ieee80211_input.c revision 1.47
1 /* $NetBSD: ieee80211_input.c,v 1.47 2005/11/18 16:40:08 skrll Exp $ */ 2 /*- 3 * Copyright (c) 2001 Atsushi Onoe 4 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote products 16 * derived from this software without specific prior written permission. 17 * 18 * Alternatively, this software may be distributed under the terms of the 19 * GNU General Public License ("GPL") version 2 as published by the Free 20 * Software Foundation. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 #ifdef __FreeBSD__ 36 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.81 2005/08/10 16:22:29 sam Exp $"); 37 #endif 38 #ifdef __NetBSD__ 39 __KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.47 2005/11/18 16:40:08 skrll Exp $"); 40 #endif 41 42 #include "opt_inet.h" 43 44 #ifdef __NetBSD__ 45 #include "bpfilter.h" 46 #endif /* __NetBSD__ */ 47 48 #include <sys/param.h> 49 #include <sys/systm.h> 50 #include <sys/mbuf.h> 51 #include <sys/malloc.h> 52 #include <sys/endian.h> 53 #include <sys/kernel.h> 54 55 #include <sys/socket.h> 56 #include <sys/sockio.h> 57 #include <sys/endian.h> 58 #include <sys/errno.h> 59 #include <sys/proc.h> 60 #include <sys/sysctl.h> 61 62 #include <net/if.h> 63 #include <net/if_media.h> 64 #include <net/if_arp.h> 65 #include <net/if_ether.h> 66 #include <net/if_llc.h> 67 68 #include <net80211/ieee80211_netbsd.h> 69 #include <net80211/ieee80211_var.h> 70 71 #if NBPFILTER > 0 72 #include <net/bpf.h> 73 #endif 74 75 #ifdef INET 76 #include <netinet/in.h> 77 #include <net/if_ether.h> 78 #endif 79 80 const struct timeval ieee80211_merge_print_intvl = {.tv_sec = 1, .tv_usec = 0}; 81 82 #ifdef IEEE80211_DEBUG 83 #include <machine/stdarg.h> 84 85 /* 86 * Decide if a received management frame should be 87 * printed when debugging is enabled. This filters some 88 * of the less interesting frames that come frequently 89 * (e.g. beacons). 90 */ 91 static __inline int 92 doprint(struct ieee80211com *ic, int subtype) 93 { 94 switch (subtype) { 95 case IEEE80211_FC0_SUBTYPE_BEACON: 96 return (ic->ic_flags & IEEE80211_F_SCAN); 97 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 98 return (ic->ic_opmode == IEEE80211_M_IBSS); 99 } 100 return 1; 101 } 102 103 /* 104 * Emit a debug message about discarding a frame or information 105 * element. One format is for extracting the mac address from 106 * the frame header; the other is for when a header is not 107 * available or otherwise appropriate. 108 */ 109 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \ 110 if ((_ic)->ic_debug & (_m)) \ 111 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 112 } while (0) 113 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \ 114 if ((_ic)->ic_debug & (_m)) \ 115 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 116 } while (0) 117 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \ 118 if ((_ic)->ic_debug & (_m)) \ 119 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\ 120 } while (0) 121 122 static const u_int8_t *ieee80211_getbssid(struct ieee80211com *, 123 const struct ieee80211_frame *); 124 static void ieee80211_discard_frame(struct ieee80211com *, 125 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 126 static void ieee80211_discard_ie(struct ieee80211com *, 127 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 128 static void ieee80211_discard_mac(struct ieee80211com *, 129 const u_int8_t mac[IEEE80211_ADDR_LEN], const char *type, 130 const char *fmt, ...); 131 #else 132 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) 133 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) 134 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) 135 #endif /* IEEE80211_DEBUG */ 136 137 static struct mbuf *ieee80211_defrag(struct ieee80211com *, 138 struct ieee80211_node *, struct mbuf *, int); 139 static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int); 140 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *, 141 const u_int8_t *mac, int subtype, int arg); 142 #ifndef IEEE80211_NO_HOSTAP 143 static void ieee80211_deliver_data(struct ieee80211com *, 144 struct ieee80211_node *, struct mbuf *); 145 static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable); 146 static void ieee80211_recv_pspoll(struct ieee80211com *, 147 struct ieee80211_node *, struct mbuf *); 148 #endif /* !IEEE80211_NO_HOSTAP */ 149 150 /* 151 * Process a received frame. The node associated with the sender 152 * should be supplied. If nothing was found in the node table then 153 * the caller is assumed to supply a reference to ic_bss instead. 154 * The RSSI and a timestamp are also supplied. The RSSI data is used 155 * during AP scanning to select a AP to associate with; it can have 156 * any units so long as values have consistent units and higher values 157 * mean ``better signal''. The receive timestamp is currently not used 158 * by the 802.11 layer. 159 */ 160 int 161 ieee80211_input(struct ieee80211com *ic, struct mbuf *m, 162 struct ieee80211_node *ni, int rssi, u_int32_t rstamp) 163 { 164 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 165 #define HAS_SEQ(type) ((type & 0x4) == 0) 166 struct ifnet *ifp = ic->ic_ifp; 167 struct ieee80211_frame *wh; 168 struct ieee80211_key *key; 169 struct ether_header *eh; 170 int hdrspace; 171 u_int8_t dir, type, subtype; 172 u_int8_t *bssid; 173 u_int16_t rxseq; 174 ALTQ_DECL(struct altq_pktattr pktattr;) 175 176 IASSERT(ni != NULL, ("null node")); 177 ni->ni_inact = ni->ni_inact_reload; 178 179 /* trim CRC here so WEP can find its own CRC at the end of packet. */ 180 if (m->m_flags & M_HASFCS) { 181 m_adj(m, -IEEE80211_CRC_LEN); 182 m->m_flags &= ~M_HASFCS; 183 } 184 type = -1; /* undefined */ 185 /* 186 * In monitor mode, send everything directly to bpf. 187 * XXX may want to include the CRC 188 */ 189 if (ic->ic_opmode == IEEE80211_M_MONITOR) 190 goto out; 191 192 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 193 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 194 ni->ni_macaddr, NULL, 195 "too short (1): len %u", m->m_pkthdr.len); 196 ic->ic_stats.is_rx_tooshort++; 197 goto out; 198 } 199 /* 200 * Bit of a cheat here, we use a pointer for a 3-address 201 * frame format but don't reference fields past outside 202 * ieee80211_frame_min w/o first validating the data is 203 * present. 204 */ 205 wh = mtod(m, struct ieee80211_frame *); 206 207 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 208 IEEE80211_FC0_VERSION_0) { 209 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 210 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 211 ic->ic_stats.is_rx_badversion++; 212 goto err; 213 } 214 215 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 216 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 217 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 218 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 219 switch (ic->ic_opmode) { 220 case IEEE80211_M_STA: 221 bssid = wh->i_addr2; 222 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 223 /* not interested in */ 224 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 225 bssid, NULL, "%s", "not to bss"); 226 ic->ic_stats.is_rx_wrongbss++; 227 goto out; 228 } 229 break; 230 case IEEE80211_M_IBSS: 231 case IEEE80211_M_AHDEMO: 232 case IEEE80211_M_HOSTAP: 233 if (dir != IEEE80211_FC1_DIR_NODS) 234 bssid = wh->i_addr1; 235 else if (type == IEEE80211_FC0_TYPE_CTL) 236 bssid = wh->i_addr1; 237 else { 238 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 239 IEEE80211_DISCARD_MAC(ic, 240 IEEE80211_MSG_ANY, ni->ni_macaddr, 241 NULL, "too short (2): len %u", 242 m->m_pkthdr.len); 243 ic->ic_stats.is_rx_tooshort++; 244 goto out; 245 } 246 bssid = wh->i_addr3; 247 } 248 if (type != IEEE80211_FC0_TYPE_DATA) 249 break; 250 /* 251 * Data frame, validate the bssid. 252 */ 253 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 254 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 255 /* not interested in */ 256 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 257 bssid, NULL, "%s", "not to bss"); 258 ic->ic_stats.is_rx_wrongbss++; 259 goto out; 260 } 261 /* 262 * For adhoc mode we cons up a node when it doesn't 263 * exist. This should probably done after an ACL check. 264 */ 265 if (ni == ic->ic_bss && 266 ic->ic_opmode != IEEE80211_M_HOSTAP) { 267 /* 268 * Fake up a node for this newly 269 * discovered member of the IBSS. 270 */ 271 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 272 wh->i_addr2); 273 if (ni == NULL) { 274 /* NB: stat kept for alloc failure */ 275 goto err; 276 } 277 } 278 break; 279 default: 280 goto out; 281 } 282 ni->ni_rssi = rssi; 283 ni->ni_rstamp = rstamp; 284 if (HAS_SEQ(type)) { 285 u_int8_t tid; 286 if (IEEE80211_QOS_HAS_SEQ(wh)) { 287 tid = ((struct ieee80211_qosframe *)wh)-> 288 i_qos[0] & IEEE80211_QOS_TID; 289 if (TID_TO_WME_AC(tid) >= WME_AC_VI) 290 ic->ic_wme.wme_hipri_traffic++; 291 tid++; 292 } else 293 tid = 0; 294 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 295 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 296 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 297 /* duplicate, discard */ 298 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 299 bssid, "duplicate", 300 "seqno <%u,%u> fragno <%u,%u> tid %u", 301 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 302 ni->ni_rxseqs[tid] >> 303 IEEE80211_SEQ_SEQ_SHIFT, 304 rxseq & IEEE80211_SEQ_FRAG_MASK, 305 ni->ni_rxseqs[tid] & 306 IEEE80211_SEQ_FRAG_MASK, 307 tid); 308 ic->ic_stats.is_rx_dup++; 309 IEEE80211_NODE_STAT(ni, rx_dup); 310 goto out; 311 } 312 ni->ni_rxseqs[tid] = rxseq; 313 } 314 } 315 316 switch (type) { 317 case IEEE80211_FC0_TYPE_DATA: 318 hdrspace = ieee80211_hdrspace(ic, wh); 319 if (m->m_len < hdrspace && 320 (m = m_pullup(m, hdrspace)) == NULL) { 321 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 322 ni->ni_macaddr, NULL, 323 "data too short: expecting %u", hdrspace); 324 ic->ic_stats.is_rx_tooshort++; 325 goto out; /* XXX */ 326 } 327 switch (ic->ic_opmode) { 328 case IEEE80211_M_STA: 329 if (dir != IEEE80211_FC1_DIR_FROMDS) { 330 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 331 wh, "data", "%s", "unknown dir 0x%x", dir); 332 ic->ic_stats.is_rx_wrongdir++; 333 goto out; 334 } 335 if ((ifp->if_flags & IFF_SIMPLEX) && 336 IEEE80211_IS_MULTICAST(wh->i_addr1) && 337 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 338 /* 339 * In IEEE802.11 network, multicast packet 340 * sent from me is broadcasted from AP. 341 * It should be silently discarded for 342 * SIMPLEX interface. 