1 /*- 2 * Copyright (c) 2001 Atsushi Onoe 3 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. The name of the author may not be used to endorse or promote products 15 * derived from this software without specific prior written permission. 16 * 17 * Alternatively, this software may be distributed under the terms of the 18 * GNU General Public License ("GPL") version 2 as published by the Free 19 * Software Foundation. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __FBSDID("$FreeBSD$"); 35 36 #include <sys/param.h> 37 #include <sys/systm.h> 38 #include <sys/mbuf.h> 39 #include <sys/malloc.h> 40 #include <sys/endian.h> 41 #include <sys/kernel.h> 42 43 #include <sys/socket.h> 44 45 #include <net/if.h> 46 #include <net/if_media.h> 47 #include <net/ethernet.h> 48 #include <net/if_llc.h> 49 #include <net/if_vlan_var.h> 50 51 #include <net80211/ieee80211_var.h> 52 53 #include <net/bpf.h> 54 55 #ifdef IEEE80211_DEBUG 56 #include <machine/stdarg.h> 57 58 /* 59 * Decide if a received management frame should be 60 * printed when debugging is enabled. This filters some 61 * of the less interesting frames that come frequently 62 * (e.g. beacons). 63 */ 64 static __inline int 65 doprint(struct ieee80211com *ic, int subtype) 66 { 67 switch (subtype) { 68 case IEEE80211_FC0_SUBTYPE_BEACON: 69 return (ic->ic_flags & IEEE80211_F_SCAN); 70 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 71 return (ic->ic_opmode == IEEE80211_M_IBSS); 72 } 73 return 1; 74 } 75 76 /* 77 * Emit a debug message about discarding a frame or information 78 * element. One format is for extracting the mac address from 79 * the frame header; the other is for when a header is not 80 * available or otherwise appropriate. 81 */ 82 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \ 83 if ((_ic)->ic_debug & (_m)) \ 84 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 85 } while (0) 86 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \ 87 if ((_ic)->ic_debug & (_m)) \ 88 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 89 } while (0) 90 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \ 91 if ((_ic)->ic_debug & (_m)) \ 92 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\ 93 } while (0) 94 95 static const u_int8_t *ieee80211_getbssid(struct ieee80211com *, 96 const struct ieee80211_frame *); 97 static void ieee80211_discard_frame(struct ieee80211com *, 98 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 99 static void ieee80211_discard_ie(struct ieee80211com *, 100 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 101 static void ieee80211_discard_mac(struct ieee80211com *, 102 const u_int8_t mac[IEEE80211_ADDR_LEN], const char *type, 103 const char *fmt, ...); 104 #else 105 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) 106 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) 107 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) 108 #endif /* IEEE80211_DEBUG */ 109 110 static struct mbuf *ieee80211_defrag(struct ieee80211com *, 111 struct ieee80211_node *, struct mbuf *, int); 112 static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int); 113 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *, 114 const u_int8_t *mac, int subtype, int arg); 115 static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable); 116 static void ieee80211_recv_pspoll(struct ieee80211com *, 117 struct ieee80211_node *, struct mbuf *); 118 119 /* 120 * Process a received frame. The node associated with the sender 121 * should be supplied. If nothing was found in the node table then 122 * the caller is assumed to supply a reference to ic_bss instead. 123 * The RSSI and a timestamp are also supplied. The RSSI data is used 124 * during AP scanning to select a AP to associate with; it can have 125 * any units so long as values have consistent units and higher values 126 * mean ``better signal''. The receive timestamp is currently not used 127 * by the 802.11 layer. 128 */ 129 int 130 ieee80211_input(struct ieee80211com *ic, struct mbuf *m, 131 struct ieee80211_node *ni, int rssi, u_int32_t rstamp) 132 { 133 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 134 #define HAS_SEQ(type) ((type & 0x4) == 0) 135 struct ifnet *ifp = ic->ic_ifp; 136 struct ieee80211_frame *wh; 137 struct ieee80211_key *key; 138 struct ether_header *eh; 139 int hdrspace; 140 u_int8_t dir, type, subtype; 141 u_int8_t *bssid; 142 u_int16_t rxseq; 143 144 KASSERT(ni != NULL, ("null node")); 145 ni->ni_inact = ni->ni_inact_reload; 146 147 /* trim CRC here so WEP can find its own CRC at the end of packet. */ 148 if (m->m_flags & M_HASFCS) { 149 m_adj(m, -IEEE80211_CRC_LEN); 150 m->m_flags &= ~M_HASFCS; 151 } 152 type = -1; /* undefined */ 153 /* 154 * In monitor mode, send everything directly to bpf. 155 * XXX may want to include the CRC 156 */ 157 if (ic->ic_opmode == IEEE80211_M_MONITOR) 158 goto out; 159 160 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 161 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 162 ni->ni_macaddr, NULL, 163 "too short (1): len %u", m->m_pkthdr.len); 164 ic->ic_stats.is_rx_tooshort++; 165 goto out; 166 } 167 /* 168 * Bit of a cheat here, we use a pointer for a 3-address 169 * frame format but don't reference fields past outside 170 * ieee80211_frame_min w/o first validating the data is 171 * present. 172 */ 173 wh = mtod(m, struct ieee80211_frame *); 174 175 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 176 IEEE80211_FC0_VERSION_0) { 177 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 178 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 179 ic->ic_stats.is_rx_badversion++; 180 goto err; 181 } 182 183 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 184 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 185 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 186 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 187 switch (ic->ic_opmode) { 188 case IEEE80211_M_STA: 189 bssid = wh->i_addr2; 190 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 191 /* not interested in */ 192 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 193 bssid, NULL, "%s", "not to bss"); 194 ic->ic_stats.is_rx_wrongbss++; 195 goto out; 196 } 197 break; 198 case IEEE80211_M_IBSS: 199 case IEEE80211_M_AHDEMO: 200 case IEEE80211_M_HOSTAP: 201 if (dir != IEEE80211_FC1_DIR_NODS) 202 bssid = wh->i_addr1; 203 else if (type == IEEE80211_FC0_TYPE_CTL) 204 bssid = wh->i_addr1; 205 else { 206 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 207 IEEE80211_DISCARD_MAC(ic, 208 IEEE80211_MSG_ANY, ni->ni_macaddr, 209 NULL, "too short (2): len %u", 210 m->m_pkthdr.len); 211 ic->ic_stats.is_rx_tooshort++; 212 goto out; 213 } 214 bssid = wh->i_addr3; 215 } 216 if (type != IEEE80211_FC0_TYPE_DATA) 217 break; 218 /* 219 * Data frame, validate the bssid. 220 */ 221 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 222 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 223 /* not interested in */ 224 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 225 bssid, NULL, "%s", "not to bss"); 226 ic->ic_stats.is_rx_wrongbss++; 227 goto out; 228 } 229 /* 230 * For adhoc mode we cons up a node when it doesn't 231 * exist. This should probably done after an ACL check. 