ieee80211_input.c revision 1.31
1 /* $NetBSD: ieee80211_input.c,v 1.31 2004/07/24 23:53:49 dyoung Exp $ */ 2 /*- 3 * Copyright (c) 2001 Atsushi Onoe 4 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote products 16 * derived from this software without specific prior written permission. 17 * 18 * Alternatively, this software may be distributed under the terms of the 19 * GNU General Public License ("GPL") version 2 as published by the Free 20 * Software Foundation. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 #ifdef __FreeBSD__ 36 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.20 2004/04/02 23:35:24 sam Exp $"); 37 #else 38 __KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.31 2004/07/24 23:53:49 dyoung Exp $"); 39 #endif 40 41 #include "opt_inet.h" 42 43 #ifdef __NetBSD__ 44 #include "bpfilter.h" 45 #endif /* __NetBSD__ */ 46 47 #include <sys/param.h> 48 #include <sys/systm.h> 49 #include <sys/mbuf.h> 50 #include <sys/malloc.h> 51 #include <sys/kernel.h> 52 #include <sys/socket.h> 53 #include <sys/sockio.h> 54 #include <sys/endian.h> 55 #include <sys/errno.h> 56 #ifdef __FreeBSD__ 57 #include <sys/bus.h> 58 #endif 59 #include <sys/proc.h> 60 #include <sys/sysctl.h> 61 62 #ifdef __FreeBSD__ 63 #include <machine/atomic.h> 64 #endif 65 66 #include <net/if.h> 67 #include <net/if_dl.h> 68 #include <net/if_media.h> 69 #include <net/if_arp.h> 70 #ifdef __FreeBSD__ 71 #include <net/ethernet.h> 72 #else 73 #include <net/if_ether.h> 74 #endif 75 #include <net/if_llc.h> 76 77 #include <net80211/ieee80211_var.h> 78 #include <net80211/ieee80211_compat.h> 79 80 #if NBPFILTER > 0 81 #include <net/bpf.h> 82 #endif 83 84 #ifdef INET 85 #include <netinet/in.h> 86 #ifdef __FreeBSD__ 87 #include <netinet/if_ether.h> 88 #else 89 #include <net/if_ether.h> 90 #endif 91 #endif 92 93 const struct timeval ieee80211_merge_print_intvl = {.tv_sec = 1, .tv_usec = 0}; 94 95 static void ieee80211_recv_pspoll(struct ieee80211com *, 96 struct mbuf *, int, u_int32_t); 97 98 #ifdef IEEE80211_DEBUG 99 /* 100 * Decide if a received management frame should be 101 * printed when debugging is enabled. This filters some 102 * of the less interesting frames that come frequently 103 * (e.g. beacons). 104 */ 105 static __inline int 106 doprint(struct ieee80211com *ic, int subtype) 107 { 108 switch (subtype) { 109 case IEEE80211_FC0_SUBTYPE_BEACON: 110 return (ic->ic_state == IEEE80211_S_SCAN); 111 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 112 return (ic->ic_opmode == IEEE80211_M_IBSS); 113 } 114 return 1; 115 } 116 #endif 117 118 /* 119 * Process a received frame. The node associated with the sender 120 * should be supplied. If nothing was found in the node table then 121 * the caller is assumed to supply a reference to ic_bss instead. 122 * The RSSI and a timestamp are also supplied. The RSSI data is used 123 * during AP scanning to select a AP to associate with; it can have 124 * any units so long as values have consistent units and higher values 125 * mean ``better signal''. The receive timestamp is currently not used 126 * by the 802.11 layer. 127 */ 128 void 129 ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni, 130 int rssi, u_int32_t rstamp) 131 { 132 struct ieee80211com *ic = (void *)ifp; 133 struct ieee80211_frame *wh; 134 struct ether_header *eh; 135 struct mbuf *m1; 136 int len; 137 u_int8_t dir, type, subtype; 138 u_int8_t *bssid; 139 u_int16_t rxseq; 140 ALTQ_DECL(struct altq_pktattr pktattr;) 141 142 IASSERT(ni != NULL, ("null node")); 143 144 /* trim CRC here so WEP can find its own CRC at the end of packet. */ 145 if (m->m_flags & M_HASFCS) { 146 m_adj(m, -IEEE80211_CRC_LEN); 147 m->m_flags &= ~M_HASFCS; 148 } 149 150 /* 151 * In monitor mode, send everything directly to bpf. 152 * Also do not process frames w/o i_addr2 any further. 153 * XXX may want to include the CRC 154 */ 155 if (ic->ic_opmode == IEEE80211_M_MONITOR || 156 m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) 157 goto out; 158 159 wh = mtod(m, struct ieee80211_frame *); 160 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 161 IEEE80211_FC0_VERSION_0) { 162 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 163 ("receive packet with wrong version: %x\n", 164 wh->i_fc[0])); 165 ic->ic_stats.is_rx_badversion++; 166 goto err; 167 } 168 169 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 170 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 171 /* 172 * NB: We are not yet prepared to handle control frames, 173 * but permitting drivers to send them to us allows 174 * them to go through bpf tapping at the 802.11 layer. 175 */ 176 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 177 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 178 ("%s: frame too short, len %u\n", 179 __func__, m->m_pkthdr.len)); 180 ic->ic_stats.is_rx_tooshort++; 181 goto out; 182 } 183 if (ic->ic_state != IEEE80211_S_SCAN) { 184 switch (ic->ic_opmode) { 185 case IEEE80211_M_STA: 186 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 187 /* not interested in */ 188 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 189 ("%s: discard frame from " 190 "bss %s\n", __func__, 191 ether_sprintf(wh->i_addr2))); 192 ic->ic_stats.is_rx_wrongbss++; 193 goto out; 194 } 195 break; 196 case IEEE80211_M_IBSS: 197 case IEEE80211_M_AHDEMO: 198 case IEEE80211_M_HOSTAP: 199 if (dir == IEEE80211_FC1_DIR_NODS) 200 bssid = wh->i_addr3; 201 else 202 bssid = wh->i_addr1; 203 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 204 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr) && 205 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == 206 IEEE80211_FC0_TYPE_DATA) { 207 /* not interested in */ 208 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 209 ("%s: discard data frame from bss %s\n", 210 __func__, ether_sprintf(bssid))); 211 ic->ic_stats.is_rx_wrongbss++; 212 goto out; 213 } 214 break; 215 case IEEE80211_M_MONITOR: 216 goto out; 217 default: 218 /* XXX catch bad values */ 219 break; 220 } 221 ni->ni_rssi = rssi; 222 ni->ni_rstamp = rstamp; 223 rxseq = ni->ni_rxseq; 224 ni->ni_rxseq = 225 le16toh(*(u_int16_t *)wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; 226 /* TODO: fragment */ 227 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 228 rxseq == ni->ni_rxseq) { 229 /* duplicate, silently discarded */ 230 ic->ic_stats.is_rx_dup++; /* XXX per-station stat */ 231 goto