1 /*- 2 * Copyright (c) 2001 Atsushi Onoe 3 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. The name of the author may not be used to endorse or promote products 15 * derived from this software without specific prior written permission. 16 * 17 * Alternatively, this software may be distributed under the terms of the 18 * GNU General Public License ("GPL") version 2 as published by the Free 19 * Software Foundation. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __FBSDID("$FreeBSD$"); 35 36 #include <sys/param.h> 37 #include <sys/systm.h> 38 #include <sys/mbuf.h> 39 #include <sys/malloc.h> 40 #include <sys/endian.h> 41 #include <sys/kernel.h> 42 43 #include <sys/socket.h> 44 45 #include <net/if.h> 46 #include <net/if_media.h> 47 #include <net/ethernet.h> 48 #include <net/if_llc.h> 49 #include <net/if_vlan_var.h> 50 51 #include <net80211/ieee80211_var.h> 52 53 #include <net/bpf.h> 54 55 #ifdef IEEE80211_DEBUG 56 #include <machine/stdarg.h> 57 58 /* 59 * Decide if a received management frame should be 60 * printed when debugging is enabled. This filters some 61 * of the less interesting frames that come frequently 62 * (e.g. beacons). 63 */ 64 static __inline int 65 doprint(struct ieee80211com *ic, int subtype) 66 { 67 switch (subtype) { 68 case IEEE80211_FC0_SUBTYPE_BEACON: 69 return (ic->ic_flags & IEEE80211_F_SCAN); 70 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 71 return (ic->ic_opmode == IEEE80211_M_IBSS); 72 } 73 return 1; 74 } 75 76 /* 77 * Emit a debug message about discarding a frame or information 78 * element. One format is for extracting the mac address from 79 * the frame header; the other is for when a header is not 80 * available or otherwise appropriate. 81 */ 82 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \ 83 if ((_ic)->ic_debug & (_m)) \ 84 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 85 } while (0) 86 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \ 87 if ((_ic)->ic_debug & (_m)) \ 88 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 89 } while (0) 90 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \ 91 if ((_ic)->ic_debug & (_m)) \ 92 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\ 93 } while (0) 94 95 static const u_int8_t *ieee80211_getbssid(struct ieee80211com *, 96 const struct ieee80211_frame *); 97 static void ieee80211_discard_frame(struct ieee80211com *, 98 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 99 static void ieee80211_discard_ie(struct ieee80211com *, 100 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 101 static void ieee80211_discard_mac(struct ieee80211com *, 102 const u_int8_t mac[IEEE80211_ADDR_LEN], const char *type, 103 const char *fmt, ...); 104 #else 105 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) 106 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) 107 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) 108 #endif /* IEEE80211_DEBUG */ 109 110 static struct mbuf *ieee80211_defrag(struct ieee80211com *, 111 struct ieee80211_node *, struct mbuf *); 112 static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *); 113 static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable); 114 static void ieee80211_recv_pspoll(struct ieee80211com *, 115 struct ieee80211_node *, struct mbuf *); 116 117 /* 118 * Process a received frame. The node associated with the sender 119 * should be supplied. If nothing was found in the node table then 120 * the caller is assumed to supply a reference to ic_bss instead. 121 * The RSSI and a timestamp are also supplied. The RSSI data is used 122 * during AP scanning to select a AP to associate with; it can have 123 * any units so long as values have consistent units and higher values 124 * mean ``better signal''. The receive timestamp is currently not used 125 * by the 802.11 layer. 126 */ 127 void 128 ieee80211_input(struct ieee80211com *ic, struct mbuf *m, 129 struct ieee80211_node *ni, int rssi, u_int32_t rstamp) 130 { 131 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 132 #define HAS_SEQ(type) ((type & 0x4) == 0) 133 struct ifnet *ifp = ic->ic_ifp; 134 struct ieee80211_frame *wh; 135 struct ieee80211_key *key; 136 struct ether_header *eh; 137 int len, hdrsize, off; 138 u_int8_t dir, type, subtype; 139 u_int8_t *bssid; 140 u_int16_t rxseq; 141 142 KASSERT(ni != NULL, ("null node")); 143 ni->ni_inact = ni->ni_inact_reload; 144 145 /* trim CRC here so WEP can find its own CRC at the end of packet. */ 146 if (m->m_flags & M_HASFCS) { 147 m_adj(m, -IEEE80211_CRC_LEN); 148 m->m_flags &= ~M_HASFCS; 149 } 150 KASSERT(m->m_pkthdr.len >= sizeof(struct ieee80211_frame_min), 151 ("frame length too short: %u", m->m_pkthdr.len)); 152 153 /* 154 * In monitor mode, send everything directly to bpf. 155 * XXX may want to include the CRC 156 */ 157 if (ic->ic_opmode == IEEE80211_M_MONITOR) 158 goto out; 159 160 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 161 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 162 ni->ni_macaddr, NULL, 163 "too short (1): len %u", m->m_pkthdr.len); 164 ic->ic_stats.is_rx_tooshort++; 165 goto out; 166 } 167 /* 168 * Bit of a cheat here, we use a pointer for a 3-address 169 * frame format but don't reference fields past outside 170 * ieee80211_frame_min w/o first validating the data is 171 * present. 172 */ 173 wh = mtod(m, struct ieee80211_frame *); 174 175 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 176 IEEE80211_FC0_VERSION_0) { 177 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 178 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 179 ic->ic_stats.is_rx_badversion++; 180 goto err; 181 } 182 183 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 184 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 185 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 186 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 187 switch (ic->ic_opmode) { 188 case IEEE80211_M_STA: 189 bssid = wh->i_addr2; 190 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 191 /* not interested in */ 192 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 193 bssid, NULL, "%s", "not to bss"); 194 ic->ic_stats.is_rx_wrongbss++; 195 goto out; 196 } 197 break; 198 case IEEE80211_M_IBSS: 199 case IEEE80211_M_AHDEMO: 200 case IEEE80211_M_HOSTAP: 201 if (dir != IEEE80211_FC1_DIR_NODS) 202 bssid = wh->i_addr1; 203 else if (type == IEEE80211_FC0_TYPE_CTL) 204 bssid = wh->i_addr1; 205 else { 206 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 207 IEEE80211_DISCARD_MAC(ic, 208 IEEE80211_MSG_ANY, ni->ni_macaddr, 209 NULL, "too short (2): len %u", 210 m->m_pkthdr.len); 211 ic->ic_stats.is_rx_tooshort++; 212 goto out; 213 } 214 bssid = wh->i_addr3; 215 } 216 if (type != IEEE80211_FC0_TYPE_DATA) 217 break; 218 /* 219 * Data frame, validate the bssid. 220 */ 221 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 222 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 223 /* not interested in */ 224 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 225 bssid, NULL, "%s", "not to bss"); 226 ic->ic_stats.is_rx_wrongbss++; 227 goto out; 228 } 229 /* 230 * For adhoc mode we cons up a node when it doesn't 231 * exist. This should probably done after an ACL check. 232 */ 233 if (ni == ic->ic_bss && 234 ic->ic_opmode != IEEE80211_M_HOSTAP) { 235 /* 236 * Fake up a node for this newly 237 * discovered member of the IBSS. 238 */ 239 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 240 type == IEEE80211_FC0_TYPE_CTL ? 241 wh->i_addr1 : wh->i_addr2); 242 if (ni == NULL) { 243 /* NB: stat kept for alloc failure */ 244 goto err; 245 } 246 } 247 break; 248 default: 249 goto out; 250 } 251 ni->ni_rssi = rssi; 252 ni->ni_rstamp = rstamp; 253 if (HAS_SEQ(type)) { 254 u_int8_t tid; 255 if (IEEE80211_QOS_HAS_SEQ(wh)) { 256 tid = ((struct ieee80211_qosframe *)wh)-> 257 i_qos[0] & IEEE80211_QOS_TID; 258 if (tid >= WME_AC_VI) 259 ic->ic_wme.wme_hipri_traffic++; 260 tid++; 261 } else 262 tid = 0; 263 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 264 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 265 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 266 /* duplicate, discard */ 267 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 268 bssid, "duplicate", 269 "seqno <%u,%u> fragno <%u,%u> tid %u", 270 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 271 ni->ni_rxseqs[tid] >> 272 IEEE80211_SEQ_SEQ_SHIFT, 273 rxseq & IEEE80211_SEQ_FRAG_MASK, 274 ni->ni_rxseqs[tid] & 275 IEEE80211_SEQ_FRAG_MASK, 276 tid); 277 ic->ic_stats.is_rx_dup++; 278 IEEE80211_NODE_STAT(ni, rx_dup); 279 goto out; 280 } 281 ni->ni_rxseqs[tid] = rxseq; 282 } 283 } 284 285 switch (type) { 286 case IEEE80211_FC0_TYPE_DATA: 287 hdrsize = ieee80211_hdrsize(wh); 288 if (ic->ic_flags & IEEE80211_F_DATAPAD) 289 hdrsize = roundup(hdrsize, sizeof(u_int32_t)); 290 if (m->m_len < hdrsize && 291 (m = m_pullup(m, hdrsize)) == NULL) { 292 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 293 wh, "data", "too short: len %u, expecting %u", 294 m->m_pkthdr.len, hdrsize); 295 ic->ic_stats.is_rx_tooshort++; 296 goto out; /* XXX */ 297 } 298 if (subtype & IEEE80211_FC0_SUBTYPE_QOS) { 299 /* XXX discard if node w/o IEEE80211_NODE_QOS? */ 300 /* 301 * Strip QoS control and any padding so only a 302 * stock 802.11 header is at the front. 303 */ 304 /* XXX 4-address QoS frame */ 305 off = hdrsize - sizeof(struct ieee80211_frame); 306 ovbcopy(mtod(m, u_int8_t *), mtod(m, u_int8_t *) + off, 307 hdrsize - off); 308 m_adj(m, off); 309 wh = mtod(m, struct ieee80211_frame *); 310 wh->i_fc[0] &= ~IEEE80211_FC0_SUBTYPE_QOS; 311 } else { 312 /* XXX copy up for 4-address frames w/ padding */ 313 } 314 switch (ic->ic_opmode) { 315 case IEEE80211_M_STA: 316 if (dir != IEEE80211_FC1_DIR_FROMDS) { 317 ic->ic_stats.is_rx_wrongdir++; 318 goto out; 319 } 320 if ((ifp->if_flags & IFF_SIMPLEX) && 321 IEEE80211_IS_MULTICAST(wh->i_addr1) && 322 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 323 /* 324 * In IEEE802.11 network, multicast packet 325 * sent from me is broadcasted from AP. 326 * It should be silently discarded for 327 * SIMPLEX interface. 