyoung #include <sys/endian.h> 54 1.1 dyoung #include <sys/kernel.h> 55 1.74 christos 56 1.1 dyoung #include <sys/socket.h> 57 1.1 dyoung #include <sys/sockio.h> 58 1.1 dyoung #include <sys/endian.h> 59 1.1 dyoung #include <sys/errno.h> 60 1.1 dyoung #include <sys/proc.h> 61 1.1 dyoung #include <sys/sysctl.h> 62 1.87 nonaka #include <sys/cpu.h> 63 1.1 dyoung 64 1.1 dyoung #include <net/if.h> 65 1.1 dyoung #include <net/if_media.h> 66 1.1 dyoung #include <net/if_arp.h> 67 1.4 dyoung #include <net/if_ether.h> 68 1.1 dyoung #include <net/if_llc.h> 69 1.1 dyoung 70 1.1 dyoung #include <net80211/ieee80211_var.h> 71 1.1 dyoung 72 1.1 dyoung #include <net/bpf.h> 73 1.1 dyoung 74 1.1 dyoung #ifdef INET 75 1.74 christos #include <netinet/in.h> 76 1.4 dyoung #include <net/if_ether.h> 77 1.4 dyoung #endif 78 1.1 dyoung 79 1.31 dyoung const struct timeval ieee80211_merge_print_intvl = {.tv_sec = 1, .tv_usec = 0}; 80 1.31 dyoung 81 1.40 dyoung #ifdef IEEE80211_DEBUG 82 1.5 dyoung 83 1.26 mycroft /* 84 1.26 mycroft * Decide if a received management frame should be 85 1.26 mycroft * printed when debugging is enabled. This filters some 86 1.26 mycroft * of the less interesting frames that come frequently 87 1.26 mycroft * (e.g. beacons). 88 1.26 mycroft */ 89 1.26 mycroft static __inline int 90 1.26 mycroft doprint(struct ieee80211com *ic, int subtype) 91 1.26 mycroft { 92 1.26 mycroft switch (subtype) { 93 1.26 mycroft case IEEE80211_FC0_SUBTYPE_BEACON: 94 1.40 dyoung return (ic->ic_flags & IEEE80211_F_SCAN); 95 1.26 mycroft case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 96 1.26 mycroft return (ic->ic_opmode == IEEE80211_M_IBSS); 97 1.26 mycroft } 98 1.26 mycroft return 1; 99 1.26 mycroft } 100 1.40 dyoung 101 1.40 dyoung /* 102 1.40 dyoung * Emit a debug message about discarding a frame or information 103 1.40 dyoung * element. One format is for extracting the mac address from 104 1.40 dyoung * the frame header; the other is for when a header is not 105 1.40 dyoung * available or otherwise appropriate. 106 1.40 dyoung */ 107 1.40 dyoung #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \ 108 1.40 dyoung if ((_ic)->ic_debug & (_m)) \ 109 1.40 dyoung ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 110 1.40 dyoung } while (0) 111 1.40 dyoung #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \ 112 1.40 dyoung if ((_ic)->ic_debug & (_m)) \ 113 1.40 dyoung ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 114 1.40 dyoung } while (0) 115 1.40 dyoung #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \ 116 1.40 dyoung if ((_ic)->ic_debug & (_m)) \ 117 1.40 dyoung ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\ 118 1.40 dyoung } while (0) 119 1.85 christos #define IEEE80211_DEBUGVAR(a) a 120 1.40 dyoung 121 1.40 dyoung static const u_int8_t *ieee80211_getbssid(struct ieee80211com *, 122 1.40 dyoung const struct ieee80211_frame *); 123 1.40 dyoung static void ieee80211_discard_frame(struct ieee80211com *, 124 1.40 dyoung const struct ieee80211_frame *, const char *type, const char *fmt, ...); 125 1.40 dyoung static void ieee80211_discard_ie(struct ieee80211com *, 126 1.40 dyoung const struct ieee80211_frame *, const char *type, const char *fmt, ...); 127 1.40 dyoung static void ieee80211_discard_mac(struct ieee80211com *, 128 1.40 dyoung const u_int8_t mac[IEEE80211_ADDR_LEN], const char *type, 129 1.40 dyoung const char *fmt, ...); 130 1.40 dyoung #else 131 1.40 dyoung #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) 132 1.40 dyoung #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) 133 1.40 dyoung #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) 134 1.85 christos #define IEEE80211_DEBUGVAR(a) 135 1.40 dyoung #endif /* IEEE80211_DEBUG */ 136 1.40 dyoung 137 1.40 dyoung static struct mbuf *ieee80211_defrag(struct ieee80211com *, 138 1.44 dyoung struct ieee80211_node *, struct mbuf *, int); 139 1.44 dyoung static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int); 140 1.44 dyoung static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *, 141 1.44 dyoung const u_int8_t *mac, int subtype, int arg); 142 1.47 skrll static void ieee80211_deliver_data(struct ieee80211com *, 143 1.47 skrll struct ieee80211_node *, struct mbuf *); 144 1.57 dyoung #ifndef IEEE80211_NO_HOSTAP 145 1.40 dyoung static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable); 146 1.40 dyoung static void ieee80211_recv_pspoll(struct ieee80211com *, 147 1.40 dyoung struct ieee80211_node *, struct mbuf *); 148 1.41 dyoung #endif /* !IEEE80211_NO_HOSTAP */ 149 1.56 dyoung static void ieee80211_update_adhoc_node(struct ieee80211com *, 150 1.56 dyoung struct ieee80211_node *, struct ieee80211_frame *, 151 1.56 dyoung struct ieee80211_scanparams *, int, u_int32_t); 152 1.26 mycroft 153 1.1 dyoung /* 154 1.1 dyoung * Process a received frame. The node associated with the sender 155 1.1 dyoung * should be supplied. If nothing was found in the node table then 156 1.1 dyoung * the caller is assumed to supply a reference to ic_bss instead. 157 1.1 dyoung * The RSSI and a timestamp are also supplied. The RSSI data is used 158 1.1 dyoung * during AP scanning to select a AP to associate with; it can have 159 1.1 dyoung * any units so long as values have consistent units and higher values 160 1.1 dyoung * mean ``better signal''. The receive timestamp is currently not used 161 1.1 dyoung * by the 802.11 layer. 162 1.1 dyoung */ 163 1.40 dyoung int 164 1.40 dyoung ieee80211_input(struct ieee80211com *ic, struct mbuf *m, 165 1.40 dyoung struct ieee80211_node *ni, int rssi, u_int32_t rstamp) 166 1.1 dyoung { 167 1.40 dyoung #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 168 1.40 dyoung #define HAS_SEQ(type) ((type & 0x4) == 0) 169 1.40 dyoung struct ifnet *ifp = ic->ic_ifp; 170 1.1 dyoung struct ieee80211_frame *wh; 171 1.40 dyoung struct ieee80211_key *key; 172 1.1 dyoung struct ether_header *eh; 173 1.44 dyoung int hdrspace; 174 1.16 dyoung u_int8_t dir, type, subtype; 175 1.40 dyoung u_int8_t *bssid; 176 1.1 dyoung u_int16_t rxseq; 177 1.85 christos IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 178 1.1 dyoung 179 1.87 nonaka KASSERT(!cpu_intr_p()); 180 1.87 nonaka 181 1.17 dyoung IASSERT(ni != NULL, ("null node")); 182 1.40 dyoung ni->ni_inact = ni->ni_inact_reload; 183 1.1 dyoung 184 1.16 dyoung /* trim CRC here so WEP can find its own CRC at the end of packet. */ 185 1.1 dyoung if (m->m_flags & M_HASFCS) { 186 1.1 dyoung m_adj(m, -IEEE80211_CRC_LEN); 187 1.1 dyoung m->m_flags &= ~M_HASFCS; 188 1.1 dyoung } 189 1.40 dyoung type = -1; /* undefined */ 190 1.16 dyoung /* 191 1.16 dyoung * In monitor mode, send everything directly to bpf. 192 1.16 dyoung * XXX may want to include the CRC 193 1.16 dyoung */ 194 1.40 dyoung if (ic->ic_opmode == IEEE80211_M_MONITOR) 195 1.16 dyoung goto out; 196 1.1 dyoung 197 1.40 dyoung if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 198 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 199 1.40 dyoung ni->ni_macaddr, NULL, 200 1.40 dyoung "too short (1): len %u", m->m_pkthdr.len); 201 1.40 dyoung ic->ic_stats.is_rx_tooshort++; 202 1.40 dyoung goto out; 203 1.40 dyoung } 204 1.40 dyoung /* 205 1.40 dyoung * Bit of a cheat here, we use a pointer for a 3-address 206 1.40 dyoung * frame format but don't reference fields past outside 207 1.40 dyoung * ieee80211_frame_min w/o first validating the data is 208 1.40 dyoung * present. 209 1.40 dyoung */ 210 1.1 dyoung wh = mtod(m, struct ieee80211_frame *); 211 1.40 dyoung 212 1.1 dyoung if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 213 1.1 dyoung IEEE80211_FC0_VERSION_0) { 214 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 215 1.40 dyoung ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 216 1.16 dyoung ic->ic_stats.is_rx_badversion++; 217 1.1 dyoung goto err; 218 1.1 dyoung } 219 1.1 dyoung 220 1.1 dyoung dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 221 1.16 dyoung type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 222 1.40 dyoung subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 223 1.40 dyoung if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 224 1.40 dyoung switch (ic->ic_opmode) { 225 1.40 dyoung case IEEE80211_M_STA: 226 1.40 dyoung bssid = wh->i_addr2; 227 1.40 dyoung if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 228 1.40 dyoung /* not interested in */ 229 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 230 1.85 christos bssid, NULL, "node %s, %s", 231 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), 232 1.85 christos ni->ni_bssid), "not to bss"); 233 1.40 dyoung ic->ic_stats.is_rx_wrongbss++; 234 1.40 dyoung goto out; 235 1.40 dyoung } 236 1.84 mlelstv 237 1.84 mlelstv /* Filter out packets not directed to us in case the 238 1.84 mlelstv * device is in promiscous mode 239 1.84 mlelstv */ 240 1.84 mlelstv if ((! IEEE80211_IS_MULTICAST(wh->i_addr1)) 241 1.84 mlelstv && (! IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr))) { 242 1.84 mlelstv IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 243 1.84 mlelstv bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D", 244 1.84 mlelstv ic->ic_myaddr, ":", wh->i_addr1, ":"); 245 1.84 mlelstv ic->ic_stats.is_rx_wrongbss++; 246 1.84 mlelstv goto out; 247 1.84 mlelstv } 248 1.40 dyoung break; 249 1.40 dyoung case IEEE80211_M_IBSS: 250 1.40 dyoung case IEEE80211_M_AHDEMO: 251 1.40 dyoung case IEEE80211_M_HOSTAP: 252 1.40 dyoung if (dir != IEEE80211_FC1_DIR_NODS) 253 1.40 dyoung bssid = wh->i_addr1; 254 1.40 dyoung else if (type == IEEE80211_FC0_TYPE_CTL) 255 1.40 dyoung bssid = wh->i_addr1; 256 1.40 dyoung else { 257 1.40 dyoung if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 258 1.40 dyoung IEEE80211_DISCARD_MAC(ic, 259 1.40 dyoung IEEE80211_MSG_ANY, ni->ni_macaddr, 260 1.40 dyoung NULL, "too short (2): len %u", 261 1.40 dyoung m->m_pkthdr.len); 262 1.40 dyoung ic->ic_stats.is_rx_tooshort++; 263 1.40 dyoung goto out; 264 1.40 dyoung } 265 1.40 dyoung bssid = wh->i_addr3; 266 1.40 dyoung } 267 1.40 dyoung if (type != IEEE80211_FC0_TYPE_DATA) 268 1.40 dyoung break; 269 1.40 dyoung /* 270 1.40 dyoung * Data frame, validate the bssid. 271 1.40 dyoung */ 272 1.40 dyoung if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 273 1.40 dyoung !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 274 1.40 dyoung /* not interested in */ 275 1.85 christos IEEE80211_DEBUGVAR( 276 1.85 christos char bbuf[3 * ETHER_ADDR_LEN]); 277 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 278 1.85 christos bssid, NULL, "bss %s, broadcast %s, %s", 279 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), 280 1.85 christos ic->ic_bss->ni_bssid), 281 1.85 christos ether_snprintf(bbuf, sizeof(bbuf), 282 1.85 christos ifp->if_broadcastaddr), "not to bss"); 283 1.40 dyoung ic->ic_stats.is_rx_wrongbss++; 284 1.40 dyoung goto out; 285 1.40 dyoung } 286 1.40 dyoung /* 287 1.40 dyoung * For adhoc mode we cons up a node when it doesn't 288 1.40 dyoung * exist. This should probably done after an ACL check. 289 1.40 dyoung */ 290 1.40 dyoung if (ni == ic->ic_bss && 291 1.50 dyoung ic->ic_opmode != IEEE80211_M_HOSTAP && 292 1.50 dyoung !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 293 1.40 dyoung /* 294 1.40 dyoung * Fake up a node for this newly 295 1.40 dyoung * discovered member of the IBSS. 296 1.40 dyoung */ 297 1.40 dyoung ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 298 1.40 dyoung wh->i_addr2); 299 1.40 dyoung if (ni == NULL) { 300 1.40 dyoung /* NB: stat kept for alloc failure */ 301 1.40 dyoung goto err; 302 1.40 dyoung } 303 1.40 dyoung } 304 1.40 dyoung break; 305 1.40 dyoung default: 306 1.40 dyoung goto out; 307 1.40 dyoung } 308 1.1 dyoung ni->ni_rssi = rssi; 309 1.1 dyoung ni->ni_rstamp = rstamp; 310 1.83 mlelstv if (HAS_SEQ(type) && (ic->ic_opmode != IEEE80211_M_STA || 311 1.83 mlelstv !IEEE80211_IS_MULTICAST(wh->i_addr1))) { 312 1.83 mlelstv u_int8_t tid, retry; 313 1.83 mlelstv u_int16_t rxno, orxno; 314 1.83 mlelstv 315 1.75 christos if (ieee80211_has_qos(wh)) { 316 1.40 dyoung tid = ((struct ieee80211_qosframe *)wh)-> 317 1.40 dyoung i_qos[0] & IEEE80211_QOS_TID; 318 1.44 dyoung if (TID_TO_WME_AC(tid) >= WME_AC_VI) 319 1.40 dyoung ic->ic_wme.wme_hipri_traffic++; 320 1.40 dyoung tid++; 321 1.40 dyoung } else 322 1.40 dyoung tid = 0; 323 1.40 dyoung rxseq = le16toh(*(u_int16_t *)wh->i_seq); 324 1.83 mlelstv retry = wh->i_fc[1] & IEEE80211_FC1_RETRY; 325 1.83 mlelstv rxno = rxseq >> IEEE80211_SEQ_SEQ_SHIFT; 326 1.83 mlelstv orxno = ni->ni_rxseqs[tid] >> IEEE80211_SEQ_SEQ_SHIFT; 327 1.83 mlelstv if (retry && ( 328 1.83 mlelstv (orxno == 4095 && rxno == orxno) || 329 1.83 mlelstv (orxno != 4095 && 330 1.83 mlelstv SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) 331 1.83 mlelstv )) { 332 1.40 dyoung /* duplicate, discard */ 333 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 334 1.40 dyoung bssid, "duplicate", 335 1.40 dyoung "seqno <%u,%u> fragno <%u,%u> tid %u", 336 1.83 mlelstv rxno, 337 1.83 mlelstv orxno, 338 1.40 dyoung rxseq & IEEE80211_SEQ_FRAG_MASK, 339 1.40 dyoung ni->ni_rxseqs[tid] & 340 1.40 dyoung IEEE80211_SEQ_FRAG_MASK, 341 1.40 dyoung tid); 342 1.40 dyoung ic->ic_stats.is_rx_dup++; 343 1.40 dyoung IEEE80211_NODE_STAT(ni, rx_dup); 344 1.40 dyoung goto out; 345 1.40 dyoung } 346 1.40 dyoung ni->ni_rxseqs[tid] = rxseq; 347 1.5 dyoung } 348 1.5 dyoung } 349 1.5 dyoung 350 1.16 dyoung switch (type) { 351 1.1 dyoung case IEEE80211_FC0_TYPE_DATA: 352 1.44 dyoung hdrspace = ieee80211_hdrspace(ic, wh); 353 1.44 dyoung if (m->m_len < hdrspace && 354 1.44 dyoung (m = m_pullup(m, hdrspace)) == NULL) { 355 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 356 1.40 dyoung ni->ni_macaddr, NULL, 357 1.44 dyoung "data too short: expecting %u", hdrspace); 358 1.40 dyoung ic->ic_stats.is_rx_tooshort++; 359 1.40 dyoung goto out; /* XXX */ 360 1.40 dyoung } 361 1.90 maxv wh = mtod(m, struct ieee80211_frame *); 362 1.90 maxv 363 1.1 dyoung switch (ic->ic_opmode) { 364 1.1 dyoung case IEEE80211_M_STA: 365 1.16 dyoung if (dir != IEEE80211_FC1_DIR_FROMDS) { 366 1.47 skrll IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 367 1.47 skrll wh, "data", "%s", "unknown dir 0x%x", dir); 368 1.16 dyoung ic->ic_stats.is_rx_wrongdir++; 369 1.1 dyoung goto out; 370 1.16 dyoung } 371 1.1 dyoung if ((ifp->if_flags & IFF_SIMPLEX) && 372 1.1 dyoung IEEE80211_IS_MULTICAST(wh->i_addr1) && 373 1.1 dyoung IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 374 1.1 dyoung /* 375 1.1 dyoung * In IEEE802.11 network, multicast packet 376 1.1 dyoung * sent from me is broadcasted from AP. 377 1.1 dyoung * It should be silently discarded for 378 1.1 dyoung * SIMPLEX interface. 379 1.1 dyoung */ 380 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 381 1.40 dyoung wh, NULL, "%s", "multicast echo"); 382 1.16 dyoung ic->ic_stats.is_rx_mcastecho++; 383 1.1 dyoung goto out; 384 1.1 dyoung } 385 1.1 dyoung break; 386 1.1 dyoung case IEEE80211_M_IBSS: 387 1.1 dyoung case IEEE80211_M_AHDEMO: 388 1.16 dyoung if (dir != IEEE80211_FC1_DIR_NODS) { 389 1.47 skrll IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 390 1.47 skrll wh, "data", "%s", "unknown dir 0x%x", dir); 391 1.16 dyoung ic->ic_stats.is_rx_wrongdir++; 392 1.1 dyoung goto out; 393 1.16 dyoung } 394 1.40 dyoung /* XXX no power-save support */ 395 1.1 dyoung break; 396 1.1 dyoung case IEEE80211_M_HOSTAP: 397 1.41 dyoung #ifndef IEEE80211_NO_HOSTAP 398 1.16 dyoung if (dir != IEEE80211_FC1_DIR_TODS) { 399 1.47 skrll IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 400 1.47 skrll wh, "data", "%s", "unknown dir 0x%x", dir); 401 1.16 dyoung ic->ic_stats.is_rx_wrongdir++; 402 1.1 dyoung goto out; 403 1.16 dyoung } 404 1.1 dyoung /* check if source STA is associated */ 405 1.1 dyoung if (ni == ic->ic_bss) { 406 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 407 1.40 dyoung wh, "data", "%s", "unknown src"); 408 1.44 dyoung ieee80211_send_error(ic, ni, wh->i_addr2, 409 1.44 dyoung IEEE80211_FC0_SUBTYPE_DEAUTH, 410 1.44 dyoung IEEE80211_REASON_NOT_AUTHED); 411 1.16 dyoung ic->ic_stats.is_rx_notassoc++; 412 1.1 dyoung goto err; 413 1.1 dyoung } 414 1.1 dyoung if (ni->ni_associd == 0) { 415 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 416 1.40 dyoung wh, "data", "%s", "unassoc src"); 417 1.1 dyoung IEEE80211_SEND_MGMT(ic, ni, 418 1.1 dyoung IEEE80211_FC0_SUBTYPE_DISASSOC, 419 1.1 dyoung IEEE80211_REASON_NOT_ASSOCED); 420 1.16 dyoung ic->ic_stats.is_rx_notassoc++; 421 1.1 dyoung goto err; 422 1.1 dyoung } 423 1.40 dyoung 424 1.40 dyoung /* 425 1.40 dyoung * Check for power save state change. 