out; 232 } 233 ni->ni_inact = 0; 234 } 235 236 if (ic->ic_set_tim != NULL && 237 (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) 238 && ni->ni_pwrsave == 0) { 239 /* turn on power save mode */ 240 241 if (ifp->if_flags & IFF_DEBUG) 242 printf("%s: power save mode on for %s\n", 243 ifp->if_xname, ether_sprintf(wh->i_addr2)); 244 245 ni->ni_pwrsave = IEEE80211_PS_SLEEP; 246 } 247 if (ic->ic_set_tim != NULL && 248 (wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) == 0 && 249 ni->ni_pwrsave != 0) { 250 /* turn off power save mode, dequeue stored packets */ 251 252 ni->ni_pwrsave = 0; 253 if (ic->ic_set_tim) 254 ic->ic_set_tim(ic, ni->ni_associd, 0); 255 256 if (ifp->if_flags & IFF_DEBUG) 257 printf("%s: power save mode off for %s\n", 258 ifp->if_xname, ether_sprintf(wh->i_addr2)); 259 260 while (!IF_IS_EMPTY(&ni->ni_savedq)) { 261 struct mbuf *m; 262 IF_DEQUEUE(&ni->ni_savedq, m); 263 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 264 (*ifp->if_start)(ifp); 265 } 266 } 267 268 switch (type) { 269 case IEEE80211_FC0_TYPE_DATA: 270 switch (ic->ic_opmode) { 271 case IEEE80211_M_STA: 272 if (dir != IEEE80211_FC1_DIR_FROMDS) { 273 ic->ic_stats.is_rx_wrongdir++; 274 goto out; 275 } 276 if ((ifp->if_flags & IFF_SIMPLEX) && 277 IEEE80211_IS_MULTICAST(wh->i_addr1) && 278 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 279 /* 280 * In IEEE802.11 network, multicast packet 281 * sent from me is broadcasted from AP. 282 * It should be silently discarded for 283 * SIMPLEX interface. 284 */ 285 ic->ic_stats.is_rx_mcastecho++; 286 goto out; 287 } 288 break; 289 case IEEE80211_M_IBSS: 290 case IEEE80211_M_AHDEMO: 291 if (dir != IEEE80211_FC1_DIR_NODS) { 292 ic->ic_stats.is_rx_wrongdir++; 293 goto out; 294 } 295 break; 296 case IEEE80211_M_HOSTAP: 297 if (dir != IEEE80211_FC1_DIR_TODS) { 298 ic->ic_stats.is_rx_wrongdir++; 299 goto out; 300 } 301 /* check if source STA is associated */ 302 if (ni == ic->ic_bss) { 303 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 304 ("%s: data from unknown src %s\n", 305 __func__, ether_sprintf(wh->i_addr2))); 306 /* NB: caller deals with reference */ 307 ni = ieee80211_dup_bss(ic, wh->i_addr2); 308 if (ni != NULL) { 309 IEEE80211_SEND_MGMT(ic, ni, 310 IEEE80211_FC0_SUBTYPE_DEAUTH, 311 IEEE80211_REASON_NOT_AUTHED); 312 ieee80211_free_node(ic, ni); 313 } 314 ic->ic_stats.is_rx_notassoc++; 315 goto err; 316 } 317 if (ni->ni_associd == 0) { 318 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 319 ("%s: data from unassoc src %s\n", 320 __func__, ether_sprintf(wh->i_addr2))); 321 IEEE80211_SEND_MGMT(ic, ni, 322 IEEE80211_FC0_SUBTYPE_DISASSOC, 323 IEEE80211_REASON_NOT_ASSOCED); 324 ieee80211_unref_node(&ni); 325 ic->ic_stats.is_rx_notassoc++; 326 goto err; 327 } 328 break; 329 case IEEE80211_M_MONITOR: 330 break; 331 } 332 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 333 if (ic->ic_flags & IEEE80211_F_PRIVACY) { 334 m = ieee80211_wep_crypt(ifp, m, 0); 335 if (m == NULL) { 336 ic->ic_stats.is_rx_wepfail++; 337 goto err; 338 } 339 wh = mtod(m, struct ieee80211_frame *); 340 } else { 341 ic->ic_stats.is_rx_nowep++; 342 goto out; 343 } 344 } 345 #if NBPFILTER > 0 346 /* copy to listener after decrypt */ 347 if (ic->ic_rawbpf) 348 bpf_mtap(ic->ic_rawbpf, m); 349 #endif 350 m = ieee80211_decap(ifp, m); 351 if (m == NULL) { 352 IEEE80211_DPRINTF(ic, IEEE80211_MSG_INPUT, 353 ("%s: decapsulation error for src %s\n", 354 __func__, ether_sprintf(wh->i_addr2))); 355 ic->ic_stats.is_rx_decap++; 356 goto err; 357 } 358 ifp->if_ipackets++; 359 360 /* perform as a bridge within the AP */ 361 m1 = NULL; 362 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 363 eh = mtod(m, struct ether_header *); 364 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 365 m1 = m_copypacket(m, M_DONTWAIT); 366 if (m1 == NULL) 367 ifp->if_oerrors++; 368 else 369 m1->m_flags |= M_MCAST; 370 } else { 371 ni = ieee80211_find_node(ic, eh->ether_dhost); 372 if (ni != NULL) { 373 if (ni->ni_associd != 0) { 374 m1 = m; 375 m = NULL; 376 } 377 ieee80211_free_node(ic, ni); 378 } 379 } 380 if (m1 != NULL) { 381 #ifdef ALTQ 382 if (ALTQ_IS_ENABLED(&ifp->if_snd)) 383 altq_etherclassify(&ifp->if_snd, m1, 384 &pktattr); 385 #endif 386 len = m1->m_pkthdr.len; 387 IF_ENQUEUE(&ifp->if_snd, m1); 388 if (m != NULL) 389 ifp->if_omcasts++; 390 ifp->if_obytes += len; 391 } 392 } 393 if (m != NULL) { 394 #if NBPFILTER > 0 395 /* 396 * If we forward packet into transmitter of the AP, 397 * we don't need to duplicate for DLT_EN10MB. 398 */ 399 if (ifp->if_bpf && m1 == NULL) 400 bpf_mtap(ifp->if_bpf, m); 401 #endif 402 (*ifp->if_input)(ifp, m); 403 } 404 return; 405 406 case IEEE80211_FC0_TYPE_MGT: 407 if (dir != IEEE80211_FC1_DIR_NODS) { 408 ic->ic_stats.is_rx_wrongdir++; 409 goto err; 410 } 411 if (ic->ic_opmode == IEEE80211_M_AHDEMO) { 412 ic->ic_stats.is_rx_ahdemo_mgt++; 413 goto out; 414 } 415 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 416 417 /* drop frames without interest */ 418 if (ic->ic_state == IEEE80211_S_SCAN) { 419 if (subtype != IEEE80211_FC0_SUBTYPE_BEACON && 420 subtype != IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 421 ic->ic_stats.is_rx_mgtdiscard++; 422 goto out; 423 } 424 } else { 425 if (ic->ic_opmode != IEEE80211_M_IBSS && 426 subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 427 ic->ic_stats.is_rx_mgtdiscard++; 428 goto out; 429 } 430 } 431 432 #ifdef IEEE80211_DEBUG 433 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 434 ieee80211_msg_dumppkts(ic)) { 435 if_printf(ifp, "received %s from %s rssi %d\n", 436 ieee80211_mgt_subtype_name[subtype 437 >> IEEE80211_FC0_SUBTYPE_SHIFT], 438 ether_sprintf(wh->i_addr2), rssi); 439 } 440 #endif 441 #if NBPFILTER > 0 442 if (ic->ic_rawbpf) 443 bpf_mtap(ic->ic_rawbpf, m); 444 #endif 445 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 446 m_freem(m); 447 return; 448 449 case IEEE80211_FC0_TYPE_CTL: 450 ic->ic_stats.is_rx_ctl++; 451 if (ic->ic_opmode != IEEE80211_M_HOSTAP) 452 goto out; 453 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 454 if (subtype == IEEE80211_FC0_SUBTYPE_PS_POLL) { 455 /* XXX statistic */ 456 /* Dump out a single packet from the host */ 457 if (ifp->if_flags & IFF_DEBUG) 458 printf("%s: got power save probe from %s\n", 459 ifp->if_xname, 460 ether_sprintf(wh->i_addr2)); 461 ieee80211_recv_pspoll(ic, m, rssi, rstamp); 462 } 463 goto out; 