232 */ 233 if (ni == ic->ic_bss && 234 ic->ic_opmode != IEEE80211_M_HOSTAP) { 235 /* 236 * Fake up a node for this newly 237 * discovered member of the IBSS. 238 */ 239 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 240 wh->i_addr2); 241 if (ni == NULL) { 242 /* NB: stat kept for alloc failure */ 243 goto err; 244 } 245 } 246 break; 247 default: 248 goto out; 249 } 250 ni->ni_rssi = rssi; 251 ni->ni_rstamp = rstamp; 252 if (HAS_SEQ(type)) { 253 u_int8_t tid; 254 if (IEEE80211_QOS_HAS_SEQ(wh)) { 255 tid = ((struct ieee80211_qosframe *)wh)-> 256 i_qos[0] & IEEE80211_QOS_TID; 257 if (TID_TO_WME_AC(tid) >= WME_AC_VI) 258 ic->ic_wme.wme_hipri_traffic++; 259 tid++; 260 } else 261 tid = 0; 262 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 263 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 264 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 265 /* duplicate, discard */ 266 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 267 bssid, "duplicate", 268 "seqno <%u,%u> fragno <%u,%u> tid %u", 269 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 270 ni->ni_rxseqs[tid] >> 271 IEEE80211_SEQ_SEQ_SHIFT, 272 rxseq & IEEE80211_SEQ_FRAG_MASK, 273 ni->ni_rxseqs[tid] & 274 IEEE80211_SEQ_FRAG_MASK, 275 tid); 276 ic->ic_stats.is_rx_dup++; 277 IEEE80211_NODE_STAT(ni, rx_dup); 278 goto out; 279 } 280 ni->ni_rxseqs[tid] = rxseq; 281 } 282 } 283 284 switch (type) { 285 case IEEE80211_FC0_TYPE_DATA: 286 hdrspace = ieee80211_hdrspace(ic, wh); 287 if (m->m_len < hdrspace && 288 (m = m_pullup(m, hdrspace)) == NULL) { 289 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 290 ni->ni_macaddr, NULL, 291 "data too short: expecting %u", hdrspace); 292 ic->ic_stats.is_rx_tooshort++; 293 goto out; /* XXX */ 294 } 295 switch (ic->ic_opmode) { 296 case IEEE80211_M_STA: 297 if (dir != IEEE80211_FC1_DIR_FROMDS) { 298 ic->ic_stats.is_rx_wrongdir++; 299 goto out; 300 } 301 if ((ifp->if_flags & IFF_SIMPLEX) && 302 IEEE80211_IS_MULTICAST(wh->i_addr1) && 303 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 304 /* 305 * In IEEE802.11 network, multicast packet 306 * sent from me is broadcasted from AP. 307 * It should be silently discarded for 308 * SIMPLEX interface. 309 */ 310 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 311 wh, NULL, "%s", "multicast echo"); 312 ic->ic_stats.is_rx_mcastecho++; 313 goto out; 314 } 315 break; 316 case IEEE80211_M_IBSS: 317 case IEEE80211_M_AHDEMO: 318 if (dir != IEEE80211_FC1_DIR_NODS) { 319 ic->ic_stats.is_rx_wrongdir++; 320 goto out; 321 } 322 /* XXX no power-save support */ 323 break; 324 case IEEE80211_M_HOSTAP: 325 if (dir != IEEE80211_FC1_DIR_TODS) { 326 ic->ic_stats.is_rx_wrongdir++; 327 goto out; 328 } 329 /* check if source STA is associated */ 330 if (ni == ic->ic_bss) { 331 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 332 wh, "data", "%s", "unknown src"); 333 ieee80211_send_error(ic, ni, wh->i_addr2, 334 IEEE80211_FC0_SUBTYPE_DEAUTH, 335 IEEE80211_REASON_NOT_AUTHED); 336 ic->ic_stats.is_rx_notassoc++; 337 goto err; 338 } 339 if (ni->ni_associd == 0) { 340 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 341 wh, "data", "%s", "unassoc src"); 342 IEEE80211_SEND_MGMT(ic, ni, 343 IEEE80211_FC0_SUBTYPE_DISASSOC, 344 IEEE80211_REASON_NOT_ASSOCED); 345 ic->ic_stats.is_rx_notassoc++; 346 goto err; 347 } 348 349 /* 350 * Check for power save state change. 351 */ 352 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 353 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 354 ieee80211_node_pwrsave(ni, 355 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 356 break; 357 default: 358 /* XXX here to keep compiler happy */ 359 goto out; 360 } 361 362 /* 363 * Handle privacy requirements. Note that we 364 * must not be preempted from here until after 365 * we (potentially) call ieee80211_crypto_demic; 366 * otherwise we may violate assumptions in the 367 * crypto cipher modules used to do delayed update 368 * of replay sequence numbers. 369 */ 370 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 371 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 372 /* 373 * Discard encrypted frames when privacy is off. 374 */ 375 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 376 wh, "WEP", "%s", "PRIVACY off"); 377 ic->ic_stats.is_rx_noprivacy++; 378 IEEE80211_NODE_STAT(ni, rx_noprivacy); 379 goto out; 380 } 381 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 382 if (key == NULL) { 383 /* NB: stats+msgs handled in crypto_decap */ 384 IEEE80211_NODE_STAT(ni, rx_wepfail); 385 goto out; 386 } 387 wh = mtod(m, struct ieee80211_frame *); 388 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 389 } else { 390 key = NULL; 391 } 392 393 /* 394 * Next up, any fragmentation. 395 */ 396 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 397 m = ieee80211_defrag(ic, ni, m, hdrspace); 398 if (m == NULL) { 399 /* Fragment dropped or frame not complete yet */ 400 goto out; 401 } 402 } 403 wh = NULL; /* no longer valid, catch any uses */ 404 405 /* 406 * Next strip any MSDU crypto bits. 407 */ 408 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) { 409 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 410 ni->ni_macaddr, "data", "%s", "demic error"); 411 IEEE80211_NODE_STAT(ni, rx_demicfail); 412 goto out; 413 } 414 415 /* copy to listener after decrypt */ 416 if (ic->ic_rawbpf) 417 bpf_mtap(ic->ic_rawbpf, m); 418 419 /* 420 * Finally, strip the 802.11 header. 421 */ 422 m = ieee80211_decap(ic, m, hdrspace); 423 if (m == NULL) { 424 /* don't count Null data frames as errors */ 425 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA) 426 goto out; 427 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 428 ni->ni_macaddr, "data", "%s", "decap error"); 429 ic->ic_stats.is_rx_decap++; 430 IEEE80211_NODE_STAT(ni, rx_decap); 431 goto err; 432 } 433 eh = mtod(m, struct ether_header *); 434 if (!ieee80211_node_is_authorized(ni)) { 435 /* 436 * Deny any non-PAE frames received prior to 437 * authorization. For open/shared-key 438 * authentication the port is mark authorized 439 * after authentication completes. For 802.1x 440 * the port is not marked authorized by the 441 * authenticator until the handshake has completed. 442 */ 443 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 444 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 445 eh->ether_shost, "data", 446 "unauthorized port: ether type 0x%x len %u", 447 eh->ether_type, m->m_pkthdr.len); 448 ic->ic_stats.is_rx_unauth++; 449 IEEE80211_NODE_STAT(ni, rx_unauth); 450 goto err; 451 } 452 } else { 453 /* 454 * When denying unencrypted frames, discard 455 * any non-PAE frames received without encryption. 456 */ 457 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) && 458 key == NULL && 459 eh->ether_type != htons(ETHERTYPE_PAE)) { 460 /* 461 * Drop unencrypted frames. 