426 1.40 dyoung */ 427 1.40 dyoung if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 428 1.40 dyoung (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 429 1.40 dyoung ieee80211_node_pwrsave(ni, 430 1.40 dyoung wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 431 1.41 dyoung #endif /* !IEEE80211_NO_HOSTAP */ 432 1.1 dyoung break; 433 1.40 dyoung default: 434 1.40 dyoung /* XXX here to keep compiler happy */ 435 1.40 dyoung goto out; 436 1.1 dyoung } 437 1.40 dyoung 438 1.40 dyoung /* 439 1.40 dyoung * Handle privacy requirements. Note that we 440 1.40 dyoung * must not be preempted from here until after 441 1.40 dyoung * we (potentially) call ieee80211_crypto_demic; 442 1.40 dyoung * otherwise we may violate assumptions in the 443 1.40 dyoung * crypto cipher modules used to do delayed update 444 1.40 dyoung * of replay sequence numbers. 445 1.40 dyoung */ 446 1.1 dyoung if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 447 1.40 dyoung if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 448 1.40 dyoung /* 449 1.40 dyoung * Discard encrypted frames when privacy is off. 450 1.40 dyoung */ 451 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 452 1.40 dyoung wh, "WEP", "%s", "PRIVACY off"); 453 1.40 dyoung ic->ic_stats.is_rx_noprivacy++; 454 1.40 dyoung IEEE80211_NODE_STAT(ni, rx_noprivacy); 455 1.40 dyoung goto out; 456 1.40 dyoung } 457 1.91 maxv key = ieee80211_crypto_decap(ic, ni, &m, hdrspace); 458 1.40 dyoung if (key == NULL) { 459 1.40 dyoung /* NB: stats+msgs handled in crypto_decap */ 460 1.40 dyoung IEEE80211_NODE_STAT(ni, rx_wepfail); 461 1.40 dyoung goto out; 462 1.40 dyoung } 463 1.40 dyoung wh = mtod(m, struct ieee80211_frame *); 464 1.40 dyoung wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 465 1.40 dyoung } else { 466 1.40 dyoung key = NULL; 467 1.40 dyoung } 468 1.40 dyoung 469 1.40 dyoung /* 470 1.40 dyoung * Next up, any fragmentation. 471 1.40 dyoung */ 472 1.40 dyoung if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 473 1.44 dyoung m = ieee80211_defrag(ic, ni, m, hdrspace); 474 1.40 dyoung if (m == NULL) { 475 1.40 dyoung /* Fragment dropped or frame not complete yet */ 476 1.1 dyoung goto out; 477 1.16 dyoung } 478 1.1 dyoung } 479 1.40 dyoung wh = NULL; /* no longer valid, catch any uses */ 480 1.40 dyoung 481 1.40 dyoung /* 482 1.40 dyoung * Next strip any MSDU crypto bits. 483 1.40 dyoung */ 484 1.44 dyoung if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) { 485 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 486 1.40 dyoung ni->ni_macaddr, "data", "%s", "demic error"); 487 1.40 dyoung IEEE80211_NODE_STAT(ni, rx_demicfail); 488 1.40 dyoung goto out; 489 1.40 dyoung } 490 1.40 dyoung 491 1.1 dyoung /* copy to listener after decrypt */ 492 1.70 joerg bpf_mtap3(ic->ic_rawbpf, m); 493 1.40 dyoung 494 1.40 dyoung /* 495 1.40 dyoung * Finally, strip the 802.11 header. 496 1.40 dyoung */ 497 1.44 dyoung m = ieee80211_decap(ic, m, hdrspace); 498 1.15 dyoung if (m == NULL) { 499 1.40 dyoung /* don't count Null data frames as errors */ 500 1.40 dyoung if (subtype == IEEE80211_FC0_SUBTYPE_NODATA) 501 1.40 dyoung goto out; 502 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 503 1.40 dyoung ni->ni_macaddr, "data", "%s", "decap error"); 504 1.16 dyoung ic->ic_stats.is_rx_decap++; 505 1.40 dyoung IEEE80211_NODE_STAT(ni, rx_decap); 506 1.1 dyoung goto err; 507 1.15 dyoung } 508 1.40 dyoung eh = mtod(m, struct ether_header *); 509 1.40 dyoung if (!ieee80211_node_is_authorized(ni)) { 510 1.40 dyoung /* 511 1.40 dyoung * Deny any non-PAE frames received prior to 512 1.40 dyoung * authorization. For open/shared-key 513 1.40 dyoung * authentication the port is mark authorized 514 1.40 dyoung * after authentication completes. For 802.1x 515 1.40 dyoung * the port is not marked authorized by the 516 1.40 dyoung * authenticator until the handshake has completed. 517 1.40 dyoung */ 518 1.40 dyoung if (eh->ether_type != htons(ETHERTYPE_PAE)) { 519 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 520 1.40 dyoung eh->ether_shost, "data", 521 1.40 dyoung "unauthorized port: ether type 0x%x len %u", 522 1.40 dyoung eh->ether_type, m->m_pkthdr.len); 523 1.40 dyoung ic->ic_stats.is_rx_unauth++; 524 1.40 dyoung IEEE80211_NODE_STAT(ni, rx_unauth); 525 1.40 dyoung goto err; 526 1.40 dyoung } 527 1.40 dyoung } else { 528 1.40 dyoung /* 529 1.40 dyoung * When denying unencrypted frames, discard 530 1.40 dyoung * any non-PAE frames received without encryption. 531 1.40 dyoung */ 532 1.40 dyoung if ((ic->ic_flags & IEEE80211_F_DROPUNENC) && 533 1.40 dyoung key == NULL && 534 1.40 dyoung eh->ether_type != htons(ETHERTYPE_PAE)) { 535 1.40 dyoung /* 536 1.40 dyoung * Drop unencrypted frames. 537 1.40 dyoung */ 538 1.40 dyoung ic->ic_stats.is_rx_unencrypted++; 539 1.40 dyoung IEEE80211_NODE_STAT(ni, rx_unencrypted); 540 1.40 dyoung goto out; 541 1.40 dyoung } 542 1.40 dyoung } 543 1.1 dyoung ifp->if_ipackets++; 544 1.40 dyoung IEEE80211_NODE_STAT(ni, rx_data); 545 1.40 dyoung IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 546 1.1 dyoung 547 1.47 skrll ieee80211_deliver_data(ic, ni, m); 548 1.40 dyoung return IEEE80211_FC0_TYPE_DATA; 549 1.1 dyoung 550 1.1 dyoung case IEEE80211_FC0_TYPE_MGT: 551 1.40 dyoung IEEE80211_NODE_STAT(ni, rx_mgmt); 552 1.16 dyoung if (dir != IEEE80211_FC1_DIR_NODS) { 553 1.47 skrll IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 554 1.47 skrll wh, "data", "%s", "unknown dir 0x%x", dir); 555 1.16 dyoung ic->ic_stats.is_rx_wrongdir++; 556 1.1 dyoung goto err; 557 1.16 dyoung } 558 1.40 dyoung if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 559 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 560 1.40 dyoung ni->ni_macaddr, "mgt", "too short: len %u", 561 1.40 dyoung m->m_pkthdr.len); 562 1.40 dyoung ic->ic_stats.is_rx_tooshort++; 563 1.1 dyoung goto out; 564 1.16 dyoung } 565 1.1 dyoung #ifdef IEEE80211_DEBUG 566 1.26 mycroft if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 567 1.26 mycroft ieee80211_msg_dumppkts(ic)) { 568 1.40 dyoung if_printf(ic->ic_ifp, "received %s from %s rssi %d\n", 569 1.40 dyoung ieee80211_mgt_subtype_name[subtype >> 570 1.40 dyoung IEEE80211_FC0_SUBTYPE_SHIFT], 571 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 572 1.85 christos rssi); 573 1.26 mycroft } 574 1.1 dyoung #endif 575 1.40 dyoung if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 576 1.40 dyoung if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 577 1.40 dyoung /* 578 1.40 dyoung * Only shared key auth frames with a challenge 579 1.40 dyoung * should be encrypted, discard all others. 580 1.40 dyoung */ 581 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 582 1.40 dyoung wh, ieee80211_mgt_subtype_name[subtype >> 583 1.40 dyoung IEEE80211_FC0_SUBTYPE_SHIFT], 584 1.40 dyoung "%s", "WEP set but not permitted"); 585 1.40 dyoung ic->ic_stats.is_rx_mgtdiscard++; /* XXX */ 586 1.40 dyoung goto out; 587 1.40 dyoung } 588 1.40 dyoung if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 589 1.40 dyoung /* 590 1.40 dyoung * Discard encrypted frames when privacy is off. 591 1.40 dyoung */ 592 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 593 1.40 dyoung wh, "mgt", "%s", "WEP set but PRIVACY off"); 594 1.40 dyoung ic->ic_stats.is_rx_noprivacy++; 595 1.40 dyoung goto out; 596 1.40 dyoung } 597 1.44 dyoung hdrspace = ieee80211_hdrspace(ic, wh); 598 1.91 maxv key = ieee80211_crypto_decap(ic, ni, &m, hdrspace); 599 1.40 dyoung if (key == NULL) { 600 1.40 dyoung /* NB: stats+msgs handled in crypto_decap */ 601 1.40 dyoung goto out; 602 1.40 dyoung } 603 1.40 dyoung wh = mtod(m, struct ieee80211_frame *); 604 1.40 dyoung wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 605 1.40 dyoung } 606 1.70 joerg bpf_mtap3(ic->ic_rawbpf, m); 607 1.1 dyoung (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 608 1.1 dyoung m_freem(m); 609 1.40 dyoung return type; 610 1.1 dyoung 611 1.1 dyoung case IEEE80211_FC0_TYPE_CTL: 612 1.40 dyoung IEEE80211_NODE_STAT(ni, rx_ctrl); 613 1.16 dyoung ic->ic_stats.is_rx_ctl++; 614 1.41 dyoung #ifndef IEEE80211_NO_HOSTAP 615 1.40 dyoung if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 616 1.40 dyoung switch (subtype) { 617 1.40 dyoung case IEEE80211_FC0_SUBTYPE_PS_POLL: 618 1.40 dyoung ieee80211_recv_pspoll(ic, ni, m); 619 1.40 dyoung break; 620 1.40 dyoung } 621 1.5 dyoung } 622 1.41 dyoung #endif /* !IEEE80211_NO_HOSTAP */ 623 1.5 dyoung goto out; 624 1.1 dyoung default: 625 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 626 1.40 dyoung wh, NULL, "bad frame type 0x%x", type); 627 1.1 dyoung /* should not come here */ 628 1.1 dyoung break; 629 1.1 dyoung } 630 1.40 dyoung err: 631 1.1 dyoung ifp->if_ierrors++; 632 1.40 dyoung out: 633 1.1 dyoung if (m != NULL) { 634 1.70 joerg bpf_mtap3(ic->ic_rawbpf, m); 635 1.1 dyoung m_freem(m); 636 1.1 dyoung } 637 1.40 dyoung return type; 638 1.40 dyoung #undef SEQ_LEQ 639 1.40 dyoung } 640 1.40 dyoung 641 1.40 dyoung /* 642 1.40 dyoung * This function reassemble fragments. 643 1.40 dyoung */ 644 1.40 dyoung static struct mbuf * 645 1.64 christos ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni, 646 1.44 dyoung struct mbuf *m, int hdrspace) 647 1.40 dyoung { 648 1.40 dyoung struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 649 1.40 dyoung struct ieee80211_frame *lwh; 650 1.40 dyoung u_int16_t rxseq; 651 1.40 dyoung u_int8_t fragno; 652 1.40 dyoung u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG; 653 1.40 dyoung struct mbuf *mfrag; 654 1.40 dyoung 655 1.40 dyoung IASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?")); 656 1.40 dyoung 657 1.40 dyoung rxseq = le16toh(*(u_int16_t *)wh->i_seq); 658 1.40 dyoung fragno = rxseq & IEEE80211_SEQ_FRAG_MASK; 659 1.40 dyoung 660 1.40 dyoung /* Quick way out, if there's nothing to defragment */ 661 1.40 dyoung if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) 662 1.40 dyoung return m; 663 1.40 dyoung 664 1.40 dyoung /* 665 1.40 dyoung * Remove frag to insure it doesn't get reaped by timer. 666 1.40 dyoung */ 667 1.40 dyoung if (ni->ni_table == NULL) { 668 1.40 dyoung /* 669 1.40 dyoung * Should never happen. If the node is orphaned (not in 670 1.40 dyoung * the table) then input packets should not reach here. 671 1.40 dyoung * Otherwise, a concurrent request that yanks the table 672 1.40 dyoung * should be blocked by other interlocking and/or by first 673 1.40 dyoung * shutting the driver down. Regardless, be defensive 674 1.40 dyoung * here and just bail 675 1.40 dyoung */ 676 1.40 dyoung /* XXX need msg+stat */ 677 1.40 dyoung m_freem(m); 678 1.40 dyoung return NULL; 679 1.40 dyoung } 680 1.40 dyoung IEEE80211_NODE_LOCK(ni->ni_table); 681 1.40 dyoung mfrag = ni->ni_rxfrag[0]; 682 1.40 dyoung ni->ni_rxfrag[0] = NULL; 683 1.40 dyoung IEEE80211_NODE_UNLOCK(ni->ni_table); 684 1.40 dyoung 685 1.40 dyoung /* 686 1.40 dyoung * Validate new fragment is in order and 687 1.40 dyoung * related to the previous ones. 688 1.40 dyoung */ 689 1.40 dyoung if (mfrag != NULL) { 690 1.40 dyoung u_int16_t last_rxseq; 691 1.40 dyoung 692 1.40 dyoung lwh = mtod(mfrag, struct ieee80211_frame *); 693 1.40 dyoung last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq); 694 1.40 dyoung /* NB: check seq # and frag together */ 695 1.40 dyoung if (rxseq != last_rxseq+1 || 696 1.40 dyoung !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) || 697 1.40 dyoung !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { 698 1.40 dyoung /* 699 1.40 dyoung * Unrelated fragment or no space for it, 700 1.40 dyoung * clear current fragments. 701 1.40 dyoung */ 702 1.40 dyoung m_freem(mfrag); 703 1.40 dyoung mfrag = NULL; 704 1.40 dyoung } 705 1.40 dyoung } 706 1.40 dyoung 707 1.40 dyoung if (mfrag == NULL) { 708 1.40 dyoung if (fragno != 0) { /* !first fragment, discard */ 709 1.40 dyoung IEEE80211_NODE_STAT(ni, rx_defrag); 710 1.40 dyoung m_freem(m); 711 1.40 dyoung return NULL; 712 1.40 dyoung } 713 1.40 dyoung mfrag = m; 714 1.40 dyoung } else { /* concatenate */ 715 1.44 dyoung m_adj(m, hdrspace); /* strip header */ 716 1.40 dyoung m_cat(mfrag, m); 717 1.40 dyoung /* NB: m_cat doesn't update the packet header */ 718 1.40 dyoung mfrag->m_pkthdr.len += m->m_pkthdr.len; 719 1.40 dyoung /* track last seqnum and fragno */ 720 1.40 dyoung lwh = mtod(mfrag, struct ieee80211_frame *); 721 1.40 dyoung *(u_int16_t *) lwh->i_seq = *(u_int16_t *) wh->i_seq; 722 1.40 dyoung } 723 1.40 dyoung if (more_frag) { /* more to come, save */ 724 1.40 dyoung ni->ni_rxfragstamp = ticks; 725 1.40 dyoung ni->ni_rxfrag[0] = mfrag; 726 1.40 dyoung mfrag = NULL; 727 1.40 dyoung } 728 1.40 dyoung return mfrag; 729 1.1 dyoung } 730 1.1 dyoung 731 1.47 skrll static void 732 1.47 skrll ieee80211_deliver_data(struct ieee80211com *ic, 733 1.47 skrll struct ieee80211_node *ni, struct mbuf *m) 734 1.47 skrll { 735 1.47 skrll struct ether_header *eh = mtod(m, struct ether_header *); 736 1.47 skrll struct ifnet *ifp = ic->ic_ifp; 737 1.68 joerg int error; 738 1.47 skrll 739 1.47 skrll /* perform as a bridge within the AP */ 740 1.47 skrll if (ic->ic_opmode == IEEE80211_M_HOSTAP && 741 1.47 skrll (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) { 742 1.47 skrll struct mbuf *m1 = NULL; 743 1.47 skrll 744 1.47 skrll if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 745 1.47 skrll m1 = m_copypacket(m, M_DONTWAIT); 746 1.47 skrll if (m1 == NULL) 747 1.47 skrll ifp->if_oerrors++; 748 1.47 skrll else 749 1.47 skrll m1->m_flags |= M_MCAST; 750 1.47 skrll } else { 751 1.47 skrll /* 752 1.47 skrll * Check if the destination is known; if so 753 1.47 skrll * and the port is authorized dispatch directly. 754 1.47 skrll */ 755 1.47 skrll struct ieee80211_node *sta = 756 1.47 skrll ieee80211_find_node(&ic->ic_sta, eh->ether_dhost); 757 1.47 skrll if (sta != NULL) { 758 1.47 skrll if (ieee80211_node_is_authorized(sta)) { 759 1.47 skrll /* 760 1.47 skrll * Beware of sending to ourself; this 761 1.47 skrll * needs to happen via the normal 762 1.47 skrll * input path. 763 1.47 skrll */ 764 1.47 skrll if (sta != ic->ic_bss) { 765 1.47 skrll m1 = m; 766 1.47 skrll m = NULL; 767 1.47 skrll } 768 1.47 skrll } else { 769 1.47 skrll ic->ic_stats.is_rx_unauth++; 770 1.47 skrll IEEE80211_NODE_STAT(sta, rx_unauth); 771 1.47 skrll } 772 1.47 skrll ieee80211_free_node(sta); 773 1.47 skrll } 774 1.47 skrll } 775 1.47 skrll if (m1 != NULL) { 776 1.47 skrll int len; 777 1.47 skrll #ifdef ALTQ 778 1.47 skrll if (ALTQ_IS_ENABLED(&ifp->if_snd)) { 779 1.81 knakahar altq_etherclassify(&ifp->if_snd, m1); 780 1.47 skrll } 781 1.47 skrll #endif 782 1.47 skrll len = m1->m_pkthdr.len; 783 1.82 knakahar IFQ_ENQUEUE(&ifp->if_snd, m1, error); 784 1.68 joerg if (error) { 785 1.88 ozaki ifp->if_oerrors++; 786 1.68 joerg m = NULL; 787 1.68 joerg } 788 1.47 skrll ifp->if_obytes += len; 789 1.47 skrll } 790 1.47 skrll } 791 1.47 skrll if (m != NULL) { 792 1.47 skrll 793 1.89 knakahar if (ni->ni_vlan != 0) 794 1.89 knakahar vlan_set_tag(m, ni->ni_vlan); 795 1.80 ozaki 796 1.80 ozaki /* 797 1.80 ozaki * XXX once ieee80211_input (or rxintr itself) runs in softint 798 1.80 ozaki * we have to change here too to use if_input. 