464 default: 465 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 466 ("%s: bad frame type %x\n", __func__, type)); 467 /* should not come here */ 468 break; 469 } 470 err: 471 ifp->if_ierrors++; 472 out: 473 if (m != NULL) { 474 #if NBPFILTER > 0 475 if (ic->ic_rawbpf) 476 bpf_mtap(ic->ic_rawbpf, m); 477 #endif 478 m_freem(m); 479 } 480 } 481 482 struct mbuf * 483 ieee80211_decap(struct ifnet *ifp, struct mbuf *m) 484 { 485 struct ether_header *eh; 486 struct ieee80211_frame wh; 487 struct llc *llc; 488 489 if (m->m_len < sizeof(wh) + sizeof(*llc)) { 490 m = m_pullup(m, sizeof(wh) + sizeof(*llc)); 491 if (m == NULL) 492 return NULL; 493 } 494 memcpy(&wh, mtod(m, caddr_t), sizeof(wh)); 495 llc = (struct llc *)(mtod(m, caddr_t) + sizeof(wh)); 496 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 497 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 498 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 499 m_adj(m, sizeof(wh) + sizeof(struct llc) - sizeof(*eh)); 500 llc = NULL; 501 } else { 502 m_adj(m, sizeof(wh) - sizeof(*eh)); 503 } 504 eh = mtod(m, struct ether_header *); 505 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 506 case IEEE80211_FC1_DIR_NODS: 507 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 508 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 509 break; 510 case IEEE80211_FC1_DIR_TODS: 511 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 512 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 513 break; 514 case IEEE80211_FC1_DIR_FROMDS: 515 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 516 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 517 break; 518 case IEEE80211_FC1_DIR_DSTODS: 519 /* not yet supported */ 520 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 521 ("%s: discard DS to DS frame\n", __func__)); 522 m_freem(m); 523 return NULL; 524 } 525 #ifdef ALIGNED_POINTER 526 if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), u_int32_t)) { 527 struct mbuf *n, *n0, **np; 528 caddr_t newdata; 529 int off, pktlen; 530 531 n0 = NULL; 532 np = &n0; 533 off = 0; 534 pktlen = m->m_pkthdr.len; 535 while (pktlen > off) { 536 if (n0 == NULL) { 537 MGETHDR(n, M_DONTWAIT, MT_DATA); 538 if (n == NULL) { 539 m_freem(m); 540 return NULL; 541 } 542 #ifdef __FreeBSD__ 543 M_MOVE_PKTHDR(n, m); 544 #else 545 M_COPY_PKTHDR(n, m); 546 #endif 547 n->m_len = MHLEN; 548 } else { 549 MGET(n, M_DONTWAIT, MT_DATA); 550 if (n == NULL) { 551 m_freem(m); 552 m_freem(n0); 553 return NULL; 554 } 555 n->m_len = MLEN; 556 } 557 if (pktlen - off >= MINCLSIZE) { 558 MCLGET(n, M_DONTWAIT); 559 if (n->m_flags & M_EXT) 560 n->m_len = n->m_ext.ext_size; 561 } 562 if (n0 == NULL) { 563 newdata = 564 (caddr_t)ALIGN(n->m_data + sizeof(*eh)) - 565 sizeof(*eh); 566 n->m_len -= newdata - n->m_data; 567 n->m_data = newdata; 568 } 569 if (n->m_len > pktlen - off) 570 n->m_len = pktlen - off; 571 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 572 off += n->m_len; 573 *np = n; 574 np = &n->m_next; 575 } 576 m_freem(m); 577 m = n0; 578 } 579 #endif /* ALIGNED_POINTER */ 580 if (llc != NULL) { 581 eh = mtod(m, struct ether_header *); 582 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 583 } 584 return m; 585 } 586 587 /* 588 * Install received rate set information in the node's state block. 589 */ 590 static int 591 ieee80211_setup_rates(struct ieee80211com *ic, struct ieee80211_node *ni, 592 u_int8_t *rates, u_int8_t *xrates, int flags) 593 { 594 struct ieee80211_rateset *rs = &ni->ni_rates; 595 596 memset(rs, 0, sizeof(*rs)); 597 rs->rs_nrates = rates[1]; 598 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 599 if (xrates != NULL) { 600 u_int8_t nxrates; 601 /* 602 * Tack on 11g extended supported rate element. 603 */ 604 nxrates = xrates[1]; 605 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 606 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 607 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 608 ("%s: extended rate set too large;" 609 " only using %u of %u rates\n", 610 __func__, nxrates, xrates[1])); 611 ic->ic_stats.is_rx_rstoobig++; 612 } 613 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 614 rs->rs_nrates += nxrates; 615 } 616 return ieee80211_fix_rate(ic, ni, flags); 617 } 618 619 /* Verify the existence and length of __elem or get out. */ 620 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 621 if ((__elem) == NULL) { \ 622 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, \ 623 ("%s: no " #__elem "in %s frame\n", \ 624 __func__, ieee80211_mgt_subtype_name[subtype >> \ 625 IEEE80211_FC0_SUBTYPE_SHIFT])); \ 626 ic->ic_stats.is_rx_elem_missing++; \ 627 return; \ 628 } \ 629 if ((__elem)[1] > (__maxlen)) { \ 630 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, \ 631 ("%s: bad " #__elem " len %d in %s frame from %s\n",\ 632 __func__, (__elem)[1], \ 633 ieee80211_mgt_subtype_name[subtype >> \ 634 IEEE80211_FC0_SUBTYPE_SHIFT], \ 635 ether_sprintf(wh->i_addr2))); \ 636 ic->ic_stats.is_rx_elem_toobig++; \ 637 return; \ 638 } \ 639 } while (0) 640 641 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 642 if ((_len) < (_minlen)) { \ 643 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, \ 644 ("%s: %s frame too short from %s\n", \ 645 __func__, \ 646 ieee80211_mgt_subtype_name[subtype >> \ 647 IEEE80211_FC0_SUBTYPE_SHIFT], \ 648 ether_sprintf(wh->i_addr2))); \ 649 ic->ic_stats.is_rx_elem_toosmall++; \ 650 return; \ 651 } \ 652 } while (0) 653 654 #ifdef IEEE80211_DEBUG 655 static void 656 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 657 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 658 { 659 printf("[%s] %s req ssid mismatch: ", ether_sprintf(mac), tag); 660 ieee80211_print_essid(ssid + 2, ssid[1]); 661 printf("\n"); 662 } 663 664 #define IEEE80211_VERIFY_SSID(_ni, _ssid, _packet_type) do { \ 665 if ((_ssid)[1] != 0 && \ 666 ((_ssid)[1] != (_ni)->ni_esslen || \ 667 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 668 if (ieee80211_msg_input(ic)) \ 669 ieee80211_ssid_mismatch(ic, _packet_type, \ 670 wh->i_addr2, _ssid); \ 671 ic->ic_stats.is_rx_ssidmismatch++; \ 672 return; \ 673 } \ 674 } while (0) 675 #else /* !IEEE80211_DEBUG */ 676 #define IEEE80211_VERIFY_SSID(_ni, _ssid, _packet_type) do { \ 677 if ((_ssid)[1] != 0 && \ 678 ((_ssid)[1] != (_ni)->ni_esslen || \ 679 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 680 