343 */ 344 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 345 wh, NULL, "%s", "multicast echo"); 346 ic->ic_stats.is_rx_mcastecho++; 347 goto out; 348 } 349 break; 350 case IEEE80211_M_IBSS: 351 case IEEE80211_M_AHDEMO: 352 if (dir != IEEE80211_FC1_DIR_NODS) { 353 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 354 wh, "data", "%s", "unknown dir 0x%x", dir); 355 ic->ic_stats.is_rx_wrongdir++; 356 goto out; 357 } 358 /* XXX no power-save support */ 359 break; 360 case IEEE80211_M_HOSTAP: 361 #ifndef IEEE80211_NO_HOSTAP 362 if (dir != IEEE80211_FC1_DIR_TODS) { 363 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 364 wh, "data", "%s", "unknown dir 0x%x", dir); 365 ic->ic_stats.is_rx_wrongdir++; 366 goto out; 367 } 368 /* check if source STA is associated */ 369 if (ni == ic->ic_bss) { 370 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 371 wh, "data", "%s", "unknown src"); 372 ieee80211_send_error(ic, ni, wh->i_addr2, 373 IEEE80211_FC0_SUBTYPE_DEAUTH, 374 IEEE80211_REASON_NOT_AUTHED); 375 ic->ic_stats.is_rx_notassoc++; 376 goto err; 377 } 378 if (ni->ni_associd == 0) { 379 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 380 wh, "data", "%s", "unassoc src"); 381 IEEE80211_SEND_MGMT(ic, ni, 382 IEEE80211_FC0_SUBTYPE_DISASSOC, 383 IEEE80211_REASON_NOT_ASSOCED); 384 ic->ic_stats.is_rx_notassoc++; 385 goto err; 386 } 387 388 /* 389 * Check for power save state change. 390 */ 391 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 392 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 393 ieee80211_node_pwrsave(ni, 394 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 395 #endif /* !IEEE80211_NO_HOSTAP */ 396 break; 397 default: 398 /* XXX here to keep compiler happy */ 399 goto out; 400 } 401 402 /* 403 * Handle privacy requirements. Note that we 404 * must not be preempted from here until after 405 * we (potentially) call ieee80211_crypto_demic; 406 * otherwise we may violate assumptions in the 407 * crypto cipher modules used to do delayed update 408 * of replay sequence numbers. 409 */ 410 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 411 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 412 /* 413 * Discard encrypted frames when privacy is off. 414 */ 415 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 416 wh, "WEP", "%s", "PRIVACY off"); 417 ic->ic_stats.is_rx_noprivacy++; 418 IEEE80211_NODE_STAT(ni, rx_noprivacy); 419 goto out; 420 } 421 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 422 if (key == NULL) { 423 /* NB: stats+msgs handled in crypto_decap */ 424 IEEE80211_NODE_STAT(ni, rx_wepfail); 425 goto out; 426 } 427 wh = mtod(m, struct ieee80211_frame *); 428 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 429 } else { 430 key = NULL; 431 } 432 433 /* 434 * Next up, any fragmentation. 435 */ 436 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 437 m = ieee80211_defrag(ic, ni, m, hdrspace); 438 if (m == NULL) { 439 /* Fragment dropped or frame not complete yet */ 440 goto out; 441 } 442 } 443 wh = NULL; /* no longer valid, catch any uses */ 444 445 /* 446 * Next strip any MSDU crypto bits. 447 */ 448 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) { 449 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 450 ni->ni_macaddr, "data", "%s", "demic error"); 451 IEEE80211_NODE_STAT(ni, rx_demicfail); 452 goto out; 453 } 454 455 #if NBPFILTER > 0 456 /* copy to listener after decrypt */ 457 if (ic->ic_rawbpf) 458 bpf_mtap(ic->ic_rawbpf, m); 459 #endif 460 461 /* 462 * Finally, strip the 802.11 header. 463 */ 464 m = ieee80211_decap(ic, m, hdrspace); 465 if (m == NULL) { 466 /* don't count Null data frames as errors */ 467 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA) 468 goto out; 469 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 470 ni->ni_macaddr, "data", "%s", "decap error"); 471 ic->ic_stats.is_rx_decap++; 472 IEEE80211_NODE_STAT(ni, rx_decap); 473 goto err; 474 } 475 eh = mtod(m, struct ether_header *); 476 if (!ieee80211_node_is_authorized(ni)) { 477 /* 478 * Deny any non-PAE frames received prior to 479 * authorization. For open/shared-key 480 * authentication the port is mark authorized 481 * after authentication completes. For 802.1x 482 * the port is not marked authorized by the 483 * authenticator until the handshake has completed. 484 */ 485 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 486 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 487 eh->ether_shost, "data", 488 "unauthorized port: ether type 0x%x len %u", 489 eh->ether_type, m->m_pkthdr.len); 490 ic->ic_stats.is_rx_unauth++; 491 IEEE80211_NODE_STAT(ni, rx_unauth); 492 goto err; 493 } 494 } else { 495 /* 496 * When denying unencrypted frames, discard 497 * any non-PAE frames received without encryption. 498 */ 499 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) && 500 key == NULL && 501 eh->ether_type != htons(ETHERTYPE_PAE)) { 502 /* 503 * Drop unencrypted frames. 504 */ 505 ic->ic_stats.is_rx_unencrypted++; 506 IEEE80211_NODE_STAT(ni, rx_unencrypted); 507 goto out; 508 } 509 } 510 ifp->if_ipackets++; 511 IEEE80211_NODE_STAT(ni, rx_data); 512 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 513 514 ieee80211_deliver_data(ic, ni, m); 515 return IEEE80211_FC0_TYPE_DATA; 516 517 case IEEE80211_FC0_TYPE_MGT: 518 IEEE80211_NODE_STAT(ni, rx_mgmt); 519 if (dir != IEEE80211_FC1_DIR_NODS) { 520 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 521 wh, "data", "%s", "unknown dir 0x%x", dir); 522 ic->ic_stats.is_rx_wrongdir++; 523 goto err; 524 } 525 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 526 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 527 ni->ni_macaddr, "mgt", "too short: len %u", 528 m->m_pkthdr.len); 529 ic->ic_stats.is_rx_tooshort++; 530 goto out; 531 } 532 #ifdef IEEE80211_DEBUG 533 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 534 ieee80211_msg_dumppkts(ic)) { 535 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n", 536 ieee80211_mgt_subtype_name[subtype >> 537 IEEE80211_FC0_SUBTYPE_SHIFT], 538 ether_sprintf(wh->i_addr2), rssi); 539 } 540 #endif 541 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 542 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 543 /* 544 * Only shared key auth frames with a challenge 545 * should be encrypted, discard all others. 546 */ 547 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 548 wh, ieee80211_mgt_subtype_name[subtype >> 549 IEEE80211_FC0_SUBTYPE_SHIFT], 550 "%s", "WEP set but not permitted"); 551 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */ 552 goto out; 553 } 554 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 555 /* 556 * Discard encrypted frames when privacy is off. 557 */ 558 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 559 wh, "mgt", "%s", "WEP set but PRIVACY off"); 560 ic->ic_stats.is_rx_noprivacy++; 561 goto out; 562 } 563 hdrspace = ieee80211_hdrspace(ic, wh); 564 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 565 if (key == NULL) { 566 /* NB: stats+msgs handled in crypto_decap */ 567 goto out; 568 } 569 wh = mtod(m, struct ieee80211_frame *); 570 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 571 } 572 #if NBPFILTER > 0 573 if (ic->ic_rawbpf) 574 bpf_mtap(ic->ic_rawbpf, m); 575 #endif 576 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 577 m_freem(m); 578 return type; 579 580 case IEEE80211_FC0_TYPE_CTL: 581 IEEE80211_NODE_STAT(ni, rx_ctrl); 582 ic->ic_stats.is_rx_ctl++; 583 #ifndef IEEE80211_NO_HOSTAP 584 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 585 switch (subtype) { 586 case IEEE80211_FC0_SUBTYPE_PS_POLL: 587 ieee80211_recv_pspoll(ic, ni, m); 588 break; 589 } 590 } 591 #endif /* !IEEE80211_NO_HOSTAP */ 592 goto out; 593 default: 594 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 595 wh, NULL, "bad frame type 0x%x", type); 596 /* should not come here */ 597 break; 598 } 599 err: 600 ifp->if_ierrors++; 601 out: 602 if (m != NULL) { 603 #if NBPFILTER > 0 604 if (ic->ic_rawbpf) 605 bpf_mtap(ic->ic_rawbpf, m); 606 #endif 607 m_freem(m); 608 } 609 return type; 610 #undef SEQ_LEQ 611 } 612 613 /* 614 * This function reassemble fragments. 615 */ 616 static struct mbuf * 617 ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni, 618 struct mbuf *m, int hdrspace) 619 { 620 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 621 struct ieee80211_frame *lwh; 622 u_int16_t rxseq; 623 u_int8_t fragno; 624 u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG; 625 struct mbuf *mfrag; 626 627 IASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?")); 628 629 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 630 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK; 631 632 /* Quick way out, if there's nothing to defragment */ 633 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) 634 return m; 635 636 /* 637 * Remove frag to insure it doesn't get reaped by timer. 638 */ 639 if (ni->ni_table == NULL) { 640 /* 641 * Should never happen. If the node is orphaned (not in 642 * the table) then input packets should not reach here. 643 * Otherwise, a concurrent request that yanks the table 644 * should be blocked by other interlocking and/or by first 645 * shutting the driver down. Regardless, be defensive 646 * here and just bail 647 */ 648 /* XXX need msg+stat */ 649 m_freem(m); 650 return NULL; 651 } 652 IEEE80211_NODE_LOCK(ni->ni_table); 653 mfrag = ni->ni_rxfrag[0]; 654 ni->ni_rxfrag[0] = NULL; 655 IEEE80211_NODE_UNLOCK(ni->ni_table); 656 657 /* 658 * Validate new fragment is in order and 659 * related to the previous ones. 660 */ 661 if (mfrag != NULL) { 662 u_int16_t last_rxseq; 663 664 lwh = mtod(mfrag, struct ieee80211_frame *); 665 last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq); 666 /* NB: check seq # and frag together */ 667 if (rxseq != last_rxseq+1 || 668 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) || 669 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { 670 /* 671 * Unrelated fragment or no space for it, 672 * clear current fragments. 673 */ 674 m_freem(mfrag); 675 mfrag = NULL; 676 } 677 } 678 679 if (mfrag == NULL) { 680 if (fragno != 0) { /* !first fragment, discard */ 681 IEEE80211_NODE_STAT(ni, rx_defrag); 682 m_freem(m); 683 return NULL; 684 } 685 mfrag = m; 686 } else { /* concatenate */ 687 m_adj(m, hdrspace); /* strip header */ 688 m_cat(mfrag, m); 689 /* NB: m_cat doesn't update the packet header */ 690 mfrag->m_pkthdr.len += m->m_pkthdr.len; 691 /* track last seqnum and fragno */ 692 lwh = mtod(mfrag, struct ieee80211_frame *); 693 *(u_int16_t *) lwh->i_seq = *(u_int16_t *) wh->i_seq; 694 } 695 if (more_frag) { /* more to come, save */ 696 ni->ni_rxfragstamp = ticks; 697 ni->ni_rxfrag[0] = mfrag; 698 mfrag = NULL; 699 } 700 return mfrag; 701 } 702 703 static void 704 ieee80211_deliver_data(struct ieee80211com *ic, 705 struct ieee80211_node *ni, struct mbuf *m) 706 { 707 struct ether_header *eh = mtod(m, struct ether_header *); 708 struct ifnet *ifp = ic->ic_ifp; 709 710 /* perform as a bridge within the AP */ 711 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 712 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) { 713 struct mbuf *m1 = NULL; 714 715 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 716 m1 = m_copypacket(m, M_DONTWAIT); 717 if (m1 == NULL) 718 ifp->if_oerrors++; 719 else 720 m1->m_flags |= M_MCAST; 721 } else { 722 /* 723 * Check if the destination is known; if so 724 * and the port is authorized dispatch directly. 