799 1.80 ozaki */ 800 1.80 ozaki KASSERT(ifp->if_percpuq); 801 1.80 ozaki if_percpuq_enqueue(ifp->if_percpuq, m); 802 1.47 skrll } 803 1.47 skrll return; 804 1.47 skrll } 805 1.47 skrll 806 1.40 dyoung static struct mbuf * 807 1.64 christos ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 808 1.1 dyoung { 809 1.44 dyoung struct ieee80211_qosframe_addr4 wh; /* Max size address frames */ 810 1.1 dyoung struct ether_header *eh; 811 1.1 dyoung struct llc *llc; 812 1.1 dyoung 813 1.44 dyoung if (m->m_len < hdrlen + sizeof(*llc) && 814 1.44 dyoung (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) { 815 1.40 dyoung /* XXX stat, msg */ 816 1.40 dyoung return NULL; 817 1.1 dyoung } 818 1.65 christos memcpy(&wh, mtod(m, void *), hdrlen); 819 1.65 christos llc = (struct llc *)(mtod(m, char *) + hdrlen); 820 1.1 dyoung if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 821 1.1 dyoung llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 822 1.1 dyoung llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 823 1.44 dyoung m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); 824 1.1 dyoung llc = NULL; 825 1.1 dyoung } else { 826 1.44 dyoung m_adj(m, hdrlen - sizeof(*eh)); 827 1.1 dyoung } 828 1.1 dyoung eh = mtod(m, struct ether_header *); 829 1.1 dyoung switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 830 1.1 dyoung case IEEE80211_FC1_DIR_NODS: 831 1.1 dyoung IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 832 1.1 dyoung IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 833 1.1 dyoung break; 834 1.1 dyoung case IEEE80211_FC1_DIR_TODS: 835 1.1 dyoung IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 836 1.1 dyoung IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 837 1.1 dyoung break; 838 1.1 dyoung case IEEE80211_FC1_DIR_FROMDS: 839 1.1 dyoung IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 840 1.1 dyoung IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 841 1.1 dyoung break; 842 1.1 dyoung case IEEE80211_FC1_DIR_DSTODS: 843 1.44 dyoung IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 844 1.44 dyoung IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 845 1.44 dyoung break; 846 1.1 dyoung } 847 1.1 dyoung #ifdef ALIGNED_POINTER 848 1.66 christos if (!ALIGNED_POINTER(mtod(m, char *) + sizeof(*eh), u_int32_t)) { 849 1.1 dyoung struct mbuf *n, *n0, **np; 850 1.65 christos char *newdata; 851 1.1 dyoung int off, pktlen; 852 1.1 dyoung 853 1.1 dyoung n0 = NULL; 854 1.1 dyoung np = &n0; 855 1.1 dyoung off = 0; 856 1.1 dyoung pktlen = m->m_pkthdr.len; 857 1.1 dyoung while (pktlen > off) { 858 1.1 dyoung if (n0 == NULL) { 859 1.1 dyoung MGETHDR(n, M_DONTWAIT, MT_DATA); 860 1.1 dyoung if (n == NULL) { 861 1.1 dyoung m_freem(m); 862 1.1 dyoung return NULL; 863 1.1 dyoung } 864 1.45 yamt M_MOVE_PKTHDR(n, m); 865 1.1 dyoung n->m_len = MHLEN; 866 1.1 dyoung } else { 867 1.1 dyoung MGET(n, M_DONTWAIT, MT_DATA); 868 1.1 dyoung if (n == NULL) { 869 1.1 dyoung m_freem(m); 870 1.1 dyoung m_freem(n0); 871 1.1 dyoung return NULL; 872 1.1 dyoung } 873 1.1 dyoung n->m_len = MLEN; 874 1.1 dyoung } 875 1.1 dyoung if (pktlen - off >= MINCLSIZE) { 876 1.1 dyoung MCLGET(n, M_DONTWAIT); 877 1.1 dyoung if (n->m_flags & M_EXT) 878 1.1 dyoung n->m_len = n->m_ext.ext_size; 879 1.1 dyoung } 880 1.1 dyoung if (n0 == NULL) { 881 1.1 dyoung newdata = 882 1.65 christos (char *)ALIGN(n->m_data + sizeof(*eh)) - 883 1.1 dyoung sizeof(*eh); 884 1.1 dyoung n->m_len -= newdata - n->m_data; 885 1.1 dyoung n->m_data = newdata; 886 1.1 dyoung } 887 1.1 dyoung if (n->m_len > pktlen - off) 888 1.1 dyoung n->m_len = pktlen - off; 889 1.65 christos m_copydata(m, off, n->m_len, mtod(n, void *)); 890 1.1 dyoung off += n->m_len; 891 1.1 dyoung *np = n; 892 1.1 dyoung np = &n->m_next; 893 1.1 dyoung } 894 1.1 dyoung m_freem(m); 895 1.1 dyoung m = n0; 896 1.1 dyoung } 897 1.1 dyoung #endif /* ALIGNED_POINTER */ 898 1.1 dyoung if (llc != NULL) { 899 1.1 dyoung eh = mtod(m, struct ether_header *); 900 1.1 dyoung eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 901 1.1 dyoung } 902 1.1 dyoung return m; 903 1.1 dyoung } 904 1.1 dyoung 905 1.1 dyoung /* 906 1.1 dyoung * Install received rate set information in the node's state block. 907 1.1 dyoung */ 908 1.47 skrll int 909 1.47 skrll ieee80211_setup_rates(struct ieee80211_node *ni, 910 1.47 skrll const u_int8_t *rates, const u_int8_t *xrates, int flags) 911 1.1 dyoung { 912 1.47 skrll struct ieee80211com *ic = ni->ni_ic; 913 1.1 dyoung struct ieee80211_rateset *rs = &ni->ni_rates; 914 1.1 dyoung 915 1.1 dyoung memset(rs, 0, sizeof(*rs)); 916 1.1 dyoung rs->rs_nrates = rates[1]; 917 1.1 dyoung memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 918 1.1 dyoung if (xrates != NULL) { 919 1.1 dyoung u_int8_t nxrates; 920 1.1 dyoung /* 921 1.1 dyoung * Tack on 11g extended supported rate element. 922 1.1 dyoung */ 923 1.1 dyoung nxrates = xrates[1]; 924 1.1 dyoung if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 925 1.85 christos IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 926 1.1 dyoung nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 927 1.25 mycroft IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 928 1.40 dyoung "[%s] extended rate set too large;" 929 1.40 dyoung " only using %u of %u rates\n", 930 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 931 1.85 christos nxrates, xrates[1]); 932 1.16 dyoung ic->ic_stats.is_rx_rstoobig++; 933 1.1 dyoung } 934 1.1 dyoung memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 935 1.1 dyoung rs->rs_nrates += nxrates; 936 1.1 dyoung } 937 1.47 skrll return ieee80211_fix_rate(ni, flags); 938 1.1 dyoung } 939 1.1 dyoung 940 1.7 dyoung static void 941 1.7 dyoung ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 942 1.64 christos struct ieee80211_node *ni, int rssi, u_int32_t rstamp, 943 1.63 christos u_int16_t seq, u_int16_t status) 944 1.7 dyoung { 945 1.85 christos IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 946 1.40 dyoung 947 1.44 dyoung if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 948 1.44 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 949 1.44 dyoung ni->ni_macaddr, "open auth", 950 1.44 dyoung "bad sta auth mode %u", ni->ni_authmode); 951 1.44 dyoung ic->ic_stats.is_rx_bad_auth++; /* XXX */ 952 1.44 dyoung if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 953 1.44 dyoung /* XXX hack to workaround calling convention */ 954 1.74 christos ieee80211_send_error(ic, ni, wh->i_addr2, 955 1.44 dyoung IEEE80211_FC0_SUBTYPE_AUTH, 956 1.44 dyoung (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 957 1.44 dyoung } 958 1.44 dyoung return; 959 1.44 dyoung } 960 1.7 dyoung switch (ic->ic_opmode) { 961 1.7 dyoung case IEEE80211_M_IBSS: 962 1.7 dyoung case IEEE80211_M_AHDEMO: 963 1.44 dyoung case IEEE80211_M_MONITOR: 964 1.7 dyoung /* should not come here */ 965 1.44 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 966 1.44 dyoung ni->ni_macaddr, "open auth", 967 1.44 dyoung "bad operating mode %u", ic->ic_opmode); 968 1.7 dyoung break; 969 1.7 dyoung 970 1.7 dyoung case IEEE80211_M_HOSTAP: 971 1.41 dyoung #ifndef IEEE80211_NO_HOSTAP 972 1.11 mycroft if (ic->ic_state != IEEE80211_S_RUN || 973 1.16 dyoung seq != IEEE80211_AUTH_OPEN_REQUEST) { 974 1.16 dyoung ic->ic_stats.is_rx_bad_auth++; 975 1.7 dyoung return; 976 1.16 dyoung } 977 1.40 dyoung /* always accept open authentication requests */ 978 1.7 dyoung if (ni == ic->ic_bss) { 979 1.40 dyoung ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 980 1.40 dyoung if (ni == NULL) 981 1.7 dyoung return; 982 1.44 dyoung } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 983 1.40 dyoung (void) ieee80211_ref_node(ni); 984 1.44 dyoung /* 985 1.78 snj * Mark the node as referenced to reflect that its 986 1.44 dyoung * reference count has been bumped to insure it remains 987 1.44 dyoung * after the transaction completes. 988 1.44 dyoung */ 989 1.44 dyoung ni->ni_flags |= IEEE80211_NODE_AREF; 990 1.44 dyoung 991 1.7 dyoung IEEE80211_SEND_MGMT(ic, ni, 992 1.7 dyoung IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 993 1.26 mycroft IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 994 1.40 dyoung "[%s] station authenticated (open)\n", 995 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 996 1.44 dyoung /* 997 1.44 dyoung * When 802.1x is not in use mark the port 998 1.44 dyoung * authorized at this point so traffic can flow. 999 1.44 dyoung */ 1000 1.44 dyoung if (ni->ni_authmode != IEEE80211_AUTH_8021X) 1001 1.47 skrll ieee80211_node_authorize(ni); 1002 1.41 dyoung #endif /* !IEEE80211_NO_HOSTAP */ 1003 1.7 dyoung break; 1004 1.26 mycroft 1005 1.7 dyoung case IEEE80211_M_STA: 1006 1.7 dyoung if (ic->ic_state != IEEE80211_S_AUTH || 1007 1.16 dyoung seq != IEEE80211_AUTH_OPEN_RESPONSE) { 1008 1.16 dyoung ic->ic_stats.is_rx_bad_auth++; 1009 1.7 dyoung return; 1010 1.16 dyoung } 1011 1.7 dyoung if (status != 0) { 1012 1.85 christos 1013 1.26 mycroft IEEE80211_DPRINTF(ic, 1014 1.26 mycroft IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1015 1.40 dyoung "[%s] open auth failed (reason %d)\n", 1016 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 1017 1.85 christos status); 1018 1.40 dyoung /* XXX can this happen? */ 1019 1.7 dyoung if (ni != ic->ic_bss) 1020 1.7 dyoung ni->ni_fails++; 1021 1.16 dyoung ic->ic_stats.is_rx_auth_fail++; 1022 1.44 dyoung ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1023 1.44 dyoung } else 1024 1.44 dyoung ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1025 1.44 dyoung wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1026 1.7 dyoung break; 1027 1.7 dyoung } 1028 1.7 dyoung } 1029 1.7 dyoung 1030 1.44 dyoung /* 1031 1.44 dyoung * Send a management frame error response to the specified 1032 1.44 dyoung * station. If ni is associated with the station then use 1033 1.44 dyoung * it; otherwise allocate a temporary node suitable for 1034 1.44 dyoung * transmitting the frame and then free the reference so 1035 1.44 dyoung * it will go away as soon as the frame has been transmitted. 1036 1.44 dyoung */ 1037 1.44 dyoung static void 1038 1.44 dyoung ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni, 1039 1.44 dyoung const u_int8_t *mac, int subtype, int arg) 1040 1.44 dyoung { 1041 1.44 dyoung int istmp; 1042 1.44 dyoung 1043 1.44 dyoung if (ni == ic->ic_bss) { 1044 1.47 skrll ni = ieee80211_tmp_node(ic, mac); 1045 1.44 dyoung if (ni == NULL) { 1046 1.44 dyoung /* XXX msg */ 1047 1.44 dyoung return; 1048 1.44 dyoung } 1049 1.44 dyoung istmp = 1; 1050 1.44 dyoung } else 1051 1.44 dyoung istmp = 0; 1052 1.44 dyoung IEEE80211_SEND_MGMT(ic, ni, subtype, arg); 1053 1.44 dyoung if (istmp) 1054 1.44 dyoung ieee80211_free_node(ni); 1055 1.44 dyoung } 1056 1.44 dyoung 1057 1.40 dyoung static int 1058 1.40 dyoung alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni) 1059 1.40 dyoung { 1060 1.40 dyoung if (ni->ni_challenge == NULL) 1061 1.67 cegger ni->ni_challenge = malloc(IEEE80211_CHALLENGE_LEN, 1062 1.40 dyoung M_DEVBUF, M_NOWAIT); 1063 1.40 dyoung if (ni->ni_challenge == NULL) { 1064 1.85 christos IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 1065 1.85 christos 1066 1.40 dyoung IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1067 1.40 dyoung "[%s] shared key challenge alloc failed\n", 1068 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 1069 1.40 dyoung /* XXX statistic */ 1070 1.40 dyoung } 1071 1.40 dyoung return (ni->ni_challenge != NULL); 1072 1.40 dyoung } 1073 1.40 dyoung 1074 1.40 dyoung /* XXX TODO: add statistics */ 1075 1.7 dyoung static void 1076 1.7 dyoung ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 1077 1.7 dyoung u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 1078 1.7 dyoung u_int32_t rstamp, u_int16_t seq, u_int16_t status) 1079 1.7 dyoung { 1080 1.40 dyoung u_int8_t *challenge; 1081 1.41 dyoung int estatus; 1082 1.85 christos IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 1083 1.7 dyoung 1084 1.40 dyoung /* 1085 1.40 dyoung * NB: this can happen as we allow pre-shared key 1086 1.40 dyoung * authentication to be enabled w/o wep being turned 1087 1.40 dyoung * on so that configuration of these can be done 1088 1.40 dyoung * in any order. It may be better to enforce the 1089 1.40 dyoung * ordering in which case this check would just be 1090 1.40 dyoung * for sanity/consistency. 1091 1.40 dyoung */ 1092 1.28 mycroft if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 1093 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1094 1.40 dyoung ni->ni_macaddr, "shared key auth", 1095 1.40 dyoung "%s", " PRIVACY is disabled"); 1096 1.40 dyoung estatus = IEEE80211_STATUS_ALG; 1097 1.40 dyoung goto bad; 1098 1.40 dyoung } 1099 1.40 dyoung /* 1100 1.40 dyoung * Pre-shared key authentication is evil; accept 1101 1.40 dyoung * it only if explicitly configured (it is supported 1102 1.40 dyoung * mainly for compatibility with clients like OS X). 1103 1.40 dyoung */ 1104 1.40 dyoung if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1105 1.40 dyoung ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1106 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1107 1.40 dyoung ni->ni_macaddr, "shared key auth", 1108 1.40 dyoung "bad sta auth mode %u", ni->ni_authmode); 1109 1.40 dyoung ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1110 1.40 dyoung estatus = IEEE80211_STATUS_ALG; 1111 1.40 dyoung goto bad; 1112 1.7 dyoung } 1113 1.7 dyoung 1114 1.40 dyoung challenge = NULL; 1115 1.7 dyoung if (frm + 1 < efrm) { 1116 1.40 dyoung if ((frm[1] + 2) > (efrm - frm)) { 1117 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1118 1.40 dyoung ni->ni_macaddr, "shared key auth", 1119 1.40 dyoung "ie %d/%d too long", 1120 1.40 dyoung frm[0], (frm[1] + 2) - (efrm - frm)); 1121 1.16 dyoung ic->ic_stats.is_rx_bad_auth++; 1122 1.40 dyoung estatus = IEEE80211_STATUS_CHALLENGE; 1123 1.40 dyoung goto bad; 1124 1.7 dyoung } 1125 1.7 dyoung if (*frm == IEEE80211_ELEMID_CHALLENGE) 1126 1.7 dyoung challenge = frm; 1127 1.7 dyoung frm += frm[1] + 2; 1128 1.7 dyoung } 1129 1.7 dyoung switch (seq) { 1130 1.7 dyoung case IEEE80211_AUTH_SHARED_CHALLENGE: 1131 1.7 dyoung case IEEE80211_AUTH_SHARED_RESPONSE: 1132 1.7 dyoung if (challenge == NULL) { 1133 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1134 1.40 dyoung ni->ni_macaddr, "shared key auth", 1135 1.40 dyoung "%s", "no challenge"); 1136 1.16 dyoung ic->ic_stats.is_rx_bad_auth++; 1137 1.40 dyoung estatus = IEEE80211_STATUS_CHALLENGE; 1138 1.40 dyoung goto bad; 1139 1.7 dyoung } 1140 1.7 dyoung if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1141 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1142 1.40 dyoung ni->ni_macaddr, "shared key auth", 1143 1.40 dyoung "bad challenge len %d", challenge[1]); 1144 1.16 dyoung ic->ic_stats.is_rx_bad_auth++; 1145 1.40 dyoung estatus = IEEE80211_STATUS_CHALLENGE; 1146 1.40 dyoung goto bad; 1147 1.7 dyoung } 1148 1.7 dyoung default: 1149 1.7 dyoung break; 1150 1.7 dyoung } 1151 1.7 dyoung switch (ic->ic_opmode) { 1152 1.7 dyoung case IEEE80211_M_MONITOR: 1153 1.7 dyoung case IEEE80211_M_AHDEMO: 1154 1.7 dyoung case IEEE80211_M_IBSS: 1155 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1156 1.40 dyoung ni->ni_macaddr, "shared key auth", 1157 1.40 dyoung "bad operating mode %u", ic->ic_opmode); 1158 1.7 dyoung return; 1159 1.7 dyoung case IEEE80211_M_HOSTAP: 1160 1.41 dyoung #ifndef IEEE80211_NO_HOSTAP 1161 1.41 dyoung { 1162 1.41 dyoung int allocbs; 1163 1.7 dyoung if (ic->ic_state != IEEE80211_S_RUN) { 1164 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1165 1.40 dyoung ni->ni_macaddr, "shared key auth", 1166 1.40 dyoung "bad state %u", ic->ic_state); 1167 1.40 dyoung estatus = IEEE80211_STATUS_ALG; /* XXX */ 1168 1.40 dyoung goto bad; 1169 1.7 dyoung } 1170 1.7 dyoung switch (seq) { 1171 1.7 dyoung case IEEE80211_AUTH_SHARED_REQUEST: 1172 1.7 dyoung if (ni == ic->ic_bss) { 1173 1.40 dyoung ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1174 1.16 dyoung if (ni == NULL) { 1175 1.40 dyoung /* NB: no way to return an error */ 1176 1.7 dyoung return; 1177 1.16 dyoung } 1178 1.40 dyoung allocbs = 1; 1179 1.40 dyoung } else { 1180 1.44 dyoung if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1181 1.44 dyoung (void) ieee80211_ref_node(ni); 1182 1.40 dyoung allocbs = 0; 1183 1.40 dyoung } 1184 1.85 christos __USE(allocbs); 1185 1.44 dyoung /* 1186 1.78 snj * Mark the node as referenced to reflect that its 1187 1.44 dyoung * reference count has been bumped to insure it remains 1188 1.44 dyoung * after the transaction completes. 