ic->ic_stats.is_rx_ssidmismatch++; \ 681 return; \ 682 } \ 683 } while (0) 684 #endif /* !IEEE80211_DEBUG */ 685 686 static void 687 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 688 struct ieee80211_node *ni, int rssi, u_int32_t rstamp, u_int16_t seq, 689 u_int16_t status) 690 { 691 int allocbs; 692 switch (ic->ic_opmode) { 693 case IEEE80211_M_IBSS: 694 if (ic->ic_state != IEEE80211_S_RUN || 695 seq != IEEE80211_AUTH_OPEN_REQUEST) { 696 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 697 ("%s: discard auth from %s; state %u, seq %u\n", 698 __func__, ether_sprintf(wh->i_addr2), 699 ic->ic_state, seq)); 700 ic->ic_stats.is_rx_bad_auth++; 701 return; 702 } 703 ieee80211_new_state(ic, IEEE80211_S_AUTH, 704 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 705 break; 706 707 case IEEE80211_M_AHDEMO: 708 /* should not come here */ 709 break; 710 711 case IEEE80211_M_HOSTAP: 712 if (ic->ic_state != IEEE80211_S_RUN || 713 seq != IEEE80211_AUTH_OPEN_REQUEST) { 714 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 715 ("%s: discard auth from %s; state %u, seq %u\n", 716 __func__, ether_sprintf(wh->i_addr2), 717 ic->ic_state, seq)); 718 ic->ic_stats.is_rx_bad_auth++; 719 return; 720 } 721 if (ni == ic->ic_bss) { 722 ni = ieee80211_alloc_node(ic, wh->i_addr2); 723 if (ni == NULL) { 724 ic->ic_stats.is_rx_nodealloc++; 725 return; 726 } 727 IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_bss->ni_bssid); 728 ni->ni_rssi = rssi; 729 ni->ni_rstamp = rstamp; 730 ni->ni_chan = ic->ic_bss->ni_chan; 731 allocbs = 1; 732 } else 733 allocbs = 0; 734 IEEE80211_SEND_MGMT(ic, ni, 735 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 736 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 737 ("station %s %s authenticated (open)\n", 738 ether_sprintf(ni->ni_macaddr), 739 (allocbs ? "newly" : "already"))); 740 break; 741 742 case IEEE80211_M_STA: 743 if (ic->ic_state != IEEE80211_S_AUTH || 744 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 745 ic->ic_stats.is_rx_bad_auth++; 746 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 747 ("%s: discard auth from %s; state %u, seq %u\n", 748 __func__, ether_sprintf(wh->i_addr2), 749 ic->ic_state, seq)); 750 return; 751 } 752 if (status != 0) { 753 IEEE80211_DPRINTF(ic, 754 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 755 ("open authentication failed (reason %d) for %s\n", 756 status, 757 ether_sprintf(wh->i_addr3))); 758 if (ni != ic->ic_bss) 759 ni->ni_fails++; 760 ic->ic_stats.is_rx_auth_fail++; 761 return; 762 } 763 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 764 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 765 break; 766 case IEEE80211_M_MONITOR: 767 break; 768 } 769 } 770 771 /* TBD send appropriate responses on error? */ 772 static void 773 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 774 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 775 u_int32_t rstamp, u_int16_t seq, u_int16_t status) 776 { 777 u_int8_t *challenge = NULL; 778 int allocbs, i; 779 780 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 781 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 782 ("%s: WEP is off\n", __func__)); 783 return; 784 } 785 786 if (frm + 1 < efrm) { 787 if (frm[1] + 2 > efrm - frm) { 788 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 789 ("%s: elt %d %d bytes too long\n", __func__, 790 frm[0], (frm[1] + 2) - (int)(efrm - frm))); 791 ic->ic_stats.is_rx_bad_auth++; 792 return; 793 } 794 if (*frm == IEEE80211_ELEMID_CHALLENGE) 795 challenge = frm; 796 frm += frm[1] + 2; 797 } 798 switch (seq) { 799 case IEEE80211_AUTH_SHARED_CHALLENGE: 800 case IEEE80211_AUTH_SHARED_RESPONSE: 801 if (challenge == NULL) { 802 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 803 ("%s: no challenge sent\n", __func__)); 804 ic->ic_stats.is_rx_bad_auth++; 805 return; 806 } 807 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 808 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 809 ("%s: bad challenge len %d\n", 810 __func__, challenge[1])); 811 ic->ic_stats.is_rx_bad_auth++; 812 return; 813 } 814 default: 815 break; 816 } 817 switch (ic->ic_opmode) { 818 case IEEE80211_M_MONITOR: 819 case IEEE80211_M_AHDEMO: 820 case IEEE80211_M_IBSS: 821 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 822 ("%s: unexpected operating mode\n", __func__)); 823 return; 824 case IEEE80211_M_HOSTAP: 825 if (ic->ic_state != IEEE80211_S_RUN) { 826 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 827 ("%s: not running\n", __func__)); 828 return; 829 } 830 switch (seq) { 831 case IEEE80211_AUTH_SHARED_REQUEST: 832 if (ni == ic->ic_bss) { 833 ni = ieee80211_alloc_node(ic, wh->i_addr2); 834 if (ni == NULL) { 835 ic->ic_stats.is_rx_nodealloc++; 836 return; 837 } 838 IEEE80211_ADDR_COPY(ni->ni_bssid, 839 ic->ic_bss->ni_bssid); 840 ni->ni_rssi = rssi; 841 ni->ni_rstamp = rstamp; 842 ni->ni_chan = ic->ic_bss->ni_chan; 843 allocbs = 1; 844 } else 845 allocbs = 0; 846 if (ni->ni_challenge == NULL) 847 ni->ni_challenge = (u_int32_t*)malloc( 848 IEEE80211_CHALLENGE_LEN, M_DEVBUF, 849 M_NOWAIT); 850 if (ni->ni_challenge == NULL) { 851 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 852 ("%s: challenge alloc failed\n", 853 __func__)); 854 /* XXX statistic */ 855 return; 856 } 857 for (i = IEEE80211_CHALLENGE_LEN / sizeof(u_int32_t); 858 --i >= 0; ) 859 ni->ni_challenge[i] = arc4random(); 860 IEEE80211_DPRINTF(ic, 861 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 862 ("shared key %sauth request from station %s\n", 863 (allocbs ? "" : "re"), 864 ether_sprintf(ni->ni_macaddr))); 865 break; 866 case IEEE80211_AUTH_SHARED_RESPONSE: 867 if (ni == ic->ic_bss) { 868 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 869 ("%s: unknown STA\n", __func__)); 870 return; 871 } 872 if (ni->ni_challenge == NULL) { 873 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 874 ("%s: no challenge recorded\n", 875 __func__)); 876 ic->ic_stats.is_rx_bad_auth++; 877 return; 878 } 879 if (memcmp(ni->ni_challenge, &challenge[2], 880 challenge[1]) != 0) { 881 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 882 ("%s: challenge mismatch\n", __func__)); 883 ic->ic_stats.is_rx_auth_fail++; 884 return; 885 } 886 IEEE80211_DPRINTF(ic, 887 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 888 ("station %s authenticated (shared key)\n", 889 ether_sprintf(ni->ni_macaddr))); 890 break; 891 default: 892 