328 */ 329 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 330 wh, NULL, "%s", "multicast echo"); 331 ic->ic_stats.is_rx_mcastecho++; 332 goto out; 333 } 334 break; 335 case IEEE80211_M_IBSS: 336 case IEEE80211_M_AHDEMO: 337 if (dir != IEEE80211_FC1_DIR_NODS) { 338 ic->ic_stats.is_rx_wrongdir++; 339 goto out; 340 } 341 /* XXX no power-save support */ 342 break; 343 case IEEE80211_M_HOSTAP: 344 if (dir != IEEE80211_FC1_DIR_TODS) { 345 ic->ic_stats.is_rx_wrongdir++; 346 goto out; 347 } 348 /* check if source STA is associated */ 349 if (ni == ic->ic_bss) { 350 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 351 wh, "data", "%s", "unknown src"); 352 /* NB: caller deals with reference */ 353 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 354 if (ni != NULL) { 355 IEEE80211_SEND_MGMT(ic, ni, 356 IEEE80211_FC0_SUBTYPE_DEAUTH, 357 IEEE80211_REASON_NOT_AUTHED); 358 ieee80211_free_node(ni); 359 } 360 ic->ic_stats.is_rx_notassoc++; 361 goto err; 362 } 363 if (ni->ni_associd == 0) { 364 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 365 wh, "data", "%s", "unassoc src"); 366 IEEE80211_SEND_MGMT(ic, ni, 367 IEEE80211_FC0_SUBTYPE_DISASSOC, 368 IEEE80211_REASON_NOT_ASSOCED); 369 ic->ic_stats.is_rx_notassoc++; 370 goto err; 371 } 372 373 /* 374 * Check for power save state change. 375 */ 376 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 377 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 378 ieee80211_node_pwrsave(ni, 379 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 380 break; 381 default: 382 /* XXX here to keep compiler happy */ 383 goto out; 384 } 385 386 /* 387 * Handle privacy requirements. Note that we 388 * must not be preempted from here until after 389 * we (potentially) call ieee80211_crypto_demic; 390 * otherwise we may violate assumptions in the 391 * crypto cipher modules used to do delayed update 392 * of replay sequence numbers. 393 */ 394 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 395 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 396 /* 397 * Discard encrypted frames when privacy is off. 398 */ 399 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 400 wh, "WEP", "%s", "PRIVACY off"); 401 ic->ic_stats.is_rx_noprivacy++; 402 IEEE80211_NODE_STAT(ni, rx_noprivacy); 403 goto out; 404 } 405 key = ieee80211_crypto_decap(ic, ni, m); 406 if (key == NULL) { 407 /* NB: stats+msgs handled in crypto_decap */ 408 IEEE80211_NODE_STAT(ni, rx_wepfail); 409 goto out; 410 } 411 wh = mtod(m, struct ieee80211_frame *); 412 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 413 } else { 414 key = NULL; 415 } 416 417 /* 418 * Next up, any fragmentation. 419 */ 420 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 421 m = ieee80211_defrag(ic, ni, m); 422 if (m == NULL) { 423 /* Fragment dropped or frame not complete yet */ 424 goto out; 425 } 426 } 427 wh = NULL; /* no longer valid, catch any uses */ 428 429 /* 430 * Next strip any MSDU crypto bits. 431 */ 432 if (key != NULL && !ieee80211_crypto_demic(ic, key, m)) { 433 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 434 ni->ni_macaddr, "data", "%s", "demic error"); 435 IEEE80211_NODE_STAT(ni, rx_demicfail); 436 goto out; 437 } 438 439 /* copy to listener after decrypt */ 440 if (ic->ic_rawbpf) 441 bpf_mtap(ic->ic_rawbpf, m); 442 443 /* 444 * Finally, strip the 802.11 header. 445 */ 446 m = ieee80211_decap(ic, m); 447 if (m == NULL) { 448 /* don't count Null data frames as errors */ 449 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA) 450 goto out; 451 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 452 ni->ni_macaddr, "data", "%s", "decap error"); 453 ic->ic_stats.is_rx_decap++; 454 IEEE80211_NODE_STAT(ni, rx_decap); 455 goto err; 456 } 457 eh = mtod(m, struct ether_header *); 458 if (!ieee80211_node_is_authorized(ni)) { 459 /* 460 * Deny any non-PAE frames received prior to 461 * authorization. For open/shared-key 462 * authentication the port is mark authorized 463 * after authentication completes. For 802.1x 464 * the port is not marked authorized by the 465 * authenticator until the handshake has completed. 466 */ 467 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 468 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 469 eh->ether_shost, "data", 470 "unauthorized port: ether type 0x%x len %u", 471 eh->ether_type, m->m_pkthdr.len); 472 ic->ic_stats.is_rx_unauth++; 473 IEEE80211_NODE_STAT(ni, rx_unauth); 474 goto err; 475 } 476 } else { 477 /* 478 * When denying unencrypted frames, discard 479 * any non-PAE frames received without encryption. 480 */ 481 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) && 482 key == NULL && 483 eh->ether_type != htons(ETHERTYPE_PAE)) { 484 /* 485 * Drop unencrypted frames. 486 */ 487 ic->ic_stats.is_rx_unencrypted++; 488 IEEE80211_NODE_STAT(ni, rx_unencrypted); 489 goto out; 490 } 491 } 492 ifp->if_ipackets++; 493 IEEE80211_NODE_STAT(ni, rx_data); 494 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 495 496 /* perform as a bridge within the AP */ 497 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 498 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) { 499 struct mbuf *m1 = NULL; 500 501 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 502 m1 = m_copypacket(m, M_DONTWAIT); 503 if (m1 == NULL) 504 ifp->if_oerrors++; 505 else 506 m1->m_flags |= M_MCAST; 507 } else { 508 /* XXX this dups work done in ieee80211_encap */ 509 /* check if destination is associated */ 510 struct ieee80211_node *ni1 = 511 ieee80211_find_node(&ic->ic_sta, 512 eh->ether_dhost); 513 if (ni1 != NULL) { 514 /* XXX check if authorized */ 515 if (ni1->ni_associd != 0) { 516 m1 = m; 517 m = NULL; 518 } 519 /* XXX statistic? */ 520 ieee80211_free_node(ni1); 521 } 522 } 523 if (m1 != NULL) { 524 len = m1->m_pkthdr.len; 525 IF_ENQUEUE(&ifp->if_snd, m1); 526 if (m != NULL) 527 ifp->if_omcasts++; 528 ifp->if_obytes += len; 529 } 530 } 531 if (m != NULL) { 532 if (ni->ni_vlan != 0) { 533 /* attach vlan tag */ 534 /* XXX goto err? */ 535 VLAN_INPUT_TAG(ifp, m, ni->ni_vlan, goto out); 536 } 537 (*ifp->if_input)(ifp, m); 538 } 539 return; 540 541 case IEEE80211_FC0_TYPE_MGT: 542 IEEE80211_NODE_STAT(ni, rx_mgmt); 543 if (dir != IEEE80211_FC1_DIR_NODS) { 544 ic->ic_stats.is_rx_wrongdir++; 545 goto err; 546 } 547 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 548 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 549 ni->ni_macaddr, "mgt", "too short: len %u", 550 m->m_pkthdr.len); 551 ic->ic_stats.is_rx_tooshort++; 552 goto out; 553 } 554 #ifdef IEEE80211_DEBUG 555 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 556 ieee80211_msg_dumppkts(ic)) { 557 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n", 558 ieee80211_mgt_subtype_name[subtype >> 559 IEEE80211_FC0_SUBTYPE_SHIFT], 560 ether_sprintf(wh->i_addr2), rssi); 561 } 562 #endif 563 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 564 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 565 /* 566 * Only shared key auth frames with a challenge 567 * should be encrypted, discard all others. 568 */ 569 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 570 wh, ieee80211_mgt_subtype_name[subtype >> 571 IEEE80211_FC0_SUBTYPE_SHIFT], 572 "%s", "WEP set but not permitted"); 573 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */ 574 goto out; 575 } 576 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 577 /* 578 * Discard encrypted frames when privacy is off. 579 */ 580 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 581 wh, "mgt", "%s", "WEP set but PRIVACY off"); 582 ic->ic_stats.is_rx_noprivacy++; 583 goto out; 584 } 585 key = ieee80211_crypto_decap(ic, ni, m); 586 if (key == NULL) { 587 /* NB: stats+msgs handled in crypto_decap */ 588 goto out; 589 } 590 wh = mtod(m, struct ieee80211_frame *); 591 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 592 } 593 if (ic->ic_rawbpf) 594 bpf_mtap(ic->ic_rawbpf, m); 595 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 596 m_freem(m); 597 return; 598 599 case IEEE80211_FC0_TYPE_CTL: 600 IEEE80211_NODE_STAT(ni, rx_ctrl); 601 ic->ic_stats.is_rx_ctl++; 602 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 603 switch (subtype) { 604 case IEEE80211_FC0_SUBTYPE_PS_POLL: 605 ieee80211_recv_pspoll(ic, ni, m); 606 break; 607 } 608 } 609 goto out; 610 default: 611 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 612 wh, NULL, "bad frame type 0x%x", type); 613 /* should not come here */ 614 break; 615 } 616 err: 617 ifp->if_ierrors++; 618 out: 619 if (m != NULL) { 620 if (ic->ic_rawbpf) 621 bpf_mtap(ic->ic_rawbpf, m); 622 m_freem(m); 623 } 624 #undef SEQ_LEQ 625 } 626 627 /* 628 * This function reassemble fragments. 629 */ 630 static struct mbuf * 631 ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni, 632 struct mbuf *m) 633 { 634 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 635 struct ieee80211_frame *lwh; 636 u_int16_t rxseq; 637 u_int8_t fragno; 638 u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG; 639 struct mbuf *mfrag; 640 641 KASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?")); 642 643 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 644 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK; 645 646 /* Quick way out, if there's nothing to defragment */ 647 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) 648 return m; 649 650 /* 651 * Remove frag to insure it doesn't get reaped by timer. 652 */ 653 if (ni->ni_table == NULL) { 654 /* 655 * Should never happen. If the node is orphaned (not in 656 * the table) then input packets should not reach here. 657 * Otherwise, a concurrent request that yanks the table 658 * should be blocked by other interlocking and/or by first 659 * shutting the driver down. Regardless, be defensive 660 * here and just bail 661 */ 662 /* XXX need msg+stat */ 663 m_freem(m); 664 return NULL; 665 } 666 IEEE80211_NODE_LOCK(ni->ni_table); 667 mfrag = ni->ni_rxfrag[0]; 668 ni->ni_rxfrag[0] = NULL; 669 IEEE80211_NODE_UNLOCK(ni->ni_table); 670 671 /* 672 * Validate new fragment is in order and 673 * related to the previous ones. 674 */ 675 if (mfrag != NULL) { 676 u_int16_t last_rxseq; 677 678 lwh = mtod(mfrag, struct ieee80211_frame *); 679 last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq); 680 /* NB: check seq # and frag together */ 681 if (rxseq != last_rxseq+1 || 682 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) || 683 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { 684 /* 685 * Unrelated fragment or no space for it, 686 * clear current fragments. 