725 */ 726 struct ieee80211_node *sta = 727 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost); 728 if (sta != NULL) { 729 if (ieee80211_node_is_authorized(sta)) { 730 /* 731 * Beware of sending to ourself; this 732 * needs to happen via the normal 733 * input path. 734 */ 735 if (sta != ic->ic_bss) { 736 m1 = m; 737 m = NULL; 738 } 739 } else { 740 ic->ic_stats.is_rx_unauth++; 741 IEEE80211_NODE_STAT(sta, rx_unauth); 742 } 743 ieee80211_free_node(sta); 744 } 745 } 746 if (m1 != NULL) { 747 int len; 748 #ifdef ALTQ 749 if (ALTQ_IS_ENABLED(&ifp->if_snd)) { 750 altq_etherclassify(&ifp->if_snd, m1, 751 &pktattr); 752 } 753 #endif 754 len = m1->m_pkthdr.len; 755 IF_ENQUEUE(&ifp->if_snd, m1); 756 if (m != NULL) 757 ifp->if_omcasts++; 758 ifp->if_obytes += len; 759 } 760 } 761 if (m != NULL) { 762 #if NBPFILTER > 0 763 /* 764 * XXX If we forward packet into transmitter of the AP, 765 * we don't need to duplicate for DLT_EN10MB. 766 */ 767 if (ifp->if_bpf) 768 bpf_mtap(ifp->if_bpf, m); 769 #endif 770 771 if (ni->ni_vlan != 0) { 772 /* attach vlan tag */ 773 /* XXX goto err? */ 774 VLAN_INPUT_TAG(ifp, m, ni->ni_vlan, goto out); 775 } 776 (*ifp->if_input)(ifp, m); 777 } 778 return; 779 out: 780 if (m != NULL) { 781 if (ic->ic_rawbpf) 782 bpf_mtap(ic->ic_rawbpf, m); 783 m_freem(m); 784 } 785 } 786 787 static struct mbuf * 788 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 789 { 790 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */ 791 struct ether_header *eh; 792 struct llc *llc; 793 794 if (m->m_len < hdrlen + sizeof(*llc) && 795 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) { 796 /* XXX stat, msg */ 797 return NULL; 798 } 799 memcpy(&wh, mtod(m, caddr_t), hdrlen); 800 llc = (struct llc *)(mtod(m, caddr_t) + hdrlen); 801 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 802 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 803 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 804 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); 805 llc = NULL; 806 } else { 807 m_adj(m, hdrlen - sizeof(*eh)); 808 } 809 eh = mtod(m, struct ether_header *); 810 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 811 case IEEE80211_FC1_DIR_NODS: 812 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 813 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 814 break; 815 case IEEE80211_FC1_DIR_TODS: 816 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 817 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 818 break; 819 case IEEE80211_FC1_DIR_FROMDS: 820 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 821 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 822 break; 823 case IEEE80211_FC1_DIR_DSTODS: 824 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 825 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 826 break; 827 } 828 #ifdef ALIGNED_POINTER 829 if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), u_int32_t)) { 830 struct mbuf *n, *n0, **np; 831 caddr_t newdata; 832 int off, pktlen; 833 834 n0 = NULL; 835 np = &n0; 836 off = 0; 837 pktlen = m->m_pkthdr.len; 838 while (pktlen > off) { 839 if (n0 == NULL) { 840 MGETHDR(n, M_DONTWAIT, MT_DATA); 841 if (n == NULL) { 842 m_freem(m); 843 return NULL; 844 } 845 M_MOVE_PKTHDR(n, m); 846 n->m_len = MHLEN; 847 } else { 848 MGET(n, M_DONTWAIT, MT_DATA); 849 if (n == NULL) { 850 m_freem(m); 851 m_freem(n0); 852 return NULL; 853 } 854 n->m_len = MLEN; 855 } 856 if (pktlen - off >= MINCLSIZE) { 857 MCLGET(n, M_DONTWAIT); 858 if (n->m_flags & M_EXT) 859 n->m_len = n->m_ext.ext_size; 860 } 861 if (n0 == NULL) { 862 newdata = 863 (caddr_t)ALIGN(n->m_data + sizeof(*eh)) - 864 sizeof(*eh); 865 n->m_len -= newdata - n->m_data; 866 n->m_data = newdata; 867 } 868 if (n->m_len > pktlen - off) 869 n->m_len = pktlen - off; 870 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 871 off += n->m_len; 872 *np = n; 873 np = &n->m_next; 874 } 875 m_freem(m); 876 m = n0; 877 } 878 #endif /* ALIGNED_POINTER */ 879 if (llc != NULL) { 880 eh = mtod(m, struct ether_header *); 881 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 882 } 883 return m; 884 } 885 886 /* 887 * Install received rate set information in the node's state block. 888 */ 889 int 890 ieee80211_setup_rates(struct ieee80211_node *ni, 891 const u_int8_t *rates, const u_int8_t *xrates, int flags) 892 { 893 struct ieee80211com *ic = ni->ni_ic; 894 struct ieee80211_rateset *rs = &ni->ni_rates; 895 896 memset(rs, 0, sizeof(*rs)); 897 rs->rs_nrates = rates[1]; 898 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 899 if (xrates != NULL) { 900 u_int8_t nxrates; 901 /* 902 * Tack on 11g extended supported rate element. 903 */ 904 nxrates = xrates[1]; 905 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 906 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 907 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 908 "[%s] extended rate set too large;" 909 " only using %u of %u rates\n", 910 ether_sprintf(ni->ni_macaddr), nxrates, xrates[1]); 911 ic->ic_stats.is_rx_rstoobig++; 912 } 913 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 914 rs->rs_nrates += nxrates; 915 } 916 return ieee80211_fix_rate(ni, flags); 917 } 918 919 static void 920 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 921 struct ieee80211_node *ni, int rssi, u_int32_t rstamp, u_int16_t seq, 922 u_int16_t status) 923 { 924 925 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 926 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 927 ni->ni_macaddr, "open auth", 928 "bad sta auth mode %u", ni->ni_authmode); 929 ic->ic_stats.is_rx_bad_auth++; /* XXX */ 930 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 931 /* XXX hack to workaround calling convention */ 932 ieee80211_send_error(ic, ni, wh->i_addr2, 933 IEEE80211_FC0_SUBTYPE_AUTH, 934 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 935 } 936 return; 937 } 938 switch (ic->ic_opmode) { 939 case IEEE80211_M_IBSS: 940 case IEEE80211_M_AHDEMO: 941 case IEEE80211_M_MONITOR: 942 /* should not come here */ 943 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 944 ni->ni_macaddr, "open auth", 945 "bad operating mode %u", ic->ic_opmode); 946 break; 947 948 case IEEE80211_M_HOSTAP: 949 #ifndef IEEE80211_NO_HOSTAP 950 if (ic->ic_state != IEEE80211_S_RUN || 951 seq != IEEE80211_AUTH_OPEN_REQUEST) { 952 ic->ic_stats.is_rx_bad_auth++; 953 return; 954 } 955 /* always accept open authentication requests */ 956 if (ni == ic->ic_bss) { 957 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 958 if (ni == NULL) 959 return; 960 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 961 (void) ieee80211_ref_node(ni); 962 /* 963 * Mark the node as referenced to reflect that it's 964 * reference count has been bumped to insure it remains 965 * after the transaction completes. 966 */ 967 ni->ni_flags |= IEEE80211_NODE_AREF; 968 969 IEEE80211_SEND_MGMT(ic, ni, 970 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 971 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 972 "[%s] station authenticated (open)\n", 973 ether_sprintf(ni->ni_macaddr)); 974 /* 975 * When 802.1x is not in use mark the port 976 * authorized at this point so traffic can flow. 977 */ 978 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 979 ieee80211_node_authorize(ni); 980 #endif /* !IEEE80211_NO_HOSTAP */ 981 break; 982 983 case IEEE80211_M_STA: 984 if (ic->ic_state != IEEE80211_S_AUTH || 985 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 986 ic->ic_stats.is_rx_bad_auth++; 987 return; 988 } 989 if (status != 0) { 990 IEEE80211_DPRINTF(ic, 991 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 992 "[%s] open auth failed (reason %d)\n", 993 ether_sprintf(ni->ni_macaddr), status); 994 /* XXX can this happen? */ 995 if (ni != ic->ic_bss) 996 ni->ni_fails++; 997 ic->ic_stats.is_rx_auth_fail++; 998 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 999 } else 1000 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1001 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1002 break; 1003 } 1004 } 1005 1006 /* 1007 * Send a management frame error response to the specified 1008 * station. If ni is associated with the station then use 1009 * it; otherwise allocate a temporary node suitable for 1010 * transmitting the frame and then free the reference so 1011 * it will go away as soon as the frame has been transmitted. 1012 */ 1013 static void 1014 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni, 1015 const u_int8_t *mac, int subtype, int arg) 1016 { 1017 int istmp; 1018 1019 if (ni == ic->ic_bss) { 1020 ni = ieee80211_tmp_node(ic, mac); 1021 if (ni == NULL) { 1022 /* XXX msg */ 1023 return; 1024 } 1025 istmp = 1; 1026 } else 1027 istmp = 0; 1028 IEEE80211_SEND_MGMT(ic, ni, subtype, arg); 1029 if (istmp) 1030 ieee80211_free_node(ni); 1031 } 1032 1033 static int 1034 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni) 1035 { 1036 if (ni->ni_challenge == NULL) 1037 MALLOC(ni->ni_challenge, u_int32_t*, IEEE80211_CHALLENGE_LEN, 1038 M_DEVBUF, M_NOWAIT); 1039 if (ni->ni_challenge == NULL) { 1040 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1041 "[%s] shared key challenge alloc failed\n", 1042 ether_sprintf(ni->ni_macaddr)); 1043 /* XXX statistic */ 1044 } 1045 return (ni->ni_challenge != NULL); 1046 } 1047 1048 /* XXX TODO: add statistics */ 1049 static void 1050 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 1051 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 1052 u_int32_t rstamp, u_int16_t seq, u_int16_t status) 1053 { 1054 u_int8_t *challenge; 1055 int estatus; 1056 1057 /* 1058 * NB: this can happen as we allow pre-shared key 1059 * authentication to be enabled w/o wep being turned 1060 * on so that configuration of these can be done 1061 * in any order. It may be better to enforce the 1062 * ordering in which case this check would just be 1063 * for sanity/consistency. 1064 */ 1065 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 1066 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1067 ni->ni_macaddr, "shared key auth", 1068 "%s", " PRIVACY is disabled"); 1069 estatus = IEEE80211_STATUS_ALG; 1070 goto bad; 1071 } 1072 /* 1073 * Pre-shared key authentication is evil; accept 1074 * it only if explicitly configured (it is supported 1075 * mainly for compatibility with clients like OS X). 