462 */ 463 ic->ic_stats.is_rx_unencrypted++; 464 IEEE80211_NODE_STAT(ni, rx_unencrypted); 465 goto out; 466 } 467 } 468 ifp->if_ipackets++; 469 IEEE80211_NODE_STAT(ni, rx_data); 470 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 471 472 /* perform as a bridge within the AP */ 473 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 474 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) { 475 struct mbuf *m1 = NULL; 476 477 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 478 m1 = m_copypacket(m, M_DONTWAIT); 479 if (m1 == NULL) 480 ifp->if_oerrors++; 481 else 482 m1->m_flags |= M_MCAST; 483 } else { 484 /* XXX this dups work done in ieee80211_encap */ 485 /* check if destination is associated */ 486 struct ieee80211_node *ni1 = 487 ieee80211_find_node(&ic->ic_sta, 488 eh->ether_dhost); 489 if (ni1 != NULL) { 490 /* XXX check if authorized */ 491 if (ni1->ni_associd != 0) { 492 m1 = m; 493 m = NULL; 494 } 495 /* XXX statistic? */ 496 ieee80211_free_node(ni1); 497 } 498 } 499 if (m1 != NULL) 500 IF_HANDOFF(&ifp->if_snd, m1, ifp); 501 } 502 if (m != NULL) { 503 if (ni->ni_vlan != 0) { 504 /* attach vlan tag */ 505 /* XXX goto err? */ 506 VLAN_INPUT_TAG(ifp, m, ni->ni_vlan, goto out); 507 } 508 (*ifp->if_input)(ifp, m); 509 } 510 return IEEE80211_FC0_TYPE_DATA; 511 512 case IEEE80211_FC0_TYPE_MGT: 513 IEEE80211_NODE_STAT(ni, rx_mgmt); 514 if (dir != IEEE80211_FC1_DIR_NODS) { 515 ic->ic_stats.is_rx_wrongdir++; 516 goto err; 517 } 518 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 519 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 520 ni->ni_macaddr, "mgt", "too short: len %u", 521 m->m_pkthdr.len); 522 ic->ic_stats.is_rx_tooshort++; 523 goto out; 524 } 525 #ifdef IEEE80211_DEBUG 526 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 527 ieee80211_msg_dumppkts(ic)) { 528 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n", 529 ieee80211_mgt_subtype_name[subtype >> 530 IEEE80211_FC0_SUBTYPE_SHIFT], 531 ether_sprintf(wh->i_addr2), rssi); 532 } 533 #endif 534 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 535 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 536 /* 537 * Only shared key auth frames with a challenge 538 * should be encrypted, discard all others. 539 */ 540 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 541 wh, ieee80211_mgt_subtype_name[subtype >> 542 IEEE80211_FC0_SUBTYPE_SHIFT], 543 "%s", "WEP set but not permitted"); 544 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */ 545 goto out; 546 } 547 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 548 /* 549 * Discard encrypted frames when privacy is off. 550 */ 551 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 552 wh, "mgt", "%s", "WEP set but PRIVACY off"); 553 ic->ic_stats.is_rx_noprivacy++; 554 goto out; 555 } 556 hdrspace = ieee80211_hdrspace(ic, wh); 557 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 558 if (key == NULL) { 559 /* NB: stats+msgs handled in crypto_decap */ 560 goto out; 561 } 562 wh = mtod(m, struct ieee80211_frame *); 563 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 564 } 565 if (ic->ic_rawbpf) 566 bpf_mtap(ic->ic_rawbpf, m); 567 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 568 m_freem(m); 569 return type; 570 571 case IEEE80211_FC0_TYPE_CTL: 572 IEEE80211_NODE_STAT(ni, rx_ctrl); 573 ic->ic_stats.is_rx_ctl++; 574 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 575 switch (subtype) { 576 case IEEE80211_FC0_SUBTYPE_PS_POLL: 577 ieee80211_recv_pspoll(ic, ni, m); 578 break; 579 } 580 } 581 goto out; 582 default: 583 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 584 wh, NULL, "bad frame type 0x%x", type); 585 /* should not come here */ 586 break; 587 } 588 err: 589 ifp->if_ierrors++; 590 out: 591 if (m != NULL) { 592 if (ic->ic_rawbpf) 593 bpf_mtap(ic->ic_rawbpf, m); 594 m_freem(m); 595 } 596 return type; 597 #undef SEQ_LEQ 598 } 599 600 /* 601 * This function reassemble fragments. 602 */ 603 static struct mbuf * 604 ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni, 605 struct mbuf *m, int hdrspace) 606 { 607 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 608 struct ieee80211_frame *lwh; 609 u_int16_t rxseq; 610 u_int8_t fragno; 611 u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG; 612 struct mbuf *mfrag; 613 614 KASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?")); 615 616 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 617 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK; 618 619 /* Quick way out, if there's nothing to defragment */ 620 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) 621 return m; 622 623 /* 624 * Remove frag to insure it doesn't get reaped by timer. 625 */ 626 if (ni->ni_table == NULL) { 627 /* 628 * Should never happen. If the node is orphaned (not in 629 * the table) then input packets should not reach here. 630 * Otherwise, a concurrent request that yanks the table 631 * should be blocked by other interlocking and/or by first 632 * shutting the driver down. Regardless, be defensive 633 * here and just bail 634 */ 635 /* XXX need msg+stat */ 636 m_freem(m); 637 return NULL; 638 } 639 IEEE80211_NODE_LOCK(ni->ni_table); 640 mfrag = ni->ni_rxfrag[0]; 641 ni->ni_rxfrag[0] = NULL; 642 IEEE80211_NODE_UNLOCK(ni->ni_table); 643 644 /* 645 * Validate new fragment is in order and 646 * related to the previous ones. 647 */ 648 if (mfrag != NULL) { 649 u_int16_t last_rxseq; 650 651 lwh = mtod(mfrag, struct ieee80211_frame *); 652 last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq); 653 /* NB: check seq # and frag together */ 654 if (rxseq != last_rxseq+1 || 655 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) || 656 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { 657 /* 658 * Unrelated fragment or no space for it, 659 * clear current fragments. 660 */ 661 m_freem(mfrag); 662 mfrag = NULL; 663 } 664 } 665 666 if (mfrag == NULL) { 667 if (fragno != 0) { /* !first fragment, discard */ 668 IEEE80211_NODE_STAT(ni, rx_defrag); 669 m_freem(m); 670 return NULL; 671 } 672 mfrag = m; 673 } else { /* concatenate */ 674 m_adj(m, hdrspace); /* strip header */ 675 m_cat(mfrag, m); 676 /* NB: m_cat doesn't update the packet header */ 677 mfrag->m_pkthdr.len += m->m_pkthdr.len; 678 /* track last seqnum and fragno */ 679 lwh = mtod(mfrag, struct ieee80211_frame *); 680 *(u_int16_t *) lwh->i_seq = *(u_int16_t *) wh->i_seq; 681 } 682 if (more_frag) { /* more to come, save */ 683 ni->ni_rxfragstamp = ticks; 684 ni->ni_rxfrag[0] = mfrag; 685 mfrag = NULL; 686 } 687 return mfrag; 688 } 689 690 static struct mbuf * 691 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 692 { 693 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */ 694 struct ether_header *eh; 695 struct llc *llc; 696 697 if (m->m_len < hdrlen + sizeof(*llc) && 698 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) { 699 /* XXX stat, msg */ 700 return NULL; 701 } 702 memcpy(&wh, mtod(m, caddr_t), hdrlen); 703 llc = (struct llc *)(mtod(m, caddr_t) + hdrlen); 704 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 705 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 706 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 707 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); 708 llc = NULL; 709 } else { 710 m_adj(m, hdrlen - sizeof(*eh)); 711 } 712 eh = mtod(m, struct ether_header *); 713 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 714 case IEEE80211_FC1_DIR_NODS: 715 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 