687 */ 688 m_freem(mfrag); 689 mfrag = NULL; 690 } 691 } 692 693 if (mfrag == NULL) { 694 if (fragno != 0) { /* !first fragment, discard */ 695 IEEE80211_NODE_STAT(ni, rx_defrag); 696 m_freem(m); 697 return NULL; 698 } 699 mfrag = m; 700 } else { /* concatenate */ 701 m_cat(mfrag, m); 702 /* NB: m_cat doesn't update the packet header */ 703 mfrag->m_pkthdr.len += m->m_pkthdr.len; 704 /* track last seqnum and fragno */ 705 lwh = mtod(mfrag, struct ieee80211_frame *); 706 *(u_int16_t *) lwh->i_seq = *(u_int16_t *) wh->i_seq; 707 } 708 if (more_frag) { /* more to come, save */ 709 ni->ni_rxfragstamp = ticks; 710 ni->ni_rxfrag[0] = mfrag; 711 mfrag = NULL; 712 } 713 return mfrag; 714 } 715 716 static struct mbuf * 717 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m) 718 { 719 struct ieee80211_frame wh; /* NB: QoS stripped above */ 720 struct ether_header *eh; 721 struct llc *llc; 722 723 if (m->m_len < sizeof(wh) + sizeof(*llc) && 724 (m = m_pullup(m, sizeof(wh) + sizeof(*llc))) == NULL) { 725 /* XXX stat, msg */ 726 return NULL; 727 } 728 memcpy(&wh, mtod(m, caddr_t), sizeof(wh)); 729 llc = (struct llc *)(mtod(m, caddr_t) + sizeof(wh)); 730 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 731 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 732 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 733 m_adj(m, sizeof(wh) + sizeof(struct llc) - sizeof(*eh)); 734 llc = NULL; 735 } else { 736 m_adj(m, sizeof(wh) - sizeof(*eh)); 737 } 738 eh = mtod(m, struct ether_header *); 739 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 740 case IEEE80211_FC1_DIR_NODS: 741 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 742 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 743 break; 744 case IEEE80211_FC1_DIR_TODS: 745 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 746 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 747 break; 748 case IEEE80211_FC1_DIR_FROMDS: 749 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 750 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 751 break; 752 case IEEE80211_FC1_DIR_DSTODS: 753 /* not yet supported */ 754 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 755 &wh, "data", "%s", "DS to DS not supported"); 756 m_freem(m); 757 return NULL; 758 } 759 #ifdef ALIGNED_POINTER 760 if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), u_int32_t)) { 761 struct mbuf *n, *n0, **np; 762 caddr_t newdata; 763 int off, pktlen; 764 765 n0 = NULL; 766 np = &n0; 767 off = 0; 768 pktlen = m->m_pkthdr.len; 769 while (pktlen > off) { 770 if (n0 == NULL) { 771 MGETHDR(n, M_DONTWAIT, MT_DATA); 772 if (n == NULL) { 773 m_freem(m); 774 return NULL; 775 } 776 M_MOVE_PKTHDR(n, m); 777 n->m_len = MHLEN; 778 } else { 779 MGET(n, M_DONTWAIT, MT_DATA); 780 if (n == NULL) { 781 m_freem(m); 782 m_freem(n0); 783 return NULL; 784 } 785 n->m_len = MLEN; 786 } 787 if (pktlen - off >= MINCLSIZE) { 788 MCLGET(n, M_DONTWAIT); 789 if (n->m_flags & M_EXT) 790 n->m_len = n->m_ext.ext_size; 791 } 792 if (n0 == NULL) { 793 newdata = 794 (caddr_t)ALIGN(n->m_data + sizeof(*eh)) - 795 sizeof(*eh); 796 n->m_len -= newdata - n->m_data; 797 n->m_data = newdata; 798 } 799 if (n->m_len > pktlen - off) 800 n->m_len = pktlen - off; 801 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 802 off += n->m_len; 803 *np = n; 804 np = &n->m_next; 805 } 806 m_freem(m); 807 m = n0; 808 } 809 #endif /* ALIGNED_POINTER */ 810 if (llc != NULL) { 811 eh = mtod(m, struct ether_header *); 812 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 813 } 814 return m; 815 } 816 817 /* 818 * Install received rate set information in the node's state block. 819 */ 820 static int 821 ieee80211_setup_rates(struct ieee80211com *ic, struct ieee80211_node *ni, 822 u_int8_t *rates, u_int8_t *xrates, int flags) 823 { 824 struct ieee80211_rateset *rs = &ni->ni_rates; 825 826 memset(rs, 0, sizeof(*rs)); 827 rs->rs_nrates = rates[1]; 828 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 829 if (xrates != NULL) { 830 u_int8_t nxrates; 831 /* 832 * Tack on 11g extended supported rate element. 833 */ 834 nxrates = xrates[1]; 835 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 836 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 837 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 838 "[%s] extended rate set too large;" 839 " only using %u of %u rates\n", 840 ether_sprintf(ni->ni_macaddr), nxrates, xrates[1]); 841 ic->ic_stats.is_rx_rstoobig++; 842 } 843 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 844 rs->rs_nrates += nxrates; 845 } 846 return ieee80211_fix_rate(ic, ni, flags); 847 } 848 849 static void 850 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 851 struct ieee80211_node *ni, int rssi, u_int32_t rstamp, u_int16_t seq, 852 u_int16_t status) 853 { 854 855 switch (ic->ic_opmode) { 856 case IEEE80211_M_IBSS: 857 if (ic->ic_state != IEEE80211_S_RUN || 858 seq != IEEE80211_AUTH_OPEN_REQUEST) { 859 ic->ic_stats.is_rx_bad_auth++; 860 return; 861 } 862 ieee80211_new_state(ic, IEEE80211_S_AUTH, 863 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 864 break; 865 866 case IEEE80211_M_AHDEMO: 867 /* should not come here */ 868 break; 869 870 case IEEE80211_M_HOSTAP: 871 if (ic->ic_state != IEEE80211_S_RUN || 872 seq != IEEE80211_AUTH_OPEN_REQUEST) { 873 ic->ic_stats.is_rx_bad_auth++; 874 return; 875 } 876 /* always accept open authentication requests */ 877 if (ni == ic->ic_bss) { 878 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 879 if (ni == NULL) 880 return; 881 } else 882 (void) ieee80211_ref_node(ni); 883 IEEE80211_SEND_MGMT(ic, ni, 884 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 885 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 886 "[%s] station authenticated (open)\n", 887 ether_sprintf(ni->ni_macaddr)); 888 break; 889 890 case IEEE80211_M_STA: 891 if (ic->ic_state != IEEE80211_S_AUTH || 892 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 893 ic->ic_stats.is_rx_bad_auth++; 894 return; 895 } 896 if (status != 0) { 897 IEEE80211_DPRINTF(ic, 898 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 899 "[%s] open auth failed (reason %d)\n", 900 ether_sprintf(ni->ni_macaddr), status); 901 /* XXX can this happen? */ 902 if (ni != ic->ic_bss) 903 ni->ni_fails++; 904 ic->ic_stats.is_rx_auth_fail++; 905 return; 906 } 907 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 908 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 909 break; 910 case IEEE80211_M_MONITOR: 911 break; 912 } 913 } 914 915 static int 916 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni) 917 { 918 if (ni->ni_challenge == NULL) 919 MALLOC(ni->ni_challenge, u_int32_t*, IEEE80211_CHALLENGE_LEN, 920 M_DEVBUF, M_NOWAIT); 921 if (ni->ni_challenge == NULL) { 922 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 923 "[%s] shared key challenge alloc failed\n", 924 ether_sprintf(ni->ni_macaddr)); 925 /* XXX statistic */ 926 } 927 return (ni->ni_challenge != NULL); 928 } 929 930 /* XXX TODO: add statistics */ 931 static void 932 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 933 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 934 u_int32_t rstamp, u_int16_t seq, u_int16_t status) 935 { 936 u_int8_t *challenge; 937 int allocbs, estatus; 938 939 /* 940 * NB: this can happen as we allow pre-shared key 941 * authentication to be enabled w/o wep being turned 942 * on so that configuration of these can be done 943 * in any order. It may be better to enforce the 944 * ordering in which case this check would just be 945 * for sanity/consistency. 946 */ 947 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 948 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 949 ni->ni_macaddr, "shared key auth", 950 "%s", " PRIVACY is disabled"); 951 estatus = IEEE80211_STATUS_ALG; 952 goto bad; 953 } 954 /* 955 * Pre-shared key authentication is evil; accept 956 * it only if explicitly configured (it is supported 957 * mainly for compatibility with clients like OS X). 958 */ 959 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 960 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 961 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 962 ni->ni_macaddr, "shared key auth", 963 "bad sta auth mode %u", ni->ni_authmode); 964 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 965 estatus = IEEE80211_STATUS_ALG; 966 goto bad; 967 } 968 969 challenge = NULL; 970 if (frm + 1 < efrm) { 971 if ((frm[1] + 2) > (efrm - frm)) { 972 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 973 ni->ni_macaddr, "shared key auth", 974 "ie %d/%d too long", 975 frm[0], (frm[1] + 2) - (efrm - frm)); 976 ic->ic_stats.is_rx_bad_auth++; 977 estatus = IEEE80211_STATUS_CHALLENGE; 978 goto bad; 979 } 980 if (*frm == IEEE80211_ELEMID_CHALLENGE) 981 challenge = frm; 982 frm += frm[1] + 2; 983 } 984 switch (seq) { 985 case IEEE80211_AUTH_SHARED_CHALLENGE: 986 case IEEE80211_AUTH_SHARED_RESPONSE: 987 if (challenge == NULL) { 988 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 989 ni->ni_macaddr, "shared key auth", 990 "%s", "no challenge"); 991 ic->ic_stats.is_rx_bad_auth++; 992 estatus = IEEE80211_STATUS_CHALLENGE; 993 goto bad; 994 } 995 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 996 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 997 ni->ni_macaddr, "shared key auth", 998 "bad challenge len %d", challenge[1]); 999 ic->ic_stats.is_rx_bad_auth++; 1000 estatus = IEEE80211_STATUS_CHALLENGE; 1001 goto bad; 1002 } 1003 default: 1004 break; 1005 } 1006 switch (ic->ic_opmode) { 1007 case IEEE80211_M_MONITOR: 1008 case IEEE80211_M_AHDEMO: 1009 case IEEE80211_M_IBSS: 1010 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1011 ni->ni_macaddr, "shared key auth", 1012 "bad operating mode %u", ic->ic_opmode); 1013 return; 1014 case IEEE80211_M_HOSTAP: 1015 if (ic->ic_state != IEEE80211_S_RUN) { 1016 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1017 ni->ni_macaddr, "shared key auth", 1018 "bad state %u", ic->ic_state); 1019 estatus = IEEE80211_STATUS_ALG; /* XXX */ 1020 goto bad; 1021 } 1022 switch (seq) { 1023 case IEEE80211_AUTH_SHARED_REQUEST: 1024 if (ni == ic->ic_bss) { 1025 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1026 if (ni == NULL) { 1027 /* NB: no way to return an error */ 1028 return; 1029 } 1030 allocbs = 1; 1031 } else { 1032 (void) ieee80211_ref_node(ni); 1033 allocbs = 0; 1034 } 1035 ni->ni_rssi = rssi; 1036 ni->ni_rstamp = rstamp; 1037 if (!alloc_challenge(ic, ni)) { 1038 /* NB: don't return error so they rexmit */ 1039 return; 1040 } 1041 get_random_bytes(ni->ni_challenge, 1042 IEEE80211_CHALLENGE_LEN); 1043 IEEE80211_DPRINTF(ic, 1044 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1045 "[%s] shared key %sauth request\n", 1046 ether_sprintf(ni->ni_macaddr), 1047 allocbs ? "" : "re"); 1048 break; 1049 case IEEE80211_AUTH_SHARED_RESPONSE: 1050 if (ni == ic->ic_bss) { 1051 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1052 ni->ni_macaddr, "shared key response", 1053 "%s", "unknown station"); 1054 /* NB: don't send a response */ 1055 return; 1056 } 1057 if (ni->ni_challenge == NULL) { 1058 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1059 ni->ni_macaddr, "shared key response", 1060 "%s", "no challenge recorded"); 1061 ic->ic_stats.is_rx_bad_auth++; 1062 estatus = IEEE80211_STATUS_CHALLENGE; 1063 goto bad; 1064 } 1065 if (memcmp(ni->ni_challenge, &challenge[2], 1066 challenge[1]) != 0) { 1067 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1068 ni->ni_macaddr, "shared key response", 1069 "%s", "challenge mismatch"); 1070 ic->ic_stats.is_rx_auth_fail++; 1071 estatus = IEEE80211_STATUS_CHALLENGE; 1072 goto bad; 1073 } 1074 IEEE80211_DPRINTF(ic, 1075 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1076 "[%s] station authenticated (shared key)\n", 1077 ether_sprintf(ni->ni_macaddr)); 1078 break; 1079 default: 1080 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1081 ni->ni_macaddr, "shared key auth", 1082 "bad seq %d", seq); 1083 ic->ic_stats.is_rx_bad_auth++; 1084 estatus = IEEE80211_STATUS_SEQUENCE; 1085 goto bad; 1086 } 1087 IEEE80211_SEND_MGMT(ic, ni, 1088 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1089 break; 1090 1091 case IEEE80211_M_STA: 1092 if (ic->ic_state != IEEE80211_S_AUTH) 1093 return; 1094 switch (seq) { 1095 case IEEE80211_AUTH_SHARED_PASS: 1096 if (ni->ni_challenge != NULL) { 1097 FREE(ni->ni_challenge, M_DEVBUF); 1098 ni->ni_challenge = NULL; 1099 } 1100 if (status != 0) { 1101 IEEE80211_DPRINTF(ic, 1102 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1103 "[%s] shared key auth failed (reason %d)\n", 1104 ether_sprintf(ieee80211_getbssid(ic, wh)), 1105 status); 1106 /* XXX can this happen? */ 1107 if (ni != ic->ic_bss) 1108 ni->ni_fails++; 1109 ic->ic_stats.is_rx_auth_fail++; 1110 return; 1111 } 1112 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1113 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1114 break; 1115 case IEEE80211_AUTH_SHARED_CHALLENGE: 1116 if (!alloc_challenge(ic, ni)) 1117 return; 1118 /* XXX could optimize by passing recvd challenge */ 1119 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1120 IEEE80211_SEND_MGMT(ic, ni, 1121 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1122 break; 1123 default: 1124 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH, 1125 wh, "shared key auth", "bad seq %d", seq); 1126 ic->ic_stats.is_rx_bad_auth++; 1127 return; 1128 } 1129 break; 1130 } 1131 return; 1132 bad: 1133 /* 1134 * Send an error response; but only when operating as an AP. 1135 */ 1136 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1137 /* XXX hack to workaround calling convention */ 1138 IEEE80211_SEND_MGMT(ic, ni, 1139 IEEE80211_FC0_SUBTYPE_AUTH, 1140 (seq + 1) | (estatus<<16)); 1141 } 1142 } 1143 1144 /* Verify the existence and length of __elem or get out. */ 1145 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 1146 if ((__elem) == NULL) { \ 1147 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1148 wh, ieee80211_mgt_subtype_name[subtype >> \ 1149 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1150 "%s", "no " #__elem ); \ 1151 ic->ic_stats.is_rx_elem_missing++; \ 1152 return; \ 1153 } \ 1154 if ((__elem)[1] > (__maxlen)) { \ 1155 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1156 wh, ieee80211_mgt_subtype_name[subtype >> \ 1157 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1158 "bad " #__elem " len %d", (__elem)[1]); \ 1159 ic->ic_stats.is_rx_elem_toobig++; \ 1160 return; \ 1161 } \ 1162 } while (0) 1163 1164 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 1165 if ((_len) < (_minlen)) { \ 1166 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1167 wh, ieee80211_mgt_subtype_name[subtype >> \ 1168 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1169 "%s", "ie too short"); \ 1170 ic->ic_stats.is_rx_elem_toosmall++; \ 1171 return; \ 1172 } \ 1173 } while (0) 1174 1175 #ifdef IEEE80211_DEBUG 1176 static void 1177 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 1178 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 1179 { 1180 printf("[%s] discard %s frame, ssid mismatch: ", 1181 ether_sprintf(mac), tag); 1182 ieee80211_print_essid(ssid + 2, ssid[1]); 1183 printf("\n"); 1184 } 1185 1186 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1187 if ((_ssid)[1] != 0 && \ 1188 ((_ssid)[1] != (_ni)->ni_esslen || \ 1189 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1190 if (ieee80211_msg_input(ic)) \ 1191 ieee80211_ssid_mismatch(ic, \ 1192 ieee80211_mgt_subtype_name[subtype >> \ 1193 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1194 wh->i_addr2, _ssid); \ 1195 ic->ic_stats.is_rx_ssidmismatch++; \ 1196 return; \ 1197 } \ 1198 } while (0) 1199 #else /* !IEEE80211_DEBUG */ 1200 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1201 if ((_ssid)[1] != 0 && \ 1202 ((_ssid)[1] != (_ni)->ni_esslen || \ 1203 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1204 ic->ic_stats.is_rx_ssidmismatch++; \ 1205 return; \ 1206 } \ 1207 } while (0) 1208 #endif /* !IEEE80211_DEBUG */ 1209 1210 /* unalligned little endian access */ 1211 #define LE_READ_2(p) \ 1212 ((u_int16_t) \ 1213 ((((const u_int8_t *)(p))[0] ) | \ 1214 (((const u_int8_t *)(p))[1] << 8))) 1215 #define LE_READ_4(p) \ 1216 ((u_int32_t) \ 1217 ((((const u_int8_t *)(p))[0] ) | \ 1218 (((const u_int8_t *)(p))[1] << 8) | \ 1219 (((const u_int8_t *)(p))[2] << 16) | \ 1220 (((const u_int8_t *)(p))[3] << 24))) 1221 1222 static int __inline 1223 iswpaoui(const u_int8_t *frm) 1224 { 1225 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); 1226 } 1227 1228 static int __inline 1229 iswmeoui(const u_int8_t *frm) 1230 { 1231 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI); 1232 } 1233 1234 static int __inline 1235 iswmeparam(const u_int8_t *frm) 1236 { 1237 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1238 frm[6] == WME_PARAM_OUI_SUBTYPE; 1239 } 1240 1241 static int __inline 1242 iswmeinfo(const u_int8_t *frm) 1243 { 1244 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1245 frm[6] == WME_INFO_OUI_SUBTYPE; 1246 } 1247 1248 static int __inline 1249 isatherosoui(const u_int8_t *frm) 1250 { 1251 return frm[1] > 3 && LE_READ_4(frm+2) == ((ATH_OUI_TYPE<<24)|ATH_OUI); 1252 } 1253 1254 /* 1255 * Convert a WPA cipher selector OUI to an internal 1256 * cipher algorithm. Where appropriate we also 1257 * record any key length. 1258 */ 1259 static int 1260 wpa_cipher(u_int8_t *sel, u_int8_t *keylen) 1261 { 1262 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1263 u_int32_t w = LE_READ_4(sel); 1264 1265 switch (w) { 1266 case WPA_SEL(WPA_CSE_NULL): 1267 return IEEE80211_CIPHER_NONE; 1268 case WPA_SEL(WPA_CSE_WEP40): 1269 if (keylen) 1270 *keylen = 40 / NBBY; 1271 return IEEE80211_CIPHER_WEP; 1272 case WPA_SEL(WPA_CSE_WEP104): 1273 if (keylen) 1274 *keylen = 104 / NBBY; 1275 return IEEE80211_CIPHER_WEP; 1276 case WPA_SEL(WPA_CSE_TKIP): 1277 return IEEE80211_CIPHER_TKIP; 1278 case WPA_SEL(WPA_CSE_CCMP): 1279 return IEEE80211_CIPHER_AES_CCM; 1280 } 1281 return 32; /* NB: so 1<< is discarded */ 1282 #undef WPA_SEL 1283 } 1284 1285 /* 1286 * Convert a WPA key management/authentication algorithm 1287 * to an internal code. 1288 */ 1289 static int 1290 wpa_keymgmt(u_int8_t *sel) 1291 { 1292 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1293 u_int32_t w = LE_READ_4(sel); 1294 1295 switch (w) { 1296 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1297 return WPA_ASE_8021X_UNSPEC; 1298 case WPA_SEL(WPA_ASE_8021X_PSK): 1299 return WPA_ASE_8021X_PSK; 1300 case WPA_SEL(WPA_ASE_NONE): 1301 return WPA_ASE_NONE; 1302 } 1303 return 0; /* NB: so is discarded */ 1304 #undef WPA_SEL 1305 } 1306 1307 /* 1308 * Parse a WPA information element to collect parameters 1309 * and validate the parameters against what has been 1310 * configured for the system. 1311 */ 1312 static int 1313 ieee80211_parse_wpa(struct ieee80211com *ic, u_int8_t *frm, 1314 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1315 { 1316 u_int8_t len = frm[1]; 1317 u_int32_t w; 1318 int n; 1319 1320 /* 1321 * Check the length once for fixed parts: OUI, type, 1322 * version, mcast cipher, and 2 selector counts. 1323 * Other, variable-length data, must be checked separately. 1324 */ 1325 KASSERT(ic->ic_flags & IEEE80211_F_WPA1, 1326 ("not WPA, flags 0x%x", ic->ic_flags)); 1327 if (len < 14) { 1328 IEEE80211_DISCARD_IE(ic, 1329 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1330 wh, "WPA", "too short, len %u", len); 1331 return IEEE80211_REASON_IE_INVALID; 1332 } 1333 frm += 6, len -= 4; /* NB: len is payload only */ 1334 /* NB: iswapoui already validated the OUI and type */ 1335 w = LE_READ_2(frm); 1336 if (w != WPA_VERSION) { 1337 IEEE80211_DISCARD_IE(ic, 1338 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1339 wh, "WPA", "bad version %u", w); 1340 return IEEE80211_REASON_IE_INVALID; 1341 } 1342 frm += 2, len -= 2; 1343 1344 /* multicast/group cipher */ 1345 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1346 if (w != rsn->rsn_mcastcipher) { 1347 IEEE80211_DISCARD_IE(ic, 1348 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1349 wh, "WPA", "mcast cipher mismatch; got %u, expected %u", 1350 w, rsn->rsn_mcastcipher); 1351 return IEEE80211_REASON_IE_INVALID; 1352 } 1353 frm += 4, len -= 4; 1354 1355 /* unicast ciphers */ 1356 n = LE_READ_2(frm); 1357 frm += 2, len -= 2; 1358 if (len < n*4+2) { 1359 IEEE80211_DISCARD_IE(ic, 1360 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1361 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1362 len, n); 1363 return IEEE80211_REASON_IE_INVALID; 1364 } 1365 w = 0; 1366 for (; n > 0; n--) { 1367 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1368 frm += 4, len -= 4; 1369 } 1370 w &= rsn->rsn_ucastcipherset; 1371 if (w == 0) { 1372 IEEE80211_DISCARD_IE(ic, 1373 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1374 wh, "WPA", "%s", "ucast cipher set empty"); 1375 return IEEE80211_REASON_IE_INVALID; 1376 } 1377 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1378 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1379 else 1380 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1381 1382 /* key management algorithms */ 1383 n = LE_READ_2(frm); 1384 frm += 2, len -= 2; 1385 if (len < n*4) { 1386 IEEE80211_DISCARD_IE(ic, 1387 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1388 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1389 len, n); 1390 return IEEE80211_REASON_IE_INVALID; 1391 } 1392 w = 0; 1393 for (; n > 0; n--) { 1394 w |= wpa_keymgmt(frm); 1395 frm += 4, len -= 4; 1396 } 1397 w &= rsn->rsn_keymgmtset; 1398 if (w == 0) { 1399 IEEE80211_DISCARD_IE(ic, 1400 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1401 wh, "WPA", "%s", "no acceptable key mgmt alg"); 1402 return IEEE80211_REASON_IE_INVALID; 1403 } 1404 if (w & WPA_ASE_8021X_UNSPEC) 1405 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1406 else 1407 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1408 1409 if (len > 2) /* optional capabilities */ 1410 rsn->rsn_caps = LE_READ_2(frm); 1411 1412 return 0; 1413 } 1414 1415 /* 1416 * Convert an RSN cipher selector OUI to an internal 1417 * cipher algorithm. Where appropriate we also 1418 * record any key length. 