1076 */ 1077 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1078 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1079 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1080 ni->ni_macaddr, "shared key auth", 1081 "bad sta auth mode %u", ni->ni_authmode); 1082 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1083 estatus = IEEE80211_STATUS_ALG; 1084 goto bad; 1085 } 1086 1087 challenge = NULL; 1088 if (frm + 1 < efrm) { 1089 if ((frm[1] + 2) > (efrm - frm)) { 1090 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1091 ni->ni_macaddr, "shared key auth", 1092 "ie %d/%d too long", 1093 frm[0], (frm[1] + 2) - (efrm - frm)); 1094 ic->ic_stats.is_rx_bad_auth++; 1095 estatus = IEEE80211_STATUS_CHALLENGE; 1096 goto bad; 1097 } 1098 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1099 challenge = frm; 1100 frm += frm[1] + 2; 1101 } 1102 switch (seq) { 1103 case IEEE80211_AUTH_SHARED_CHALLENGE: 1104 case IEEE80211_AUTH_SHARED_RESPONSE: 1105 if (challenge == NULL) { 1106 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1107 ni->ni_macaddr, "shared key auth", 1108 "%s", "no challenge"); 1109 ic->ic_stats.is_rx_bad_auth++; 1110 estatus = IEEE80211_STATUS_CHALLENGE; 1111 goto bad; 1112 } 1113 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1114 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1115 ni->ni_macaddr, "shared key auth", 1116 "bad challenge len %d", challenge[1]); 1117 ic->ic_stats.is_rx_bad_auth++; 1118 estatus = IEEE80211_STATUS_CHALLENGE; 1119 goto bad; 1120 } 1121 default: 1122 break; 1123 } 1124 switch (ic->ic_opmode) { 1125 case IEEE80211_M_MONITOR: 1126 case IEEE80211_M_AHDEMO: 1127 case IEEE80211_M_IBSS: 1128 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1129 ni->ni_macaddr, "shared key auth", 1130 "bad operating mode %u", ic->ic_opmode); 1131 return; 1132 case IEEE80211_M_HOSTAP: 1133 #ifndef IEEE80211_NO_HOSTAP 1134 { 1135 int allocbs; 1136 if (ic->ic_state != IEEE80211_S_RUN) { 1137 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1138 ni->ni_macaddr, "shared key auth", 1139 "bad state %u", ic->ic_state); 1140 estatus = IEEE80211_STATUS_ALG; /* XXX */ 1141 goto bad; 1142 } 1143 switch (seq) { 1144 case IEEE80211_AUTH_SHARED_REQUEST: 1145 if (ni == ic->ic_bss) { 1146 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1147 if (ni == NULL) { 1148 /* NB: no way to return an error */ 1149 return; 1150 } 1151 allocbs = 1; 1152 } else { 1153 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1154 (void) ieee80211_ref_node(ni); 1155 allocbs = 0; 1156 } 1157 /* 1158 * Mark the node as referenced to reflect that it's 1159 * reference count has been bumped to insure it remains 1160 * after the transaction completes. 1161 */ 1162 ni->ni_flags |= IEEE80211_NODE_AREF; 1163 ni->ni_rssi = rssi; 1164 ni->ni_rstamp = rstamp; 1165 if (!alloc_challenge(ic, ni)) { 1166 /* NB: don't return error so they rexmit */ 1167 return; 1168 } 1169 get_random_bytes(ni->ni_challenge, 1170 IEEE80211_CHALLENGE_LEN); 1171 IEEE80211_DPRINTF(ic, 1172 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1173 "[%s] shared key %sauth request\n", 1174 ether_sprintf(ni->ni_macaddr), 1175 allocbs ? "" : "re"); 1176 break; 1177 case IEEE80211_AUTH_SHARED_RESPONSE: 1178 if (ni == ic->ic_bss) { 1179 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1180 ni->ni_macaddr, "shared key response", 1181 "%s", "unknown station"); 1182 /* NB: don't send a response */ 1183 return; 1184 } 1185 if (ni->ni_challenge == NULL) { 1186 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1187 ni->ni_macaddr, "shared key response", 1188 "%s", "no challenge recorded"); 1189 ic->ic_stats.is_rx_bad_auth++; 1190 estatus = IEEE80211_STATUS_CHALLENGE; 1191 goto bad; 1192 } 1193 if (memcmp(ni->ni_challenge, &challenge[2], 1194 challenge[1]) != 0) { 1195 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1196 ni->ni_macaddr, "shared key response", 1197 "%s", "challenge mismatch"); 1198 ic->ic_stats.is_rx_auth_fail++; 1199 estatus = IEEE80211_STATUS_CHALLENGE; 1200 goto bad; 1201 } 1202 IEEE80211_DPRINTF(ic, 1203 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1204 "[%s] station authenticated (shared key)\n", 1205 ether_sprintf(ni->ni_macaddr)); 1206 ieee80211_node_authorize(ni); 1207 break; 1208 default: 1209 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1210 ni->ni_macaddr, "shared key auth", 1211 "bad seq %d", seq); 1212 ic->ic_stats.is_rx_bad_auth++; 1213 estatus = IEEE80211_STATUS_SEQUENCE; 1214 goto bad; 1215 } 1216 IEEE80211_SEND_MGMT(ic, ni, 1217 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1218 } 1219 #endif /* !IEEE80211_NO_HOSTAP */ 1220 break; 1221 1222 case IEEE80211_M_STA: 1223 if (ic->ic_state != IEEE80211_S_AUTH) 1224 return; 1225 switch (seq) { 1226 case IEEE80211_AUTH_SHARED_PASS: 1227 if (ni->ni_challenge != NULL) { 1228 FREE(ni->ni_challenge, M_DEVBUF); 1229 ni->ni_challenge = NULL; 1230 } 1231 if (status != 0) { 1232 IEEE80211_DPRINTF(ic, 1233 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1234 "[%s] shared key auth failed (reason %d)\n", 1235 ether_sprintf(ieee80211_getbssid(ic, wh)), 1236 status); 1237 /* XXX can this happen? */ 1238 if (ni != ic->ic_bss) 1239 ni->ni_fails++; 1240 ic->ic_stats.is_rx_auth_fail++; 1241 return; 1242 } 1243 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1244 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1245 break; 1246 case IEEE80211_AUTH_SHARED_CHALLENGE: 1247 if (!alloc_challenge(ic, ni)) 1248 return; 1249 /* XXX could optimize by passing recvd challenge */ 1250 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1251 IEEE80211_SEND_MGMT(ic, ni, 1252 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1253 break; 1254 default: 1255 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH, 1256 wh, "shared key auth", "bad seq %d", seq); 1257 ic->ic_stats.is_rx_bad_auth++; 1258 return; 1259 } 1260 break; 1261 } 1262 return; 1263 bad: 1264 #ifndef IEEE80211_NO_HOSTAP 1265 /* 1266 * Send an error response; but only when operating as an AP. 1267 */ 1268 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1269 /* XXX hack to workaround calling convention */ 1270 ieee80211_send_error(ic, ni, wh->i_addr2, 1271 IEEE80211_FC0_SUBTYPE_AUTH, 1272 (seq + 1) | (estatus<<16)); 1273 } else if (ic->ic_opmode == IEEE80211_M_STA) { 1274 /* 1275 * Kick the state machine. This short-circuits 1276 * using the mgt frame timeout to trigger the 1277 * state transition. 1278 */ 1279 if (ic->ic_state == IEEE80211_S_AUTH) 1280 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1281 } 1282 #else 1283 ; 1284 #endif /* !IEEE80211_NO_HOSTAP */ 1285 } 1286 1287 /* Verify the existence and length of __elem or get out. */ 1288 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 1289 if ((__elem) == NULL) { \ 1290 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1291 wh, ieee80211_mgt_subtype_name[subtype >> \ 1292 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1293 "%s", "no " #__elem ); \ 1294 ic->ic_stats.is_rx_elem_missing++; \ 1295 return; \ 1296 } \ 1297 if ((__elem)[1] > (__maxlen)) { \ 1298 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1299 wh, ieee80211_mgt_subtype_name[subtype >> \ 1300 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1301 "bad " #__elem " len %d", (__elem)[1]); \ 1302 ic->ic_stats.is_rx_elem_toobig++; \ 1303 return; \ 1304 } \ 1305 } while (0) 1306 1307 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 1308 if ((_len) < (_minlen)) { \ 1309 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1310 wh, ieee80211_mgt_subtype_name[subtype >> \ 1311 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1312 "%s", "ie too short"); \ 1313 ic->ic_stats.is_rx_elem_toosmall++; \ 1314 return; \ 1315 } \ 1316 } while (0) 1317 1318 #ifdef IEEE80211_DEBUG 1319 static void 1320 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 1321 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 1322 { 1323 printf("[%s] discard %s frame, ssid mismatch: ", 1324 ether_sprintf(mac), tag); 1325 ieee80211_print_essid(ssid + 2, ssid[1]); 1326 printf("\n"); 1327 } 1328 1329 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1330 if ((_ssid)[1] != 0 && \ 1331 ((_ssid)[1] != (_ni)->ni_esslen || \ 1332 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1333 if (ieee80211_msg_input(ic)) \ 1334 ieee80211_ssid_mismatch(ic, \ 1335 ieee80211_mgt_subtype_name[subtype >> \ 1336 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1337 wh->i_addr2, _ssid); \ 1338 ic->ic_stats.is_rx_ssidmismatch++; \ 1339 return; \ 1340 } \ 1341 } while (0) 1342 #else /* !IEEE80211_DEBUG */ 1343 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1344 if ((_ssid)[1] != 0 && \ 1345 ((_ssid)[1] != (_ni)->ni_esslen || \ 1346 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1347 ic->ic_stats.is_rx_ssidmismatch++; \ 1348 return; \ 1349 } \ 1350 } while (0) 1351 #endif /* !IEEE80211_DEBUG */ 1352 1353 /* unalligned little endian access */ 1354 #define LE_READ_2(p) \ 1355 ((u_int16_t) \ 1356 ((((const u_int8_t *)(p))[0] ) | \ 1357 (((const u_int8_t *)(p))[1] << 8))) 1358 #define LE_READ_4(p) \ 1359 ((u_int32_t) \ 1360 ((((const u_int8_t *)(p))[0] ) | \ 1361 (((const u_int8_t *)(p))[1] << 8) | \ 1362 (((const u_int8_t *)(p))[2] << 16) | \ 1363 (((const u_int8_t *)(p))[3] << 24))) 1364 1365 static int __inline 1366 iswpaoui(const u_int8_t *frm) 1367 { 1368 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); 1369 } 1370 1371 static int __inline 1372 iswmeoui(const u_int8_t *frm) 1373 { 1374 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI); 1375 } 1376 1377 static int __inline 1378 iswmeparam(const u_int8_t *frm) 1379 { 1380 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1381 frm[6] == WME_PARAM_OUI_SUBTYPE; 1382 } 1383 1384 static int __inline 1385 iswmeinfo(const u_int8_t *frm) 1386 { 1387 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1388 frm[6] == WME_INFO_OUI_SUBTYPE; 1389 } 1390 1391 static int __inline 1392 isatherosoui(const u_int8_t *frm) 1393 { 1394 return frm[1] > 3 && LE_READ_4(frm+2) == ((ATH_OUI_TYPE<<24)|ATH_OUI); 1395 } 1396 1397 /* 1398 * Convert a WPA cipher selector OUI to an internal 1399 * cipher algorithm. Where appropriate we also 1400 * record any key length. 1401 */ 1402 static int 1403 wpa_cipher(u_int8_t *sel, u_int8_t *keylen) 1404 { 1405 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1406 u_int32_t w = LE_READ_4(sel); 1407 1408 switch (w) { 1409 case WPA_SEL(WPA_CSE_NULL): 1410 return IEEE80211_CIPHER_NONE; 1411 case WPA_SEL(WPA_CSE_WEP40): 1412 if (keylen) 1413 *keylen = 40 / NBBY; 1414 return IEEE80211_CIPHER_WEP; 1415 case WPA_SEL(WPA_CSE_WEP104): 1416 if (keylen) 1417 *keylen = 104 / NBBY; 1418 return IEEE80211_CIPHER_WEP; 1419 case WPA_SEL(WPA_CSE_TKIP): 1420 return IEEE80211_CIPHER_TKIP; 1421 case WPA_SEL(WPA_CSE_CCMP): 1422 return IEEE80211_CIPHER_AES_CCM; 1423 } 1424 return 32; /* NB: so 1<< is discarded */ 1425 #undef WPA_SEL 1426 } 1427 1428 /* 1429 * Convert a WPA key management/authentication algorithm 1430 * to an internal code. 1431 */ 1432 static int 1433 wpa_keymgmt(u_int8_t *sel) 1434 { 1435 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1436 u_int32_t w = LE_READ_4(sel); 1437 1438 switch (w) { 1439 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1440 return WPA_ASE_8021X_UNSPEC; 1441 case WPA_SEL(WPA_ASE_8021X_PSK): 1442 return WPA_ASE_8021X_PSK; 1443 case WPA_SEL(WPA_ASE_NONE): 1444 return WPA_ASE_NONE; 1445 } 1446 return 0; /* NB: so is discarded */ 1447 #undef WPA_SEL 1448 } 1449 1450 /* 1451 * Parse a WPA information element to collect parameters 1452 * and validate the parameters against what has been 1453 * configured for the system. 1454 */ 1455 static int 1456 ieee80211_parse_wpa(struct ieee80211com *ic, u_int8_t *frm, 1457 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1458 { 1459 u_int8_t len = frm[1]; 1460 u_int32_t w; 1461 int n; 1462 1463 /* 1464 * Check the length once for fixed parts: OUI, type, 1465 * version, mcast cipher, and 2 selector counts. 