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 893 ("%s: bad shared key auth seq %d from %s\n", 894 __func__, seq, ether_sprintf(wh->i_addr2))); 895 ic->ic_stats.is_rx_bad_auth++; 896 return; 897 } 898 IEEE80211_SEND_MGMT(ic, ni, 899 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 900 break; 901 902 case IEEE80211_M_STA: 903 if (ic->ic_state != IEEE80211_S_AUTH) 904 return; 905 switch (seq) { 906 case IEEE80211_AUTH_SHARED_PASS: 907 if (ni->ni_challenge != NULL) { 908 FREE(ni->ni_challenge, M_DEVBUF); 909 ni->ni_challenge = NULL; 910 } 911 if (status != 0) { 912 IEEE80211_DPRINTF(ic, 913 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 914 ("%s: auth failed (reason %d) for %s\n", 915 __func__, status, 916 ether_sprintf(wh->i_addr3))); 917 if (ni != ic->ic_bss) 918 ni->ni_fails++; 919 ic->ic_stats.is_rx_auth_fail++; 920 return; 921 } 922 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 923 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 924 break; 925 case IEEE80211_AUTH_SHARED_CHALLENGE: 926 if (ni->ni_challenge == NULL) 927 ni->ni_challenge = (u_int32_t*)malloc( 928 challenge[1], M_DEVBUF, M_NOWAIT); 929 if (ni->ni_challenge == NULL) { 930 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 931 ("%s: challenge alloc failed\n", __func__)); 932 /* XXX statistic */ 933 return; 934 } 935 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 936 IEEE80211_SEND_MGMT(ic, ni, 937 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 938 break; 939 default: 940 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 941 ("%s: bad seq %d from %s\n", __func__, seq, 942 ether_sprintf(wh->i_addr2))); 943 ic->ic_stats.is_rx_bad_auth++; 944 return; 945 } 946 break; 947 } 948 } 949 950 void 951 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 952 struct ieee80211_node *ni, 953 int subtype, int rssi, u_int32_t rstamp) 954 { 955 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 956 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 957 struct ieee80211_frame *wh; 958 u_int8_t *frm, *efrm; 959 u_int8_t *ssid, *rates, *xrates; 960 int reassoc, resp, allocbs; 961 962 wh = mtod(m0, struct ieee80211_frame *); 963 frm = (u_int8_t *)&wh[1]; 964 efrm = mtod(m0, u_int8_t *) + m0->m_len; 965 switch (subtype) { 966 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 967 case IEEE80211_FC0_SUBTYPE_BEACON: { 968 u_int8_t *tstamp, *bintval, *capinfo, *country; 969 u_int8_t chan, bchan, fhindex, erp; 970 u_int16_t fhdwell; 971 972 if (ic->ic_opmode != IEEE80211_M_IBSS && 973 ic->ic_state != IEEE80211_S_SCAN) { 974 /* XXX: may be useful for background scan */ 975 return; 976 } 977 978 /* 979 * beacon/probe response frame format 980 * [8] time stamp 981 * [2] beacon interval 982 * [2] capability information 983 * [tlv] ssid 984 * [tlv] supported rates 985 * [tlv] country information 986 * [tlv] parameter set (FH/DS) 987 * [tlv] erp information 988 * [tlv] extended supported rates 989 */ 990 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 991 tstamp = frm; frm += 8; 992 bintval = frm; frm += 2; 993 capinfo = frm; frm += 2; 994 ssid = rates = xrates = country = NULL; 995 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 996 chan = bchan; 997 fhdwell = 0; 998 fhindex = 0; 999 erp = 0; 1000 while (frm < efrm) { 1001 switch (*frm) { 1002 case IEEE80211_ELEMID_SSID: 1003 ssid = frm; 1004 break; 1005 case IEEE80211_ELEMID_RATES: 1006 rates = frm; 1007 break; 1008 case IEEE80211_ELEMID_COUNTRY: 1009 country = frm; 1010 break; 1011 case IEEE80211_ELEMID_FHPARMS: 1012 if (ic->ic_phytype == IEEE80211_T_FH) { 1013 fhdwell = (frm[3] << 8) | frm[2]; 1014 chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1015 fhindex = frm[6]; 1016 } 1017 break; 1018 case IEEE80211_ELEMID_DSPARMS: 1019 /* 1020 * XXX hack this since depending on phytype 1021 * is problematic for multi-mode devices. 1022 */ 1023 if (ic->ic_phytype != IEEE80211_T_FH) 1024 chan = frm[2]; 1025 break; 1026 case IEEE80211_ELEMID_TIM: 1027 break; 1028 case IEEE80211_ELEMID_IBSSPARMS: 1029 break; 1030 case IEEE80211_ELEMID_XRATES: 1031 xrates = frm; 1032 break; 1033 case IEEE80211_ELEMID_ERP: 1034 if (frm[1] != 1) { 1035 IEEE80211_DPRINTF(ic, 1036 IEEE80211_MSG_ELEMID, 1037 ("%s: invalid ERP element; " 1038 "length %u, expecting 1\n", 1039 __func__, frm[1])); 1040 ic->ic_stats.is_rx_elem_toobig++; 1041 break; 1042 } 1043 erp = frm[2]; 1044 break; 1045 default: 1046 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, 1047 ("%s: element id %u/len %u ignored\n", 1048 __func__, *frm, frm[1])); 1049 ic->ic_stats.is_rx_elem_unknown++; 1050 break; 1051 } 1052 frm += frm[1] + 2; 1053 } 1054 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1055 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1056 if ( 1057 #if IEEE80211_CHAN_MAX < 255 1058 chan > IEEE80211_CHAN_MAX || 1059 #endif 1060 isclr(ic->ic_chan_active, chan)) { 1061 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, 1062 ("%s: ignore %s with invalid channel %u\n", 1063 __func__, 1064 ISPROBE(subtype) ? "probe response" : "beacon", 1065 chan)); 1066 ic->ic_stats.is_rx_badchan++; 1067 return; 1068 } 1069 if (chan != bchan && ic->ic_phytype != IEEE80211_T_FH) { 1070 /* 1071 * Frame was received on a channel different from the 1072 * one indicated in the DS params element id; 1073 * silently discard it. 1074 * 1075 * NB: this can happen due to signal leakage. 1076 * But we should take it for FH phy because 1077 * the rssi value should be correct even for 1078 * different hop pattern in FH. 1079 */ 1080 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ELEMID, 1081 ("%s: ignore %s on channel %u marked " 1082 "for channel %u\n", __func__, 1083 ISPROBE(subtype) ? "probe response" : "beacon", 1084 bchan, chan)); 1085 ic->ic_stats.is_rx_chanmismatch++; 1086 return; 1087 } 1088 1089 /* 1090 * Use mac and channel for lookup so we collect all 1091 * potential AP's when scanning. Otherwise we may 1092 * see the same AP on multiple channels and will only 1093 * record the last one. We could filter APs here based 1094 * on rssi, etc. but leave that to the end of the scan 1095 * so we can keep the selection criteria in one spot. 1096 * This may result in a bloat of the scanned AP list but 1097 * it shouldn't be too much. 1098 */ 1099 ni = ieee80211_find_node_with_channel(ic, wh->i_addr2, 1100 &ic->ic_channels[chan]); 1101 #ifdef IEEE80211_DEBUG 1102 