1419 */ 1420 static int 1421 rsn_cipher(u_int8_t *sel, u_int8_t *keylen) 1422 { 1423 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1424 u_int32_t w = LE_READ_4(sel); 1425 1426 switch (w) { 1427 case RSN_SEL(RSN_CSE_NULL): 1428 return IEEE80211_CIPHER_NONE; 1429 case RSN_SEL(RSN_CSE_WEP40): 1430 if (keylen) 1431 *keylen = 40 / NBBY; 1432 return IEEE80211_CIPHER_WEP; 1433 case RSN_SEL(RSN_CSE_WEP104): 1434 if (keylen) 1435 *keylen = 104 / NBBY; 1436 return IEEE80211_CIPHER_WEP; 1437 case RSN_SEL(RSN_CSE_TKIP): 1438 return IEEE80211_CIPHER_TKIP; 1439 case RSN_SEL(RSN_CSE_CCMP): 1440 return IEEE80211_CIPHER_AES_CCM; 1441 case RSN_SEL(RSN_CSE_WRAP): 1442 return IEEE80211_CIPHER_AES_OCB; 1443 } 1444 return 32; /* NB: so 1<< is discarded */ 1445 #undef WPA_SEL 1446 } 1447 1448 /* 1449 * Convert an RSN key management/authentication algorithm 1450 * to an internal code. 1451 */ 1452 static int 1453 rsn_keymgmt(u_int8_t *sel) 1454 { 1455 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1456 u_int32_t w = LE_READ_4(sel); 1457 1458 switch (w) { 1459 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1460 return RSN_ASE_8021X_UNSPEC; 1461 case RSN_SEL(RSN_ASE_8021X_PSK): 1462 return RSN_ASE_8021X_PSK; 1463 case RSN_SEL(RSN_ASE_NONE): 1464 return RSN_ASE_NONE; 1465 } 1466 return 0; /* NB: so is discarded */ 1467 #undef RSN_SEL 1468 } 1469 1470 /* 1471 * Parse a WPA/RSN information element to collect parameters 1472 * and validate the parameters against what has been 1473 * configured for the system. 1474 */ 1475 static int 1476 ieee80211_parse_rsn(struct ieee80211com *ic, u_int8_t *frm, 1477 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1478 { 1479 u_int8_t len = frm[1]; 1480 u_int32_t w; 1481 int n; 1482 1483 /* 1484 * Check the length once for fixed parts: 1485 * version, mcast cipher, and 2 selector counts. 1486 * Other, variable-length data, must be checked separately. 1487 */ 1488 KASSERT(ic->ic_flags & IEEE80211_F_WPA2, 1489 ("not RSN, flags 0x%x", ic->ic_flags)); 1490 if (len < 10) { 1491 IEEE80211_DISCARD_IE(ic, 1492 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1493 wh, "RSN", "too short, len %u", len); 1494 return IEEE80211_REASON_IE_INVALID; 1495 } 1496 frm += 2; 1497 w = LE_READ_2(frm); 1498 if (w != RSN_VERSION) { 1499 IEEE80211_DISCARD_IE(ic, 1500 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1501 wh, "RSN", "bad version %u", w); 1502 return IEEE80211_REASON_IE_INVALID; 1503 } 1504 frm += 2, len -= 2; 1505 1506 /* multicast/group cipher */ 1507 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1508 if (w != rsn->rsn_mcastcipher) { 1509 IEEE80211_DISCARD_IE(ic, 1510 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1511 wh, "RSN", "mcast cipher mismatch; got %u, expected %u", 1512 w, rsn->rsn_mcastcipher); 1513 return IEEE80211_REASON_IE_INVALID; 1514 } 1515 frm += 4, len -= 4; 1516 1517 /* unicast ciphers */ 1518 n = LE_READ_2(frm); 1519 frm += 2, len -= 2; 1520 if (len < n*4+2) { 1521 IEEE80211_DISCARD_IE(ic, 1522 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1523 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1524 len, n); 1525 return IEEE80211_REASON_IE_INVALID; 1526 } 1527 w = 0; 1528 for (; n > 0; n--) { 1529 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1530 frm += 4, len -= 4; 1531 } 1532 w &= rsn->rsn_ucastcipherset; 1533 if (w == 0) { 1534 IEEE80211_DISCARD_IE(ic, 1535 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1536 wh, "RSN", "%s", "ucast cipher set empty"); 1537 return IEEE80211_REASON_IE_INVALID; 1538 } 1539 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1540 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1541 else 1542 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1543 1544 /* key management algorithms */ 1545 n = LE_READ_2(frm); 1546 frm += 2, len -= 2; 1547 if (len < n*4) { 1548 IEEE80211_DISCARD_IE(ic, 1549 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1550 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1551 len, n); 1552 return IEEE80211_REASON_IE_INVALID; 1553 } 1554 w = 0; 1555 for (; n > 0; n--) { 1556 w |= rsn_keymgmt(frm); 1557 frm += 4, len -= 4; 1558 } 1559 w &= rsn->rsn_keymgmtset; 1560 if (w == 0) { 1561 IEEE80211_DISCARD_IE(ic, 1562 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1563 wh, "RSN", "%s", "no acceptable key mgmt alg"); 1564 return IEEE80211_REASON_IE_INVALID; 1565 } 1566 if (w & RSN_ASE_8021X_UNSPEC) 1567 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1568 else 1569 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1570 1571 /* optional RSN capabilities */ 1572 if (len > 2) 1573 rsn->rsn_caps = LE_READ_2(frm); 1574 /* XXXPMKID */ 1575 1576 return 0; 1577 } 1578 1579 static int 1580 ieee80211_parse_wmeparams(struct ieee80211com *ic, u_int8_t *frm, 1581 const struct ieee80211_frame *wh) 1582 { 1583 #define MS(_v, _f) (((_v) & _f) >> _f##_S) 1584 struct ieee80211_wme_state *wme = &ic->ic_wme; 1585 u_int len = frm[1], qosinfo; 1586 int i; 1587 1588 if (len < sizeof(struct ieee80211_wme_param)-2) { 1589 IEEE80211_DISCARD_IE(ic, 1590 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1591 wh, "WME", "too short, len %u", len); 1592 return -1; 1593 } 1594 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1595 qosinfo &= WME_QOSINFO_COUNT; 1596 /* XXX do proper check for wraparound */ 1597 if (qosinfo == wme->wme_wmeChanParams.cap_info) 1598 return 0; 1599 frm += __offsetof(struct ieee80211_wme_param, params_acParams); 1600 for (i = 0; i < WME_NUM_AC; i++) { 1601 struct wmeParams *wmep = 1602 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1603 /* NB: ACI not used */ 1604 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1605 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1606 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1607 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1608 wmep->wmep_txopLimit = LE_READ_2(frm+2); 1609 frm += 4; 1610 } 1611 wme->wme_wmeChanParams.cap_info = qosinfo; 1612 return 1; 1613 #undef MS 1614 } 1615 1616 static void 1617 ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie) 1618 { 1619 u_int ielen = ie[1]+2; 1620 /* 1621 * Record information element for later use. 1622 */ 1623 if (*iep == NULL || (*iep)[1] != ie[1]) { 1624 if (*iep != NULL) 1625 FREE(*iep, M_DEVBUF); 1626 MALLOC(*iep, void*, ielen, M_DEVBUF, M_NOWAIT); 1627 } 1628 if (*iep != NULL) 1629 memcpy(*iep, ie, ielen); 1630 /* XXX note failure */ 1631 } 1632 1633 #ifdef IEEE80211_DEBUG 1634 static void 1635 dump_probe_beacon(u_int8_t subtype, int isnew, 1636 const u_int8_t mac[IEEE80211_ADDR_LEN], 1637 u_int8_t chan, u_int8_t bchan, u_int16_t capinfo, u_int16_t bintval, 1638 u_int8_t erp, u_int8_t *ssid, u_int8_t *country) 1639 { 1640 printf("[%s] %s%s on chan %u (bss chan %u) ", 1641 ether_sprintf(mac), isnew ? "new " : "", 1642 ieee80211_mgt_subtype_name[subtype >> IEEE80211_FC0_SUBTYPE_SHIFT], 1643 chan, bchan); 1644 ieee80211_print_essid(ssid + 2, ssid[1]); 1645 printf("\n"); 1646 1647 if (isnew) { 1648 printf("[%s] caps 0x%x bintval %u erp 0x%x", 1649 ether_sprintf(mac), capinfo, bintval, erp); 1650 if (country) { 1651 #ifdef __FreeBSD__ 1652 printf(" country info %*D", country[1], country+2, " "); 1653 #else 1654 int i; 1655 printf(" country info"); 1656 for (i = 0; i < country[1]; i++) 1657 printf(" %02x", country[i+2]); 1658 #endif 1659 } 1660 printf("\n"); 1661 } 1662 } 1663 #endif /* IEEE80211_DEBUG */ 1664 1665 void 1666 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 1667 struct ieee80211_node *ni, 1668 int subtype, int rssi, u_int32_t rstamp) 1669 { 1670 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 1671 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 1672 struct ieee80211_frame *wh; 1673 u_int8_t *frm, *efrm; 1674 u_int8_t *ssid, *rates, *xrates, *wpa, *wme; 1675 int reassoc, resp, allocbs; 1676 1677 wh = mtod(m0, struct ieee80211_frame *); 1678 frm = (u_int8_t *)&wh[1]; 1679 efrm = mtod(m0, u_int8_t *) + m0->m_len; 1680 switch (subtype) { 1681 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1682 case IEEE80211_FC0_SUBTYPE_BEACON: { 1683 u_int8_t *tstamp, *country; 1684 u_int8_t chan, bchan, fhindex, erp; 1685 u_int16_t capinfo, bintval, timoff; 1686 u_int16_t fhdwell; 1687 1688 /* 1689 * We process beacon/probe response frames: 1690 * o when scanning, or 1691 * o station mode when associated (to collect state 1692 * updates such as 802.11g slot time), or 1693 * o adhoc mode (to discover neighbors) 1694 * Frames otherwise received are discarded. 1695 */ 1696 if (!