1466 * Other, variable-length data, must be checked separately. 1467 */ 1468 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) { 1469 IEEE80211_DISCARD_IE(ic, 1470 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1471 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags); 1472 return IEEE80211_REASON_IE_INVALID; 1473 } 1474 if (len < 14) { 1475 IEEE80211_DISCARD_IE(ic, 1476 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1477 wh, "WPA", "too short, len %u", len); 1478 return IEEE80211_REASON_IE_INVALID; 1479 } 1480 frm += 6, len -= 4; /* NB: len is payload only */ 1481 /* NB: iswapoui already validated the OUI and type */ 1482 w = LE_READ_2(frm); 1483 if (w != WPA_VERSION) { 1484 IEEE80211_DISCARD_IE(ic, 1485 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1486 wh, "WPA", "bad version %u", w); 1487 return IEEE80211_REASON_IE_INVALID; 1488 } 1489 frm += 2, len -= 2; 1490 1491 /* multicast/group cipher */ 1492 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1493 if (w != rsn->rsn_mcastcipher) { 1494 IEEE80211_DISCARD_IE(ic, 1495 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1496 wh, "WPA", "mcast cipher mismatch; got %u, expected %u", 1497 w, rsn->rsn_mcastcipher); 1498 return IEEE80211_REASON_IE_INVALID; 1499 } 1500 frm += 4, len -= 4; 1501 1502 /* unicast ciphers */ 1503 n = LE_READ_2(frm); 1504 frm += 2, len -= 2; 1505 if (len < n*4+2) { 1506 IEEE80211_DISCARD_IE(ic, 1507 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1508 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1509 len, n); 1510 return IEEE80211_REASON_IE_INVALID; 1511 } 1512 w = 0; 1513 for (; n > 0; n--) { 1514 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1515 frm += 4, len -= 4; 1516 } 1517 w &= rsn->rsn_ucastcipherset; 1518 if (w == 0) { 1519 IEEE80211_DISCARD_IE(ic, 1520 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1521 wh, "WPA", "%s", "ucast cipher set empty"); 1522 return IEEE80211_REASON_IE_INVALID; 1523 } 1524 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1525 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1526 else 1527 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1528 1529 /* key management algorithms */ 1530 n = LE_READ_2(frm); 1531 frm += 2, len -= 2; 1532 if (len < n*4) { 1533 IEEE80211_DISCARD_IE(ic, 1534 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1535 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1536 len, n); 1537 return IEEE80211_REASON_IE_INVALID; 1538 } 1539 w = 0; 1540 for (; n > 0; n--) { 1541 w |= wpa_keymgmt(frm); 1542 frm += 4, len -= 4; 1543 } 1544 w &= rsn->rsn_keymgmtset; 1545 if (w == 0) { 1546 IEEE80211_DISCARD_IE(ic, 1547 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1548 wh, "WPA", "%s", "no acceptable key mgmt alg"); 1549 return IEEE80211_REASON_IE_INVALID; 1550 } 1551 if (w & WPA_ASE_8021X_UNSPEC) 1552 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1553 else 1554 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1555 1556 if (len > 2) /* optional capabilities */ 1557 rsn->rsn_caps = LE_READ_2(frm); 1558 1559 return 0; 1560 } 1561 1562 /* 1563 * Convert an RSN cipher selector OUI to an internal 1564 * cipher algorithm. Where appropriate we also 1565 * record any key length. 1566 */ 1567 static int 1568 rsn_cipher(u_int8_t *sel, u_int8_t *keylen) 1569 { 1570 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1571 u_int32_t w = LE_READ_4(sel); 1572 1573 switch (w) { 1574 case RSN_SEL(RSN_CSE_NULL): 1575 return IEEE80211_CIPHER_NONE; 1576 case RSN_SEL(RSN_CSE_WEP40): 1577 if (keylen) 1578 *keylen = 40 / NBBY; 1579 return IEEE80211_CIPHER_WEP; 1580 case RSN_SEL(RSN_CSE_WEP104): 1581 if (keylen) 1582 *keylen = 104 / NBBY; 1583 return IEEE80211_CIPHER_WEP; 1584 case RSN_SEL(RSN_CSE_TKIP): 1585 return IEEE80211_CIPHER_TKIP; 1586 case RSN_SEL(RSN_CSE_CCMP): 1587 return IEEE80211_CIPHER_AES_CCM; 1588 case RSN_SEL(RSN_CSE_WRAP): 1589 return IEEE80211_CIPHER_AES_OCB; 1590 } 1591 return 32; /* NB: so 1<< is discarded */ 1592 #undef WPA_SEL 1593 } 1594 1595 /* 1596 * Convert an RSN key management/authentication algorithm 1597 * to an internal code. 1598 */ 1599 static int 1600 rsn_keymgmt(u_int8_t *sel) 1601 { 1602 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1603 u_int32_t w = LE_READ_4(sel); 1604 1605 switch (w) { 1606 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1607 return RSN_ASE_8021X_UNSPEC; 1608 case RSN_SEL(RSN_ASE_8021X_PSK): 1609 return RSN_ASE_8021X_PSK; 1610 case RSN_SEL(RSN_ASE_NONE): 1611 return RSN_ASE_NONE; 1612 } 1613 return 0; /* NB: so is discarded */ 1614 #undef RSN_SEL 1615 } 1616 1617 /* 1618 * Parse a WPA/RSN information element to collect parameters 1619 * and validate the parameters against what has been 1620 * configured for the system. 1621 */ 1622 static int 1623 ieee80211_parse_rsn(struct ieee80211com *ic, u_int8_t *frm, 1624 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1625 { 1626 u_int8_t len = frm[1]; 1627 u_int32_t w; 1628 int n; 1629 1630 /* 1631 * Check the length once for fixed parts: 1632 * version, mcast cipher, and 2 selector counts. 1633 * Other, variable-length data, must be checked separately. 1634 */ 1635 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) { 1636 IEEE80211_DISCARD_IE(ic, 1637 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1638 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags); 1639 return IEEE80211_REASON_IE_INVALID; 1640 } 1641 if (len < 10) { 1642 IEEE80211_DISCARD_IE(ic, 1643 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1644 wh, "RSN", "too short, len %u", len); 1645 return IEEE80211_REASON_IE_INVALID; 1646 } 1647 frm += 2; 1648 w = LE_READ_2(frm); 1649 if (w != RSN_VERSION) { 1650 IEEE80211_DISCARD_IE(ic, 1651 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1652 wh, "RSN", "bad version %u", w); 1653 return IEEE80211_REASON_IE_INVALID; 1654 } 1655 frm += 2, len -= 2; 1656 1657 /* multicast/group cipher */ 1658 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1659 if (w != rsn->rsn_mcastcipher) { 1660 IEEE80211_DISCARD_IE(ic, 1661 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1662 wh, "RSN", "mcast cipher mismatch; got %u, expected %u", 1663 w, rsn->rsn_mcastcipher); 1664 return IEEE80211_REASON_IE_INVALID; 1665 } 1666 frm += 4, len -= 4; 1667 1668 /* unicast ciphers */ 1669 n = LE_READ_2(frm); 1670 frm += 2, len -= 2; 1671 if (len < n*4+2) { 1672 IEEE80211_DISCARD_IE(ic, 1673 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1674 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1675 len, n); 1676 return IEEE80211_REASON_IE_INVALID; 1677 } 1678 w = 0; 1679 for (; n > 0; n--) { 1680 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1681 frm += 4, len -= 4; 1682 } 1683 w &= rsn->rsn_ucastcipherset; 1684 if (w == 0) { 1685 IEEE80211_DISCARD_IE(ic, 1686 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1687 wh, "RSN", "%s", "ucast cipher set empty"); 1688 return IEEE80211_REASON_IE_INVALID; 1689 } 1690 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1691 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1692 else 1693 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1694 1695 /* key management algorithms */ 1696 n = LE_READ_2(frm); 1697 frm += 2, len -= 2; 1698 if (len < n*4) { 1699 IEEE80211_DISCARD_IE(ic, 1700 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1701 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1702 len, n); 1703 return IEEE80211_REASON_IE_INVALID; 1704 } 1705 w = 0; 1706 for (; n > 0; n--) { 1707 w |= rsn_keymgmt(frm); 1708 frm += 4, len -= 4; 1709 } 1710 w &= rsn->rsn_keymgmtset; 1711 if (w == 0) { 1712 IEEE80211_DISCARD_IE(ic, 1713 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1714 wh, "RSN", "%s", "no acceptable key mgmt alg"); 1715 return IEEE80211_REASON_IE_INVALID; 1716 } 1717 if (w & RSN_ASE_8021X_UNSPEC) 1718 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1719 else 1720 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1721 1722 /* optional RSN capabilities */ 1723 if (len > 2) 1724 rsn->rsn_caps = LE_READ_2(frm); 1725 /* XXXPMKID */ 1726 1727 return 0; 1728 } 1729 1730 static int 1731 ieee80211_parse_wmeparams(struct ieee80211com *ic, u_int8_t *frm, 1732 const struct ieee80211_frame *wh) 1733 { 1734 #define MS(_v, _f) (((_v) & _f) >> _f##_S) 1735 struct ieee80211_wme_state *wme = &ic->ic_wme; 1736 u_int len = frm[1], qosinfo; 1737 int i; 1738 1739 if (len < sizeof(struct ieee80211_wme_param)-2) { 1740 IEEE80211_DISCARD_IE(ic, 1741 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1742 wh, "WME", "too short, len %u", len); 1743 return -1; 1744 } 1745 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1746 qosinfo &= WME_QOSINFO_COUNT; 1747 /* XXX do proper check for wraparound */ 1748 if (qosinfo == wme->wme_wmeChanParams.cap_info) 1749 return 0; 1750 frm += __offsetof(struct ieee80211_wme_param, params_acParams); 1751 for (i = 0; i < WME_NUM_AC; i++) { 1752 struct wmeParams *wmep = 1753 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1754 /* NB: ACI not used */ 1755 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1756 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1757 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1758 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1759 wmep->wmep_txopLimit = LE_READ_2(frm+2); 1760 frm += 4; 1761 } 1762 wme->wme_wmeChanParams.cap_info = qosinfo; 1763 return 1; 1764 #undef MS 1765 } 1766 1767 void 1768 ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie) 1769 { 1770 u_int ielen = ie[1]+2; 1771 /* 1772 * Record information element for later use. 1773 */ 1774 if (*iep == NULL || (*iep)[1] != ie[1]) { 1775 if (*iep != NULL) 1776 FREE(*iep, M_DEVBUF); 1777 MALLOC(*iep, void*, ielen, M_DEVBUF, M_NOWAIT); 1778 } 1779 if (*iep != NULL) 1780 memcpy(*iep, ie, ielen); 1781 /* XXX note failure */ 1782 } 1783 1784 void 1785 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 1786 struct ieee80211_node *ni, 1787 int subtype, int rssi, u_int32_t rstamp) 1788 { 1789 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 1790 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 1791 struct ieee80211_frame *wh; 1792 u_int8_t *frm, *efrm; 1793 u_int8_t *ssid, *rates, *xrates, *wpa, *wme; 1794 int reassoc, resp, allocbs; 1795 u_int8_t rate; 1796 1797 wh = mtod(m0, struct ieee80211_frame *); 1798 frm = (u_int8_t *)&wh[1]; 1799 efrm = mtod(m0, u_int8_t *) + m0->m_len; 1800 switch (subtype) { 1801 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1802 case IEEE80211_FC0_SUBTYPE_BEACON: { 1803 struct ieee80211_scanparams scan; 1804 1805 /* 1806 * We process beacon/probe response frames: 1807 * o when scanning, or 1808 * o station mode when associated (to collect state 1809 * updates such as 802.11g slot time), or 1810 * o adhoc mode (to discover neighbors) 1811 * Frames otherwise received are discarded. 1812 */ 1813 if (!