1189 1.44 dyoung */ 1190 1.44 dyoung ni->ni_flags |= IEEE80211_NODE_AREF; 1191 1.40 dyoung ni->ni_rssi = rssi; 1192 1.40 dyoung ni->ni_rstamp = rstamp; 1193 1.40 dyoung if (!alloc_challenge(ic, ni)) { 1194 1.40 dyoung /* NB: don't return error so they rexmit */ 1195 1.40 dyoung return; 1196 1.40 dyoung } 1197 1.40 dyoung get_random_bytes(ni->ni_challenge, 1198 1.40 dyoung IEEE80211_CHALLENGE_LEN); 1199 1.40 dyoung IEEE80211_DPRINTF(ic, 1200 1.40 dyoung IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1201 1.40 dyoung "[%s] shared key %sauth request\n", 1202 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), 1203 1.85 christos ni->ni_macaddr), 1204 1.40 dyoung allocbs ? "" : "re"); 1205 1.40 dyoung break; 1206 1.40 dyoung case IEEE80211_AUTH_SHARED_RESPONSE: 1207 1.40 dyoung if (ni == ic->ic_bss) { 1208 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1209 1.40 dyoung ni->ni_macaddr, "shared key response", 1210 1.40 dyoung "%s", "unknown station"); 1211 1.40 dyoung /* NB: don't send a response */ 1212 1.40 dyoung return; 1213 1.40 dyoung } 1214 1.7 dyoung if (ni->ni_challenge == NULL) { 1215 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1216 1.40 dyoung ni->ni_macaddr, "shared key response", 1217 1.40 dyoung "%s", "no challenge recorded"); 1218 1.40 dyoung ic->ic_stats.is_rx_bad_auth++; 1219 1.40 dyoung estatus = IEEE80211_STATUS_CHALLENGE; 1220 1.40 dyoung goto bad; 1221 1.40 dyoung } 1222 1.40 dyoung if (memcmp(ni->ni_challenge, &challenge[2], 1223 1.40 dyoung challenge[1]) != 0) { 1224 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1225 1.40 dyoung ni->ni_macaddr, "shared key response", 1226 1.40 dyoung "%s", "challenge mismatch"); 1227 1.40 dyoung ic->ic_stats.is_rx_auth_fail++; 1228 1.40 dyoung estatus = IEEE80211_STATUS_CHALLENGE; 1229 1.40 dyoung goto bad; 1230 1.40 dyoung } 1231 1.40 dyoung IEEE80211_DPRINTF(ic, 1232 1.40 dyoung IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1233 1.40 dyoung "[%s] station authenticated (shared key)\n", 1234 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 1235 1.47 skrll ieee80211_node_authorize(ni); 1236 1.40 dyoung break; 1237 1.40 dyoung default: 1238 1.40 dyoung IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1239 1.40 dyoung ni->ni_macaddr, "shared key auth", 1240 1.40 dyoung "bad seq %d", seq); 1241 1.40 dyoung ic->ic_stats.is_rx_bad_auth++; 1242 1.40 dyoung estatus = IEEE80211_STATUS_SEQUENCE; 1243 1.40 dyoung goto bad; 1244 1.40 dyoung } 1245 1.40 dyoung IEEE80211_SEND_MGMT(ic, ni, 1246 1.40 dyoung IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1247 1.41 dyoung } 1248 1.41 dyoung #endif /* !IEEE80211_NO_HOSTAP */ 1249 1.40 dyoung break; 1250 1.40 dyoung 1251 1.40 dyoung case IEEE80211_M_STA: 1252 1.40 dyoung if (ic->ic_state != IEEE80211_S_AUTH) 1253 1.40 dyoung return; 1254 1.40 dyoung switch (seq) { 1255 1.40 dyoung case IEEE80211_AUTH_SHARED_PASS: 1256 1.40 dyoung if (ni->ni_challenge != NULL) { 1257 1.67 cegger free(ni->ni_challenge, M_DEVBUF); 1258 1.40 dyoung ni->ni_challenge = NULL; 1259 1.40 dyoung } 1260 1.40 dyoung if (status != 0) { 1261 1.40 dyoung IEEE80211_DPRINTF(ic, 1262 1.40 dyoung IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1263 1.40 dyoung "[%s] shared key auth failed (reason %d)\n", 1264 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), 1265 1.85 christos ieee80211_getbssid(ic, wh)), 1266 1.40 dyoung status); 1267 1.40 dyoung /* XXX can this happen? */ 1268 1.40 dyoung if (ni != ic->ic_bss) 1269 1.40 dyoung ni->ni_fails++; 1270 1.40 dyoung ic->ic_stats.is_rx_auth_fail++; 1271 1.7 dyoung return; 1272 1.7 dyoung } 1273 1.40 dyoung ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1274 1.40 dyoung wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1275 1.40 dyoung break; 1276 1.40 dyoung case IEEE80211_AUTH_SHARED_CHALLENGE: 1277 1.40 dyoung if (!alloc_challenge(ic, ni)) 1278 1.40 dyoung return; 1279 1.40 dyoung /* XXX could optimize by passing recvd challenge */ 1280 1.40 dyoung memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1281 1.40 dyoung IEEE80211_SEND_MGMT(ic, ni, 1282 1.40 dyoung IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1283 1.40 dyoung break; 1284 1.40 dyoung default: 1285 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH, 1286 1.40 dyoung wh, "shared key auth", "bad seq %d", seq); 1287 1.40 dyoung ic->ic_stats.is_rx_bad_auth++; 1288 1.40 dyoung return; 1289 1.40 dyoung } 1290 1.40 dyoung break; 1291 1.40 dyoung } 1292 1.40 dyoung return; 1293 1.40 dyoung bad: 1294 1.41 dyoung #ifndef IEEE80211_NO_HOSTAP 1295 1.40 dyoung /* 1296 1.40 dyoung * Send an error response; but only when operating as an AP. 1297 1.40 dyoung */ 1298 1.40 dyoung if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1299 1.40 dyoung /* XXX hack to workaround calling convention */ 1300 1.44 dyoung ieee80211_send_error(ic, ni, wh->i_addr2, 1301 1.44 dyoung IEEE80211_FC0_SUBTYPE_AUTH, 1302 1.44 dyoung (seq + 1) | (estatus<<16)); 1303 1.44 dyoung } else if (ic->ic_opmode == IEEE80211_M_STA) { 1304 1.44 dyoung /* 1305 1.44 dyoung * Kick the state machine. This short-circuits 1306 1.44 dyoung * using the mgt frame timeout to trigger the 1307 1.44 dyoung * state transition. 1308 1.44 dyoung */ 1309 1.44 dyoung if (ic->ic_state == IEEE80211_S_AUTH) 1310 1.44 dyoung ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1311 1.40 dyoung } 1312 1.41 dyoung #else 1313 1.41 dyoung ; 1314 1.41 dyoung #endif /* !IEEE80211_NO_HOSTAP */ 1315 1.40 dyoung } 1316 1.40 dyoung 1317 1.40 dyoung /* Verify the existence and length of __elem or get out. */ 1318 1.40 dyoung #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 1319 1.40 dyoung if ((__elem) == NULL) { \ 1320 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1321 1.40 dyoung wh, ieee80211_mgt_subtype_name[subtype >> \ 1322 1.40 dyoung IEEE80211_FC0_SUBTYPE_SHIFT], \ 1323 1.40 dyoung "%s", "no " #__elem ); \ 1324 1.40 dyoung ic->ic_stats.is_rx_elem_missing++; \ 1325 1.40 dyoung return; \ 1326 1.40 dyoung } \ 1327 1.40 dyoung if ((__elem)[1] > (__maxlen)) { \ 1328 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1329 1.40 dyoung wh, ieee80211_mgt_subtype_name[subtype >> \ 1330 1.40 dyoung IEEE80211_FC0_SUBTYPE_SHIFT], \ 1331 1.40 dyoung "bad " #__elem " len %d", (__elem)[1]); \ 1332 1.40 dyoung ic->ic_stats.is_rx_elem_toobig++; \ 1333 1.40 dyoung return; \ 1334 1.40 dyoung } \ 1335 1.40 dyoung } while (0) 1336 1.40 dyoung 1337 1.40 dyoung #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 1338 1.40 dyoung if ((_len) < (_minlen)) { \ 1339 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1340 1.40 dyoung wh, ieee80211_mgt_subtype_name[subtype >> \ 1341 1.40 dyoung IEEE80211_FC0_SUBTYPE_SHIFT], \ 1342 1.40 dyoung "%s", "ie too short"); \ 1343 1.40 dyoung ic->ic_stats.is_rx_elem_toosmall++; \ 1344 1.40 dyoung return; \ 1345 1.40 dyoung } \ 1346 1.40 dyoung } while (0) 1347 1.40 dyoung 1348 1.40 dyoung #ifdef IEEE80211_DEBUG 1349 1.40 dyoung static void 1350 1.64 christos ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 1351 1.40 dyoung u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 1352 1.40 dyoung { 1353 1.85 christos char ebuf[3 * ETHER_ADDR_LEN]; 1354 1.85 christos 1355 1.40 dyoung printf("[%s] discard %s frame, ssid mismatch: ", 1356 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), mac), tag); 1357 1.40 dyoung ieee80211_print_essid(ssid + 2, ssid[1]); 1358 1.40 dyoung printf("\n"); 1359 1.40 dyoung } 1360 1.40 dyoung 1361 1.40 dyoung #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1362 1.40 dyoung if ((_ssid)[1] != 0 && \ 1363 1.40 dyoung ((_ssid)[1] != (_ni)->ni_esslen || \ 1364 1.40 dyoung memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1365 1.40 dyoung if (ieee80211_msg_input(ic)) \ 1366 1.40 dyoung ieee80211_ssid_mismatch(ic, \ 1367 1.40 dyoung ieee80211_mgt_subtype_name[subtype >> \ 1368 1.40 dyoung IEEE80211_FC0_SUBTYPE_SHIFT], \ 1369 1.40 dyoung wh->i_addr2, _ssid); \ 1370 1.40 dyoung ic->ic_stats.is_rx_ssidmismatch++; \ 1371 1.40 dyoung return; \ 1372 1.40 dyoung } \ 1373 1.40 dyoung } while (0) 1374 1.40 dyoung #else /* !IEEE80211_DEBUG */ 1375 1.40 dyoung #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1376 1.40 dyoung if ((_ssid)[1] != 0 && \ 1377 1.40 dyoung ((_ssid)[1] != (_ni)->ni_esslen || \ 1378 1.40 dyoung memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1379 1.40 dyoung ic->ic_stats.is_rx_ssidmismatch++; \ 1380 1.40 dyoung return; \ 1381 1.40 dyoung } \ 1382 1.40 dyoung } while (0) 1383 1.40 dyoung #endif /* !IEEE80211_DEBUG */ 1384 1.40 dyoung 1385 1.76 christos /* unaligned little endian access */ 1386 1.40 dyoung #define LE_READ_2(p) \ 1387 1.40 dyoung ((u_int16_t) \ 1388 1.40 dyoung ((((const u_int8_t *)(p))[0] ) | \ 1389 1.40 dyoung (((const u_int8_t *)(p))[1] << 8))) 1390 1.40 dyoung #define LE_READ_4(p) \ 1391 1.40 dyoung ((u_int32_t) \ 1392 1.40 dyoung ((((const u_int8_t *)(p))[0] ) | \ 1393 1.40 dyoung (((const u_int8_t *)(p))[1] << 8) | \ 1394 1.40 dyoung (((const u_int8_t *)(p))[2] << 16) | \ 1395 1.40 dyoung (((const u_int8_t *)(p))[3] << 24))) 1396 1.40 dyoung 1397 1.62 christos static __inline int 1398 1.40 dyoung iswpaoui(const u_int8_t *frm) 1399 1.40 dyoung { 1400 1.40 dyoung return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); 1401 1.40 dyoung } 1402 1.40 dyoung 1403 1.62 christos static __inline int 1404 1.40 dyoung iswmeoui(const u_int8_t *frm) 1405 1.40 dyoung { 1406 1.40 dyoung return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI); 1407 1.40 dyoung } 1408 1.40 dyoung 1409 1.62 christos static __inline int 1410 1.40 dyoung iswmeparam(const u_int8_t *frm) 1411 1.40 dyoung { 1412 1.40 dyoung return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1413 1.40 dyoung frm[6] == WME_PARAM_OUI_SUBTYPE; 1414 1.40 dyoung } 1415 1.40 dyoung 1416 1.62 christos static __inline int 1417 1.40 dyoung iswmeinfo(const u_int8_t *frm) 1418 1.40 dyoung { 1419 1.40 dyoung return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1420 1.40 dyoung frm[6] == WME_INFO_OUI_SUBTYPE; 1421 1.40 dyoung } 1422 1.40 dyoung 1423 1.40 dyoung /* 1424 1.40 dyoung * Convert a WPA cipher selector OUI to an internal 1425 1.40 dyoung * cipher algorithm. Where appropriate we also 1426 1.40 dyoung * record any key length. 1427 1.40 dyoung */ 1428 1.40 dyoung static int 1429 1.40 dyoung wpa_cipher(u_int8_t *sel, u_int8_t *keylen) 1430 1.40 dyoung { 1431 1.40 dyoung #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1432 1.40 dyoung u_int32_t w = LE_READ_4(sel); 1433 1.40 dyoung 1434 1.40 dyoung switch (w) { 1435 1.40 dyoung case WPA_SEL(WPA_CSE_NULL): 1436 1.40 dyoung return IEEE80211_CIPHER_NONE; 1437 1.40 dyoung case WPA_SEL(WPA_CSE_WEP40): 1438 1.40 dyoung if (keylen) 1439 1.40 dyoung *keylen = 40 / NBBY; 1440 1.40 dyoung return IEEE80211_CIPHER_WEP; 1441 1.40 dyoung case WPA_SEL(WPA_CSE_WEP104): 1442 1.40 dyoung if (keylen) 1443 1.40 dyoung *keylen = 104 / NBBY; 1444 1.40 dyoung return IEEE80211_CIPHER_WEP; 1445 1.40 dyoung case WPA_SEL(WPA_CSE_TKIP): 1446 1.40 dyoung return IEEE80211_CIPHER_TKIP; 1447 1.40 dyoung case WPA_SEL(WPA_CSE_CCMP): 1448 1.40 dyoung return IEEE80211_CIPHER_AES_CCM; 1449 1.40 dyoung } 1450 1.40 dyoung return 32; /* NB: so 1<< is discarded */ 1451 1.40 dyoung #undef WPA_SEL 1452 1.40 dyoung } 1453 1.40 dyoung 1454 1.40 dyoung /* 1455 1.40 dyoung * Convert a WPA key management/authentication algorithm 1456 1.40 dyoung * to an internal code. 1457 1.40 dyoung */ 1458 1.40 dyoung static int 1459 1.40 dyoung wpa_keymgmt(u_int8_t *sel) 1460 1.40 dyoung { 1461 1.40 dyoung #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1462 1.40 dyoung u_int32_t w = LE_READ_4(sel); 1463 1.40 dyoung 1464 1.40 dyoung switch (w) { 1465 1.40 dyoung case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1466 1.40 dyoung return WPA_ASE_8021X_UNSPEC; 1467 1.40 dyoung case WPA_SEL(WPA_ASE_8021X_PSK): 1468 1.40 dyoung return WPA_ASE_8021X_PSK; 1469 1.40 dyoung case WPA_SEL(WPA_ASE_NONE): 1470 1.40 dyoung return WPA_ASE_NONE; 1471 1.40 dyoung } 1472 1.40 dyoung return 0; /* NB: so is discarded */ 1473 1.40 dyoung #undef WPA_SEL 1474 1.40 dyoung } 1475 1.40 dyoung 1476 1.40 dyoung /* 1477 1.40 dyoung * Parse a WPA information element to collect parameters 1478 1.40 dyoung * and validate the parameters against what has been 1479 1.40 dyoung * configured for the system. 1480 1.40 dyoung */ 1481 1.40 dyoung static int 1482 1.40 dyoung ieee80211_parse_wpa(struct ieee80211com *ic, u_int8_t *frm, 1483 1.40 dyoung struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1484 1.40 dyoung { 1485 1.40 dyoung u_int8_t len = frm[1]; 1486 1.40 dyoung u_int32_t w; 1487 1.40 dyoung int n; 1488 1.40 dyoung 1489 1.40 dyoung /* 1490 1.40 dyoung * Check the length once for fixed parts: OUI, type, 1491 1.40 dyoung * version, mcast cipher, and 2 selector counts. 1492 1.40 dyoung * Other, variable-length data, must be checked separately. 