((ic->ic_flags & IEEE80211_F_SCAN) || 1697 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) || 1698 ic->ic_opmode == IEEE80211_M_IBSS)) { 1699 ic->ic_stats.is_rx_mgtdiscard++; 1700 return; 1701 } 1702 /* 1703 * beacon/probe response frame format 1704 * [8] time stamp 1705 * [2] beacon interval 1706 * [2] capability information 1707 * [tlv] ssid 1708 * [tlv] supported rates 1709 * [tlv] country information 1710 * [tlv] parameter set (FH/DS) 1711 * [tlv] erp information 1712 * [tlv] extended supported rates 1713 * [tlv] WME 1714 * [tlv] WPA or RSN 1715 */ 1716 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 1717 tstamp = frm; frm += 8; 1718 bintval = le16toh(*(u_int16_t *)frm); frm += 2; 1719 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 1720 ssid = rates = xrates = country = wpa = wme = NULL; 1721 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1722 chan = bchan; 1723 fhdwell = 0; 1724 fhindex = 0; 1725 erp = 0; 1726 timoff = 0; 1727 while (frm < efrm) { 1728 switch (*frm) { 1729 case IEEE80211_ELEMID_SSID: 1730 ssid = frm; 1731 break; 1732 case IEEE80211_ELEMID_RATES: 1733 rates = frm; 1734 break; 1735 case IEEE80211_ELEMID_COUNTRY: 1736 country = frm; 1737 break; 1738 case IEEE80211_ELEMID_FHPARMS: 1739 if (ic->ic_phytype == IEEE80211_T_FH) { 1740 fhdwell = LE_READ_2(&frm[2]); 1741 chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1742 fhindex = frm[6]; 1743 } 1744 break; 1745 case IEEE80211_ELEMID_DSPARMS: 1746 /* 1747 * XXX hack this since depending on phytype 1748 * is problematic for multi-mode devices. 1749 */ 1750 if (ic->ic_phytype != IEEE80211_T_FH) 1751 chan = frm[2]; 1752 break; 1753 case IEEE80211_ELEMID_TIM: 1754 /* XXX ATIM? */ 1755 timoff = frm - mtod(m0, u_int8_t *); 1756 break; 1757 case IEEE80211_ELEMID_IBSSPARMS: 1758 break; 1759 case IEEE80211_ELEMID_XRATES: 1760 xrates = frm; 1761 break; 1762 case IEEE80211_ELEMID_ERP: 1763 if (frm[1] != 1) { 1764 IEEE80211_DISCARD_IE(ic, 1765 IEEE80211_MSG_ELEMID, wh, "ERP", 1766 "bad len %u", frm[1]); 1767 ic->ic_stats.is_rx_elem_toobig++; 1768 break; 1769 } 1770 erp = frm[2]; 1771 break; 1772 case IEEE80211_ELEMID_RSN: 1773 wpa = frm; 1774 break; 1775 case IEEE80211_ELEMID_VENDOR: 1776 if (iswpaoui(frm)) 1777 wpa = frm; 1778 else if (iswmeparam(frm) || iswmeinfo(frm)) 1779 wme = frm; 1780 /* XXX Atheros OUI support */ 1781 break; 1782 default: 1783 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 1784 wh, "unhandled", 1785 "id %u, len %u", *frm, frm[1]); 1786 ic->ic_stats.is_rx_elem_unknown++; 1787 break; 1788 } 1789 frm += frm[1] + 2; 1790 } 1791 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1792 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1793 if ( 1794 #if IEEE80211_CHAN_MAX < 255 1795 chan > IEEE80211_CHAN_MAX || 1796 #endif 1797 isclr(ic->ic_chan_active, chan)) { 1798 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, 1799 wh, ieee80211_mgt_subtype_name[subtype >> 1800 IEEE80211_FC0_SUBTYPE_SHIFT], 1801 "invalid channel %u", chan); 1802 ic->ic_stats.is_rx_badchan++; 1803 return; 1804 } 1805 if (chan != bchan && ic->ic_phytype != IEEE80211_T_FH) { 1806 /* 1807 * Frame was received on a channel different from the 1808 * one indicated in the DS params element id; 1809 * silently discard it. 1810 * 1811 * NB: this can happen due to signal leakage. 1812 * But we should take it for FH phy because 1813 * the rssi value should be correct even for 1814 * different hop pattern in FH. 1815 */ 1816 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, 1817 wh, ieee80211_mgt_subtype_name[subtype >> 1818 IEEE80211_FC0_SUBTYPE_SHIFT], 1819 "for off-channel %u", chan); 1820 ic->ic_stats.is_rx_chanmismatch++; 1821 return; 1822 } 1823 1824 /* 1825 * Count frame now that we know it's to be processed. 1826 */ 1827 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1828 ic->ic_stats.is_rx_beacon++; /* XXX remove */ 1829 IEEE80211_NODE_STAT(ni, rx_beacons); 1830 } else 1831 IEEE80211_NODE_STAT(ni, rx_proberesp); 1832 1833 /* 1834 * When operating in station mode, check for state updates. 1835 * Be careful to ignore beacons received while doing a 1836 * background scan. We consider only 11g/WMM stuff right now. 1837 */ 1838 if (ic->ic_opmode == IEEE80211_M_STA && 1839 ni->ni_associd != 0 && 1840 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 1841 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 1842 if (ni->ni_erp != erp) { 1843 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1844 "[%s] erp change: was 0x%x, now 0x%x\n", 1845 ether_sprintf(wh->i_addr2), 1846 ni->ni_erp, erp); 1847 if (erp & IEEE80211_ERP_USE_PROTECTION) 1848 ic->ic_flags |= IEEE80211_F_USEPROT; 1849 else 1850 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1851 ni->ni_erp = erp; 1852 /* XXX statistic */ 1853 } 1854 if ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1855 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1856 "[%s] capabilities change: before 0x%x," 1857 " now 0x%x\n", 1858 ether_sprintf(wh->i_addr2), 1859 ni->ni_capinfo, capinfo); 1860 /* 1861 * NB: we assume short preamble doesn't 1862 * change dynamically 1863 */ 1864 ieee80211_set_shortslottime(ic, 1865 ic->ic_curmode == IEEE80211_MODE_11A || 1866 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1867 ni->ni_capinfo = capinfo; 1868 /* XXX statistic */ 1869 } 1870 if (wme != NULL && 1871 ieee80211_parse_wmeparams(ic, wme, wh) > 0) 1872 ieee80211_wme_updateparams(ic); 1873 /* NB: don't need the rest of this */ 1874 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) 1875 return; 1876 } 1877 1878 if (ni == ic->ic_bss) { 1879 #ifdef IEEE80211_DEBUG 1880 if (ieee80211_msg_scan(ic)) 1881 dump_probe_beacon(subtype, 1, 1882 wh->i_addr2, chan, bchan, capinfo, 1883 bintval, erp, ssid, country); 1884 #endif 1885 /* 1886 * Create a new entry. If scanning the entry goes 1887 * in the scan cache. Otherwise, be particular when 1888 * operating in adhoc mode--only take nodes marked 1889 * as ibss participants so we don't populate our 1890 * neighbor table with unintersting sta's. 1891 */ 1892 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1893 if ((capinfo & IEEE80211_CAPINFO_IBSS) == 0) 1894 return; 1895 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 1896 wh->i_addr2); 1897 } else 1898 ni = ieee80211_dup_bss(&ic->ic_scan, wh->i_addr2); 1899 if (ni == NULL) 1900 return; 1901 ni->ni_esslen = ssid[1]; 1902 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1903 memcpy(ni->ni_essid, ssid + 2, ssid[1]); 1904 } else if (ssid[1] != 0 && 1905 (ISPROBE(subtype) || ni->ni_esslen == 0)) { 1906 /* 1907 * Update ESSID at probe response to adopt 1908 * hidden AP by Lucent/Cisco, which announces 1909 * null ESSID in beacon. 1910 */ 1911 #ifdef IEEE80211_DEBUG 1912 if (ieee80211_msg_scan(ic) || 1913 ieee80211_msg_debug(ic)) 1914 dump_probe_beacon(subtype, 0, 1915 wh->i_addr2, chan, bchan, capinfo, 1916 bintval, erp, ssid, country); 1917 #endif 1918 ni->ni_esslen = ssid[1]; 1919 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1920 memcpy(ni->ni_essid, ssid + 2, ssid[1]); 1921 } 1922 ni->ni_scangen = ic->ic_scan.nt_scangen; 1923 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1924 ni->ni_rssi = rssi; 1925 ni->ni_rstamp = rstamp; 1926 memcpy(ni->ni_tstamp.data, tstamp, sizeof(ni->ni_tstamp)); 1927 ni->ni_intval = bintval; 1928 ni->ni_capinfo = capinfo; 1929 ni->ni_chan = &ic->ic_channels[chan]; 1930 ni->ni_fhdwell = fhdwell; 1931 ni->ni_fhindex = fhindex; 1932 ni->ni_erp = erp; 1933 /* 1934 * Record the byte offset from the mac header to 1935 * the start of the TIM information element for 1936 * use by hardware and/or to speedup software 1937 * processing of beacon frames. 1938 */ 1939 ni->ni_timoff = timoff; 1940 /* 1941 * Record optional information elements that might be 1942 * used by applications or drivers. 1943 */ 1944 if (wme != NULL) 1945 ieee80211_saveie(&ni->ni_wme_ie, wme); 1946 if (wpa != NULL) 1947 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 1948 /* NB: must be after ni_chan is setup */ 1949 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 1950 break; 1951 } 1952 1953 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: { 1954 u_int8_t rate; 1955 1956 if (ic->ic_opmode == IEEE80211_M_STA || 1957 ic->ic_state != IEEE80211_S_RUN) { 1958 ic->ic_stats.is_rx_mgtdiscard++; 1959 return; 1960 } 1961 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 1962 /* frame must be directed */ 1963 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */ 1964 return; 1965 } 1966 1967 /* 1968 * prreq frame format 1969 * [tlv] ssid 1970 * [tlv] supported rates 1971 * [tlv] extended supported rates 1972 */ 1973 ssid = rates = xrates = NULL; 1974 while (frm < efrm) { 1975 switch (*frm) { 1976 case IEEE80211_ELEMID_SSID: 1977 ssid = frm; 1978 break; 1979 case IEEE80211_ELEMID_RATES: 1980 rates = frm; 1981 break; 1982 case IEEE80211_ELEMID_XRATES: 1983 xrates = frm; 1984 break; 1985 } 1986 frm += frm[1] + 2; 1987 } 1988 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1989 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1990 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 1991 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 1992 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 1993 wh, ieee80211_mgt_subtype_name[subtype >> 1994 IEEE80211_FC0_SUBTYPE_SHIFT], 1995 "%s", "no ssid with ssid suppression enabled"); 1996 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/ 1997 return; 1998 } 1999 2000 if (ni == ic->ic_bss) { 2001 if (ic->ic_opmode == IEEE80211_M_IBSS) { 2002 /* 2003 * XXX Cannot tell if the sender is operating 2004 * in ibss mode. But we need a new node to 2005 * send the response so blindly add them to the 2006 * neighbor table. 2007 */ 2008 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2009 wh->i_addr2); 2010 } else 2011 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 2012 if (ni == NULL) 2013 return; 2014 allocbs = 1; 2015 } else 2016 allocbs = 0; 2017 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2018 "[%s] recv probe req\n", ether_sprintf(wh->i_addr2)); 2019 ni->ni_rssi = rssi; 2020 ni->ni_rstamp = rstamp; 2021 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2022 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE 2023 | IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2024 if (rate & IEEE80211_RATE_BASIC) { 2025 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE, 2026 wh, ieee80211_mgt_subtype_name[subtype >> 2027 IEEE80211_FC0_SUBTYPE_SHIFT], 2028 "%s", "recv'd rate set invalid"); 2029 } else { 2030 IEEE80211_SEND_MGMT(ic, ni, 2031 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2032 } 2033 if (allocbs && ic->ic_opmode != IEEE80211_M_IBSS) { 2034 /* reclaim immediately */ 2035 ieee80211_free_node(ni); 2036 } 2037 break; 2038 } 2039 2040 case IEEE80211_FC0_SUBTYPE_AUTH: { 2041 u_int16_t algo, seq, status; 2042 /* 2043 * auth frame format 2044 * [2] algorithm 2045 * [2] sequence 2046 * [2] status 2047 * [tlv*] challenge 2048 */ 2049 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2050 algo = le16toh(*(u_int16_t *)frm); 2051 seq = le16toh(*(u_int16_t *)(frm + 2)); 2052 status = le16toh(*(u_int16_t *)(frm + 4)); 2053 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2054 "[%s] recv auth frame with algorithm %d seq %d\n", 2055 ether_sprintf(wh->i_addr2), algo, seq); 2056 /* 2057 * Consult the ACL policy module if setup. 