((ic->ic_flags & IEEE80211_F_SCAN) || 1814 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) || 1815 ic->ic_opmode == IEEE80211_M_IBSS)) { 1816 ic->ic_stats.is_rx_mgtdiscard++; 1817 return; 1818 } 1819 /* 1820 * beacon/probe response frame format 1821 * [8] time stamp 1822 * [2] beacon interval 1823 * [2] capability information 1824 * [tlv] ssid 1825 * [tlv] supported rates 1826 * [tlv] country information 1827 * [tlv] parameter set (FH/DS) 1828 * [tlv] erp information 1829 * [tlv] extended supported rates 1830 * [tlv] WME 1831 * [tlv] WPA or RSN 1832 */ 1833 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 1834 memset(&scan, 0, sizeof(scan)); 1835 scan.tstamp = frm; frm += 8; 1836 scan.bintval = le16toh(*(u_int16_t *)frm); frm += 2; 1837 scan.capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 1838 scan.bchan = ieee80211_chan2ieee(ic, ic->ic_curchan); 1839 scan.chan = scan.bchan; 1840 1841 while (frm < efrm) { 1842 switch (*frm) { 1843 case IEEE80211_ELEMID_SSID: 1844 scan.ssid = frm; 1845 break; 1846 case IEEE80211_ELEMID_RATES: 1847 scan.rates = frm; 1848 break; 1849 case IEEE80211_ELEMID_COUNTRY: 1850 scan.country = frm; 1851 break; 1852 case IEEE80211_ELEMID_FHPARMS: 1853 if (ic->ic_phytype == IEEE80211_T_FH) { 1854 scan.fhdwell = LE_READ_2(&frm[2]); 1855 scan.chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1856 scan.fhindex = frm[6]; 1857 } 1858 break; 1859 case IEEE80211_ELEMID_DSPARMS: 1860 /* 1861 * XXX hack this since depending on phytype 1862 * is problematic for multi-mode devices. 1863 */ 1864 if (ic->ic_phytype != IEEE80211_T_FH) 1865 scan.chan = frm[2]; 1866 break; 1867 case IEEE80211_ELEMID_TIM: 1868 /* XXX ATIM? */ 1869 scan.tim = frm; 1870 scan.timoff = frm - mtod(m0, u_int8_t *); 1871 break; 1872 case IEEE80211_ELEMID_IBSSPARMS: 1873 break; 1874 case IEEE80211_ELEMID_XRATES: 1875 scan.xrates = frm; 1876 break; 1877 case IEEE80211_ELEMID_ERP: 1878 if (frm[1] != 1) { 1879 IEEE80211_DISCARD_IE(ic, 1880 IEEE80211_MSG_ELEMID, wh, "ERP", 1881 "bad len %u", frm[1]); 1882 ic->ic_stats.is_rx_elem_toobig++; 1883 break; 1884 } 1885 scan.erp = frm[2]; 1886 break; 1887 case IEEE80211_ELEMID_RSN: 1888 scan.wpa = frm; 1889 break; 1890 case IEEE80211_ELEMID_VENDOR: 1891 if (iswpaoui(frm)) 1892 scan.wpa = frm; 1893 else if (iswmeparam(frm) || iswmeinfo(frm)) 1894 scan.wme = frm; 1895 /* XXX Atheros OUI support */ 1896 break; 1897 default: 1898 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 1899 wh, "unhandled", 1900 "id %u, len %u", *frm, frm[1]); 1901 ic->ic_stats.is_rx_elem_unknown++; 1902 break; 1903 } 1904 frm += frm[1] + 2; 1905 } 1906 IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE); 1907 IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN); 1908 if ( 1909 #if IEEE80211_CHAN_MAX < 255 1910 scan.chan > IEEE80211_CHAN_MAX || 1911 #endif 1912 isclr(ic->ic_chan_active, scan.chan)) { 1913 IEEE80211_DISCARD(ic, 1914 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1915 wh, ieee80211_mgt_subtype_name[subtype >> 1916 IEEE80211_FC0_SUBTYPE_SHIFT], 1917 "invalid channel %u", scan.chan); 1918 ic->ic_stats.is_rx_badchan++; 1919 return; 1920 } 1921 if (scan.chan != scan.bchan && 1922 ic->ic_phytype != IEEE80211_T_FH) { 1923 /* 1924 * Frame was received on a channel different from the 1925 * one indicated in the DS params element id; 1926 * silently discard it. 1927 * 1928 * NB: this can happen due to signal leakage. 1929 * But we should take it for FH phy because 1930 * the rssi value should be correct even for 1931 * different hop pattern in FH. 1932 */ 1933 IEEE80211_DISCARD(ic, 1934 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1935 wh, ieee80211_mgt_subtype_name[subtype >> 1936 IEEE80211_FC0_SUBTYPE_SHIFT], 1937 "for off-channel %u", scan.chan); 1938 ic->ic_stats.is_rx_chanmismatch++; 1939 return; 1940 } 1941 if (!(IEEE80211_BINTVAL_MIN <= scan.bintval && 1942 scan.bintval <= IEEE80211_BINTVAL_MAX)) { 1943 IEEE80211_DISCARD(ic, 1944 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1945 wh, ieee80211_mgt_subtype_name[subtype >> 1946 IEEE80211_FC0_SUBTYPE_SHIFT], 1947 "bogus beacon interval", scan.bintval); 1948 ic->ic_stats.is_rx_badbintval++; 1949 return; 1950 } 1951 1952 if (ni != ic->ic_bss) { 1953 ni = ieee80211_refine_node_for_beacon(ic, ni, 1954 &ic->ic_channels[scan.chan], scan.ssid); 1955 } 1956 /* 1957 * Count frame now that we know it's to be processed. 1958 */ 1959 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1960 ic->ic_stats.is_rx_beacon++; /* XXX remove */ 1961 IEEE80211_NODE_STAT(ni, rx_beacons); 1962 } else 1963 IEEE80211_NODE_STAT(ni, rx_proberesp); 1964 1965 /* 1966 * When operating in station mode, check for state updates. 1967 * Be careful to ignore beacons received while doing a 1968 * background scan. We consider only 11g/WMM stuff right now. 1969 */ 1970 if (ic->ic_opmode == IEEE80211_M_STA && 1971 ni->ni_associd != 0 && 1972 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 1973 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 1974 /* record tsf of last beacon */ 1975 memcpy(ni->ni_tstamp.data, scan.tstamp, 1976 sizeof(ni->ni_tstamp)); 1977 if (ni->ni_erp != scan.erp) { 1978 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1979 "[%s] erp change: was 0x%x, now 0x%x\n", 1980 ether_sprintf(wh->i_addr2), 1981 ni->ni_erp, scan.erp); 1982 if (ic->ic_curmode == IEEE80211_MODE_11G && 1983 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 1984 ic->ic_flags |= IEEE80211_F_USEPROT; 1985 else 1986 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1987 ni->ni_erp = scan.erp; 1988 /* XXX statistic */ 1989 } 1990 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1991 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1992 "[%s] capabilities change: before 0x%x," 1993 " now 0x%x\n", 1994 ether_sprintf(wh->i_addr2), 1995 ni->ni_capinfo, scan.capinfo); 1996 /* 1997 * NB: we assume short preamble doesn't 1998 * change dynamically 1999 */ 2000 ieee80211_set_shortslottime(ic, 2001 ic->ic_curmode == IEEE80211_MODE_11A || 2002 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2003 ni->ni_capinfo = scan.capinfo; 2004 /* XXX statistic */ 2005 } 2006 if (scan.wme != NULL && 2007 (ni->ni_flags & IEEE80211_NODE_QOS) && 2008 ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0) 2009 ieee80211_wme_updateparams(ic); 2010 if (scan.tim != NULL) { 2011 struct ieee80211_tim_ie *ie = 2012 (struct ieee80211_tim_ie *) scan.tim; 2013 2014 ni->ni_dtim_count = ie->tim_count; 2015 ni->ni_dtim_period = ie->tim_period; 2016 } 2017 if (ic->ic_flags & IEEE80211_F_SCAN) 2018 ieee80211_add_scan(ic, &scan, wh, 2019 subtype, rssi, rstamp); 2020 return; 2021 } 2022 /* 2023 * If scanning, just pass information to the scan module. 2024 */ 2025 if (ic->ic_flags & IEEE80211_F_SCAN) { 2026 ieee80211_add_scan(ic, &scan, wh, 2027 subtype, rssi, rstamp); 2028 return; 2029 } 2030 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) { 2031 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 2032 /* 2033 * Create a new entry in the neighbor table. 2034 */ 2035 ni = ieee80211_add_neighbor(ic, wh, &scan); 2036 } else { 2037 /* 2038 * Record tsf for potential resync. 2039 */ 2040 memcpy(ni->ni_tstamp.data, scan.tstamp, 2041 sizeof(ni->ni_tstamp)); 2042 } 2043 if (ni != NULL) { 2044 ni->ni_rssi = rssi; 2045 ni->ni_rstamp = rstamp; 2046 } 2047 } 2048 break; 2049 } 2050 2051 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2052 if (ic->ic_opmode == IEEE80211_M_STA || 2053 ic->ic_state != IEEE80211_S_RUN) { 2054 ic->ic_stats.is_rx_mgtdiscard++; 2055 return; 2056 } 2057 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 2058 /* frame must be directed */ 2059 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */ 2060 return; 2061 } 2062 2063 /* 2064 * prreq frame format 2065 * [tlv] ssid 2066 * [tlv] supported rates 2067 * [tlv] extended supported rates 2068 */ 2069 ssid = rates = xrates = NULL; 2070 while (frm < efrm) { 2071 switch (*frm) { 2072 case IEEE80211_ELEMID_SSID: 2073 ssid = frm; 2074 break; 2075 case IEEE80211_ELEMID_RATES: 2076 rates = frm; 2077 break; 2078 case IEEE80211_ELEMID_XRATES: 2079 xrates = frm; 2080 break; 2081 } 2082 frm += frm[1] + 2; 2083 } 2084 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2085 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2086 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2087 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 2088 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 2089 wh, ieee80211_mgt_subtype_name[subtype >> 2090 IEEE80211_FC0_SUBTYPE_SHIFT], 2091 "%s", "no ssid with ssid suppression enabled"); 2092 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/ 2093 return; 2094 } 2095 2096 if (ni == ic->ic_bss) { 2097 if (ic->ic_opmode == IEEE80211_M_IBSS) { 2098 /* 2099 * XXX Cannot tell if the sender is operating 2100 * in ibss mode. But we need a new node to 2101 * send the response so blindly add them to the 2102 * neighbor table. 2103 */ 2104 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2105 wh->i_addr2); 2106 } else 2107 ni = ieee80211_tmp_node(ic, wh->i_addr2); 2108 if (ni == NULL) 2109 return; 2110 allocbs = 1; 2111 } else 2112 allocbs = 0; 2113 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2114 "[%s] recv probe req\n", ether_sprintf(wh->i_addr2)); 2115 ni->ni_rssi = rssi; 2116 ni->ni_rstamp = rstamp; 2117 rate = ieee80211_setup_rates(ni, rates, xrates, 2118 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE 2119 | IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2120 if (rate & IEEE80211_RATE_BASIC) { 2121 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE, 2122 wh, ieee80211_mgt_subtype_name[subtype >> 2123 IEEE80211_FC0_SUBTYPE_SHIFT], 2124 "%s", "recv'd rate set invalid"); 2125 } else { 2126 IEEE80211_SEND_MGMT(ic, ni, 2127 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2128 } 2129 if (allocbs && ic->ic_opmode != IEEE80211_M_IBSS) { 2130 /* reclaim immediately */ 2131 ieee80211_free_node(ni); 2132 } 2133 break; 2134 2135 case IEEE80211_FC0_SUBTYPE_AUTH: { 2136 u_int16_t algo, seq, status; 2137 /* 2138 * auth frame format 2139 * [2] algorithm 2140 * [2] sequence 2141 * [2] status 2142 * [tlv*] challenge 2143 */ 2144 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2145 algo = le16toh(*(u_int16_t *)frm); 2146 seq = le16toh(*(u_int16_t *)(frm + 2)); 2147 status = le16toh(*(u_int16_t *)(frm + 4)); 2148 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2149 "[%s] recv auth frame with algorithm %d seq %d\n", 2150 ether_sprintf(wh->i_addr2), algo, seq); 2151 /* 2152 * Consult the ACL policy module if setup. 