1493 1.40 dyoung */ 1494 1.47 skrll if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) { 1495 1.47 skrll IEEE80211_DISCARD_IE(ic, 1496 1.47 skrll IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1497 1.47 skrll wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags); 1498 1.47 skrll return IEEE80211_REASON_IE_INVALID; 1499 1.47 skrll } 1500 1.40 dyoung if (len < 14) { 1501 1.40 dyoung IEEE80211_DISCARD_IE(ic, 1502 1.40 dyoung IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1503 1.40 dyoung wh, "WPA", "too short, len %u", len); 1504 1.40 dyoung return IEEE80211_REASON_IE_INVALID; 1505 1.40 dyoung } 1506 1.40 dyoung frm += 6, len -= 4; /* NB: len is payload only */ 1507 1.40 dyoung /* NB: iswapoui already validated the OUI and type */ 1508 1.40 dyoung w = LE_READ_2(frm); 1509 1.40 dyoung if (w != WPA_VERSION) { 1510 1.40 dyoung IEEE80211_DISCARD_IE(ic, 1511 1.40 dyoung IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1512 1.40 dyoung wh, "WPA", "bad version %u", w); 1513 1.40 dyoung return IEEE80211_REASON_IE_INVALID; 1514 1.40 dyoung } 1515 1.40 dyoung frm += 2, len -= 2; 1516 1.40 dyoung 1517 1.40 dyoung /* multicast/group cipher */ 1518 1.40 dyoung w = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1519 1.40 dyoung if (w != rsn->rsn_mcastcipher) { 1520 1.40 dyoung IEEE80211_DISCARD_IE(ic, 1521 1.40 dyoung IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1522 1.40 dyoung wh, "WPA", "mcast cipher mismatch; got %u, expected %u", 1523 1.40 dyoung w, rsn->rsn_mcastcipher); 1524 1.40 dyoung return IEEE80211_REASON_IE_INVALID; 1525 1.40 dyoung } 1526 1.40 dyoung frm += 4, len -= 4; 1527 1.40 dyoung 1528 1.40 dyoung /* unicast ciphers */ 1529 1.40 dyoung n = LE_READ_2(frm); 1530 1.40 dyoung frm += 2, len -= 2; 1531 1.40 dyoung if (len < n*4+2) { 1532 1.40 dyoung IEEE80211_DISCARD_IE(ic, 1533 1.40 dyoung IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1534 1.40 dyoung wh, "WPA", "ucast cipher data too short; len %u, n %u", 1535 1.40 dyoung len, n); 1536 1.40 dyoung return IEEE80211_REASON_IE_INVALID; 1537 1.40 dyoung } 1538 1.40 dyoung w = 0; 1539 1.40 dyoung for (; n > 0; n--) { 1540 1.40 dyoung w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1541 1.40 dyoung frm += 4, len -= 4; 1542 1.40 dyoung } 1543 1.40 dyoung w &= rsn->rsn_ucastcipherset; 1544 1.40 dyoung if (w == 0) { 1545 1.40 dyoung IEEE80211_DISCARD_IE(ic, 1546 1.40 dyoung IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1547 1.40 dyoung wh, "WPA", "%s", "ucast cipher set empty"); 1548 1.40 dyoung return IEEE80211_REASON_IE_INVALID; 1549 1.40 dyoung } 1550 1.40 dyoung if (w & (1<<IEEE80211_CIPHER_TKIP)) 1551 1.40 dyoung rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1552 1.40 dyoung else 1553 1.40 dyoung rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1554 1.40 dyoung 1555 1.40 dyoung /* key management algorithms */ 1556 1.40 dyoung n = LE_READ_2(frm); 1557 1.40 dyoung frm += 2, len -= 2; 1558 1.40 dyoung if (len < n*4) { 1559 1.40 dyoung IEEE80211_DISCARD_IE(ic, 1560 1.40 dyoung IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1561 1.40 dyoung wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1562 1.40 dyoung len, n); 1563 1.40 dyoung return IEEE80211_REASON_IE_INVALID; 1564 1.40 dyoung } 1565 1.40 dyoung w = 0; 1566 1.40 dyoung for (; n > 0; n--) { 1567 1.40 dyoung w |= wpa_keymgmt(frm); 1568 1.40 dyoung frm += 4, len -= 4; 1569 1.40 dyoung } 1570 1.40 dyoung w &= rsn->rsn_keymgmtset; 1571 1.40 dyoung if (w == 0) { 1572 1.40 dyoung IEEE80211_DISCARD_IE(ic, 1573 1.40 dyoung IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1574 1.40 dyoung wh, "WPA", "%s", "no acceptable key mgmt alg"); 1575 1.40 dyoung return IEEE80211_REASON_IE_INVALID; 1576 1.40 dyoung } 1577 1.40 dyoung if (w & WPA_ASE_8021X_UNSPEC) 1578 1.40 dyoung rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1579 1.40 dyoung else 1580 1.40 dyoung rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1581 1.40 dyoung 1582 1.40 dyoung if (len > 2) /* optional capabilities */ 1583 1.40 dyoung rsn->rsn_caps = LE_READ_2(frm); 1584 1.40 dyoung 1585 1.40 dyoung return 0; 1586 1.40 dyoung } 1587 1.40 dyoung 1588 1.40 dyoung /* 1589 1.40 dyoung * Convert an RSN cipher selector OUI to an internal 1590 1.40 dyoung * cipher algorithm. Where appropriate we also 1591 1.40 dyoung * record any key length. 1592 1.40 dyoung */ 1593 1.40 dyoung static int 1594 1.40 dyoung rsn_cipher(u_int8_t *sel, u_int8_t *keylen) 1595 1.40 dyoung { 1596 1.40 dyoung #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1597 1.40 dyoung u_int32_t w = LE_READ_4(sel); 1598 1.40 dyoung 1599 1.40 dyoung switch (w) { 1600 1.40 dyoung case RSN_SEL(RSN_CSE_NULL): 1601 1.40 dyoung return IEEE80211_CIPHER_NONE; 1602 1.40 dyoung case RSN_SEL(RSN_CSE_WEP40): 1603 1.40 dyoung if (keylen) 1604 1.40 dyoung *keylen = 40 / NBBY; 1605 1.40 dyoung return IEEE80211_CIPHER_WEP; 1606 1.40 dyoung case RSN_SEL(RSN_CSE_WEP104): 1607 1.40 dyoung if (keylen) 1608 1.40 dyoung *keylen = 104 / NBBY; 1609 1.40 dyoung return IEEE80211_CIPHER_WEP; 1610 1.40 dyoung case RSN_SEL(RSN_CSE_TKIP): 1611 1.40 dyoung return IEEE80211_CIPHER_TKIP; 1612 1.40 dyoung case RSN_SEL(RSN_CSE_CCMP): 1613 1.40 dyoung return IEEE80211_CIPHER_AES_CCM; 1614 1.40 dyoung case RSN_SEL(RSN_CSE_WRAP): 1615 1.40 dyoung return IEEE80211_CIPHER_AES_OCB; 1616 1.40 dyoung } 1617 1.40 dyoung return 32; /* NB: so 1<< is discarded */ 1618 1.40 dyoung #undef WPA_SEL 1619 1.40 dyoung } 1620 1.40 dyoung 1621 1.40 dyoung /* 1622 1.40 dyoung * Convert an RSN key management/authentication algorithm 1623 1.40 dyoung * to an internal code. 1624 1.40 dyoung */ 1625 1.40 dyoung static int 1626 1.40 dyoung rsn_keymgmt(u_int8_t *sel) 1627 1.40 dyoung { 1628 1.40 dyoung #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1629 1.40 dyoung u_int32_t w = LE_READ_4(sel); 1630 1.40 dyoung 1631 1.40 dyoung switch (w) { 1632 1.40 dyoung case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1633 1.40 dyoung return RSN_ASE_8021X_UNSPEC; 1634 1.40 dyoung case RSN_SEL(RSN_ASE_8021X_PSK): 1635 1.40 dyoung return RSN_ASE_8021X_PSK; 1636 1.40 dyoung case RSN_SEL(RSN_ASE_NONE): 1637 1.40 dyoung return RSN_ASE_NONE; 1638 1.40 dyoung } 1639 1.40 dyoung return 0; /* NB: so is discarded */ 1640 1.40 dyoung #undef RSN_SEL 1641 1.40 dyoung } 1642 1.40 dyoung 1643 1.40 dyoung /* 1644 1.40 dyoung * Parse a WPA/RSN information element to collect parameters 1645 1.40 dyoung * and validate the parameters against what has been 1646 1.40 dyoung * configured for the system. 1647 1.40 dyoung */ 1648 1.40 dyoung static int 1649 1.40 dyoung ieee80211_parse_rsn(struct ieee80211com *ic, u_int8_t *frm, 1650 1.40 dyoung struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1651 1.40 dyoung { 1652 1.40 dyoung u_int8_t len = frm[1]; 1653 1.40 dyoung u_int32_t w; 1654 1.40 dyoung int n; 1655 1.40 dyoung 1656 1.40 dyoung /* 1657 1.74 christos * Check the length once for fixed parts: 1658 1.40 dyoung * version, mcast cipher, and 2 selector counts. 1659 1.40 dyoung * Other, variable-length data, must be checked separately. 1660 1.40 dyoung */ 1661 1.47 skrll if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) { 1662 1.47 skrll IEEE80211_DISCARD_IE(ic, 1663 1.47 skrll IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1664 1.47 skrll wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags); 1665 1.47 skrll return IEEE80211_REASON_IE_INVALID; 1666 1.47 skrll } 1667 1.40 dyoung if (len < 10) { 1668 1.40 dyoung IEEE80211_DISCARD_IE(ic, 1669 1.40 dyoung IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1670 1.40 dyoung wh, "RSN", "too short, len %u", len); 1671 1.40 dyoung return IEEE80211_REASON_IE_INVALID; 1672 1.40 dyoung } 1673 1.40 dyoung frm += 2; 1674 1.40 dyoung w = LE_READ_2(frm); 1675 1.40 dyoung if (w != RSN_VERSION) { 1676 1.40 dyoung IEEE80211_DISCARD_IE(ic, 1677 1.40 dyoung IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1678 1.40 dyoung wh, "RSN", "bad version %u", w); 1679 1.40 dyoung return IEEE80211_REASON_IE_INVALID; 1680 1.40 dyoung } 1681 1.40 dyoung frm += 2, len -= 2; 1682 1.40 dyoung 1683 1.40 dyoung /* multicast/group cipher */ 1684 1.40 dyoung w = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1685 1.40 dyoung if (w != rsn->rsn_mcastcipher) { 1686 1.40 dyoung IEEE80211_DISCARD_IE(ic, 1687 1.40 dyoung IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1688 1.40 dyoung wh, "RSN", "mcast cipher mismatch; got %u, expected %u", 1689 1.40 dyoung w, rsn->rsn_mcastcipher); 1690 1.40 dyoung return IEEE80211_REASON_IE_INVALID; 1691 1.40 dyoung } 1692 1.40 dyoung frm += 4, len -= 4; 1693 1.40 dyoung 1694 1.40 dyoung /* unicast ciphers */ 1695 1.40 dyoung n = LE_READ_2(frm); 1696 1.40 dyoung frm += 2, len -= 2; 1697 1.40 dyoung if (len < n*4+2) { 1698 1.40 dyoung IEEE80211_DISCARD_IE(ic, 1699 1.40 dyoung IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1700 1.40 dyoung wh, "RSN", "ucast cipher data too short; len %u, n %u", 1701 1.40 dyoung len, n); 1702 1.40 dyoung return IEEE80211_REASON_IE_INVALID; 1703 1.40 dyoung } 1704 1.40 dyoung w = 0; 1705 1.40 dyoung for (; n > 0; n--) { 1706 1.40 dyoung w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1707 1.40 dyoung frm += 4, len -= 4; 1708 1.40 dyoung } 1709 1.40 dyoung w &= rsn->rsn_ucastcipherset; 1710 1.40 dyoung if (w == 0) { 1711 1.40 dyoung IEEE80211_DISCARD_IE(ic, 1712 1.40 dyoung IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1713 1.40 dyoung wh, "RSN", "%s", "ucast cipher set empty"); 1714 1.40 dyoung return IEEE80211_REASON_IE_INVALID; 1715 1.40 dyoung } 1716 1.40 dyoung if (w & (1<<IEEE80211_CIPHER_TKIP)) 1717 1.40 dyoung rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1718 1.40 dyoung else 1719 1.40 dyoung rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1720 1.40 dyoung 1721 1.40 dyoung /* key management algorithms */ 1722 1.40 dyoung n = LE_READ_2(frm); 1723 1.40 dyoung frm += 2, len -= 2; 1724 1.40 dyoung if (len < n*4) { 1725 1.74 christos IEEE80211_DISCARD_IE(ic, 1726 1.40 dyoung IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1727 1.40 dyoung wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1728 1.40 dyoung len, n); 1729 1.40 dyoung return IEEE80211_REASON_IE_INVALID; 1730 1.40 dyoung } 1731 1.40 dyoung w = 0; 1732 1.40 dyoung for (; n > 0; n--) { 1733 1.40 dyoung w |= rsn_keymgmt(frm); 1734 1.40 dyoung frm += 4, len -= 4; 1735 1.40 dyoung } 1736 1.40 dyoung w &= rsn->rsn_keymgmtset; 1737 1.40 dyoung if (w == 0) { 1738 1.40 dyoung IEEE80211_DISCARD_IE(ic, 1739 1.40 dyoung IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1740 1.40 dyoung wh, "RSN", "%s", "no acceptable key mgmt alg"); 1741 1.40 dyoung return IEEE80211_REASON_IE_INVALID; 1742 1.40 dyoung } 1743 1.40 dyoung if (w & RSN_ASE_8021X_UNSPEC) 1744 1.40 dyoung rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1745 1.40 dyoung else 1746 1.40 dyoung rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1747 1.40 dyoung 1748 1.40 dyoung /* optional RSN capabilities */ 1749 1.40 dyoung if (len > 2) 1750 1.40 dyoung rsn->rsn_caps = LE_READ_2(frm); 1751 1.40 dyoung /* XXXPMKID */ 1752 1.40 dyoung 1753 1.40 dyoung return 0; 1754 1.40 dyoung } 1755 1.40 dyoung 1756 1.40 dyoung static int 1757 1.40 dyoung ieee80211_parse_wmeparams(struct ieee80211com *ic, u_int8_t *frm, 1758 1.40 dyoung const struct ieee80211_frame *wh) 1759 1.40 dyoung { 1760 1.40 dyoung #define MS(_v, _f) (((_v) & _f) >> _f##_S) 1761 1.40 dyoung struct ieee80211_wme_state *wme = &ic->ic_wme; 1762 1.40 dyoung u_int len = frm[1], qosinfo; 1763 1.40 dyoung int i; 1764 1.40 dyoung 1765 1.40 dyoung if (len < sizeof(struct ieee80211_wme_param)-2) { 1766 1.40 dyoung IEEE80211_DISCARD_IE(ic, 1767 1.40 dyoung IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1768 1.40 dyoung wh, "WME", "too short, len %u", len); 1769 1.40 dyoung return -1; 1770 1.40 dyoung } 1771 1.72 christos qosinfo = frm[offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1772 1.40 dyoung qosinfo &= WME_QOSINFO_COUNT; 1773 1.40 dyoung /* XXX do proper check for wraparound */ 1774 1.40 dyoung if (qosinfo == wme->wme_wmeChanParams.cap_info) 1775 1.40 dyoung return 0; 1776 1.72 christos frm += offsetof(struct ieee80211_wme_param, params_acParams); 1777 1.40 dyoung for (i = 0; i < WME_NUM_AC; i++) { 1778 1.40 dyoung struct wmeParams *wmep = 1779 1.40 dyoung &wme->wme_wmeChanParams.cap_wmeParams[i]; 1780 1.40 dyoung /* NB: ACI not used */ 1781 1.40 dyoung wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1782 1.40 dyoung wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1783 1.40 dyoung wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1784 1.40 dyoung wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1785 1.40 dyoung wmep->wmep_txopLimit = LE_READ_2(frm+2); 1786 1.40 dyoung frm += 4; 1787 1.40 dyoung } 1788 1.40 dyoung wme->wme_wmeChanParams.cap_info = qosinfo; 1789 1.40 dyoung return 1; 1790 1.40 dyoung #undef MS 1791 1.40 dyoung } 1792 1.40 dyoung 1793 1.47 skrll void 1794 1.40 dyoung ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie) 1795 1.40 dyoung { 1796 1.40 dyoung u_int ielen = ie[1]+2; 1797 1.40 dyoung /* 1798 1.40 dyoung * Record information element for later use. 1799 1.40 dyoung */ 1800 1.40 dyoung if (*iep == NULL || (*iep)[1] != ie[1]) { 1801 1.40 dyoung if (*iep != NULL) 1802 1.67 cegger free(*iep, M_DEVBUF); 1803 1.58 christos *iep = malloc(ielen, M_DEVBUF, M_NOWAIT); 1804 1.40 dyoung } 1805 1.40 dyoung if (*iep != NULL) 1806 1.40 dyoung memcpy(*iep, ie, ielen); 1807 1.40 dyoung /* XXX note failure */ 1808 1.40 dyoung } 1809 1.40 dyoung 1810 1.56 dyoung static void 1811 1.56 dyoung ieee80211_update_adhoc_node(struct ieee80211com *ic, struct ieee80211_node *ni, 1812 1.56 dyoung struct ieee80211_frame *wh, struct ieee80211_scanparams *scan, int rssi, 1813 1.56 dyoung u_int32_t rstamp) 1814 1.56 dyoung { 1815 1.56 dyoung if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 1816 1.56 dyoung /* 1817 1.56 dyoung * Create a new entry in the neighbor table. 1818 1.56 dyoung * Records the TSF. 1819 1.56 dyoung */ 1820 1.56 dyoung if ((ni = ieee80211_add_neighbor(ic, wh, scan)) == NULL) 1821 1.56 dyoung return; 1822 1.56 dyoung } else if (ni->ni_capinfo == 0) { 1823 1.56 dyoung /* 1824 1.56 dyoung * Initialize a node that was "faked up." Records 1825 1.56 dyoung * the TSF. 1826 1.56 dyoung * 1827 1.56 dyoung * No need to check for a change of BSSID: ni could 1828 1.56 dyoung * not have been the IBSS (ic_bss) 1829 1.56 dyoung */ 1830 1.56 dyoung ieee80211_init_neighbor(ic, ni, wh, scan, 0); 1831 1.56 dyoung } else { 1832 1.56 dyoung /* Record TSF for potential resync. */ 1833 1.56 dyoung memcpy(ni->ni_tstamp.data, scan->tstamp, sizeof(ni->ni_tstamp)); 1834 1.56 dyoung } 1835 1.56 dyoung 1836 1.56 dyoung ni->ni_rssi = rssi; 1837 1.56 dyoung ni->ni_rstamp = rstamp; 1838 1.56 dyoung 1839 1.56 dyoung /* Mark a neighbor's change of BSSID. */ 1840 1.56 dyoung if (IEEE80211_ADDR_EQ(wh->i_addr3, ni->ni_bssid)) 1841 1.56 dyoung return; 1842 1.56 dyoung 1843 1.56 dyoung IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1844 1.56 dyoung 1845 1.56 dyoung if (ni != ic->ic_bss) 1846 1.56 dyoung return; 1847 1.56 dyoung else if (ic->ic_flags & IEEE80211_F_DESBSSID) { 1848 1.56 dyoung /* 1849 1.56 dyoung * Now, ni does not represent a network we 1850 1.56 dyoung * want to belong to, so start a scan. 1851 1.56 dyoung */ 1852 1.56 dyoung ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1853 1.56 dyoung return; 1854 1.56 dyoung } else { 1855 1.56 dyoung /* 1856 1.56 dyoung * A RUN->RUN transition lets the driver 1857 1.56 dyoung * reprogram its BSSID filter. 1858 1.56 dyoung * 1859 1.56 dyoung * No need to SCAN, we already belong to 1860 1.56 dyoung * an IBSS that meets our criteria: channel, 1861 1.56 dyoung * SSID, etc. It could be harmful to scan, 1862 1.56 dyoung * too: if a scan does not detect nodes 1863 1.56 dyoung * belonging to my current IBSS, then we 1864 1.56 dyoung * will create a new IBSS at the end of 1865 1.56 dyoung * the scan, needlessly splitting the 1866 1.56 dyoung * network. 1867 1.56 dyoung */ 1868 1.56 dyoung ieee80211_new_state(ic, IEEE80211_S_RUN, 0); 1869 1.56 dyoung } 1870 1.56 dyoung } 1871 1.56 dyoung 1872 1.1 dyoung void 1873 1.1 dyoung ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 1874 1.1 dyoung struct ieee80211_node *ni, 1875 1.1 dyoung int subtype, int rssi, u_int32_t rstamp) 1876 1.1 dyoung { 1877 1.26 mycroft #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 1878 1.26 mycroft #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 1879 1.1 dyoung struct ieee80211_frame *wh; 1880 1.1 dyoung u_int8_t *frm, *efrm; 1881 1.40 dyoung u_int8_t *ssid, *rates, *xrates, *wpa, *wme; 1882 1.40 dyoung int reassoc, resp, allocbs; 1883 1.44 dyoung u_int8_t rate; 1884 1.85 christos IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 1885 1.1 dyoung 1886 1.1 dyoung wh = mtod(m0, struct ieee80211_frame *); 1887 1.1 dyoung frm = (u_int8_t *)&wh[1]; 1888 1.1 dyoung efrm = mtod(m0, u_int8_t *) + m0->m_len; 1889 1.1 dyoung switch (subtype) { 1890 1.1 dyoung case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1891 1.1 dyoung case IEEE80211_FC0_SUBTYPE_BEACON: { 1892 1.47 skrll struct ieee80211_scanparams scan; 1893 1.1 dyoung 1894 1.33 mycroft /* 1895 1.40 dyoung * We process beacon/probe response frames: 1896 1.40 dyoung * o when scanning, or 1897 1.40 dyoung * o station mode when associated (to collect state 1898 1.40 dyoung * updates such as 802.11g slot time), or 1899 1.40 dyoung * o adhoc mode (to discover neighbors) 1900 1.40 dyoung * Frames otherwise received are discarded. 