if (ieee80211_debug && 1103 (ni == NULL || ic->ic_state == IEEE80211_S_SCAN)) { 1104 printf("%s: %s%s on chan %u (bss chan %u) ", 1105 __func__, (ni == NULL ? "new " : ""), 1106 ISPROBE(subtype) ? "probe response" : "beacon", 1107 chan, bchan); 1108 ieee80211_print_essid(ssid + 2, ssid[1]); 1109 printf(" from %s\n", ether_sprintf(wh->i_addr2)); 1110 printf("%s: caps 0x%x bintval %u erp 0x%x\n", 1111 __func__, le16toh(*(u_int16_t *)capinfo), 1112 le16toh(*(u_int16_t *)bintval), erp); 1113 if (country) { 1114 int i; 1115 printf("%s: country info", __func__); 1116 for (i = 0; i < country[1]; i++) 1117 printf(" %02x", country[i+2]); 1118 printf("\n"); 1119 } 1120 } 1121 #endif 1122 if (ni == NULL) { 1123 ni = ieee80211_alloc_node(ic, wh->i_addr2); 1124 if (ni == NULL) 1125 return; 1126 ni->ni_esslen = ssid[1]; 1127 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1128 memcpy(ni->ni_essid, ssid + 2, ssid[1]); 1129 allocbs = 1; 1130 } else if (ssid[1] != 0 && 1131 (ISPROBE(subtype) || ni->ni_esslen == 0)) { 1132 /* 1133 * Update ESSID at probe response to adopt hidden AP by 1134 * Lucent/Cisco, which announces null ESSID in beacon. 1135 */ 1136 ni->ni_esslen = ssid[1]; 1137 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1138 memcpy(ni->ni_essid, ssid + 2, ssid[1]); 1139 allocbs = 0; 1140 } else 1141 allocbs = 0; 1142 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1143 ni->ni_rssi = rssi; 1144 ni->ni_rstamp = rstamp; 1145 memcpy(ni->ni_tstamp, tstamp, sizeof(ni->ni_tstamp)); 1146 ni->ni_intval = le16toh(*(u_int16_t *)bintval); 1147 ni->ni_capinfo = le16toh(*(u_int16_t *)capinfo); 1148 /* XXX validate channel # */ 1149 ni->ni_chan = &ic->ic_channels[chan]; 1150 ni->ni_fhdwell = fhdwell; 1151 ni->ni_fhindex = fhindex; 1152 ni->ni_erp = erp; 1153 /* NB: must be after ni_chan is setup */ 1154 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1155 /* 1156 * When scanning we record results (nodes) with a zero 1157 * refcnt. Otherwise we want to hold the reference for 1158 * ibss neighbors so the nodes don't get released prematurely. 1159 * Anything else can be discarded (XXX and should be handled 1160 * above so we don't do so much work). 1161 */ 1162 if (ic->ic_state == IEEE80211_S_SCAN) 1163 ieee80211_unref_node(&ni); /* NB: do not free */ 1164 else if (ic->ic_opmode == IEEE80211_M_IBSS && 1165 allocbs && ISPROBE(subtype)) { 1166 /* 1167 * Fake an association so the driver can setup it's 1168 * private state. The rate set has been setup above; 1169 * there is no handshake as in ap/station operation. 1170 */ 1171 if (ic->ic_newassoc) 1172 (*ic->ic_newassoc)(ic, ni, 1); 1173 /* NB: hold reference */ 1174 } else { 1175 /* XXX optimize to avoid work done above */ 1176 ieee80211_free_node(ic, ni); 1177 } 1178 break; 1179 } 1180 1181 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: { 1182 u_int8_t rate; 1183 1184 if (ic->ic_opmode == IEEE80211_M_STA) 1185 return; 1186 if (ic->ic_state != IEEE80211_S_RUN) 1187 return; 1188 1189 /* 1190 * prreq frame format 1191 * [tlv] ssid 1192 * [tlv] supported rates 1193 * [tlv] extended supported rates 1194 */ 1195 ssid = rates = xrates = NULL; 1196 while (frm < efrm) { 1197 switch (*frm) { 1198 case IEEE80211_ELEMID_SSID: 1199 ssid = frm; 1200 break; 1201 case IEEE80211_ELEMID_RATES: 1202 rates = frm; 1203 break; 1204 case IEEE80211_ELEMID_XRATES: 1205 xrates = frm; 1206 break; 1207 } 1208 frm += frm[1] + 2; 1209 } 1210 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1211 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1212 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid, "probe"); 1213 1214 if (ni == ic->ic_bss) { 1215 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1216 if (ni == NULL) 1217 return; 1218 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1219 ("%s: new probe req from %s\n", 1220 __func__, ether_sprintf(wh->i_addr2))); 1221 allocbs = 1; 1222 } else 1223 allocbs = 0; 1224 ni->ni_rssi = rssi; 1225 ni->ni_rstamp = rstamp; 1226 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 1227 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE 1228 | IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1229 if (rate & IEEE80211_RATE_BASIC) { 1230 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 1231 ("%s: rate negotiation failed: %s\n", 1232 __func__,ether_sprintf(wh->i_addr2))); 1233 } else { 1234 IEEE80211_SEND_MGMT(ic, ni, 1235 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 1236 } 1237 if (allocbs) 1238 ieee80211_free_node(ic, ni); 1239 break; 1240 } 1241 1242 case IEEE80211_FC0_SUBTYPE_AUTH: { 1243 u_int16_t algo, seq, status; 1244 /* 1245 * auth frame format 1246 * [2] algorithm 1247 * [2] sequence 1248 * [2] status 1249 * [tlv*] challenge 1250 */ 1251 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 1252 algo = le16toh(*(u_int16_t *)frm); 1253 seq = le16toh(*(u_int16_t *)(frm + 2)); 1254 status = le16toh(*(u_int16_t *)(frm + 4)); 1255 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 1256 ("%s: algorithm %d seq %d from %s\n", 1257 __func__, algo, seq, ether_sprintf(wh->i_addr2))); 1258 1259 if (algo == IEEE80211_AUTH_ALG_SHARED) 1260 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 1261 rstamp, seq, status); 1262 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1263 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 1264 status); 1265 else { 1266 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1267 ("%s: unsupported auth algorithm %d from %s\n", 1268 __func__, algo, ether_sprintf(wh->i_addr2))); 1269 ic->ic_stats.is_rx_auth_unsupported++; 1270 return; 1271 } 1272 break; 1273 } 1274 1275 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1276 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 1277 u_int16_t capinfo, bintval; 1278 1279 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 1280 (ic->ic_state != IEEE80211_S_RUN)) 1281 return; 1282 1283 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1284 reassoc = 1; 1285 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 1286 } else { 1287 reassoc = 0; 1288 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 1289 } 1290 /* 1291 * asreq frame format 1292 * [2] capability information 1293 * [2] listen interval 1294 * [6*] current AP address (reassoc only) 1295 * [tlv] ssid 1296 * [tlv] supported rates 1297 * [tlv] extended supported rates 1298 */ 1299 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 