716 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 717 break; 718 case IEEE80211_FC1_DIR_TODS: 719 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 720 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 721 break; 722 case IEEE80211_FC1_DIR_FROMDS: 723 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 724 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 725 break; 726 case IEEE80211_FC1_DIR_DSTODS: 727 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 728 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 729 break; 730 } 731 #ifdef ALIGNED_POINTER 732 if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), u_int32_t)) { 733 struct mbuf *n, *n0, **np; 734 caddr_t newdata; 735 int off, pktlen; 736 737 n0 = NULL; 738 np = &n0; 739 off = 0; 740 pktlen = m->m_pkthdr.len; 741 while (pktlen > off) { 742 if (n0 == NULL) { 743 MGETHDR(n, M_DONTWAIT, MT_DATA); 744 if (n == NULL) { 745 m_freem(m); 746 return NULL; 747 } 748 M_MOVE_PKTHDR(n, m); 749 n->m_len = MHLEN; 750 } else { 751 MGET(n, M_DONTWAIT, MT_DATA); 752 if (n == NULL) { 753 m_freem(m); 754 m_freem(n0); 755 return NULL; 756 } 757 n->m_len = MLEN; 758 } 759 if (pktlen - off >= MINCLSIZE) { 760 MCLGET(n, M_DONTWAIT); 761 if (n->m_flags & M_EXT) 762 n->m_len = n->m_ext.ext_size; 763 } 764 if (n0 == NULL) { 765 newdata = 766 (caddr_t)ALIGN(n->m_data + sizeof(*eh)) - 767 sizeof(*eh); 768 n->m_len -= newdata - n->m_data; 769 n->m_data = newdata; 770 } 771 if (n->m_len > pktlen - off) 772 n->m_len = pktlen - off; 773 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 774 off += n->m_len; 775 *np = n; 776 np = &n->m_next; 777 } 778 m_freem(m); 779 m = n0; 780 } 781 #endif /* ALIGNED_POINTER */ 782 if (llc != NULL) { 783 eh = mtod(m, struct ether_header *); 784 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 785 } 786 return m; 787 } 788 789 /* 790 * Install received rate set information in the node's state block. 791 */ 792 static int 793 ieee80211_setup_rates(struct ieee80211com *ic, struct ieee80211_node *ni, 794 u_int8_t *rates, u_int8_t *xrates, int flags) 795 { 796 struct ieee80211_rateset *rs = &ni->ni_rates; 797 798 memset(rs, 0, sizeof(*rs)); 799 rs->rs_nrates = rates[1]; 800 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 801 if (xrates != NULL) { 802 u_int8_t nxrates; 803 /* 804 * Tack on 11g extended supported rate element. 805 */ 806 nxrates = xrates[1]; 807 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 808 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 809 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 810 "[%s] extended rate set too large;" 811 " only using %u of %u rates\n", 812 ether_sprintf(ni->ni_macaddr), nxrates, xrates[1]); 813 ic->ic_stats.is_rx_rstoobig++; 814 } 815 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 816 rs->rs_nrates += nxrates; 817 } 818 return ieee80211_fix_rate(ic, ni, flags); 819 } 820 821 static void 822 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 823 struct ieee80211_node *ni, int rssi, u_int32_t rstamp, u_int16_t seq, 824 u_int16_t status) 825 { 826 827 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 828 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 829 ni->ni_macaddr, "open auth", 830 "bad sta auth mode %u", ni->ni_authmode); 831 ic->ic_stats.is_rx_bad_auth++; /* XXX */ 832 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 833 /* XXX hack to workaround calling convention */ 834 ieee80211_send_error(ic, ni, wh->i_addr2, 835 IEEE80211_FC0_SUBTYPE_AUTH, 836 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 837 } 838 return; 839 } 840 switch (ic->ic_opmode) { 841 case IEEE80211_M_IBSS: 842 case IEEE80211_M_AHDEMO: 843 case IEEE80211_M_MONITOR: 844 /* should not come here */ 845 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 846 ni->ni_macaddr, "open auth", 847 "bad operating mode %u", ic->ic_opmode); 848 break; 849 850 case IEEE80211_M_HOSTAP: 851 if (ic->ic_state != IEEE80211_S_RUN || 852 seq != IEEE80211_AUTH_OPEN_REQUEST) { 853 ic->ic_stats.is_rx_bad_auth++; 854 return; 855 } 856 /* always accept open authentication requests */ 857 if (ni == ic->ic_bss) { 858 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 859 if (ni == NULL) 860 return; 861 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 862 (void) ieee80211_ref_node(ni); 863 /* 864 * Mark the node as referenced to reflect that it's 865 * reference count has been bumped to insure it remains 866 * after the transaction completes. 867 */ 868 ni->ni_flags |= IEEE80211_NODE_AREF; 869 870 IEEE80211_SEND_MGMT(ic, ni, 871 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 872 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 873 "[%s] station authenticated (open)\n", 874 ether_sprintf(ni->ni_macaddr)); 875 /* 876 * When 802.1x is not in use mark the port 877 * authorized at this point so traffic can flow. 878 */ 879 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 880 ieee80211_node_authorize(ic, ni); 881 break; 882 883 case IEEE80211_M_STA: 884 if (ic->ic_state != IEEE80211_S_AUTH || 885 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 886 ic->ic_stats.is_rx_bad_auth++; 887 return; 888 } 889 if (status != 0) { 890 IEEE80211_DPRINTF(ic, 891 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 892 "[%s] open auth failed (reason %d)\n", 893 ether_sprintf(ni->ni_macaddr), status); 894 /* XXX can this happen? */ 895 if (ni != ic->ic_bss) 896 ni->ni_fails++; 897 ic->ic_stats.is_rx_auth_fail++; 898 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 899 } else 900 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 901 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 902 break; 903 } 904 } 905 906 /* 907 * Send a management frame error response to the specified 908 * station. If ni is associated with the station then use 909 * it; otherwise allocate a temporary node suitable for 910 * transmitting the frame and then free the reference so 911 * it will go away as soon as the frame has been transmitted. 912 */ 913 static void 914 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni, 915 const u_int8_t *mac, int subtype, int arg) 916 { 917 int istmp; 918 919 if (ni == ic->ic_bss) { 920 ni = ieee80211_dup_bss(&ic->ic_sta, mac); 921 if (ni == NULL) { 922 /* XXX msg */ 923 return; 924 } 925 istmp = 1; 926 } else 927 istmp = 0; 928 IEEE80211_SEND_MGMT(ic, ni, subtype, arg); 929 if (istmp) 930 ieee80211_free_node(ni); 931 } 932 933 static int 934 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni) 935 { 936 if (ni->ni_challenge == NULL) 937 MALLOC(ni->ni_challenge, u_int32_t*, IEEE80211_CHALLENGE_LEN, 938 M_DEVBUF, M_NOWAIT); 939 if (ni->ni_challenge == NULL) { 940 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 941 "[%s] shared key challenge alloc failed\n", 942 ether_sprintf(ni->ni_macaddr)); 943 /* XXX statistic */ 944 } 945 return (ni->ni_challenge != NULL); 946 } 947 948 /* XXX TODO: add statistics */ 949 static void 950 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 951 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 952 u_int32_t rstamp, u_int16_t seq, u_int16_t status) 953 { 954 u_int8_t *challenge; 955 int allocbs, estatus; 956 957 /* 958 * NB: this can happen as we allow pre-shared key 959 * authentication to be enabled w/o wep being turned 960 * on so that configuration of these can be done 961 * in any order. It may be better to enforce the 962 * ordering in which case this check would just be 963 * for sanity/consistency. 