2153 */ 2154 if (ic->ic_acl != NULL && 2155 !ic->ic_acl->iac_check(ic, wh->i_addr2)) { 2156 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL, 2157 wh, "auth", "%s", "disallowed by ACL"); 2158 ic->ic_stats.is_rx_acl++; 2159 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2160 IEEE80211_SEND_MGMT(ic, ni, 2161 IEEE80211_FC0_SUBTYPE_AUTH, 2162 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2163 } 2164 return; 2165 } 2166 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 2167 IEEE80211_DISCARD(ic, 2168 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2169 wh, "auth", "%s", "TKIP countermeasures enabled"); 2170 ic->ic_stats.is_rx_auth_countermeasures++; 2171 #ifndef IEEE80211_NO_HOSTAP 2172 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2173 IEEE80211_SEND_MGMT(ic, ni, 2174 IEEE80211_FC0_SUBTYPE_AUTH, 2175 IEEE80211_REASON_MIC_FAILURE); 2176 } 2177 #endif /* !IEEE80211_NO_HOSTAP */ 2178 return; 2179 } 2180 if (algo == IEEE80211_AUTH_ALG_SHARED) 2181 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 2182 rstamp, seq, status); 2183 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2184 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 2185 status); 2186 else { 2187 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2188 wh, "auth", "unsupported alg %d", algo); 2189 ic->ic_stats.is_rx_auth_unsupported++; 2190 #ifndef IEEE80211_NO_HOSTAP 2191 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2192 /* XXX not right */ 2193 IEEE80211_SEND_MGMT(ic, ni, 2194 IEEE80211_FC0_SUBTYPE_AUTH, 2195 (seq+1) | (IEEE80211_STATUS_ALG<<16)); 2196 } 2197 #endif /* !IEEE80211_NO_HOSTAP */ 2198 return; 2199 } 2200 break; 2201 } 2202 2203 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2204 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2205 u_int16_t capinfo, lintval; 2206 struct ieee80211_rsnparms rsn; 2207 u_int8_t reason; 2208 2209 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2210 ic->ic_state != IEEE80211_S_RUN) { 2211 ic->ic_stats.is_rx_mgtdiscard++; 2212 return; 2213 } 2214 2215 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2216 reassoc = 1; 2217 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2218 } else { 2219 reassoc = 0; 2220 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2221 } 2222 /* 2223 * asreq frame format 2224 * [2] capability information 2225 * [2] listen interval 2226 * [6*] current AP address (reassoc only) 2227 * [tlv] ssid 2228 * [tlv] supported rates 2229 * [tlv] extended supported rates 2230 * [tlv] WPA or RSN 2231 */ 2232 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 2233 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2234 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2235 wh, ieee80211_mgt_subtype_name[subtype >> 2236 IEEE80211_FC0_SUBTYPE_SHIFT], 2237 "%s", "wrong bssid"); 2238 ic->ic_stats.is_rx_assoc_bss++; 2239 return; 2240 } 2241 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 2242 lintval = le16toh(*(u_int16_t *)frm); frm += 2; 2243 if (reassoc) 2244 frm += 6; /* ignore current AP info */ 2245 ssid = rates = xrates = wpa = wme = NULL; 2246 while (frm < efrm) { 2247 switch (*frm) { 2248 case IEEE80211_ELEMID_SSID: 2249 ssid = frm; 2250 break; 2251 case IEEE80211_ELEMID_RATES: 2252 rates = frm; 2253 break; 2254 case IEEE80211_ELEMID_XRATES: 2255 xrates = frm; 2256 break; 2257 /* XXX verify only one of RSN and WPA ie's? */ 2258 case IEEE80211_ELEMID_RSN: 2259 wpa = frm; 2260 break; 2261 case IEEE80211_ELEMID_VENDOR: 2262 if (iswpaoui(frm)) 2263 wpa = frm; 2264 else if (iswmeinfo(frm)) 2265 wme = frm; 2266 /* XXX Atheros OUI support */ 2267 break; 2268 } 2269 frm += frm[1] + 2; 2270 } 2271 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2272 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2273 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2274 2275 if (ni == ic->ic_bss) { 2276 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2277 "[%s] deny %s request, sta not authenticated\n", 2278 ether_sprintf(wh->i_addr2), 2279 reassoc ? "reassoc" : "assoc"); 2280 ieee80211_send_error(ic, ni, wh->i_addr2, 2281 IEEE80211_FC0_SUBTYPE_DEAUTH, 2282 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2283 ic->ic_stats.is_rx_assoc_notauth++; 2284 return; 2285 } 2286 /* assert right associstion security credentials */ 2287 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) { 2288 IEEE80211_DPRINTF(ic, 2289 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2290 "[%s] no WPA/RSN IE in association request\n", 2291 ether_sprintf(wh->i_addr2)); 2292 IEEE80211_SEND_MGMT(ic, ni, 2293 IEEE80211_FC0_SUBTYPE_DEAUTH, 2294 IEEE80211_REASON_RSN_REQUIRED); 2295 ieee80211_node_leave(ic, ni); 2296 /* XXX distinguish WPA/RSN? */ 2297 ic->ic_stats.is_rx_assoc_badwpaie++; 2298 return; 2299 } 2300 if (wpa != NULL) { 2301 /* 2302 * Parse WPA information element. Note that 2303 * we initialize the param block from the node 2304 * state so that information in the IE overrides 2305 * our defaults. The resulting parameters are 2306 * installed below after the association is assured. 2307 */ 2308 rsn = ni->ni_rsn; 2309 if (wpa[0] != IEEE80211_ELEMID_RSN) 2310 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh); 2311 else 2312 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh); 2313 if (reason != 0) { 2314 IEEE80211_SEND_MGMT(ic, ni, 2315 IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 2316 ieee80211_node_leave(ic, ni); 2317 /* XXX distinguish WPA/RSN? */ 2318 ic->ic_stats.is_rx_assoc_badwpaie++; 2319 return; 2320 } 2321 IEEE80211_DPRINTF(ic, 2322 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2323 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n", 2324 ether_sprintf(wh->i_addr2), 2325 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN", 2326 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen, 2327 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen, 2328 rsn.rsn_keymgmt, rsn.rsn_caps); 2329 } 2330 /* discard challenge after association */ 2331 if (ni->ni_challenge != NULL) { 2332 FREE(ni->ni_challenge, M_DEVBUF); 2333 ni->ni_challenge = NULL; 2334 } 2335 /* NB: 802.11 spec says to ignore station's privacy bit */ 2336 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2337 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2338 "[%s] deny %s request, capability mismatch 0x%x\n", 2339 ether_sprintf(wh->i_addr2), 2340 reassoc ? "reassoc" : "assoc", capinfo); 2341 IEEE80211_SEND_MGMT(ic, ni, resp, 2342 IEEE80211_STATUS_CAPINFO); 2343 ieee80211_node_leave(ic, ni); 2344 ic->ic_stats.is_rx_assoc_capmismatch++; 2345 return; 2346 } 2347 rate = ieee80211_setup_rates(ni, rates, xrates, 2348 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2349 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2350 /* 2351 * If constrained to 11g-only stations reject an 2352 * 11b-only station. We cheat a bit here by looking 2353 * at the max negotiated xmit rate and assuming anyone 2354 * with a best rate <24Mb/s is an 11b station. 2355 */ 2356 if ((rate & IEEE80211_RATE_BASIC) || 2357 ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48)) { 2358 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2359 "[%s] deny %s request, rate set mismatch\n", 2360 ether_sprintf(wh->i_addr2), 2361 reassoc ? "reassoc" : "assoc"); 2362 IEEE80211_SEND_MGMT(ic, ni, resp, 2363 IEEE80211_STATUS_BASIC_RATE); 2364 ieee80211_node_leave(ic, ni); 2365 ic->ic_stats.is_rx_assoc_norate++; 2366 return; 2367 } 2368 ni->ni_rssi = rssi; 2369 ni->ni_rstamp = rstamp; 2370 ni->ni_intval = lintval; 2371 ni->ni_capinfo = capinfo; 2372 ni->ni_chan = ic->ic_bss->ni_chan; 2373 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 2374 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 2375 if (wpa != NULL) { 2376 /* 2377 * Record WPA/RSN parameters for station, mark 2378 * node as using WPA and record information element 2379 * for applications that require it. 2380 */ 2381 ni->ni_rsn = rsn; 2382 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2383 } else if (ni->ni_wpa_ie != NULL) { 2384 /* 2385 * Flush any state from a previous association. 2386 */ 2387 FREE(ni->ni_wpa_ie, M_DEVBUF); 2388 ni->ni_wpa_ie = NULL; 2389 } 2390 if (wme != NULL) { 2391 /* 2392 * Record WME parameters for station, mark node 2393 * as capable of QoS and record information 2394 * element for applications that require it. 2395 */ 2396 ieee80211_saveie(&ni->ni_wme_ie, wme); 2397 ni->ni_flags |= IEEE80211_NODE_QOS; 2398 } else if (ni->ni_wme_ie != NULL) { 2399 /* 2400 * Flush any state from a previous association. 2401 */ 2402 FREE(ni->ni_wme_ie, M_DEVBUF); 2403 ni->ni_wme_ie = NULL; 2404 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2405 } 2406 ieee80211_node_join(ic, ni, resp); 2407 break; 2408 } 2409 2410 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2411 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 2412 u_int16_t capinfo, associd; 2413 u_int16_t status; 2414 2415 if (ic->ic_opmode != IEEE80211_M_STA || 2416 ic->ic_state != IEEE80211_S_ASSOC) { 2417 ic->ic_stats.is_rx_mgtdiscard++; 2418 return; 2419 } 2420 2421 /* 2422 * asresp frame format 2423 * [2] capability information 2424 * [2] status 2425 * [2] association ID 2426 * [tlv] supported rates 2427 * [tlv] extended supported rates 2428 * [tlv] WME 2429 */ 2430 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2431 ni = ic->ic_bss; 2432 capinfo = le16toh(*(u_int16_t *)frm); 2433 frm += 2; 2434 status = le16toh(*(u_int16_t *)frm); 2435 frm += 2; 2436 if (status != 0) { 2437 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2438 "[%s] %sassoc failed (reason %d)\n", 2439 ether_sprintf(wh->i_addr2), 2440 ISREASSOC(subtype) ? "re" : "", status); 2441 if (ni != ic->ic_bss) /* XXX never true? */ 2442 ni->ni_fails++; 2443 ic->ic_stats.is_rx_auth_fail++; /* XXX */ 2444 return; 2445 } 2446 associd = le16toh(*(u_int16_t *)frm); 2447 frm += 2; 2448 2449 rates = xrates = wpa = wme = NULL; 2450 while (frm < efrm) { 2451 switch (*frm) { 2452 case IEEE80211_ELEMID_RATES: 2453 rates = frm; 2454 break; 2455 case IEEE80211_ELEMID_XRATES: 2456 xrates = frm; 2457 break; 2458 case IEEE80211_ELEMID_VENDOR: 2459 if (iswmeoui(frm)) 2460 wme = frm; 2461 /* XXX Atheros OUI support */ 2462 break; 2463 } 2464 frm += frm[1] + 2; 2465 } 2466 2467 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2468 rate = ieee80211_setup_rates(ni, rates, xrates, 2469 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2470 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2471 if (rate & IEEE80211_RATE_BASIC) { 2472 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2473 "[%s] %sassoc failed (rate set mismatch)\n", 2474 ether_sprintf(wh->i_addr2), 2475 ISREASSOC(subtype) ? "re" : ""); 2476 if (ni != ic->ic_bss) /* XXX never true? */ 2477 ni->ni_fails++; 2478 ic->ic_stats.is_rx_assoc_norate++; 2479 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 2480 return; 2481 } 2482 2483 ni->ni_capinfo = capinfo; 2484 ni->ni_associd = associd; 2485 if (wme != NULL && 2486 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) { 2487 ni->ni_flags |= IEEE80211_NODE_QOS; 2488 ieee80211_wme_updateparams(ic); 2489 } else 2490 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2491 /* 2492 * Configure state now that we are associated. 2493 * 2494 * XXX may need different/additional driver callbacks? 