1901 1.74 christos */ 1902 1.40 dyoung if (!((ic->ic_flags & IEEE80211_F_SCAN) || 1903 1.40 dyoung (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) || 1904 1.40 dyoung ic->ic_opmode == IEEE80211_M_IBSS)) { 1905 1.40 dyoung ic->ic_stats.is_rx_mgtdiscard++; 1906 1.40 dyoung return; 1907 1.1 dyoung } 1908 1.1 dyoung /* 1909 1.1 dyoung * beacon/probe response frame format 1910 1.1 dyoung * [8] time stamp 1911 1.1 dyoung * [2] beacon interval 1912 1.1 dyoung * [2] capability information 1913 1.1 dyoung * [tlv] ssid 1914 1.1 dyoung * [tlv] supported rates 1915 1.1 dyoung * [tlv] country information 1916 1.1 dyoung * [tlv] parameter set (FH/DS) 1917 1.1 dyoung * [tlv] erp information 1918 1.1 dyoung * [tlv] extended supported rates 1919 1.40 dyoung * [tlv] WME 1920 1.40 dyoung * [tlv] WPA or RSN 1921 1.1 dyoung */ 1922 1.1 dyoung IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 1923 1.47 skrll memset(&scan, 0, sizeof(scan)); 1924 1.47 skrll scan.tstamp = frm; frm += 8; 1925 1.47 skrll scan.bintval = le16toh(*(u_int16_t *)frm); frm += 2; 1926 1.47 skrll scan.capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 1927 1.47 skrll scan.bchan = ieee80211_chan2ieee(ic, ic->ic_curchan); 1928 1.47 skrll scan.chan = scan.bchan; 1929 1.47 skrll 1930 1.1 dyoung while (frm < efrm) { 1931 1.1 dyoung switch (*frm) { 1932 1.1 dyoung case IEEE80211_ELEMID_SSID: 1933 1.47 skrll scan.ssid = frm; 1934 1.1 dyoung break; 1935 1.1 dyoung case IEEE80211_ELEMID_RATES: 1936 1.47 skrll scan.rates = frm; 1937 1.1 dyoung break; 1938 1.1 dyoung case IEEE80211_ELEMID_COUNTRY: 1939 1.47 skrll scan.country = frm; 1940 1.1 dyoung break; 1941 1.1 dyoung case IEEE80211_ELEMID_FHPARMS: 1942 1.1 dyoung if (ic->ic_phytype == IEEE80211_T_FH) { 1943 1.47 skrll scan.fhdwell = LE_READ_2(&frm[2]); 1944 1.47 skrll scan.chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1945 1.47 skrll scan.fhindex = frm[6]; 1946 1.1 dyoung } 1947 1.1 dyoung break; 1948 1.1 dyoung case IEEE80211_ELEMID_DSPARMS: 1949 1.1 dyoung /* 1950 1.1 dyoung * XXX hack this since depending on phytype 1951 1.1 dyoung * is problematic for multi-mode devices. 1952 1.1 dyoung */ 1953 1.1 dyoung if (ic->ic_phytype != IEEE80211_T_FH) 1954 1.47 skrll scan.chan = frm[2]; 1955 1.1 dyoung break; 1956 1.1 dyoung case IEEE80211_ELEMID_TIM: 1957 1.40 dyoung /* XXX ATIM? */ 1958 1.47 skrll scan.tim = frm; 1959 1.47 skrll scan.timoff = frm - mtod(m0, u_int8_t *); 1960 1.1 dyoung break; 1961 1.22 dyoung case IEEE80211_ELEMID_IBSSPARMS: 1962 1.22 dyoung break; 1963 1.1 dyoung case IEEE80211_ELEMID_XRATES: 1964 1.47 skrll scan.xrates = frm; 1965 1.1 dyoung break; 1966 1.1 dyoung case IEEE80211_ELEMID_ERP: 1967 1.1 dyoung if (frm[1] != 1) { 1968 1.40 dyoung IEEE80211_DISCARD_IE(ic, 1969 1.40 dyoung IEEE80211_MSG_ELEMID, wh, "ERP", 1970 1.40 dyoung "bad len %u", frm[1]); 1971 1.16 dyoung ic->ic_stats.is_rx_elem_toobig++; 1972 1.1 dyoung break; 1973 1.1 dyoung } 1974 1.47 skrll scan.erp = frm[2]; 1975 1.1 dyoung break; 1976 1.40 dyoung case IEEE80211_ELEMID_RSN: 1977 1.47 skrll scan.wpa = frm; 1978 1.40 dyoung break; 1979 1.40 dyoung case IEEE80211_ELEMID_VENDOR: 1980 1.40 dyoung if (iswpaoui(frm)) 1981 1.47 skrll scan.wpa = frm; 1982 1.40 dyoung else if (iswmeparam(frm) || iswmeinfo(frm)) 1983 1.47 skrll scan.wme = frm; 1984 1.40 dyoung /* XXX Atheros OUI support */ 1985 1.40 dyoung break; 1986 1.1 dyoung default: 1987 1.40 dyoung IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 1988 1.40 dyoung wh, "unhandled", 1989 1.40 dyoung "id %u, len %u", *frm, frm[1]); 1990 1.16 dyoung ic->ic_stats.is_rx_elem_unknown++; 1991 1.1 dyoung break; 1992 1.1 dyoung } 1993 1.1 dyoung frm += frm[1] + 2; 1994 1.1 dyoung } 1995 1.47 skrll IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE); 1996 1.47 skrll IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN); 1997 1.1 dyoung if ( 1998 1.1 dyoung #if IEEE80211_CHAN_MAX < 255 1999 1.47 skrll scan.chan > IEEE80211_CHAN_MAX || 2000 1.1 dyoung #endif 2001 1.47 skrll isclr(ic->ic_chan_active, scan.chan)) { 2002 1.47 skrll IEEE80211_DISCARD(ic, 2003 1.47 skrll IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2004 1.40 dyoung wh, ieee80211_mgt_subtype_name[subtype >> 2005 1.40 dyoung IEEE80211_FC0_SUBTYPE_SHIFT], 2006 1.47 skrll "invalid channel %u", scan.chan); 2007 1.16 dyoung ic->ic_stats.is_rx_badchan++; 2008 1.1 dyoung return; 2009 1.1 dyoung } 2010 1.47 skrll if (scan.chan != scan.bchan && 2011 1.47 skrll ic->ic_phytype != IEEE80211_T_FH) { 2012 1.1 dyoung /* 2013 1.1 dyoung * Frame was received on a channel different from the 2014 1.19 onoe * one indicated in the DS params element id; 2015 1.1 dyoung * silently discard it. 2016 1.1 dyoung * 2017 1.1 dyoung * NB: this can happen due to signal leakage. 2018 1.19 onoe * But we should take it for FH phy because 2019 1.19 onoe * the rssi value should be correct even for 2020 1.19 onoe * different hop pattern in FH. 2021 1.1 dyoung */ 2022 1.47 skrll IEEE80211_DISCARD(ic, 2023 1.47 skrll IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2024 1.40 dyoung wh, ieee80211_mgt_subtype_name[subtype >> 2025 1.40 dyoung IEEE80211_FC0_SUBTYPE_SHIFT], 2026 1.47 skrll "for off-channel %u", scan.chan); 2027 1.16 dyoung ic->ic_stats.is_rx_chanmismatch++; 2028 1.1 dyoung return; 2029 1.1 dyoung } 2030 1.47 skrll if (!(IEEE80211_BINTVAL_MIN <= scan.bintval && 2031 1.47 skrll scan.bintval <= IEEE80211_BINTVAL_MAX)) { 2032 1.47 skrll IEEE80211_DISCARD(ic, 2033 1.47 skrll IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 2034 1.47 skrll wh, ieee80211_mgt_subtype_name[subtype >> 2035 1.47 skrll IEEE80211_FC0_SUBTYPE_SHIFT], 2036 1.47 skrll "bogus beacon interval", scan.bintval); 2037 1.47 skrll ic->ic_stats.is_rx_badbintval++; 2038 1.47 skrll return; 2039 1.47 skrll } 2040 1.1 dyoung 2041 1.42 dyoung if (ni != ic->ic_bss) { 2042 1.42 dyoung ni = ieee80211_refine_node_for_beacon(ic, ni, 2043 1.47 skrll &ic->ic_channels[scan.chan], scan.ssid); 2044 1.42 dyoung } 2045 1.1 dyoung /* 2046 1.40 dyoung * Count frame now that we know it's to be processed. 2047 1.40 dyoung */ 2048 1.40 dyoung if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 2049 1.40 dyoung ic->ic_stats.is_rx_beacon++; /* XXX remove */ 2050 1.40 dyoung IEEE80211_NODE_STAT(ni, rx_beacons); 2051 1.40 dyoung } else 2052 1.40 dyoung IEEE80211_NODE_STAT(ni, rx_proberesp); 2053 1.40 dyoung 2054 1.40 dyoung /* 2055 1.40 dyoung * When operating in station mode, check for state updates. 2056 1.40 dyoung * Be careful to ignore beacons received while doing a 2057 1.40 dyoung * background scan. We consider only 11g/WMM stuff right now. 2058 1.1 dyoung */ 2059 1.40 dyoung if (ic->ic_opmode == IEEE80211_M_STA && 2060 1.40 dyoung ni->ni_associd != 0 && 2061 1.40 dyoung ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 2062 1.40 dyoung IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 2063 1.44 dyoung /* record tsf of last beacon */ 2064 1.47 skrll memcpy(ni->ni_tstamp.data, scan.tstamp, 2065 1.44 dyoung sizeof(ni->ni_tstamp)); 2066 1.47 skrll if (ni->ni_erp != scan.erp) { 2067 1.40 dyoung IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2068 1.40 dyoung "[%s] erp change: was 0x%x, now 0x%x\n", 2069 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), 2070 1.85 christos wh->i_addr2), ni->ni_erp, scan.erp); 2071 1.44 dyoung if (ic->ic_curmode == IEEE80211_MODE_11G && 2072 1.44 dyoung (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2073 1.40 dyoung ic->ic_flags |= IEEE80211_F_USEPROT; 2074 1.40 dyoung else 2075 1.40 dyoung ic->ic_flags &= ~IEEE80211_F_USEPROT; 2076 1.47 skrll ni->ni_erp = scan.erp; 2077 1.40 dyoung /* XXX statistic */ 2078 1.40 dyoung } 2079 1.47 skrll if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) { 2080 1.40 dyoung IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2081 1.40 dyoung "[%s] capabilities change: before 0x%x," 2082 1.40 dyoung " now 0x%x\n", 2083 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), 2084 1.85 christos wh->i_addr2), 2085 1.47 skrll ni->ni_capinfo, scan.capinfo); 2086 1.40 dyoung /* 2087 1.40 dyoung * NB: we assume short preamble doesn't 2088 1.40 dyoung * change dynamically 2089 1.40 dyoung */ 2090 1.40 dyoung ieee80211_set_shortslottime(ic, 2091 1.40 dyoung ic->ic_curmode == IEEE80211_MODE_11A || 2092 1.40 dyoung (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2093 1.47 skrll ni->ni_capinfo = scan.capinfo; 2094 1.40 dyoung /* XXX statistic */ 2095 1.4 dyoung } 2096 1.47 skrll if (scan.wme != NULL && 2097 1.44 dyoung (ni->ni_flags & IEEE80211_NODE_QOS) && 2098 1.47 skrll ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0) 2099 1.40 dyoung ieee80211_wme_updateparams(ic); 2100 1.47 skrll if (scan.tim != NULL) { 2101 1.44 dyoung struct ieee80211_tim_ie *ie = 2102 1.47 skrll (struct ieee80211_tim_ie *) scan.tim; 2103 1.44 dyoung 2104 1.44 dyoung ni->ni_dtim_count = ie->tim_count; 2105 1.44 dyoung ni->ni_dtim_period = ie->tim_period; 2106 1.44 dyoung } 2107 1.47 skrll if (ic->ic_flags & IEEE80211_F_SCAN) 2108 1.47 skrll ieee80211_add_scan(ic, &scan, wh, 2109 1.47 skrll subtype, rssi, rstamp); 2110 1.57 dyoung ic->ic_bmiss_count = 0; 2111 1.47 skrll return; 2112 1.1 dyoung } 2113 1.47 skrll /* 2114 1.47 skrll * If scanning, just pass information to the scan module. 2115 1.47 skrll */ 2116 1.47 skrll if (ic->ic_flags & IEEE80211_F_SCAN) { 2117 1.60 tacha if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 2118 1.60 tacha /* 2119 1.60 tacha * Actively scanning a channel marked passive; 2120 1.60 tacha * send a probe request now that we know there 2121 1.60 tacha * is 802.11 traffic present. 2122 1.60 tacha * 2123 1.60 tacha * XXX check if the beacon we recv'd gives 2124 1.60 tacha * us what we need and suppress the probe req 2125 1.60 tacha */ 2126 1.60 tacha ieee80211_probe_curchan(ic, 1); 2127 1.60 tacha ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 2128 1.60 tacha } 2129 1.47 skrll ieee80211_add_scan(ic, &scan, wh, 2130 1.47 skrll subtype, rssi, rstamp); 2131 1.47 skrll return; 2132 1.33 mycroft } 2133 1.56 dyoung if (scan.capinfo & IEEE80211_CAPINFO_IBSS) 2134 1.56 dyoung ieee80211_update_adhoc_node(ic, ni, wh, &scan, rssi, 2135 1.56 dyoung rstamp); 2136 1.1 dyoung break; 2137 1.1 dyoung } 2138 1.1 dyoung 2139 1.44 dyoung case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2140 1.40 dyoung if (ic->ic_opmode == IEEE80211_M_STA || 2141 1.40 dyoung ic->ic_state != IEEE80211_S_RUN) { 2142 1.40 dyoung ic->ic_stats.is_rx_mgtdiscard++; 2143 1.1 dyoung return; 2144 1.40 dyoung } 2145 1.40 dyoung if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 2146 1.40 dyoung /* frame must be directed */ 2147 1.40 dyoung ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */ 2148 1.1 dyoung return; 2149 1.40 dyoung } 2150 1.1 dyoung 2151 1.1 dyoung /* 2152 1.1 dyoung * prreq frame format 2153 1.1 dyoung * [tlv] ssid 2154 1.1 dyoung * [tlv] supported rates 2155 1.1 dyoung * [tlv] extended supported rates 2156 1.1 dyoung */ 2157 1.1 dyoung ssid = rates = xrates = NULL; 2158 1.1 dyoung while (frm < efrm) { 2159 1.1 dyoung switch (*frm) { 2160 1.1 dyoung case IEEE80211_ELEMID_SSID: 2161 1.1 dyoung ssid = frm; 2162 1.1 dyoung break; 2163 1.1 dyoung case IEEE80211_ELEMID_RATES: 2164 1.1 dyoung rates = frm; 2165 1.1 dyoung break; 2166 1.1 dyoung case IEEE80211_ELEMID_XRATES: 2167 1.1 dyoung xrates = frm; 2168 1.1 dyoung break; 2169 1.1 dyoung } 2170 1.1 dyoung frm += frm[1] + 2; 2171 1.1 dyoung } 2172 1.1 dyoung IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2173 1.1 dyoung IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2174 1.40 dyoung IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2175 1.40 dyoung if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 2176 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 2177 1.40 dyoung wh, ieee80211_mgt_subtype_name[subtype >> 2178 1.40 dyoung IEEE80211_FC0_SUBTYPE_SHIFT], 2179 1.40 dyoung "%s", "no ssid with ssid suppression enabled"); 2180 1.40 dyoung ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/ 2181 1.40 dyoung return; 2182 1.40 dyoung } 2183 1.1 dyoung 2184 1.1 dyoung if (ni == ic->ic_bss) { 2185 1.50 dyoung if (ic->ic_opmode != IEEE80211_M_IBSS) 2186 1.50 dyoung ni = ieee80211_tmp_node(ic, wh->i_addr2); 2187 1.50 dyoung else if (IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) 2188 1.50 dyoung ; 2189 1.50 dyoung else { 2190 1.40 dyoung /* 2191 1.40 dyoung * XXX Cannot tell if the sender is operating 2192 1.40 dyoung * in ibss mode. But we need a new node to 2193 1.40 dyoung * send the response so blindly add them to the 2194 1.40 dyoung * neighbor table. 2195 1.40 dyoung */ 2196 1.40 dyoung ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2197 1.40 dyoung wh->i_addr2); 2198 1.50 dyoung } 2199 1.22 dyoung if (ni == NULL) 2200 1.1 dyoung return; 2201 1.40 dyoung allocbs = 1; 2202 1.40 dyoung } else 2203 1.40 dyoung allocbs = 0; 2204 1.40 dyoung IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2205 1.85 christos "[%s] recv probe req\n", ether_snprintf( 2206 1.85 christos ebuf, sizeof(ebuf), wh->i_addr2)); 2207 1.1 dyoung ni->ni_rssi = rssi; 2208 1.1 dyoung ni->ni_rstamp = rstamp; 2209 1.47 skrll rate = ieee80211_setup_rates(ni, rates, xrates, 2210 1.73 christos IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE 2211 1.73 christos | IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2212 1.1 dyoung if (rate & IEEE80211_RATE_BASIC) { 2213 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE, 2214 1.40 dyoung wh, ieee80211_mgt_subtype_name[subtype >> 2215 1.40 dyoung IEEE80211_FC0_SUBTYPE_SHIFT], 2216 1.40 dyoung "%s", "recv'd rate set invalid"); 2217 1.1 dyoung } else { 2218 1.1 dyoung IEEE80211_SEND_MGMT(ic, ni, 2219 1.1 dyoung IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2220 1.1 dyoung } 2221 1.40 dyoung if (allocbs && ic->ic_opmode != IEEE80211_M_IBSS) { 2222 1.40 dyoung /* reclaim immediately */ 2223 1.40 dyoung ieee80211_free_node(ni); 2224 1.40 dyoung } 2225 1.1 dyoung break; 2226 1.1 dyoung 2227 1.1 dyoung case IEEE80211_FC0_SUBTYPE_AUTH: { 2228 1.1 dyoung u_int16_t algo, seq, status; 2229 1.1 dyoung /* 2230 1.1 dyoung * auth frame format 2231 1.1 dyoung * [2] algorithm 2232 1.1 dyoung * [2] sequence 2233 1.1 dyoung * [2] status 2234 1.1 dyoung * [tlv*] challenge 2235 1.1 dyoung */ 2236 1.1 dyoung IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2237 1.1 dyoung algo = le16toh(*(u_int16_t *)frm); 2238 1.1 dyoung seq = le16toh(*(u_int16_t *)(frm + 2)); 2239 1.1 dyoung status = le16toh(*(u_int16_t *)(frm + 4)); 2240 1.25 mycroft IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2241 1.40 dyoung "[%s] recv auth frame with algorithm %d seq %d\n", 2242 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), algo, seq); 2243 1.40 dyoung /* 2244 1.40 dyoung * Consult the ACL policy module if setup. 