964 */ 965 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 966 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 967 ni->ni_macaddr, "shared key auth", 968 "%s", " PRIVACY is disabled"); 969 estatus = IEEE80211_STATUS_ALG; 970 goto bad; 971 } 972 /* 973 * Pre-shared key authentication is evil; accept 974 * it only if explicitly configured (it is supported 975 * mainly for compatibility with clients like OS X). 976 */ 977 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 978 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 979 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 980 ni->ni_macaddr, "shared key auth", 981 "bad sta auth mode %u", ni->ni_authmode); 982 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 983 estatus = IEEE80211_STATUS_ALG; 984 goto bad; 985 } 986 987 challenge = NULL; 988 if (frm + 1 < efrm) { 989 if ((frm[1] + 2) > (efrm - frm)) { 990 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 991 ni->ni_macaddr, "shared key auth", 992 "ie %d/%d too long", 993 frm[0], (frm[1] + 2) - (efrm - frm)); 994 ic->ic_stats.is_rx_bad_auth++; 995 estatus = IEEE80211_STATUS_CHALLENGE; 996 goto bad; 997 } 998 if (*frm == IEEE80211_ELEMID_CHALLENGE) 999 challenge = frm; 1000 frm += frm[1] + 2; 1001 } 1002 switch (seq) { 1003 case IEEE80211_AUTH_SHARED_CHALLENGE: 1004 case IEEE80211_AUTH_SHARED_RESPONSE: 1005 if (challenge == NULL) { 1006 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1007 ni->ni_macaddr, "shared key auth", 1008 "%s", "no challenge"); 1009 ic->ic_stats.is_rx_bad_auth++; 1010 estatus = IEEE80211_STATUS_CHALLENGE; 1011 goto bad; 1012 } 1013 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1014 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1015 ni->ni_macaddr, "shared key auth", 1016 "bad challenge len %d", challenge[1]); 1017 ic->ic_stats.is_rx_bad_auth++; 1018 estatus = IEEE80211_STATUS_CHALLENGE; 1019 goto bad; 1020 } 1021 default: 1022 break; 1023 } 1024 switch (ic->ic_opmode) { 1025 case IEEE80211_M_MONITOR: 1026 case IEEE80211_M_AHDEMO: 1027 case IEEE80211_M_IBSS: 1028 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1029 ni->ni_macaddr, "shared key auth", 1030 "bad operating mode %u", ic->ic_opmode); 1031 return; 1032 case IEEE80211_M_HOSTAP: 1033 if (ic->ic_state != IEEE80211_S_RUN) { 1034 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1035 ni->ni_macaddr, "shared key auth", 1036 "bad state %u", ic->ic_state); 1037 estatus = IEEE80211_STATUS_ALG; /* XXX */ 1038 goto bad; 1039 } 1040 switch (seq) { 1041 case IEEE80211_AUTH_SHARED_REQUEST: 1042 if (ni == ic->ic_bss) { 1043 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1044 if (ni == NULL) { 1045 /* NB: no way to return an error */ 1046 return; 1047 } 1048 allocbs = 1; 1049 } else { 1050 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1051 (void) ieee80211_ref_node(ni); 1052 allocbs = 0; 1053 } 1054 /* 1055 * Mark the node as referenced to reflect that it's 1056 * reference count has been bumped to insure it remains 1057 * after the transaction completes. 1058 */ 1059 ni->ni_flags |= IEEE80211_NODE_AREF; 1060 ni->ni_rssi = rssi; 1061 ni->ni_rstamp = rstamp; 1062 if (!alloc_challenge(ic, ni)) { 1063 /* NB: don't return error so they rexmit */ 1064 return; 1065 } 1066 get_random_bytes(ni->ni_challenge, 1067 IEEE80211_CHALLENGE_LEN); 1068 IEEE80211_DPRINTF(ic, 1069 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1070 "[%s] shared key %sauth request\n", 1071 ether_sprintf(ni->ni_macaddr), 1072 allocbs ? "" : "re"); 1073 break; 1074 case IEEE80211_AUTH_SHARED_RESPONSE: 1075 if (ni == ic->ic_bss) { 1076 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1077 ni->ni_macaddr, "shared key response", 1078 "%s", "unknown station"); 1079 /* NB: don't send a response */ 1080 return; 1081 } 1082 if (ni->ni_challenge == NULL) { 1083 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1084 ni->ni_macaddr, "shared key response", 1085 "%s", "no challenge recorded"); 1086 ic->ic_stats.is_rx_bad_auth++; 1087 estatus = IEEE80211_STATUS_CHALLENGE; 1088 goto bad; 1089 } 1090 if (memcmp(ni->ni_challenge, &challenge[2], 1091 challenge[1]) != 0) { 1092 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1093 ni->ni_macaddr, "shared key response", 1094 "%s", "challenge mismatch"); 1095 ic->ic_stats.is_rx_auth_fail++; 1096 estatus = IEEE80211_STATUS_CHALLENGE; 1097 goto bad; 1098 } 1099 IEEE80211_DPRINTF(ic, 1100 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1101 "[%s] station authenticated (shared key)\n", 1102 ether_sprintf(ni->ni_macaddr)); 1103 ieee80211_node_authorize(ic, ni); 1104 break; 1105 default: 1106 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1107 ni->ni_macaddr, "shared key auth", 1108 "bad seq %d", seq); 1109 ic->ic_stats.is_rx_bad_auth++; 1110 estatus = IEEE80211_STATUS_SEQUENCE; 1111 goto bad; 1112 } 1113 IEEE80211_SEND_MGMT(ic, ni, 1114 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1115 break; 1116 1117 case IEEE80211_M_STA: 1118 if (ic->ic_state != IEEE80211_S_AUTH) 1119 return; 1120 switch (seq) { 1121 case IEEE80211_AUTH_SHARED_PASS: 1122 if (ni->ni_challenge != NULL) { 1123 FREE(ni->ni_challenge, M_DEVBUF); 1124 ni->ni_challenge = NULL; 1125 } 1126 if (status != 0) { 1127 IEEE80211_DPRINTF(ic, 1128 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1129 "[%s] shared key auth failed (reason %d)\n", 1130 ether_sprintf(ieee80211_getbssid(ic, wh)), 1131 status); 1132 /* XXX can this happen? */ 1133 if (ni != ic->ic_bss) 1134 ni->ni_fails++; 1135 ic->ic_stats.is_rx_auth_fail++; 1136 return; 1137 } 1138 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1139 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1140 break; 1141 case IEEE80211_AUTH_SHARED_CHALLENGE: 1142 if (!alloc_challenge(ic, ni)) 1143 return; 1144 /* XXX could optimize by passing recvd challenge */ 1145 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1146 IEEE80211_SEND_MGMT(ic, ni, 1147 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1148 break; 1149 default: 1150 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH, 1151 wh, "shared key auth", "bad seq %d", seq); 1152 ic->ic_stats.is_rx_bad_auth++; 1153 return; 1154 } 1155 break; 1156 } 1157 return; 1158 bad: 1159 /* 1160 * Send an error response; but only when operating as an AP. 1161 */ 1162 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1163 /* XXX hack to workaround calling convention */ 1164 ieee80211_send_error(ic, ni, wh->i_addr2, 1165 IEEE80211_FC0_SUBTYPE_AUTH, 1166 (seq + 1) | (estatus<<16)); 1167 } else if (ic->ic_opmode == IEEE80211_M_STA) { 1168 /* 1169 * Kick the state machine. This short-circuits 1170 * using the mgt frame timeout to trigger the 1171 * state transition. 