1300 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 1301 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1302 ("%s: ignore assoc request with bss %s not " 1303 "our own\n", 1304 __func__, ether_sprintf(wh->i_addr2))); 1305 ic->ic_stats.is_rx_assoc_bss++; 1306 return; 1307 } 1308 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 1309 bintval = le16toh(*(u_int16_t *)frm); frm += 2; 1310 if (reassoc) 1311 frm += 6; /* ignore current AP info */ 1312 ssid = rates = xrates = NULL; 1313 while (frm < efrm) { 1314 switch (*frm) { 1315 case IEEE80211_ELEMID_SSID: 1316 ssid = frm; 1317 break; 1318 case IEEE80211_ELEMID_RATES: 1319 rates = frm; 1320 break; 1321 case IEEE80211_ELEMID_XRATES: 1322 xrates = frm; 1323 break; 1324 } 1325 frm += frm[1] + 2; 1326 } 1327 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1328 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1329 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid, 1330 reassoc ? "reassoc" : "assoc"); 1331 1332 if (ni == ic->ic_bss) { 1333 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1334 ("%s: deny %sassoc from %s, not authenticated\n", 1335 __func__, reassoc ? "re" : "", 1336 ether_sprintf(wh->i_addr2))); 1337 ni = ieee80211_dup_bss(ic, wh->i_addr2); 1338 if (ni != NULL) { 1339 IEEE80211_SEND_MGMT(ic, ni, 1340 IEEE80211_FC0_SUBTYPE_DEAUTH, 1341 IEEE80211_REASON_ASSOC_NOT_AUTHED); 1342 ieee80211_free_node(ic, ni); 1343 } 1344 ic->ic_stats.is_rx_assoc_notauth++; 1345 return; 1346 } 1347 /* discard challenge after association */ 1348 if (ni->ni_challenge != NULL) { 1349 FREE(ni->ni_challenge, M_DEVBUF); 1350 ni->ni_challenge = NULL; 1351 } 1352 /* XXX per-node cipher suite */ 1353 /* XXX some stations use the privacy bit for handling APs 1354 that suport both encrypted and unencrypted traffic */ 1355 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0 || 1356 (capinfo & IEEE80211_CAPINFO_PRIVACY) != 1357 ((ic->ic_flags & IEEE80211_F_PRIVACY) ? 1358 IEEE80211_CAPINFO_PRIVACY : 0)) { 1359 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1360 ("%s: capability mismatch %x for %s\n", 1361 __func__, capinfo, ether_sprintf(wh->i_addr2))); 1362 IEEE80211_SEND_MGMT(ic, ni, resp, 1363 IEEE80211_STATUS_CAPINFO); 1364 ieee80211_node_leave(ic, ni); 1365 ic->ic_stats.is_rx_assoc_capmismatch++; 1366 return; 1367 } 1368 ieee80211_setup_rates(ic, ni, rates, xrates, 1369 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 1370 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1371 if (ni->ni_rates.rs_nrates == 0) { 1372 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1373 ("%s: rate mismatch for %s\n", 1374 __func__, ether_sprintf(wh->i_addr2))); 1375 IEEE80211_SEND_MGMT(ic, ni, resp, 1376 IEEE80211_STATUS_BASIC_RATE); 1377 ieee80211_node_leave(ic, ni); 1378 ic->ic_stats.is_rx_assoc_norate++; 1379 return; 1380 } 1381 ni->ni_rssi = rssi; 1382 ni->ni_rstamp = rstamp; 1383 ni->ni_intval = bintval; 1384 ni->ni_capinfo = capinfo; 1385 ni->ni_chan = ic->ic_bss->ni_chan; 1386 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 1387 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 1388 ieee80211_node_join(ic, ni, resp); 1389 break; 1390 } 1391 1392 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 1393 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 1394 u_int16_t status; 1395 1396 if (ic->ic_opmode != IEEE80211_M_STA || 1397 ic->ic_state != IEEE80211_S_ASSOC) { 1398 ic->ic_stats.is_rx_mgtdiscard++; 1399 return; 1400 } 1401 1402 /* 1403 * asresp frame format 1404 * [2] capability information 1405 * [2] status 1406 * [2] association ID 1407 * [tlv] supported rates 1408 * [tlv] extended supported rates 1409 */ 1410 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 1411 ni = ic->ic_bss; 1412 ni->ni_capinfo = le16toh(*(u_int16_t *)frm); 1413 frm += 2; 1414 1415 status = le16toh(*(u_int16_t *)frm); 1416 frm += 2; 1417 if (status != 0) { 1418 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1419 ("%sassociation failed (reason %d) for %s\n", 1420 ISREASSOC(subtype) ? "re" : "", 1421 status, ether_sprintf(wh->i_addr3))); 1422 if (ni != ic->ic_bss) 1423 ni->ni_fails++; 1424 ic->ic_stats.is_rx_auth_fail++; 1425 return; 1426 } 1427 ni->ni_associd = le16toh(*(u_int16_t *)frm); 1428 frm += 2; 1429 1430 rates = xrates = NULL; 1431 while (frm < efrm) { 1432 switch (*frm) { 1433 case IEEE80211_ELEMID_RATES: 1434 rates = frm; 1435 break; 1436 case IEEE80211_ELEMID_XRATES: 1437 xrates = frm; 1438 break; 1439 } 1440 frm += frm[1] + 2; 1441 } 1442 1443 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1444 ieee80211_setup_rates(ic, ni, rates, xrates, 1445 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 1446 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1447 if (ni->ni_rates.rs_nrates != 0) 1448 ieee80211_new_state(ic, IEEE80211_S_RUN, 1449 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1450 break; 1451 } 1452 1453 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 1454 u_int16_t reason; 1455 /* 1456 * deauth frame format 1457 * [2] reason 1458 */ 1459 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 1460 reason = le16toh(*(u_int16_t *)frm); 1461 ic->ic_stats.is_rx_deauth++; 1462 switch (ic->ic_opmode) { 1463 case IEEE80211_M_STA: 1464 ieee80211_new_state(ic, IEEE80211_S_AUTH, 1465 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1466 break; 1467 case IEEE80211_M_HOSTAP: 1468 if (ni != ic->ic_bss) { 1469 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 1470 ("station %s deauthenticated by " 1471 "peer (reason %d)\n", 1472 ether_sprintf(ni->ni_macaddr), reason)); 1473 ieee80211_node_leave(ic, ni); 1474 } 1475 break; 1476 default: 1477 break; 1478 } 1479 break; 1480 } 1481 1482 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 1483 u_int16_t reason; 1484 /* 1485 * disassoc frame format 1486 * [2] reason 1487 */ 1488 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 1489 reason = le16toh(*(u_int16_t *)frm); 1490 ic->ic_stats.is_rx_disassoc++; 1491 switch (ic->ic_opmode) { 1492 case IEEE80211_M_STA: 1493 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1494 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1495 break; 1496 case IEEE80211_M_HOSTAP: 1497 if (ni != ic->ic_bss) { 1498 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1499 ("station %s disassociated by " 1500 "peer (reason %d)\n", 1501 