2245 1.40 dyoung */ 2246 1.40 dyoung if (ic->ic_acl != NULL && 2247 1.40 dyoung !ic->ic_acl->iac_check(ic, wh->i_addr2)) { 2248 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL, 2249 1.40 dyoung wh, "auth", "%s", "disallowed by ACL"); 2250 1.40 dyoung ic->ic_stats.is_rx_acl++; 2251 1.47 skrll if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2252 1.47 skrll IEEE80211_SEND_MGMT(ic, ni, 2253 1.47 skrll IEEE80211_FC0_SUBTYPE_AUTH, 2254 1.47 skrll (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2255 1.47 skrll } 2256 1.40 dyoung return; 2257 1.40 dyoung } 2258 1.40 dyoung if (ic->ic_flags & IEEE80211_F_COUNTERM) { 2259 1.40 dyoung IEEE80211_DISCARD(ic, 2260 1.40 dyoung IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2261 1.40 dyoung wh, "auth", "%s", "TKIP countermeasures enabled"); 2262 1.40 dyoung ic->ic_stats.is_rx_auth_countermeasures++; 2263 1.41 dyoung #ifndef IEEE80211_NO_HOSTAP 2264 1.40 dyoung if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2265 1.40 dyoung IEEE80211_SEND_MGMT(ic, ni, 2266 1.40 dyoung IEEE80211_FC0_SUBTYPE_AUTH, 2267 1.40 dyoung IEEE80211_REASON_MIC_FAILURE); 2268 1.40 dyoung } 2269 1.41 dyoung #endif /* !IEEE80211_NO_HOSTAP */ 2270 1.40 dyoung return; 2271 1.40 dyoung } 2272 1.7 dyoung if (algo == IEEE80211_AUTH_ALG_SHARED) 2273 1.7 dyoung ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 2274 1.7 dyoung rstamp, seq, status); 2275 1.7 dyoung else if (algo == IEEE80211_AUTH_ALG_OPEN) 2276 1.7 dyoung ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 2277 1.7 dyoung status); 2278 1.7 dyoung else { 2279 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2280 1.40 dyoung wh, "auth", "unsupported alg %d", algo); 2281 1.16 dyoung ic->ic_stats.is_rx_auth_unsupported++; 2282 1.41 dyoung #ifndef IEEE80211_NO_HOSTAP 2283 1.40 dyoung if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2284 1.40 dyoung /* XXX not right */ 2285 1.40 dyoung IEEE80211_SEND_MGMT(ic, ni, 2286 1.40 dyoung IEEE80211_FC0_SUBTYPE_AUTH, 2287 1.40 dyoung (seq+1) | (IEEE80211_STATUS_ALG<<16)); 2288 1.40 dyoung } 2289 1.41 dyoung #endif /* !IEEE80211_NO_HOSTAP */ 2290 1.1 dyoung return; 2291 1.74 christos } 2292 1.1 dyoung break; 2293 1.1 dyoung } 2294 1.1 dyoung 2295 1.1 dyoung case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2296 1.1 dyoung case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2297 1.47 skrll u_int16_t capinfo, lintval; 2298 1.40 dyoung struct ieee80211_rsnparms rsn; 2299 1.40 dyoung u_int8_t reason; 2300 1.1 dyoung 2301 1.1 dyoung if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2302 1.40 dyoung ic->ic_state != IEEE80211_S_RUN) { 2303 1.40 dyoung ic->ic_stats.is_rx_mgtdiscard++; 2304 1.1 dyoung return; 2305 1.40 dyoung } 2306 1.1 dyoung 2307 1.1 dyoung if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2308 1.1 dyoung reassoc = 1; 2309 1.1 dyoung resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2310 1.1 dyoung } else { 2311 1.1 dyoung reassoc = 0; 2312 1.1 dyoung resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2313 1.1 dyoung } 2314 1.1 dyoung /* 2315 1.1 dyoung * asreq frame format 2316 1.1 dyoung * [2] capability information 2317 1.1 dyoung * [2] listen interval 2318 1.1 dyoung * [6*] current AP address (reassoc only) 2319 1.1 dyoung * [tlv] ssid 2320 1.1 dyoung * [tlv] supported rates 2321 1.1 dyoung * [tlv] extended supported rates 2322 1.40 dyoung * [tlv] WPA or RSN 2323 1.1 dyoung */ 2324 1.1 dyoung IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 2325 1.1 dyoung if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2326 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2327 1.40 dyoung wh, ieee80211_mgt_subtype_name[subtype >> 2328 1.40 dyoung IEEE80211_FC0_SUBTYPE_SHIFT], 2329 1.40 dyoung "%s", "wrong bssid"); 2330 1.16 dyoung ic->ic_stats.is_rx_assoc_bss++; 2331 1.1 dyoung return; 2332 1.1 dyoung } 2333 1.1 dyoung capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 2334 1.47 skrll lintval = le16toh(*(u_int16_t *)frm); frm += 2; 2335 1.1 dyoung if (reassoc) 2336 1.1 dyoung frm += 6; /* ignore current AP info */ 2337 1.40 dyoung ssid = rates = xrates = wpa = wme = NULL; 2338 1.1 dyoung while (frm < efrm) { 2339 1.1 dyoung switch (*frm) { 2340 1.1 dyoung case IEEE80211_ELEMID_SSID: 2341 1.1 dyoung ssid = frm; 2342 1.1 dyoung break; 2343 1.1 dyoung case IEEE80211_ELEMID_RATES: 2344 1.1 dyoung rates = frm; 2345 1.1 dyoung break; 2346 1.1 dyoung case IEEE80211_ELEMID_XRATES: 2347 1.1 dyoung xrates = frm; 2348 1.1 dyoung break; 2349 1.40 dyoung /* XXX verify only one of RSN and WPA ie's? */ 2350 1.40 dyoung case IEEE80211_ELEMID_RSN: 2351 1.40 dyoung wpa = frm; 2352 1.40 dyoung break; 2353 1.40 dyoung case IEEE80211_ELEMID_VENDOR: 2354 1.47 skrll if (iswpaoui(frm)) 2355 1.47 skrll wpa = frm; 2356 1.47 skrll else if (iswmeinfo(frm)) 2357 1.40 dyoung wme = frm; 2358 1.40 dyoung /* XXX Atheros OUI support */ 2359 1.40 dyoung break; 2360 1.1 dyoung } 2361 1.1 dyoung frm += frm[1] + 2; 2362 1.1 dyoung } 2363 1.1 dyoung IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2364 1.1 dyoung IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2365 1.40 dyoung IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2366 1.27 mycroft 2367 1.40 dyoung if (ni == ic->ic_bss) { 2368 1.25 mycroft IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2369 1.40 dyoung "[%s] deny %s request, sta not authenticated\n", 2370 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2371 1.40 dyoung reassoc ? "reassoc" : "assoc"); 2372 1.44 dyoung ieee80211_send_error(ic, ni, wh->i_addr2, 2373 1.44 dyoung IEEE80211_FC0_SUBTYPE_DEAUTH, 2374 1.44 dyoung IEEE80211_REASON_ASSOC_NOT_AUTHED); 2375 1.16 dyoung ic->ic_stats.is_rx_assoc_notauth++; 2376 1.1 dyoung return; 2377 1.7 dyoung } 2378 1.40 dyoung /* assert right associstion security credentials */ 2379 1.40 dyoung if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) { 2380 1.40 dyoung IEEE80211_DPRINTF(ic, 2381 1.40 dyoung IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2382 1.40 dyoung "[%s] no WPA/RSN IE in association request\n", 2383 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2)); 2384 1.40 dyoung IEEE80211_SEND_MGMT(ic, ni, 2385 1.40 dyoung IEEE80211_FC0_SUBTYPE_DEAUTH, 2386 1.40 dyoung IEEE80211_REASON_RSN_REQUIRED); 2387 1.40 dyoung ieee80211_node_leave(ic, ni); 2388 1.40 dyoung /* XXX distinguish WPA/RSN? */ 2389 1.40 dyoung ic->ic_stats.is_rx_assoc_badwpaie++; 2390 1.74 christos return; 2391 1.40 dyoung } 2392 1.40 dyoung if (wpa != NULL) { 2393 1.40 dyoung /* 2394 1.40 dyoung * Parse WPA information element. Note that 2395 1.40 dyoung * we initialize the param block from the node 2396 1.40 dyoung * state so that information in the IE overrides 2397 1.40 dyoung * our defaults. The resulting parameters are 2398 1.40 dyoung * installed below after the association is assured. 2399 1.40 dyoung */ 2400 1.40 dyoung rsn = ni->ni_rsn; 2401 1.40 dyoung if (wpa[0] != IEEE80211_ELEMID_RSN) 2402 1.40 dyoung reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh); 2403 1.40 dyoung else 2404 1.40 dyoung reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh); 2405 1.40 dyoung if (reason != 0) { 2406 1.40 dyoung IEEE80211_SEND_MGMT(ic, ni, 2407 1.40 dyoung IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 2408 1.40 dyoung ieee80211_node_leave(ic, ni); 2409 1.40 dyoung /* XXX distinguish WPA/RSN? */ 2410 1.40 dyoung ic->ic_stats.is_rx_assoc_badwpaie++; 2411 1.40 dyoung return; 2412 1.40 dyoung } 2413 1.40 dyoung IEEE80211_DPRINTF(ic, 2414 1.40 dyoung IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2415 1.40 dyoung "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n", 2416 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2417 1.40 dyoung wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN", 2418 1.40 dyoung rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen, 2419 1.40 dyoung rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen, 2420 1.40 dyoung rsn.rsn_keymgmt, rsn.rsn_caps); 2421 1.40 dyoung } 2422 1.7 dyoung /* discard challenge after association */ 2423 1.7 dyoung if (ni->ni_challenge != NULL) { 2424 1.67 cegger free(ni->ni_challenge, M_DEVBUF); 2425 1.7 dyoung ni->ni_challenge = NULL; 2426 1.1 dyoung } 2427 1.44 dyoung /* NB: 802.11 spec says to ignore station's privacy bit */ 2428 1.44 dyoung if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2429 1.25 mycroft IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2430 1.40 dyoung "[%s] deny %s request, capability mismatch 0x%x\n", 2431 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2432 1.40 dyoung reassoc ? "reassoc" : "assoc", capinfo); 2433 1.1 dyoung IEEE80211_SEND_MGMT(ic, ni, resp, 2434 1.1 dyoung IEEE80211_STATUS_CAPINFO); 2435 1.29 mycroft ieee80211_node_leave(ic, ni); 2436 1.16 dyoung ic->ic_stats.is_rx_assoc_capmismatch++; 2437 1.1 dyoung return; 2438 1.1 dyoung } 2439 1.47 skrll rate = ieee80211_setup_rates(ni, rates, xrates, 2440 1.73 christos IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE | 2441 1.73 christos IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2442 1.44 dyoung /* 2443 1.44 dyoung * If constrained to 11g-only stations reject an 2444 1.44 dyoung * 11b-only station. We cheat a bit here by looking 2445 1.44 dyoung * at the max negotiated xmit rate and assuming anyone 2446 1.44 dyoung * with a best rate <24Mb/s is an 11b station. 2447 1.44 dyoung */ 2448 1.44 dyoung if ((rate & IEEE80211_RATE_BASIC) || 2449 1.44 dyoung ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48)) { 2450 1.25 mycroft IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2451 1.40 dyoung "[%s] deny %s request, rate set mismatch\n", 2452 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2453 1.40 dyoung reassoc ? "reassoc" : "assoc"); 2454 1.1 dyoung IEEE80211_SEND_MGMT(ic, ni, resp, 2455 1.1 dyoung IEEE80211_STATUS_BASIC_RATE); 2456 1.29 mycroft ieee80211_node_leave(ic, ni); 2457 1.16 dyoung ic->ic_stats.is_rx_assoc_norate++; 2458 1.1 dyoung return; 2459 1.1 dyoung } 2460 1.1 dyoung ni->ni_rssi = rssi; 2461 1.1 dyoung ni->ni_rstamp = rstamp; 2462 1.47 skrll ni->ni_intval = lintval; 2463 1.1 dyoung ni->ni_capinfo = capinfo; 2464 1.1 dyoung ni->ni_chan = ic->ic_bss->ni_chan; 2465 1.1 dyoung ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 2466 1.1 dyoung ni->ni_fhindex = ic->ic_bss->ni_fhindex; 2467 1.40 dyoung if (wpa != NULL) { 2468 1.40 dyoung /* 2469 1.40 dyoung * Record WPA/RSN parameters for station, mark 2470 1.40 dyoung * node as using WPA and record information element 2471 1.40 dyoung * for applications that require it. 2472 1.40 dyoung */ 2473 1.40 dyoung ni->ni_rsn = rsn; 2474 1.40 dyoung ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2475 1.40 dyoung } else if (ni->ni_wpa_ie != NULL) { 2476 1.40 dyoung /* 2477 1.40 dyoung * Flush any state from a previous association. 2478 1.40 dyoung */ 2479 1.67 cegger free(ni->ni_wpa_ie, M_DEVBUF); 2480 1.40 dyoung ni->ni_wpa_ie = NULL; 2481 1.40 dyoung } 2482 1.40 dyoung if (wme != NULL) { 2483 1.40 dyoung /* 2484 1.40 dyoung * Record WME parameters for station, mark node 2485 1.40 dyoung * as capable of QoS and record information 2486 1.40 dyoung * element for applications that require it. 2487 1.40 dyoung */ 2488 1.40 dyoung ieee80211_saveie(&ni->ni_wme_ie, wme); 2489 1.40 dyoung ni->ni_flags |= IEEE80211_NODE_QOS; 2490 1.40 dyoung } else if (ni->ni_wme_ie != NULL) { 2491 1.40 dyoung /* 2492 1.40 dyoung * Flush any state from a previous association. 2493 1.40 dyoung */ 2494 1.67 cegger free(ni->ni_wme_ie, M_DEVBUF); 2495 1.40 dyoung ni->ni_wme_ie = NULL; 2496 1.40 dyoung ni->ni_flags &= ~IEEE80211_NODE_QOS; 2497 1.40 dyoung } 2498 1.29 mycroft ieee80211_node_join(ic, ni, resp); 2499 1.1 dyoung break; 2500 1.1 dyoung } 2501 1.1 dyoung 2502 1.1 dyoung case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2503 1.1 dyoung case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 2504 1.40 dyoung u_int16_t capinfo, associd; 2505 1.1 dyoung u_int16_t status; 2506 1.1 dyoung 2507 1.1 dyoung if (ic->ic_opmode != IEEE80211_M_STA || 2508 1.26 mycroft ic->ic_state != IEEE80211_S_ASSOC) { 2509 1.26 mycroft ic->ic_stats.is_rx_mgtdiscard++; 2510 1.1 dyoung return; 2511 1.26 mycroft } 2512 1.1 dyoung 2513 1.1 dyoung /* 2514 1.1 dyoung * asresp frame format 2515 1.1 dyoung * [2] capability information 2516 1.1 dyoung * [2] status 2517 1.1 dyoung * [2] association ID 2518 1.1 dyoung * [tlv] supported rates 2519 1.1 dyoung * [tlv] extended supported rates 2520 1.40 dyoung * [tlv] WME 2521 1.1 dyoung */ 2522 1.1 dyoung IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2523 1.1 dyoung ni = ic->ic_bss; 2524 1.40 dyoung capinfo = le16toh(*(u_int16_t *)frm); 2525 1.1 dyoung frm += 2; 2526 1.1 dyoung status = le16toh(*(u_int16_t *)frm); 2527 1.1 dyoung frm += 2; 2528 1.1 dyoung if (status != 0) { 2529 1.26 mycroft IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2530 1.40 dyoung "[%s] %sassoc failed (reason %d)\n", 2531 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2532 1.40 dyoung ISREASSOC(subtype) ? "re" : "", status); 2533 1.40 dyoung if (ni != ic->ic_bss) /* XXX never true? */ 2534 1.1 dyoung ni->ni_fails++; 2535 1.40 dyoung ic->ic_stats.is_rx_auth_fail++; /* XXX */ 2536 1.1 dyoung return; 2537 1.1 dyoung } 2538 1.40 dyoung associd = le16toh(*(u_int16_t *)frm); 2539 1.1 dyoung frm += 2; 2540 1.1 dyoung 2541 1.40 dyoung rates = xrates = wpa = wme = NULL; 2542 1.1 dyoung while (frm < efrm) { 2543 1.1 dyoung switch (*frm) { 2544 1.1 dyoung case IEEE80211_ELEMID_RATES: 2545 1.1 dyoung rates = frm; 2546 1.1 dyoung break; 2547 1.1 dyoung case IEEE80211_ELEMID_XRATES: 2548 1.1 dyoung xrates = frm; 2549 1.1 dyoung break; 2550 1.40 dyoung case IEEE80211_ELEMID_VENDOR: 2551 1.40 dyoung if (iswmeoui(frm)) 2552 1.40 dyoung wme = frm; 2553 1.40 dyoung /* XXX Atheros OUI support */ 2554 1.40 dyoung break; 2555 1.1 dyoung } 2556 1.1 dyoung frm += frm[1] + 2; 2557 1.1 dyoung } 2558 1.1 dyoung 2559 1.1 dyoung IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2560 1.47 skrll rate = ieee80211_setup_rates(ni, rates, xrates, 2561 1.73 christos IEEE80211_R_DOSORT | IEEE80211_R_DOFRATE | 2562 1.73 christos IEEE80211_R_DONEGO | IEEE80211_R_DODEL); 2563 1.44 dyoung if (rate & IEEE80211_RATE_BASIC) { 2564 1.40 dyoung IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2565 1.40 dyoung "[%s] %sassoc failed (rate set mismatch)\n", 2566 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2567 1.40 dyoung ISREASSOC(subtype) ? "re" : ""); 2568 1.40 dyoung if (ni != ic->ic_bss) /* XXX never true? */ 2569 1.40 dyoung ni->ni_fails++; 2570 1.40 dyoung ic->ic_stats.is_rx_assoc_norate++; 2571 1.44 dyoung ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 2572 1.40 dyoung return; 2573 1.40 dyoung } 2574 1.40 dyoung 2575 1.40 dyoung ni->ni_capinfo = capinfo; 2576 1.40 dyoung ni->ni_associd = associd; 2577 1.40 dyoung if (wme != NULL && 2578 1.40 dyoung ieee80211_parse_wmeparams(ic, wme, wh) >= 0) { 2579 1.40 dyoung ni->ni_flags |= IEEE80211_NODE_QOS; 2580 1.40 dyoung ieee80211_wme_updateparams(ic); 2581 1.40 dyoung } else 2582 1.40 dyoung ni->ni_flags &= ~IEEE80211_NODE_QOS; 2583 1.40 dyoung /* 2584 1.40 dyoung * Configure state now that we are associated. 2585 1.40 dyoung * 2586 1.40 dyoung * XXX may need different/additional driver callbacks? 2587 1.40 dyoung */ 2588 1.40 dyoung if (ic->ic_curmode == IEEE80211_MODE_11A || 2589 1.40 dyoung (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { 2590 1.40 dyoung ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2591 1.40 dyoung ic->ic_flags &= ~IEEE80211_F_USEBARKER; 2592 1.40 dyoung } else { 2593 1.40 dyoung ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2594 1.40 dyoung ic->ic_flags |= IEEE80211_F_USEBARKER; 2595 1.40 dyoung } 2596 1.40 dyoung ieee80211_set_shortslottime(ic, 2597 1.40 dyoung ic->ic_curmode == IEEE80211_MODE_11A || 2598 1.40 dyoung (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2599 1.40 dyoung /* 2600 1.40 dyoung * Honor ERP protection. 2601 1.40 dyoung * 2602 1.40 dyoung * NB: ni_erp should zero for non-11g operation. 2603 1.40 dyoung * XXX check ic_curmode anyway? 