1172 */ 1173 if (ic->ic_state == IEEE80211_S_AUTH) 1174 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1175 } 1176 } 1177 1178 /* Verify the existence and length of __elem or get out. */ 1179 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 1180 if ((__elem) == NULL) { \ 1181 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1182 wh, ieee80211_mgt_subtype_name[subtype >> \ 1183 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1184 "%s", "no " #__elem ); \ 1185 ic->ic_stats.is_rx_elem_missing++; \ 1186 return; \ 1187 } \ 1188 if ((__elem)[1] > (__maxlen)) { \ 1189 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1190 wh, ieee80211_mgt_subtype_name[subtype >> \ 1191 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1192 "bad " #__elem " len %d", (__elem)[1]); \ 1193 ic->ic_stats.is_rx_elem_toobig++; \ 1194 return; \ 1195 } \ 1196 } while (0) 1197 1198 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 1199 if ((_len) < (_minlen)) { \ 1200 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1201 wh, ieee80211_mgt_subtype_name[subtype >> \ 1202 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1203 "%s", "ie too short"); \ 1204 ic->ic_stats.is_rx_elem_toosmall++; \ 1205 return; \ 1206 } \ 1207 } while (0) 1208 1209 #ifdef IEEE80211_DEBUG 1210 static void 1211 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 1212 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 1213 { 1214 printf("[%s] discard %s frame, ssid mismatch: ", 1215 ether_sprintf(mac), tag); 1216 ieee80211_print_essid(ssid + 2, ssid[1]); 1217 printf("\n"); 1218 } 1219 1220 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1221 if ((_ssid)[1] != 0 && \ 1222 ((_ssid)[1] != (_ni)->ni_esslen || \ 1223 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1224 if (ieee80211_msg_input(ic)) \ 1225 ieee80211_ssid_mismatch(ic, \ 1226 ieee80211_mgt_subtype_name[subtype >> \ 1227 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1228 wh->i_addr2, _ssid); \ 1229 ic->ic_stats.is_rx_ssidmismatch++; \ 1230 return; \ 1231 } \ 1232 } while (0) 1233 #else /* !IEEE80211_DEBUG */ 1234 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1235 if ((_ssid)[1] != 0 && \ 1236 ((_ssid)[1] != (_ni)->ni_esslen || \ 1237 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1238 ic->ic_stats.is_rx_ssidmismatch++; \ 1239 return; \ 1240 } \ 1241 } while (0) 1242 #endif /* !IEEE80211_DEBUG */ 1243 1244 /* unalligned little endian access */ 1245 #define LE_READ_2(p) \ 1246 ((u_int16_t) \ 1247 ((((const u_int8_t *)(p))[0] ) | \ 1248 (((const u_int8_t *)(p))[1] << 8))) 1249 #define LE_READ_4(p) \ 1250 ((u_int32_t) \ 1251 ((((const u_int8_t *)(p))[0] ) | \ 1252 (((const u_int8_t *)(p))[1] << 8) | \ 1253 (((const u_int8_t *)(p))[2] << 16) | \ 1254 (((const u_int8_t *)(p))[3] << 24))) 1255 1256 static int __inline 1257 iswpaoui(const u_int8_t *frm) 1258 { 1259 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); 1260 } 1261 1262 static int __inline 1263 iswmeoui(const u_int8_t *frm) 1264 { 1265 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI); 1266 } 1267 1268 static int __inline 1269 iswmeparam(const u_int8_t *frm) 1270 { 1271 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1272 frm[6] == WME_PARAM_OUI_SUBTYPE; 1273 } 1274 1275 static int __inline 1276 iswmeinfo(const u_int8_t *frm) 1277 { 1278 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1279 frm[6] == WME_INFO_OUI_SUBTYPE; 1280 } 1281 1282 static int __inline 1283 isatherosoui(const u_int8_t *frm) 1284 { 1285 return frm[1] > 3 && LE_READ_4(frm+2) == ((ATH_OUI_TYPE<<24)|ATH_OUI); 1286 } 1287 1288 /* 1289 * Convert a WPA cipher selector OUI to an internal 1290 * cipher algorithm. Where appropriate we also 1291 * record any key length. 1292 */ 1293 static int 1294 wpa_cipher(u_int8_t *sel, u_int8_t *keylen) 1295 { 1296 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1297 u_int32_t w = LE_READ_4(sel); 1298 1299 switch (w) { 1300 case WPA_SEL(WPA_CSE_NULL): 1301 return IEEE80211_CIPHER_NONE; 1302 case WPA_SEL(WPA_CSE_WEP40): 1303 if (keylen) 1304 *keylen = 40 / NBBY; 1305 return IEEE80211_CIPHER_WEP; 1306 case WPA_SEL(WPA_CSE_WEP104): 1307 if (keylen) 1308 *keylen = 104 / NBBY; 1309 return IEEE80211_CIPHER_WEP; 1310 case WPA_SEL(WPA_CSE_TKIP): 1311 return IEEE80211_CIPHER_TKIP; 1312 case WPA_SEL(WPA_CSE_CCMP): 1313 return IEEE80211_CIPHER_AES_CCM; 1314 } 1315 return 32; /* NB: so 1<< is discarded */ 1316 #undef WPA_SEL 1317 } 1318 1319 /* 1320 * Convert a WPA key management/authentication algorithm 1321 * to an internal code. 1322 */ 1323 static int 1324 wpa_keymgmt(u_int8_t *sel) 1325 { 1326 #define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1327 u_int32_t w = LE_READ_4(sel); 1328 1329 switch (w) { 1330 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1331 return WPA_ASE_8021X_UNSPEC; 1332 case WPA_SEL(WPA_ASE_8021X_PSK): 1333 return WPA_ASE_8021X_PSK; 1334 case WPA_SEL(WPA_ASE_NONE): 1335 return WPA_ASE_NONE; 1336 } 1337 return 0; /* NB: so is discarded */ 1338 #undef WPA_SEL 1339 } 1340 1341 /* 1342 * Parse a WPA information element to collect parameters 1343 * and validate the parameters against what has been 1344 * configured for the system. 1345 */ 1346 static int 1347 ieee80211_parse_wpa(struct ieee80211com *ic, u_int8_t *frm, 1348 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1349 { 1350 u_int8_t len = frm[1]; 1351 u_int32_t w; 1352 int n; 1353 1354 /* 1355 * Check the length once for fixed parts: OUI, type, 1356 * version, mcast cipher, and 2 selector counts. 1357 * Other, variable-length data, must be checked separately. 1358 */ 1359 KASSERT(ic->ic_flags & IEEE80211_F_WPA1, 1360 ("not WPA, flags 0x%x", ic->ic_flags)); 1361 if (len < 14) { 1362 IEEE80211_DISCARD_IE(ic, 1363 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1364 wh, "WPA", "too short, len %u", len); 1365 return IEEE80211_REASON_IE_INVALID; 1366 } 1367 frm += 6, len -= 4; /* NB: len is payload only */ 1368 /* NB: iswapoui already validated the OUI and type */ 1369 w = LE_READ_2(frm); 1370 if (w != WPA_VERSION) { 1371 IEEE80211_DISCARD_IE(ic, 1372 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1373 wh, "WPA", "bad version %u", w); 1374 return IEEE80211_REASON_IE_INVALID; 1375 } 1376 frm += 2, len -= 2; 1377 1378 /* multicast/group cipher */ 1379 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1380 if (w != rsn->rsn_mcastcipher) { 1381 IEEE80211_DISCARD_IE(ic, 1382 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1383 wh, "WPA", "mcast cipher mismatch; got %u, expected %u", 1384 w, rsn->rsn_mcastcipher); 1385 return IEEE80211_REASON_IE_INVALID; 1386 } 1387 frm += 4, len -= 4; 1388 1389 /* unicast ciphers */ 1390 n = LE_READ_2(frm); 1391 frm += 2, len -= 2; 1392 if (len < n*4+2) { 1393 IEEE80211_DISCARD_IE(ic, 1394 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1395 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1396 len, n); 1397 return IEEE80211_REASON_IE_INVALID; 1398 } 1399 w = 0; 1400 for (; n > 0; n--) { 1401 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1402 frm += 4, len -= 4; 1403 } 1404 w &= rsn->rsn_ucastcipherset; 1405 if (w == 0) { 1406 IEEE80211_DISCARD_IE(ic, 1407 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1408 wh, "WPA", "%s", "ucast cipher set empty"); 1409 return IEEE80211_REASON_IE_INVALID; 1410 } 1411 