2495 */ 2496 if (ic->ic_curmode == IEEE80211_MODE_11A || 2497 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { 2498 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2499 ic->ic_flags &= ~IEEE80211_F_USEBARKER; 2500 } else { 2501 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2502 ic->ic_flags |= IEEE80211_F_USEBARKER; 2503 } 2504 ieee80211_set_shortslottime(ic, 2505 ic->ic_curmode == IEEE80211_MODE_11A || 2506 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2507 /* 2508 * Honor ERP protection. 2509 * 2510 * NB: ni_erp should zero for non-11g operation. 2511 * XXX check ic_curmode anyway? 2512 */ 2513 if (ic->ic_curmode == IEEE80211_MODE_11G && 2514 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2515 ic->ic_flags |= IEEE80211_F_USEPROT; 2516 else 2517 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2518 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2519 "[%s] %sassoc success: %s preamble, %s slot time%s%s\n", 2520 ether_sprintf(wh->i_addr2), 2521 ISREASSOC(subtype) ? "re" : "", 2522 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 2523 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 2524 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 2525 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "" 2526 ); 2527 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype); 2528 break; 2529 } 2530 2531 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 2532 u_int16_t reason; 2533 2534 if (ic->ic_state == IEEE80211_S_SCAN) { 2535 ic->ic_stats.is_rx_mgtdiscard++; 2536 return; 2537 } 2538 /* 2539 * deauth frame format 2540 * [2] reason 2541 */ 2542 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2543 reason = le16toh(*(u_int16_t *)frm); 2544 ic->ic_stats.is_rx_deauth++; 2545 IEEE80211_NODE_STAT(ni, rx_deauth); 2546 2547 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2548 "[%s] recv deauthenticate (reason %d)\n", 2549 ether_sprintf(ni->ni_macaddr), reason); 2550 switch (ic->ic_opmode) { 2551 case IEEE80211_M_STA: 2552 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2553 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2554 break; 2555 case IEEE80211_M_HOSTAP: 2556 #ifndef IEEE80211_NO_HOSTAP 2557 if (ni != ic->ic_bss) 2558 ieee80211_node_leave(ic, ni); 2559 #endif /* !IEEE80211_NO_HOSTAP */ 2560 break; 2561 default: 2562 ic->ic_stats.is_rx_mgtdiscard++; 2563 break; 2564 } 2565 break; 2566 } 2567 2568 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2569 u_int16_t reason; 2570 2571 if (ic->ic_state != IEEE80211_S_RUN && 2572 ic->ic_state != IEEE80211_S_ASSOC && 2573 ic->ic_state != IEEE80211_S_AUTH) { 2574 ic->ic_stats.is_rx_mgtdiscard++; 2575 return; 2576 } 2577 /* 2578 * disassoc frame format 2579 * [2] reason 2580 */ 2581 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2582 reason = le16toh(*(u_int16_t *)frm); 2583 ic->ic_stats.is_rx_disassoc++; 2584 IEEE80211_NODE_STAT(ni, rx_disassoc); 2585 2586 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2587 "[%s] recv disassociate (reason %d)\n", 2588 ether_sprintf(ni->ni_macaddr), reason); 2589 switch (ic->ic_opmode) { 2590 case IEEE80211_M_STA: 2591 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2592 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2593 break; 2594 case IEEE80211_M_HOSTAP: 2595 #ifndef IEEE80211_NO_HOSTAP 2596 if (ni != ic->ic_bss) 2597 ieee80211_node_leave(ic, ni); 2598 #endif /* !IEEE80211_NO_HOSTAP */ 2599 break; 2600 default: 2601 ic->ic_stats.is_rx_mgtdiscard++; 2602 break; 2603 } 2604 break; 2605 } 2606 default: 2607 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2608 wh, "mgt", "subtype 0x%x not handled", subtype); 2609 ic->ic_stats.is_rx_badsubtype++; 2610 break; 2611 } 2612 #undef ISREASSOC 2613 #undef ISPROBE 2614 } 2615 #undef IEEE80211_VERIFY_LENGTH 2616 #undef IEEE80211_VERIFY_ELEMENT 2617 2618 #ifndef IEEE80211_NO_HOSTAP 2619 /* 2620 * Handle station power-save state change. 2621 */ 2622 static void 2623 ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable) 2624 { 2625 struct ieee80211com *ic = ni->ni_ic; 2626 struct mbuf *m; 2627 2628 if (enable) { 2629 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0) 2630 ic->ic_ps_sta++; 2631 ni->ni_flags |= IEEE80211_NODE_PWR_MGT; 2632 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2633 "[%s] power save mode on, %u sta's in ps mode\n", 2634 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta); 2635 return; 2636 } 2637 2638 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT) 2639 ic->ic_ps_sta--; 2640 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT; 2641 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2642 "[%s] power save mode off, %u sta's in ps mode\n", 2643 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta); 2644 /* XXX if no stations in ps mode, flush mc frames */ 2645 2646 /* 2647 * Flush queued unicast frames. 2648 */ 2649 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) { 2650 if (ic->ic_set_tim != NULL) 2651 ic->ic_set_tim(ni, 0); /* just in case */ 2652 return; 2653 } 2654 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2655 "[%s] flush ps queue, %u packets queued\n", 2656 ether_sprintf(ni->ni_macaddr), IEEE80211_NODE_SAVEQ_QLEN(ni)); 2657 for (;;) { 2658 int qlen; 2659 2660 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2661 if (m == NULL) 2662 break; 2663 /* 2664 * If this is the last packet, turn off the TIM bit. 2665 * If there are more packets, set the more packets bit 2666 * in the mbuf so ieee80211_encap will mark the 802.11 2667 * head to indicate more data frames will follow. 2668 */ 2669 if (qlen != 0) 2670 m->m_flags |= M_MORE_DATA; 2671 /* XXX need different driver interface */ 2672 /* XXX bypasses q max */ 2673 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2674 } 2675 if (ic->ic_set_tim != NULL) 2676 ic->ic_set_tim(ni, 0); 2677 } 2678 2679 /* 2680 * Process a received ps-poll frame. 2681 */ 2682 static void 2683 ieee80211_recv_pspoll(struct ieee80211com *ic, 2684 struct ieee80211_node *ni, struct mbuf *m0) 2685 { 2686 struct ieee80211_frame_min *wh; 2687 struct mbuf *m; 2688 u_int16_t aid; 2689 int qlen; 2690 2691 wh = mtod(m0, struct ieee80211_frame_min *); 2692 if (ni->ni_associd == 0) { 2693 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2694 (struct ieee80211_frame *) wh, "ps-poll", 2695 "%s", "unassociated station"); 2696 ic->ic_stats.is_ps_unassoc++; 2697 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2698 IEEE80211_REASON_NOT_ASSOCED); 2699 return; 2700 } 2701 2702 aid = le16toh(*(u_int16_t *)wh->i_dur); 2703 if (aid != ni->ni_associd) { 2704 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2705 (struct ieee80211_frame *) wh, "ps-poll", 2706 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2707 ni->ni_associd, aid); 2708 ic->ic_stats.is_ps_badaid++; 2709 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2710 IEEE80211_REASON_NOT_ASSOCED); 2711 return; 2712 } 2713 2714 /* Okay, take the first queued packet and put it out... */ 2715 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2716 if (m == NULL) { 2717 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2718 "[%s] recv ps-poll, but queue empty\n", 2719 ether_sprintf(wh->i_addr2)); 2720 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2721 ic->ic_stats.is_ps_qempty++; /* XXX node stat */ 2722 if (ic->ic_set_tim != NULL) 2723 ic->ic_set_tim(ni, 0); /* just in case */ 2724 return; 2725 } 2726 /* 2727 * If there are more packets, set the more packets bit 2728 * in the packet dispatched to the station; otherwise 2729 * turn off the TIM bit. 2730 */ 2731 if (qlen != 0) { 2732 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2733 "[%s] recv ps-poll, send packet, %u still queued\n", 2734 ether_sprintf(ni->ni_macaddr), qlen); 2735 m->m_flags |= M_MORE_DATA; 2736 } else { 2737 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2738 "[%s] recv ps-poll, send packet, queue empty\n", 2739 ether_sprintf(ni->ni_macaddr)); 2740 if (ic->ic_set_tim != NULL) 2741 ic->ic_set_tim(ni, 0); 2742 } 2743 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2744 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2745 } 2746 #endif /* !IEEE80211_NO_HOSTAP */ 2747 2748 #ifdef IEEE80211_DEBUG 2749 /* 2750 * Debugging support. 2751 */ 2752 2753 /* 2754 * Return the bssid of a frame. 2755 */ 2756 static const u_int8_t * 2757 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh) 2758 { 2759 if (ic->ic_opmode == IEEE80211_M_STA) 2760 return wh->i_addr2; 2761 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS) 2762 return wh->i_addr1; 2763 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL) 2764 return wh->i_addr1; 2765 return wh->i_addr3; 2766 } 2767 2768 void 2769 ieee80211_note(struct ieee80211com *ic, const char *fmt, ...) 2770 { 2771 char buf[128]; /* XXX */ 2772 va_list ap; 2773 2774 va_start(ap, fmt); 2775 vsnprintf(buf, sizeof(buf), fmt, ap); 2776 va_end(ap); 2777 2778 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */ 2779 } 2780 2781 void 2782 ieee80211_note_frame(struct ieee80211com *ic, 2783 const struct ieee80211_frame *wh, 2784 const char *fmt, ...) 2785 { 2786 char buf[128]; /* XXX */ 2787 va_list ap; 2788 2789 va_start(ap, fmt); 2790 vsnprintf(buf, sizeof(buf), fmt, ap); 2791 va_end(ap); 2792 if_printf(ic->ic_ifp, "[%s] %s\n", 2793 ether_sprintf(ieee80211_getbssid(ic, wh)), buf); 2794 } 2795 2796 void 2797 ieee80211_note_mac(struct ieee80211com *ic, 2798 const u_int8_t mac[IEEE80211_ADDR_LEN], 2799 const char *fmt, ...) 2800 { 2801 char buf[128]; /* XXX */ 2802 va_list ap; 2803 2804 va_start(ap, fmt); 2805 vsnprintf(buf, sizeof(buf), fmt, ap); 2806 va_end(ap); 2807 if_printf(ic->ic_ifp, "[%s] %s\n", ether_sprintf(mac), buf); 2808 } 2809 2810 static void 2811 ieee80211_discard_frame(struct ieee80211com *ic, 2812 const struct ieee80211_frame *wh, 2813 const char *type, const char *fmt, ...) 2814 { 2815 va_list ap; 2816 2817 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2818 ether_sprintf(ieee80211_getbssid(ic, wh))); 2819 if (type != NULL) 2820 printf("%s frame, ", type); 2821 else 2822 printf("frame, "); 2823 va_start(ap, fmt); 2824 vprintf(fmt, ap); 2825 va_end(ap); 2826 printf("\n"); 2827 } 2828 2829 static void 2830 ieee80211_discard_ie(struct ieee80211com *ic, 2831 const struct ieee80211_frame *wh, 2832 const char *type, const char *fmt, ...) 2833 { 2834 va_list ap; 2835 2836 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2837 ether_sprintf(ieee80211_getbssid(ic, wh))); 2838 if (type != NULL) 2839 printf("%s information element, ", type); 2840 else 2841 printf("information element, "); 2842 va_start(ap, fmt); 2843 vprintf(fmt, ap); 2844 va_end(ap); 2845 printf("\n"); 2846 } 2847 2848 static void 2849 ieee80211_discard_mac(struct ieee80211com *ic, 2850 const u_int8_t mac[IEEE80211_ADDR_LEN], 2851 const char *type, const char *fmt, ...) 2852 { 2853 va_list ap; 2854 2855 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, ether_sprintf(mac)); 2856 if (type != NULL) 2857 printf("%s frame, ", type); 2858 else 2859 printf("frame, "); 2860 va_start(ap, fmt); 2861 vprintf(fmt, ap); 2862 va_end(ap); 2863 printf("\n"); 2864 } 2865 #endif /* IEEE80211_DEBUG */ 2866
Indexes created Mon Sep 22 13:09:51 GMT 2025