2058 */ 2059 if (ic->ic_acl != NULL && 2060 !ic->ic_acl->iac_check(ic, wh->i_addr2)) { 2061 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL, 2062 wh, "auth", "%s", "disallowed by ACL"); 2063 ic->ic_stats.is_rx_acl++; 2064 return; 2065 } 2066 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 2067 IEEE80211_DISCARD(ic, 2068 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2069 wh, "auth", "%s", "TKIP countermeasures enabled"); 2070 ic->ic_stats.is_rx_auth_countermeasures++; 2071 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2072 IEEE80211_SEND_MGMT(ic, ni, 2073 IEEE80211_FC0_SUBTYPE_AUTH, 2074 IEEE80211_REASON_MIC_FAILURE); 2075 } 2076 return; 2077 } 2078 if (algo == IEEE80211_AUTH_ALG_SHARED) 2079 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 2080 rstamp, seq, status); 2081 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2082 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 2083 status); 2084 else { 2085 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2086 wh, "auth", "unsupported alg %d", algo); 2087 ic->ic_stats.is_rx_auth_unsupported++; 2088 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2089 /* XXX not right */ 2090 IEEE80211_SEND_MGMT(ic, ni, 2091 IEEE80211_FC0_SUBTYPE_AUTH, 2092 (seq+1) | (IEEE80211_STATUS_ALG<<16)); 2093 } 2094 return; 2095 } 2096 break; 2097 } 2098 2099 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2100 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2101 u_int16_t capinfo, bintval; 2102 struct ieee80211_rsnparms rsn; 2103 u_int8_t reason; 2104 2105 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2106 ic->ic_state != IEEE80211_S_RUN) { 2107 ic->ic_stats.is_rx_mgtdiscard++; 2108 return; 2109 } 2110 2111 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2112 reassoc = 1; 2113 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2114 } else { 2115 reassoc = 0; 2116 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2117 } 2118 /* 2119 * asreq frame format 2120 * [2] capability information 2121 * [2] listen interval 2122 * [6*] current AP address (reassoc only) 2123 * [tlv] ssid 2124 * [tlv] supported rates 2125 * [tlv] extended supported rates 2126 * [tlv] WPA or RSN 2127 */ 2128 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 2129 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2130 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2131 wh, ieee80211_mgt_subtype_name[subtype >> 2132 IEEE80211_FC0_SUBTYPE_SHIFT], 2133 "%s", "wrong bssid"); 2134 ic->ic_stats.is_rx_assoc_bss++; 2135 return; 2136 } 2137 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 2138 bintval = le16toh(*(u_int16_t *)frm); frm += 2; 2139 if (reassoc) 2140 frm += 6; /* ignore current AP info */ 2141 ssid = rates = xrates = wpa = wme = NULL; 2142 while (frm < efrm) { 2143 switch (*frm) { 2144 case IEEE80211_ELEMID_SSID: 2145 ssid = frm; 2146 break; 2147 case IEEE80211_ELEMID_RATES: 2148 rates = frm; 2149 break; 2150 case IEEE80211_ELEMID_XRATES: 2151 xrates = frm; 2152 break; 2153 /* XXX verify only one of RSN and WPA ie's? */ 2154 case IEEE80211_ELEMID_RSN: 2155 wpa = frm; 2156 break; 2157 case IEEE80211_ELEMID_VENDOR: 2158 if (iswpaoui(frm)) { 2159 if (ic->ic_flags & IEEE80211_F_WPA1) 2160 wpa = frm; 2161 } else if (iswmeinfo(frm)) 2162 wme = frm; 2163 /* XXX Atheros OUI support */ 2164 break; 2165 } 2166 frm += frm[1] + 2; 2167 } 2168 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2169 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2170 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2171 2172 if (ni == ic->ic_bss) { 2173 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2174 "[%s] deny %s request, sta not authenticated\n", 2175 ether_sprintf(wh->i_addr2), 2176 reassoc ? "reassoc" : "assoc"); 2177 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 2178 if (ni != NULL) { 2179 IEEE80211_SEND_MGMT(ic, ni, 2180 IEEE80211_FC0_SUBTYPE_DEAUTH, 2181 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2182 ieee80211_free_node(ni); 2183 } 2184 ic->ic_stats.is_rx_assoc_notauth++; 2185 return; 2186 } 2187 if (wpa != NULL) { 2188 /* 2189 * Parse WPA information element. Note that 2190 * we initialize the param block from the node 2191 * state so that information in the IE overrides 2192 * our defaults. The resulting parameters are 2193 * installed below after the association is assured. 2194 */ 2195 rsn = ni->ni_rsn; 2196 if (wpa[0] != IEEE80211_ELEMID_RSN) 2197 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh); 2198 else 2199 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh); 2200 if (reason != 0) { 2201 IEEE80211_SEND_MGMT(ic, ni, 2202 IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 2203 ieee80211_node_leave(ic, ni); 2204 /* XXX distinguish WPA/RSN? */ 2205 ic->ic_stats.is_rx_assoc_badwpaie++; 2206 return; 2207 } 2208 IEEE80211_DPRINTF(ic, 2209 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2210 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n", 2211 ether_sprintf(wh->i_addr2), 2212 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN", 2213 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen, 2214 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen, 2215 rsn.rsn_keymgmt, rsn.rsn_caps); 2216 } 2217 /* discard challenge after association */ 2218 if (ni->ni_challenge != NULL) { 2219 FREE(ni->ni_challenge, M_DEVBUF); 2220 ni->ni_challenge = NULL; 2221 } 2222 /* XXX some stations use the privacy bit for handling APs 2223 that suport both encrypted and unencrypted traffic */ 2224 /* NB: PRIVACY flag bits are assumed to match */ 2225 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0 || 2226 (capinfo & IEEE80211_CAPINFO_PRIVACY) ^ 2227 (ic->ic_flags & IEEE80211_F_PRIVACY)) { 2228 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2229 "[%s] deny %s request, capability mismatch 0x%x\n", 2230 ether_sprintf(wh->i_addr2), 2231 reassoc ? "reassoc" : "assoc", capinfo); 2232 IEEE80211_SEND_MGMT(ic, ni, resp, 2233 IEEE80211_STATUS_CAPINFO); 2234 ieee80211_node_leave(ic, ni); 2235 ic->ic_stats.is_rx_assoc_capmismatch++; 2236 return; 2237 } 2238 ieee80211_setup_rates(ic, ni, rates, xrates, 2239 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2240 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2241 if (ni->ni_rates.rs_nrates == 0) { 2242 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2243 "[%s] deny %s request, rate set mismatch\n", 2244 ether_sprintf(wh->i_addr2), 2245 reassoc ? "reassoc" : "assoc"); 2246 IEEE80211_SEND_MGMT(ic, ni, resp, 2247 IEEE80211_STATUS_BASIC_RATE); 2248 ieee80211_node_leave(ic, ni); 2249 ic->ic_stats.is_rx_assoc_norate++; 2250 return; 2251 } 2252 ni->ni_rssi = rssi; 2253 ni->ni_rstamp = rstamp; 2254 ni->ni_intval = bintval; 2255 ni->ni_capinfo = capinfo; 2256 ni->ni_chan = ic->ic_bss->ni_chan; 2257 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 2258 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 2259 if (wpa != NULL) { 2260 /* 2261 * Record WPA/RSN parameters for station, mark 2262 * node as using WPA and record information element 2263 * for applications that require it. 2264 */ 2265 ni->ni_rsn = rsn; 2266 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2267 } else if (ni->ni_wpa_ie != NULL) { 2268 /* 2269 * Flush any state from a previous association. 2270 */ 2271 FREE(ni->ni_wpa_ie, M_DEVBUF); 2272 ni->ni_wpa_ie = NULL; 2273 } 2274 if (wme != NULL) { 2275 /* 2276 * Record WME parameters for station, mark node 2277 * as capable of QoS and record information 2278 * element for applications that require it. 2279 */ 2280 ieee80211_saveie(&ni->ni_wme_ie, wme); 2281 ni->ni_flags |= IEEE80211_NODE_QOS; 2282 } else if (ni->ni_wme_ie != NULL) { 2283 /* 2284 * Flush any state from a previous association. 2285 */ 2286 FREE(ni->ni_wme_ie, M_DEVBUF); 2287 ni->ni_wme_ie = NULL; 2288 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2289 } 2290 ieee80211_node_join(ic, ni, resp); 2291 break; 2292 } 2293 2294 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2295 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 2296 u_int16_t capinfo, associd; 2297 u_int16_t status; 2298 2299 if (ic->ic_opmode != IEEE80211_M_STA || 2300 ic->ic_state != IEEE80211_S_ASSOC) { 2301 ic->ic_stats.is_rx_mgtdiscard++; 2302 return; 2303 } 2304 2305 /* 2306 * asresp frame format 2307 * [2] capability information 2308 * [2] status 2309 * [2] association ID 2310 * [tlv] supported rates 2311 * [tlv] extended supported rates 2312 * [tlv] WME 2313 */ 2314 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2315 ni = ic->ic_bss; 2316 capinfo = le16toh(*(u_int16_t *)frm); 2317 frm += 2; 2318 status = le16toh(*(u_int16_t *)frm); 2319 frm += 2; 2320 if (status != 0) { 2321 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2322 "[%s] %sassoc failed (reason %d)\n", 2323 ether_sprintf(wh->i_addr2), 2324 ISREASSOC(subtype) ? "re" : "", status); 2325 if (ni != ic->ic_bss) /* XXX never true? */ 2326 ni->ni_fails++; 2327 ic->ic_stats.is_rx_auth_fail++; /* XXX */ 2328 return; 2329 } 2330 associd = le16toh(*(u_int16_t *)frm); 2331 frm += 2; 2332 2333 rates = xrates = wpa = wme = NULL; 2334 while (frm < efrm) { 2335 switch (*frm) { 2336 case IEEE80211_ELEMID_RATES: 2337 rates = frm; 2338 break; 2339 case IEEE80211_ELEMID_XRATES: 2340 xrates = frm; 2341 break; 2342 case IEEE80211_ELEMID_VENDOR: 2343 if (iswmeoui(frm)) 2344 wme = frm; 2345 /* XXX Atheros OUI support */ 2346 break; 2347 } 2348 frm += frm[1] + 2; 2349 } 2350 2351 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2352 ieee80211_setup_rates(ic, ni, rates, xrates, 2353 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2354 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2355 if (ni->ni_rates.rs_nrates == 0) { 2356 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2357 "[%s] %sassoc failed (rate set mismatch)\n", 2358 ether_sprintf(wh->i_addr2), 2359 ISREASSOC(subtype) ? "re" : ""); 2360 if (ni != ic->ic_bss) /* XXX never true? */ 2361 ni->ni_fails++; 2362 ic->ic_stats.is_rx_assoc_norate++; 2363 return; 2364 } 2365 2366 ni->ni_capinfo = capinfo; 2367 ni->ni_associd = associd; 2368 if (wme != NULL && 2369 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) { 2370 ni->ni_flags |= IEEE80211_NODE_QOS; 2371 ieee80211_wme_updateparams(ic); 2372 } else 2373 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2374 /* 2375 * Configure state now that we are associated. 