ether_sprintf(ni->ni_macaddr), reason)); 1502 ieee80211_node_leave(ic, ni); 1503 } 1504 break; 1505 default: 1506 break; 1507 } 1508 break; 1509 } 1510 default: 1511 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1512 ("%s: mgmt frame with subtype 0x%x not handled\n", 1513 __func__, subtype)); 1514 ic->ic_stats.is_rx_badsubtype++; 1515 break; 1516 } 1517 } 1518 1519 static void 1520 ieee80211_recv_pspoll(struct ieee80211com *ic, struct mbuf *m0, int rssi, 1521 u_int32_t rstamp) 1522 { 1523 struct ifnet *ifp = &ic->ic_if; 1524 struct ieee80211_frame *wh; 1525 struct ieee80211_node *ni; 1526 struct mbuf *m; 1527 u_int16_t aid; 1528 1529 if (ic->ic_set_tim == NULL) /* No powersaving functionality */ 1530 return; 1531 1532 wh = mtod(m0, struct ieee80211_frame *); 1533 1534 if ((ni = ieee80211_find_node(ic, wh->i_addr2)) == NULL) { 1535 if (ifp->if_flags & IFF_DEBUG) 1536 printf("%s: station %s sent bogus power save poll\n", 1537 ifp->if_xname, ether_sprintf(wh->i_addr2)); 1538 return; 1539 } 1540 1541 memcpy(&aid, wh->i_dur, sizeof(wh->i_dur)); 1542 if ((aid & 0xc000) != 0xc000) { 1543 if (ifp->if_flags & IFF_DEBUG) 1544 printf("%s: station %s sent bogus aid %x\n", 1545 ifp->if_xname, ether_sprintf(wh->i_addr2), aid); 1546 return; 1547 } 1548 1549 if (aid != ni->ni_associd) { 1550 if (ifp->if_flags & IFF_DEBUG) 1551 printf("%s: station %s aid %x doesn't match pspoll " 1552 "aid %x\n", 1553 ifp->if_xname, ether_sprintf(wh->i_addr2), 1554 ni->ni_associd, aid); 1555 return; 1556 } 1557 1558 /* Okay, take the first queued packet and put it out... */ 1559 1560 IF_DEQUEUE(&ni->ni_savedq, m); 1561 if (m == NULL) { 1562 if (ifp->if_flags & IFF_DEBUG) 1563 printf("%s: station %s sent pspoll, " 1564 "but no packets are saved\n", 1565 ifp->if_xname, ether_sprintf(wh->i_addr2)); 1566 return; 1567 } 1568 wh = mtod(m, struct ieee80211_frame *); 1569 1570 /* 1571 * If this is the last packet, turn off the TIM fields. 1572 * If there are more packets, set the more packets bit. 1573 */ 1574 1575 if (IF_IS_EMPTY(&ni->ni_savedq)) { 1576 if (ic->ic_set_tim) 1577 ic->ic_set_tim(ic, ni->ni_associd, 0); 1578 } else { 1579 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 1580 } 1581 1582 if (ifp->if_flags & IFF_DEBUG) 1583 printf("%s: enqueued power saving packet for station %s\n", 1584 ifp->if_xname, ether_sprintf(ni->ni_macaddr)); 1585 1586 IF_ENQUEUE(&ic->ic_pwrsaveq, m); 1587 (*ifp->if_start)(ifp); 1588 } 1589 1590 static int 1591 do_slow_print(struct ieee80211com *ic, int *did_print) 1592 { 1593 if ((ic->ic_if.if_flags & IFF_LINK0) == 0) 1594 return 0; 1595 if (!*did_print && (ic->ic_if.if_flags & IFF_DEBUG) == 0 && 1596 !ratecheck(&ic->ic_last_merge_print, &ieee80211_merge_print_intvl)) 1597 return 0; 1598 1599 *did_print = 1; 1600 return 1; 1601 } 1602 1603 /* ieee80211_ibss_merge helps merge 802.11 ad hoc networks. The 1604 * convention, set by the Wireless Ethernet Compatibility Alliance 1605 * (WECA), is that an 802.11 station will change its BSSID to match 1606 * the "oldest" 802.11 ad hoc network, on the same channel, that 1607 * has the station's desired SSID. The "oldest" 802.11 network 1608 * sends beacons with the greatest TSF timestamp. 1609 * 1610 * XXX Perhaps we should compensate for the time that elapses 1611 * between the MAC receiving the beacon and the host processing it 1612 * in ieee80211_ibss_merge. 1613 */ 1614 void 1615 ieee80211_ibss_merge(struct ieee80211com *ic, 1616 void (*recv_mgmt)(struct ieee80211com *, struct mbuf *, 1617 struct ieee80211_node *, int, int, u_int32_t), 1618 struct mbuf *m0, 1619 struct ieee80211_node *ni, int subtype, int rssi, u_int32_t rstamp) 1620 { 1621 struct ieee80211_frame *wh; 1622 uint32_t tsftl, tsfth; 1623 uint32_t bcn_tsftl, bcn_tsfth; 1624 int did_print = 0, sign; 1625 union { 1626 uint32_t words[2]; 1627 uint8_t tstamp[8]; 1628 } u; 1629 1630 KASSERT(ic->ic_get_tsft != NULL && ic->ic_change_ibss != NULL); 1631 1632 (*recv_mgmt)(ic, m0, ni, subtype, rssi, rstamp); 1633 1634 (*ic->ic_get_tsft)(ic, &tsfth, &tsftl); 1635 1636 (void)memcpy(&u, &ni->ni_tstamp[0], sizeof(u)); 1637 bcn_tsftl = le32toh(u.words[0]); 1638 bcn_tsfth = le32toh(u.words[1]); 1639 1640 /* we are faster, let the other guy catch up */ 1641 if (bcn_tsfth < tsfth) 1642 sign = -1; 1643 else if (bcn_tsfth == tsfth && bcn_tsftl < tsftl) 1644 sign = -1; 1645 else 1646 sign = 1; 1647 1648 if (memcmp(ni->ni_bssid, ic->ic_bss->ni_bssid, 1649 IEEE80211_ADDR_LEN) == 0) { 1650 if (!do_slow_print(ic, &did_print)) 1651 return; 1652 printf("%s: tsft offset %s%" PRIu64 "\n", ic->ic_if.if_xname, 1653 (sign < 0) ? "-" : "", 1654 (sign < 0) 1655 ? ((((uint64_t)tsfth << 32) | tsftl) - 1656 (((uint64_t)bcn_tsfth << 32) | bcn_tsftl)) 1657 : ((((uint64_t)bcn_tsfth << 32) | bcn_tsftl) - 1658 (((uint64_t)tsfth << 32) | tsftl))); 1659 return; 1660 } 1661 1662 if (sign < 0) 1663 return; 1664 1665 if (ieee80211_match_bss(ic, ni) != 0) 1666 return; 1667 1668 if (do_slow_print(ic, &did_print)) { 1669 printf("%s: atw_recv_beacon: bssid mismatch %s\n", 1670 ic->ic_if.if_xname, ether_sprintf(ni->ni_bssid)); 1671 } 1672 1673 if (do_slow_print(ic, &did_print)) { 1674 printf("%s: my tsft %" PRIu64 " beacon tsft %" PRIu64 "\n", 1675 ic->ic_if.if_xname, ((uint64_t)tsfth << 32) | tsftl, 1676 ((uint64_t)bcn_tsfth << 32) | bcn_tsftl); 1677 } 1678 1679 wh = mtod(m0, struct ieee80211_frame *); 1680 1681 if (do_slow_print(ic, &did_print)) { 1682 printf("%s: sync TSF with %s\n", 1683 ic->ic_if.if_xname, ether_sprintf(wh->i_addr2)); 1684 } 1685 1686 ic->ic_flags &= ~IEEE80211_F_SIBSS; 1687 1688 /* negotiate rates with new IBSS */ 1689 ieee80211_fix_rate(ic, ni, IEEE80211_F_DOFRATE | 1690 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1691 if (ni->ni_rates.rs_nrates == 0) { 1692 if (do_slow_print(ic, &did_print)) { 1693 printf("%s: rates mismatch, BSSID %s\n", 1694 ic->ic_if.if_xname, ether_sprintf(ni->ni_bssid)); 1695 } 1696 return; 1697 } 1698 1699 if (do_slow_print(ic, &did_print)) { 1700 printf("%s: sync BSSID %s -> ", 1701 ic->ic_if.if_xname, ether_sprintf(ic->ic_bss->ni_bssid)); 1702 printf("%s ", ether_sprintf(ni->ni_bssid)); 1703 printf("(from %s)\n", ether_sprintf(wh->i_addr2)); 1704 } 1705 1706 (*ic->ic_node_copy)(ic, ic->ic_bss, ni); 1707 1708 (*ic->ic_change_ibss)(ic); 1709 } 1710 #undef IEEE80211_VERIFY_LENGTH 1711 #undef IEEE80211_VERIFY_ELEMENT 1712
Indexes created Wed Sep 24 05:09:52 GMT 2025