2604 1.40 dyoung */ 2605 1.44 dyoung if (ic->ic_curmode == IEEE80211_MODE_11G && 2606 1.44 dyoung (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2607 1.40 dyoung ic->ic_flags |= IEEE80211_F_USEPROT; 2608 1.40 dyoung else 2609 1.40 dyoung ic->ic_flags &= ~IEEE80211_F_USEPROT; 2610 1.40 dyoung IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2611 1.40 dyoung "[%s] %sassoc success: %s preamble, %s slot time%s%s\n", 2612 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), 2613 1.40 dyoung ISREASSOC(subtype) ? "re" : "", 2614 1.40 dyoung ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 2615 1.40 dyoung ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 2616 1.40 dyoung ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 2617 1.40 dyoung ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "" 2618 1.40 dyoung ); 2619 1.40 dyoung ieee80211_new_state(ic, IEEE80211_S_RUN, subtype); 2620 1.1 dyoung break; 2621 1.1 dyoung } 2622 1.1 dyoung 2623 1.1 dyoung case IEEE80211_FC0_SUBTYPE_DEAUTH: { 2624 1.1 dyoung u_int16_t reason; 2625 1.40 dyoung 2626 1.40 dyoung if (ic->ic_state == IEEE80211_S_SCAN) { 2627 1.40 dyoung ic->ic_stats.is_rx_mgtdiscard++; 2628 1.40 dyoung return; 2629 1.40 dyoung } 2630 1.1 dyoung /* 2631 1.1 dyoung * deauth frame format 2632 1.1 dyoung * [2] reason 2633 1.1 dyoung */ 2634 1.1 dyoung IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2635 1.1 dyoung reason = le16toh(*(u_int16_t *)frm); 2636 1.85 christos __USE(reason); 2637 1.16 dyoung ic->ic_stats.is_rx_deauth++; 2638 1.40 dyoung IEEE80211_NODE_STAT(ni, rx_deauth); 2639 1.44 dyoung 2640 1.61 dyoung if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2641 1.61 dyoung /* Not intended for this station. */ 2642 1.61 dyoung ic->ic_stats.is_rx_mgtdiscard++; 2643 1.61 dyoung break; 2644 1.61 dyoung } 2645 1.44 dyoung IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2646 1.44 dyoung "[%s] recv deauthenticate (reason %d)\n", 2647 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), reason); 2648 1.1 dyoung switch (ic->ic_opmode) { 2649 1.1 dyoung case IEEE80211_M_STA: 2650 1.1 dyoung ieee80211_new_state(ic, IEEE80211_S_AUTH, 2651 1.1 dyoung wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2652 1.1 dyoung break; 2653 1.1 dyoung case IEEE80211_M_HOSTAP: 2654 1.41 dyoung #ifndef IEEE80211_NO_HOSTAP 2655 1.44 dyoung if (ni != ic->ic_bss) 2656 1.29 mycroft ieee80211_node_leave(ic, ni); 2657 1.41 dyoung #endif /* !IEEE80211_NO_HOSTAP */ 2658 1.1 dyoung break; 2659 1.1 dyoung default: 2660 1.40 dyoung ic->ic_stats.is_rx_mgtdiscard++; 2661 1.1 dyoung break; 2662 1.1 dyoung } 2663 1.1 dyoung break; 2664 1.1 dyoung } 2665 1.1 dyoung 2666 1.1 dyoung case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2667 1.1 dyoung u_int16_t reason; 2668 1.40 dyoung 2669 1.40 dyoung if (ic->ic_state != IEEE80211_S_RUN && 2670 1.44 dyoung ic->ic_state != IEEE80211_S_ASSOC && 2671 1.40 dyoung ic->ic_state != IEEE80211_S_AUTH) { 2672 1.40 dyoung ic->ic_stats.is_rx_mgtdiscard++; 2673 1.40 dyoung return; 2674 1.40 dyoung } 2675 1.1 dyoung /* 2676 1.1 dyoung * disassoc frame format 2677 1.1 dyoung * [2] reason 2678 1.1 dyoung */ 2679 1.1 dyoung IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2680 1.1 dyoung reason = le16toh(*(u_int16_t *)frm); 2681 1.85 christos __USE(reason); 2682 1.16 dyoung ic->ic_stats.is_rx_disassoc++; 2683 1.40 dyoung IEEE80211_NODE_STAT(ni, rx_disassoc); 2684 1.44 dyoung 2685 1.61 dyoung if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) { 2686 1.61 dyoung /* Not intended for this station. */ 2687 1.61 dyoung ic->ic_stats.is_rx_mgtdiscard++; 2688 1.61 dyoung break; 2689 1.61 dyoung } 2690 1.44 dyoung IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2691 1.47 skrll "[%s] recv disassociate (reason %d)\n", 2692 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), reason); 2693 1.1 dyoung switch (ic->ic_opmode) { 2694 1.1 dyoung case IEEE80211_M_STA: 2695 1.1 dyoung ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2696 1.1 dyoung wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2697 1.1 dyoung break; 2698 1.1 dyoung case IEEE80211_M_HOSTAP: 2699 1.41 dyoung #ifndef IEEE80211_NO_HOSTAP 2700 1.44 dyoung if (ni != ic->ic_bss) 2701 1.29 mycroft ieee80211_node_leave(ic, ni); 2702 1.41 dyoung #endif /* !IEEE80211_NO_HOSTAP */ 2703 1.1 dyoung break; 2704 1.1 dyoung default: 2705 1.40 dyoung ic->ic_stats.is_rx_mgtdiscard++; 2706 1.1 dyoung break; 2707 1.1 dyoung } 2708 1.1 dyoung break; 2709 1.1 dyoung } 2710 1.1 dyoung default: 2711 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2712 1.40 dyoung wh, "mgt", "subtype 0x%x not handled", subtype); 2713 1.16 dyoung ic->ic_stats.is_rx_badsubtype++; 2714 1.1 dyoung break; 2715 1.1 dyoung } 2716 1.40 dyoung #undef ISREASSOC 2717 1.40 dyoung #undef ISPROBE 2718 1.5 dyoung } 2719 1.40 dyoung #undef IEEE80211_VERIFY_LENGTH 2720 1.40 dyoung #undef IEEE80211_VERIFY_ELEMENT 2721 1.5 dyoung 2722 1.41 dyoung #ifndef IEEE80211_NO_HOSTAP 2723 1.40 dyoung /* 2724 1.40 dyoung * Handle station power-save state change. 2725 1.40 dyoung */ 2726 1.5 dyoung static void 2727 1.40 dyoung ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable) 2728 1.5 dyoung { 2729 1.40 dyoung struct ieee80211com *ic = ni->ni_ic; 2730 1.5 dyoung struct mbuf *m; 2731 1.85 christos IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 2732 1.5 dyoung 2733 1.40 dyoung if (enable) { 2734 1.40 dyoung if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0) 2735 1.40 dyoung ic->ic_ps_sta++; 2736 1.40 dyoung ni->ni_flags |= IEEE80211_NODE_PWR_MGT; 2737 1.40 dyoung IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2738 1.40 dyoung "[%s] power save mode on, %u sta's in ps mode\n", 2739 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 2740 1.85 christos ic->ic_ps_sta); 2741 1.5 dyoung return; 2742 1.40 dyoung } 2743 1.5 dyoung 2744 1.40 dyoung if (ni->ni_flags & IEEE80211_NODE_PWR_MGT) 2745 1.40 dyoung ic->ic_ps_sta--; 2746 1.40 dyoung ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT; 2747 1.40 dyoung IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2748 1.40 dyoung "[%s] power save mode off, %u sta's in ps mode\n", 2749 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), ic->ic_ps_sta); 2750 1.40 dyoung /* XXX if no stations in ps mode, flush mc frames */ 2751 1.5 dyoung 2752 1.40 dyoung /* 2753 1.40 dyoung * Flush queued unicast frames. 2754 1.40 dyoung */ 2755 1.40 dyoung if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) { 2756 1.44 dyoung if (ic->ic_set_tim != NULL) 2757 1.47 skrll ic->ic_set_tim(ni, 0); /* just in case */ 2758 1.5 dyoung return; 2759 1.5 dyoung } 2760 1.40 dyoung IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2761 1.40 dyoung "[%s] flush ps queue, %u packets queued\n", 2762 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), 2763 1.85 christos IEEE80211_NODE_SAVEQ_QLEN(ni)); 2764 1.40 dyoung for (;;) { 2765 1.40 dyoung int qlen; 2766 1.40 dyoung 2767 1.40 dyoung IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2768 1.40 dyoung if (m == NULL) 2769 1.40 dyoung break; 2770 1.74 christos /* 2771 1.40 dyoung * If this is the last packet, turn off the TIM bit. 2772 1.40 dyoung * If there are more packets, set the more packets bit 2773 1.44 dyoung * in the mbuf so ieee80211_encap will mark the 802.11 2774 1.44 dyoung * head to indicate more data frames will follow. 2775 1.40 dyoung */ 2776 1.44 dyoung if (qlen != 0) 2777 1.44 dyoung m->m_flags |= M_MORE_DATA; 2778 1.40 dyoung /* XXX need different driver interface */ 2779 1.40 dyoung /* XXX bypasses q max */ 2780 1.40 dyoung IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2781 1.40 dyoung } 2782 1.44 dyoung if (ic->ic_set_tim != NULL) 2783 1.47 skrll ic->ic_set_tim(ni, 0); 2784 1.40 dyoung } 2785 1.5 dyoung 2786 1.40 dyoung /* 2787 1.40 dyoung * Process a received ps-poll frame. 2788 1.40 dyoung */ 2789 1.40 dyoung static void 2790 1.40 dyoung ieee80211_recv_pspoll(struct ieee80211com *ic, 2791 1.40 dyoung struct ieee80211_node *ni, struct mbuf *m0) 2792 1.40 dyoung { 2793 1.40 dyoung struct ieee80211_frame_min *wh; 2794 1.40 dyoung struct mbuf *m; 2795 1.40 dyoung u_int16_t aid; 2796 1.40 dyoung int qlen; 2797 1.85 christos IEEE80211_DEBUGVAR(char ebuf[3 * ETHER_ADDR_LEN]); 2798 1.40 dyoung 2799 1.40 dyoung wh = mtod(m0, struct ieee80211_frame_min *); 2800 1.40 dyoung if (ni->ni_associd == 0) { 2801 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2802 1.40 dyoung (struct ieee80211_frame *) wh, "ps-poll", 2803 1.40 dyoung "%s", "unassociated station"); 2804 1.40 dyoung ic->ic_stats.is_ps_unassoc++; 2805 1.40 dyoung IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2806 1.40 dyoung IEEE80211_REASON_NOT_ASSOCED); 2807 1.5 dyoung return; 2808 1.5 dyoung } 2809 1.5 dyoung 2810 1.40 dyoung aid = le16toh(*(u_int16_t *)wh->i_dur); 2811 1.5 dyoung if (aid != ni->ni_associd) { 2812 1.40 dyoung IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2813 1.40 dyoung (struct ieee80211_frame *) wh, "ps-poll", 2814 1.40 dyoung "aid mismatch: sta aid 0x%x poll aid 0x%x", 2815 1.40 dyoung ni->ni_associd, aid); 2816 1.40 dyoung ic->ic_stats.is_ps_badaid++; 2817 1.40 dyoung IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2818 1.40 dyoung IEEE80211_REASON_NOT_ASSOCED); 2819 1.5 dyoung return; 2820 1.5 dyoung } 2821 1.5 dyoung 2822 1.5 dyoung /* Okay, take the first queued packet and put it out... */ 2823 1.40 dyoung IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2824 1.5 dyoung if (m == NULL) { 2825 1.40 dyoung IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2826 1.40 dyoung "[%s] recv ps-poll, but queue empty\n", 2827 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2)); 2828 1.47 skrll ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2829 1.40 dyoung ic->ic_stats.is_ps_qempty++; /* XXX node stat */ 2830 1.44 dyoung if (ic->ic_set_tim != NULL) 2831 1.47 skrll ic->ic_set_tim(ni, 0); /* just in case */ 2832 1.5 dyoung return; 2833 1.5 dyoung } 2834 1.74 christos /* 2835 1.40 dyoung * If there are more packets, set the more packets bit 2836 1.40 dyoung * in the packet dispatched to the station; otherwise 2837 1.40 dyoung * turn off the TIM bit. 2838 1.5 dyoung */ 2839 1.40 dyoung if (qlen != 0) { 2840 1.40 dyoung IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2841 1.40 dyoung "[%s] recv ps-poll, send packet, %u still queued\n", 2842 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), qlen); 2843 1.44 dyoung m->m_flags |= M_MORE_DATA; 2844 1.5 dyoung } else { 2845 1.40 dyoung IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2846 1.40 dyoung "[%s] recv ps-poll, send packet, queue empty\n", 2847 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr)); 2848 1.44 dyoung if (ic->ic_set_tim != NULL) 2849 1.47 skrll ic->ic_set_tim(ni, 0); 2850 1.5 dyoung } 2851 1.40 dyoung m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2852 1.40 dyoung IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2853 1.40 dyoung } 2854 1.41 dyoung #endif /* !IEEE80211_NO_HOSTAP */ 2855 1.5 dyoung 2856 1.40 dyoung #ifdef IEEE80211_DEBUG 2857 1.40 dyoung /* 2858 1.40 dyoung * Debugging support. 2859 1.40 dyoung */ 2860 1.5 dyoung 2861 1.40 dyoung /* 2862 1.40 dyoung * Return the bssid of a frame. 2863 1.40 dyoung */ 2864 1.40 dyoung static const u_int8_t * 2865 1.40 dyoung ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh) 2866 1.40 dyoung { 2867 1.40 dyoung if (ic->ic_opmode == IEEE80211_M_STA) 2868 1.40 dyoung return wh->i_addr2; 2869 1.40 dyoung if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS) 2870 1.40 dyoung return wh->i_addr1; 2871 1.40 dyoung if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL) 2872 1.40 dyoung return wh->i_addr1; 2873 1.40 dyoung return wh->i_addr3; 2874 1.1 dyoung } 2875 1.31 dyoung 2876 1.47 skrll void 2877 1.47 skrll ieee80211_note(struct ieee80211com *ic, const char *fmt, ...) 2878 1.47 skrll { 2879 1.47 skrll char buf[128]; /* XXX */ 2880 1.47 skrll va_list ap; 2881 1.47 skrll 2882 1.47 skrll va_start(ap, fmt); 2883 1.47 skrll vsnprintf(buf, sizeof(buf), fmt, ap); 2884 1.47 skrll va_end(ap); 2885 1.47 skrll 2886 1.47 skrll if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */ 2887 1.47 skrll } 2888 1.47 skrll 2889 1.47 skrll void 2890 1.47 skrll ieee80211_note_frame(struct ieee80211com *ic, 2891 1.47 skrll const struct ieee80211_frame *wh, 2892 1.47 skrll const char *fmt, ...) 2893 1.47 skrll { 2894 1.47 skrll char buf[128]; /* XXX */ 2895 1.47 skrll va_list ap; 2896 1.85 christos char ebuf[3 * ETHER_ADDR_LEN]; 2897 1.47 skrll 2898 1.47 skrll va_start(ap, fmt); 2899 1.47 skrll vsnprintf(buf, sizeof(buf), fmt, ap); 2900 1.47 skrll va_end(ap); 2901 1.47 skrll if_printf(ic->ic_ifp, "[%s] %s\n", 2902 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), 2903 1.85 christos ieee80211_getbssid(ic, wh)), buf); 2904 1.47 skrll } 2905 1.47 skrll 2906 1.47 skrll void 2907 1.47 skrll ieee80211_note_mac(struct ieee80211com *ic, 2908 1.47 skrll const u_int8_t mac[IEEE80211_ADDR_LEN], 2909 1.47 skrll const char *fmt, ...) 2910 1.47 skrll { 2911 1.47 skrll char buf[128]; /* XXX */ 2912 1.47 skrll va_list ap; 2913 1.85 christos char ebuf[3 * ETHER_ADDR_LEN]; 2914 1.47 skrll 2915 1.47 skrll va_start(ap, fmt); 2916 1.47 skrll vsnprintf(buf, sizeof(buf), fmt, ap); 2917 1.47 skrll va_end(ap); 2918 1.85 christos if_printf(ic->ic_ifp, "[%s] %s\n", ether_snprintf(ebuf, sizeof(ebuf), 2919 1.85 christos mac), buf); 2920 1.47 skrll } 2921 1.47 skrll 2922 1.40 dyoung static void 2923 1.40 dyoung ieee80211_discard_frame(struct ieee80211com *ic, 2924 1.40 dyoung const struct ieee80211_frame *wh, 2925 1.40 dyoung const char *type, const char *fmt, ...) 2926 1.31 dyoung { 2927 1.40 dyoung va_list ap; 2928 1.85 christos char ebuf[3 * ETHER_ADDR_LEN]; 2929 1.31 dyoung 2930 1.47 skrll printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2931 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), ieee80211_getbssid(ic, wh))); 2932 1.40 dyoung if (type != NULL) 2933 1.47 skrll printf("%s frame, ", type); 2934 1.40 dyoung else 2935 1.47 skrll printf("frame, "); 2936 1.40 dyoung va_start(ap, fmt); 2937 1.40 dyoung vprintf(fmt, ap); 2938 1.40 dyoung va_end(ap); 2939 1.40 dyoung printf("\n"); 2940 1.31 dyoung } 2941 1.31 dyoung 2942 1.40 dyoung static void 2943 1.40 dyoung ieee80211_discard_ie(struct ieee80211com *ic, 2944 1.40 dyoung const struct ieee80211_frame *wh, 2945 1.40 dyoung const char *type, const char *fmt, ...) 2946 1.31 dyoung { 2947 1.40 dyoung va_list ap; 2948 1.85 christos char ebuf[3 * ETHER_ADDR_LEN]; 2949 1.31 dyoung 2950 1.47 skrll printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2951 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), ieee80211_getbssid(ic, wh))); 2952 1.40 dyoung if (type != NULL) 2953 1.47 skrll printf("%s information element, ", type); 2954 1.40 dyoung else 2955 1.47 skrll printf("information element, "); 2956 1.40 dyoung va_start(ap, fmt); 2957 1.40 dyoung vprintf(fmt, ap); 2958 1.40 dyoung va_end(ap); 2959 1.40 dyoung printf("\n"); 2960 1.40 dyoung } 2961 1.31 dyoung 2962 1.40 dyoung static void 2963 1.40 dyoung ieee80211_discard_mac(struct ieee80211com *ic, 2964 1.40 dyoung const u_int8_t mac[IEEE80211_ADDR_LEN], 2965 1.40 dyoung const char *type, const char *fmt, ...) 2966 1.40 dyoung { 2967 1.40 dyoung va_list ap; 2968 1.85 christos char ebuf[3 * ETHER_ADDR_LEN]; 2969 1.31 dyoung 2970 1.85 christos printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2971 1.85 christos ether_snprintf(ebuf, sizeof(ebuf), mac)); 2972 1.40 dyoung if (type != NULL) 2973 1.47 skrll printf("%s frame, ", type); 2974 1.40 dyoung else 2975 1.47 skrll printf("frame, "); 2976 1.40 dyoung va_start(ap, fmt); 2977 1.40 dyoung vprintf(fmt, ap); 2978 1.40 dyoung va_end(ap); 2979 1.40 dyoung printf("\n"); 2980 1.31 dyoung } 2981 1.40 dyoung #endif /* IEEE80211_DEBUG */ 2982
Indexes created Mon Sep 22 05:09:51 GMT 2025