2376 * 2377 * XXX may need different/additional driver callbacks? 2378 */ 2379 if (ic->ic_curmode == IEEE80211_MODE_11A || 2380 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { 2381 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2382 ic->ic_flags &= ~IEEE80211_F_USEBARKER; 2383 } else { 2384 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2385 ic->ic_flags |= IEEE80211_F_USEBARKER; 2386 } 2387 ieee80211_set_shortslottime(ic, 2388 ic->ic_curmode == IEEE80211_MODE_11A || 2389 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2390 /* 2391 * Honor ERP protection. 2392 * 2393 * NB: ni_erp should zero for non-11g operation. 2394 * XXX check ic_curmode anyway? 2395 */ 2396 if (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION) 2397 ic->ic_flags |= IEEE80211_F_USEPROT; 2398 else 2399 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2400 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2401 "[%s] %sassoc success: %s preamble, %s slot time%s%s\n", 2402 ether_sprintf(wh->i_addr2), 2403 ISREASSOC(subtype) ? "re" : "", 2404 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 2405 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 2406 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 2407 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "" 2408 ); 2409 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype); 2410 break; 2411 } 2412 2413 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 2414 u_int16_t reason; 2415 2416 if (ic->ic_state == IEEE80211_S_SCAN) { 2417 ic->ic_stats.is_rx_mgtdiscard++; 2418 return; 2419 } 2420 /* 2421 * deauth frame format 2422 * [2] reason 2423 */ 2424 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2425 reason = le16toh(*(u_int16_t *)frm); 2426 ic->ic_stats.is_rx_deauth++; 2427 IEEE80211_NODE_STAT(ni, rx_deauth); 2428 switch (ic->ic_opmode) { 2429 case IEEE80211_M_STA: 2430 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2431 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2432 break; 2433 case IEEE80211_M_HOSTAP: 2434 if (ni != ic->ic_bss) { 2435 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2436 "station %s deauthenticated by peer " 2437 "(reason %d)\n", 2438 ether_sprintf(ni->ni_macaddr), reason); 2439 ieee80211_node_leave(ic, ni); 2440 } 2441 break; 2442 default: 2443 ic->ic_stats.is_rx_mgtdiscard++; 2444 break; 2445 } 2446 break; 2447 } 2448 2449 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2450 u_int16_t reason; 2451 2452 if (ic->ic_state != IEEE80211_S_RUN && 2453 ic->ic_state != IEEE80211_S_AUTH) { 2454 ic->ic_stats.is_rx_mgtdiscard++; 2455 return; 2456 } 2457 /* 2458 * disassoc frame format 2459 * [2] reason 2460 */ 2461 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2462 reason = le16toh(*(u_int16_t *)frm); 2463 ic->ic_stats.is_rx_disassoc++; 2464 IEEE80211_NODE_STAT(ni, rx_disassoc); 2465 switch (ic->ic_opmode) { 2466 case IEEE80211_M_STA: 2467 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2468 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2469 break; 2470 case IEEE80211_M_HOSTAP: 2471 if (ni != ic->ic_bss) { 2472 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2473 "[%s] sta disassociated by peer (reason %d)\n", 2474 ether_sprintf(ni->ni_macaddr), reason); 2475 ieee80211_node_leave(ic, ni); 2476 } 2477 break; 2478 default: 2479 ic->ic_stats.is_rx_mgtdiscard++; 2480 break; 2481 } 2482 break; 2483 } 2484 default: 2485 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2486 wh, "mgt", "subtype 0x%x not handled", subtype); 2487 ic->ic_stats.is_rx_badsubtype++; 2488 break; 2489 } 2490 #undef ISREASSOC 2491 #undef ISPROBE 2492 } 2493 #undef IEEE80211_VERIFY_LENGTH 2494 #undef IEEE80211_VERIFY_ELEMENT 2495 2496 /* 2497 * Handle station power-save state change. 2498 */ 2499 static void 2500 ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable) 2501 { 2502 struct ieee80211com *ic = ni->ni_ic; 2503 struct mbuf *m; 2504 2505 if (enable) { 2506 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0) 2507 ic->ic_ps_sta++; 2508 ni->ni_flags |= IEEE80211_NODE_PWR_MGT; 2509 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2510 "[%s] power save mode on, %u sta's in ps mode\n", 2511 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta); 2512 return; 2513 } 2514 2515 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT) 2516 ic->ic_ps_sta--; 2517 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT; 2518 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2519 "[%s] power save mode off, %u sta's in ps mode\n", 2520 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta); 2521 /* XXX if no stations in ps mode, flush mc frames */ 2522 2523 /* 2524 * Flush queued unicast frames. 2525 */ 2526 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) { 2527 ic->ic_set_tim(ic, ni, 0); /* just in case */ 2528 return; 2529 } 2530 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2531 "[%s] flush ps queue, %u packets queued\n", 2532 ether_sprintf(ni->ni_macaddr), IEEE80211_NODE_SAVEQ_QLEN(ni)); 2533 for (;;) { 2534 int qlen; 2535 2536 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2537 if (m == NULL) 2538 break; 2539 /* 2540 * If this is the last packet, turn off the TIM bit. 2541 * If there are more packets, set the more packets bit 2542 * in the packet dispatched to the station. 2543 */ 2544 if (qlen != 0) { 2545 struct ieee80211_frame_min *wh = 2546 mtod(m, struct ieee80211_frame_min *); 2547 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 2548 } 2549 /* XXX need different driver interface */ 2550 /* XXX bypasses q max */ 2551 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2552 } 2553 } 2554 2555 /* 2556 * Process a received ps-poll frame. 2557 */ 2558 static void 2559 ieee80211_recv_pspoll(struct ieee80211com *ic, 2560 struct ieee80211_node *ni, struct mbuf *m0) 2561 { 2562 struct ieee80211_frame_min *wh; 2563 struct mbuf *m; 2564 u_int16_t aid; 2565 int qlen; 2566 2567 wh = mtod(m0, struct ieee80211_frame_min *); 2568 if (ni->ni_associd == 0) { 2569 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2570 (struct ieee80211_frame *) wh, "ps-poll", 2571 "%s", "unassociated station"); 2572 ic->ic_stats.is_ps_unassoc++; 2573 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2574 IEEE80211_REASON_NOT_ASSOCED); 2575 return; 2576 } 2577 2578 aid = le16toh(*(u_int16_t *)wh->i_dur); 2579 if (aid != ni->ni_associd) { 2580 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2581 (struct ieee80211_frame *) wh, "ps-poll", 2582 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2583 ni->ni_associd, aid); 2584 ic->ic_stats.is_ps_badaid++; 2585 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2586 IEEE80211_REASON_NOT_ASSOCED); 2587 return; 2588 } 2589 2590 /* Okay, take the first queued packet and put it out... */ 2591 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2592 if (m == NULL) { 2593 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2594 "[%s] recv ps-poll, but queue empty\n", 2595 ether_sprintf(wh->i_addr2)); 2596 ieee80211_send_nulldata(ic, ni); 2597 ic->ic_stats.is_ps_qempty++; /* XXX node stat */ 2598 ic->ic_set_tim(ic, ni, 0); /* just in case */ 2599 return; 2600 } 2601 /* 2602 * If there are more packets, set the more packets bit 2603 * in the packet dispatched to the station; otherwise 2604 * turn off the TIM bit. 2605 */ 2606 if (qlen != 0) { 2607 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2608 "[%s] recv ps-poll, send packet, %u still queued\n", 2609 ether_sprintf(ni->ni_macaddr), qlen); 2610 wh = mtod(m, struct ieee80211_frame_min *); 2611 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 2612 } else { 2613 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2614 "[%s] recv ps-poll, send packet, queue empty\n", 2615 ether_sprintf(ni->ni_macaddr)); 2616 ic->ic_set_tim(ic, ni, 0); 2617 } 2618 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2619 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2620 } 2621 2622 #ifdef IEEE80211_DEBUG 2623 /* 2624 * Debugging support. 2625 */ 2626 2627 /* 2628 * Return the bssid of a frame. 2629 */ 2630 static const u_int8_t * 2631 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh) 2632 { 2633 if (ic->ic_opmode == IEEE80211_M_STA) 2634 return wh->i_addr2; 2635 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS) 2636 return wh->i_addr1; 2637 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL) 2638 return wh->i_addr1; 2639 return wh->i_addr3; 2640 } 2641 2642 static void 2643 ieee80211_discard_frame(struct ieee80211com *ic, 2644 const struct ieee80211_frame *wh, 2645 const char *type, const char *fmt, ...) 2646 { 2647 va_list ap; 2648 2649 printf("[%s] discard ", ether_sprintf(ieee80211_getbssid(ic, wh))); 2650 if (type != NULL) 2651 printf(" %s frame, ", type); 2652 else 2653 printf(" frame, "); 2654 va_start(ap, fmt); 2655 vprintf(fmt, ap); 2656 va_end(ap); 2657 printf("\n"); 2658 } 2659 2660 static void 2661 ieee80211_discard_ie(struct ieee80211com *ic, 2662 const struct ieee80211_frame *wh, 2663 const char *type, const char *fmt, ...) 2664 { 2665 va_list ap; 2666 2667 printf("[%s] discard ", ether_sprintf(ieee80211_getbssid(ic, wh))); 2668 if (type != NULL) 2669 printf(" %s information element, ", type); 2670 else 2671 printf(" information element, "); 2672 va_start(ap, fmt); 2673 vprintf(fmt, ap); 2674 va_end(ap); 2675 printf("\n"); 2676 } 2677 2678 static void 2679 ieee80211_discard_mac(struct ieee80211com *ic, 2680 const u_int8_t mac[IEEE80211_ADDR_LEN], 2681 const char *type, const char *fmt, ...) 2682 { 2683 va_list ap; 2684 2685 printf("[%s] discard ", ether_sprintf(mac)); 2686 if (type != NULL) 2687 printf(" %s frame, ", type); 2688 else 2689 printf(" frame, "); 2690 va_start(ap, fmt); 2691 vprintf(fmt, ap); 2692 va_end(ap); 2693 printf("\n"); 2694 } 2695 #endif /* IEEE80211_DEBUG */ 2696