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1412 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1413 else 1414 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1415 1416 /* key management algorithms */ 1417 n = LE_READ_2(frm); 1418 frm += 2, len -= 2; 1419 if (len < n*4) { 1420 IEEE80211_DISCARD_IE(ic, 1421 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1422 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1423 len, n); 1424 return IEEE80211_REASON_IE_INVALID; 1425 } 1426 w = 0; 1427 for (; n > 0; n--) { 1428 w |= wpa_keymgmt(frm); 1429 frm += 4, len -= 4; 1430 } 1431 w &= rsn->rsn_keymgmtset; 1432 if (w == 0) { 1433 IEEE80211_DISCARD_IE(ic, 1434 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1435 wh, "WPA", "%s", "no acceptable key mgmt alg"); 1436 return IEEE80211_REASON_IE_INVALID; 1437 } 1438 if (w & WPA_ASE_8021X_UNSPEC) 1439 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1440 else 1441 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1442 1443 if (len > 2) /* optional capabilities */ 1444 rsn->rsn_caps = LE_READ_2(frm); 1445 1446 return 0; 1447 } 1448 1449 /* 1450 * Convert an RSN cipher selector OUI to an internal 1451 * cipher algorithm. Where appropriate we also 1452 * record any key length. 1453 */ 1454 static int 1455 rsn_cipher(u_int8_t *sel, u_int8_t *keylen) 1456 { 1457 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1458 u_int32_t w = LE_READ_4(sel); 1459 1460 switch (w) { 1461 case RSN_SEL(RSN_CSE_NULL): 1462 return IEEE80211_CIPHER_NONE; 1463 case RSN_SEL(RSN_CSE_WEP40): 1464 if (keylen) 1465 *keylen = 40 / NBBY; 1466 return IEEE80211_CIPHER_WEP; 1467 case RSN_SEL(RSN_CSE_WEP104): 1468 if (keylen) 1469 *keylen = 104 / NBBY; 1470 return IEEE80211_CIPHER_WEP; 1471 case RSN_SEL(RSN_CSE_TKIP): 1472 return IEEE80211_CIPHER_TKIP; 1473 case RSN_SEL(RSN_CSE_CCMP): 1474 return IEEE80211_CIPHER_AES_CCM; 1475 case RSN_SEL(RSN_CSE_WRAP): 1476 return IEEE80211_CIPHER_AES_OCB; 1477 } 1478 return 32; /* NB: so 1<< is discarded */ 1479 #undef WPA_SEL 1480 } 1481 1482 /* 1483 * Convert an RSN key management/authentication algorithm 1484 * to an internal code. 1485 */ 1486 static int 1487 rsn_keymgmt(u_int8_t *sel) 1488 { 1489 #define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1490 u_int32_t w = LE_READ_4(sel); 1491 1492 switch (w) { 1493 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1494 return RSN_ASE_8021X_UNSPEC; 1495 case RSN_SEL(RSN_ASE_8021X_PSK): 1496 return RSN_ASE_8021X_PSK; 1497 case RSN_SEL(RSN_ASE_NONE): 1498 return RSN_ASE_NONE; 1499 } 1500 return 0; /* NB: so is discarded */ 1501 #undef RSN_SEL 1502 } 1503 1504 /* 1505 * Parse a WPA/RSN information element to collect parameters 1506 * and validate the parameters against what has been 1507 * configured for the system. 1508 */ 1509 static int 1510 ieee80211_parse_rsn(struct ieee80211com *ic, u_int8_t *frm, 1511 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1512 { 1513 u_int8_t len = frm[1]; 1514 u_int32_t w; 1515 int n; 1516 1517 /* 1518 * Check the length once for fixed parts: 1519 * version, mcast cipher, and 2 selector counts. 1520 * Other, variable-length data, must be checked separately. 1521 */ 1522 KASSERT(ic->ic_flags & IEEE80211_F_WPA2, 1523 ("not RSN, flags 0x%x", ic->ic_flags)); 1524 if (len < 10) { 1525 IEEE80211_DISCARD_IE(ic, 1526 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1527 wh, "RSN", "too short, len %u", len); 1528 return IEEE80211_REASON_IE_INVALID; 1529 } 1530 frm += 2; 1531 w = LE_READ_2(frm); 1532 if (w != RSN_VERSION) { 1533 IEEE80211_DISCARD_IE(ic, 1534 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1535 wh, "RSN", "bad version %u", w); 1536 return IEEE80211_REASON_IE_INVALID; 1537 } 1538 frm += 2, len -= 2; 1539 1540 /* multicast/group cipher */ 1541 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1542 if (w != rsn->rsn_mcastcipher) { 1543 IEEE80211_DISCARD_IE(ic, 1544 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1545 wh, "RSN", "mcast cipher mismatch; got %u, expected %u", 1546 w, rsn->rsn_mcastcipher); 1547 return IEEE80211_REASON_IE_INVALID; 1548 } 1549 frm += 4, len -= 4; 1550 1551 /* unicast ciphers */ 1552 n = LE_READ_2(frm); 1553 frm += 2, len -= 2; 1554 if (len < n*4+2) { 1555 IEEE80211_DISCARD_IE(ic, 1556 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1557 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1558 len, n); 1559 return IEEE80211_REASON_IE_INVALID; 1560 } 1561 w = 0; 1562 for (; n > 0; n--) { 1563 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1564 frm += 4, len -= 4; 1565 } 1566 w &= rsn->rsn_ucastcipherset; 1567 if (w == 0) { 1568 IEEE80211_DISCARD_IE(ic, 1569 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1570 wh, "RSN", "%s", "ucast cipher set empty"); 1571 return IEEE80211_REASON_IE_INVALID; 1572 } 1573 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1574 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1575 else 1576 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1577 1578 /* key management algorithms */ 1579 n = LE_READ_2(frm); 1580 frm += 2, len -= 2; 1581 if (len < n*4) { 1582 IEEE80211_DISCARD_IE(ic, 1583 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1584 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1585 len, n); 1586 return IEEE80211_REASON_IE_INVALID; 1587 } 1588 w = 0; 1589 for (; n > 0; n--) { 1590 w |= rsn_keymgmt(frm); 1591 frm += 4, len -= 4; 1592 } 1593 w &= rsn->rsn_keymgmtset; 1594 if (w == 0) { 1595 IEEE80211_DISCARD_IE(ic, 1596 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1597 wh, "RSN", "%s", "no acceptable key mgmt alg"); 1598 return IEEE80211_REASON_IE_INVALID; 1599 } 1600 if (w & RSN_ASE_8021X_UNSPEC) 1601 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1602 else 1603 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1604 1605 /* optional RSN capabilities */ 1606 if (len > 2) 1607 rsn->rsn_caps = LE_READ_2(frm); 1608 /* XXXPMKID */ 1609 1610 return 0; 1611 } 1612 1613 static int 1614 ieee80211_parse_wmeparams(struct ieee80211com *ic, u_int8_t *frm, 1615 const struct ieee80211_frame *wh) 1616 { 1617 #define MS(_v, _f) (((_v) & _f) >> _f##_S) 1618 struct ieee80211_wme_state *wme = &ic->ic_wme; 1619 u_int len = frm[1], qosinfo; 1620 int i; 1621 1622 if (len < sizeof(struct ieee80211_wme_param)-2) { 1623 IEEE80211_DISCARD_IE(ic, 1624 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1625 wh, "WME", "too short, len %u", len); 1626 return -1; 1627 } 1628 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1629 qosinfo &= WME_QOSINFO_COUNT; 1630 /* XXX do proper check for wraparound */ 1631 if (qosinfo == wme->wme_wmeChanParams.cap_info) 1632 return 0; 1633 frm += __offsetof(struct ieee80211_wme_param, params_acParams); 1634 for (i = 0; i < WME_NUM_AC; i++) { 1635 struct wmeParams *wmep = 1636 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1637 /* NB: ACI not used */ 1638 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1639 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1640 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1641 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1642 wmep->wmep_txopLimit = LE_READ_2(frm+2); 1643 frm += 4; 1644 } 1645 wme->wme_wmeChanParams.cap_info = qosinfo; 1646 return 1; 1647 #undef MS 1648 } 1649 1650 static void 1651 ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie) 1652 { 1653 u_int ielen = ie[1]+2; 1654 /* 1655 * Record information element for later use. 1656 */ 1657 if (*iep == NULL || (*iep)[1] != ie[1]) { 1658 if (*iep != NULL) 1659 FREE(*iep, M_DEVBUF); 1660 MALLOC(*iep, void*, ielen, M_DEVBUF, M_NOWAIT); 1661 } 1662 if (*iep != NULL) 1663 memcpy(*iep, ie, ielen); 1664 /* XXX note failure */ 1665 } 1666 1667 #ifdef IEEE80211_DEBUG 1668 static void 1669 dump_probe_beacon(u_int8_t subtype, int isnew, 1670 const u_int8_t mac[IEEE80211_ADDR_LEN], 1671 u_int8_t chan, u_int8_t bchan, u_int16_t capinfo, u_int16_t bintval, 1672 u_int8_t erp, u_int8_t *ssid, u_int8_t *country) 1673 { 1674 printf("[%s] %s%s on chan %u (bss chan %u) ", 1675 ether_sprintf(mac), isnew ? "new " : "", 1676 ieee80211_mgt_subtype_name[subtype >> IEEE80211_FC0_SUBTYPE_SHIFT], 1677 chan, bchan); 1678 ieee80211_print_essid(ssid + 2, ssid[1]); 1679 printf("\n"); 1680 1681 if (isnew) { 1682 printf("[%s] caps 0x%x bintval %u erp 0x%x", 1683 ether_sprintf(mac), capinfo, bintval, erp); 1684 if (country) { 1685 #ifdef __FreeBSD__ 1686 printf(" country info %*D", country[1], country+2, " "); 1687 #else 1688 int i; 1689 printf(" country info"); 1690 for (i = 0; i < country[1]; i++) 1691 printf(" %02x", country[i+2]); 1692 #endif 1693 } 1694 printf("\n"); 1695 } 1696 } 1697 #endif /* IEEE80211_DEBUG */ 1698 1699 void 1700 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 1701 struct ieee80211_node *ni, 1702 int subtype, int rssi, u_int32_t rstamp) 1703 { 1704 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 1705 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 1706 struct ieee80211_frame *wh; 1707 u_int8_t *frm, *efrm; 1708 u_int8_t *ssid, *rates, *xrates, *wpa, *wme; 1709 int reassoc, resp, allocbs; 1710 u_int8_t rate; 1711 1712 wh = mtod(m0, struct ieee80211_frame *); 1713 frm = (u_int8_t *)&wh[1]; 1714 efrm = mtod(m0, u_int8_t *) + m0->m_len; 1715 switch (subtype) { 1716 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1717 case IEEE80211_FC0_SUBTYPE_BEACON: { 1718 u_int8_t *tstamp, *country, *tim; 1719 u_int8_t chan, bchan, fhindex, erp; 1720 u_int16_t capinfo, bintval, timoff; 1721 u_int16_t fhdwell; 1722 1723 /* 1724 * We process beacon/probe response frames: 1725 * o when scanning, or 1726 * o station mode when associated (to collect state 1727 * updates such as 802.11g slot time), or 1728 * o adhoc mode (to discover neighbors) 1729 * Frames otherwise received are discarded. 1730 */ 1731 if (!((ic->ic_flags & IEEE80211_F_SCAN) || 1732 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) || 1733 ic->ic_opmode == IEEE80211_M_IBSS)) { 1734 ic->ic_stats.is_rx_mgtdiscard++; 1735 return; 1736 } 1737 /* 1738 * beacon/probe response frame format 1739 * [8] time stamp 1740 * [2] beacon interval 1741 * [2] capability information 1742 * [tlv] ssid 1743 * [tlv] supported rates 1744 * [tlv] country information 1745 * [tlv] parameter set (FH/DS) 1746 * [tlv] erp information 1747 * [tlv] extended supported rates 1748 * [tlv] WME 1749 * [tlv] WPA or RSN 1750 */ 1751 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 1752 tstamp = frm; frm += 8; 1753 bintval = le16toh(*(u_int16_t *)frm); frm += 2; 1754 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 1755 ssid = rates = xrates = country = wpa = wme = tim = NULL; 1756 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1757 chan = bchan; 1758 fhdwell = 0; 1759 fhindex = 0; 1760 erp = 0; 1761 timoff = 0; 1762 while (frm < efrm) { 1763 switch (*frm) { 1764 case IEEE80211_ELEMID_SSID: 1765 ssid = frm; 1766 break; 1767 case IEEE80211_ELEMID_RATES: 1768 rates = frm; 1769 break; 1770 case IEEE80211_ELEMID_COUNTRY: 1771 country = frm; 1772 break; 1773 case IEEE80211_ELEMID_FHPARMS: 1774 if (ic->ic_phytype == IEEE80211_T_FH) { 1775 fhdwell = LE_READ_2(&frm[2]); 1776 chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1777 fhindex = frm[6]; 1778 } 1779 break; 1780 case IEEE80211_ELEMID_DSPARMS: 1781 /* 1782 * XXX hack this since depending on phytype 1783 * is problematic for multi-mode devices. 1784 */ 1785 if (ic->ic_phytype != IEEE80211_T_FH) 1786 chan = frm[2]; 1787 break; 1788 case IEEE80211_ELEMID_TIM: 1789 /* XXX ATIM? */ 1790 tim = frm; 1791 timoff = frm - mtod(m0, u_int8_t *); 1792 break; 1793 case IEEE80211_ELEMID_IBSSPARMS: 1794 break; 1795 case IEEE80211_ELEMID_XRATES: 1796 xrates = frm; 1797 break; 1798 case IEEE80211_ELEMID_ERP: 1799 if (frm[1] != 1) { 1800 IEEE80211_DISCARD_IE(ic, 1801 IEEE80211_MSG_ELEMID, wh, "ERP", 1802 "bad len %u", frm[1]); 1803 ic->ic_stats.is_rx_elem_toobig++; 1804 break; 1805 } 1806 erp = frm[2]; 1807 break; 1808 case IEEE80211_ELEMID_RSN: 1809 wpa = frm; 1810 break; 1811 case IEEE80211_ELEMID_VENDOR: 1812 if (iswpaoui(frm)) 1813 wpa = frm; 1814 else if (iswmeparam(frm) || iswmeinfo(frm)) 1815 wme = frm; 1816 /* XXX Atheros OUI support */ 1817 break; 1818 default: 1819 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 1820 wh, "unhandled", 1821 "id %u, len %u", *frm, frm[1]); 1822 ic->ic_stats.is_rx_elem_unknown++; 1823 break; 1824 } 1825 frm += frm[1] + 2; 1826 } 1827 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1828 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1829 if ( 1830 #if IEEE80211_CHAN_MAX < 255 1831 chan > IEEE80211_CHAN_MAX || 1832 #endif 1833 isclr(ic->ic_chan_active, chan)) { 1834 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, 1835 wh, ieee80211_mgt_subtype_name[subtype >> 1836 IEEE80211_FC0_SUBTYPE_SHIFT], 1837 "invalid channel %u", chan); 1838 ic->ic_stats.is_rx_badchan++; 1839 return; 1840 } 1841 if (chan != bchan && ic->ic_phytype != IEEE80211_T_FH) { 1842 /* 1843 * Frame was received on a channel different from the 1844 * one indicated in the DS params element id; 1845 * silently discard it. 1846 * 1847 * NB: this can happen due to signal leakage. 1848 * But we should take it for FH phy because 1849 * the rssi value should be correct even for 1850 * different hop pattern in FH. 1851 */ 1852 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, 1853 wh, ieee80211_mgt_subtype_name[subtype >> 1854 IEEE80211_FC0_SUBTYPE_SHIFT], 1855 "for off-channel %u", chan); 1856 ic->ic_stats.is_rx_chanmismatch++; 1857 return; 1858 } 1859 1860 /* 1861 * Count frame now that we know it's to be processed. 1862 */ 1863 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1864 ic->ic_stats.is_rx_beacon++; /* XXX remove */ 1865 IEEE80211_NODE_STAT(ni, rx_beacons); 1866 } else 1867 IEEE80211_NODE_STAT(ni, rx_proberesp); 1868 1869 /* 1870 * When operating in station mode, check for state updates. 1871 * Be careful to ignore beacons received while doing a 1872 * background scan. We consider only 11g/WMM stuff right now. 1873 */ 1874 if (ic->ic_opmode == IEEE80211_M_STA && 1875 ni->ni_associd != 0 && 1876 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 1877 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 1878 /* record tsf of last beacon */ 1879 memcpy(ni->ni_tstamp.data, tstamp, 1880 sizeof(ni->ni_tstamp)); 1881 if (ni->ni_erp != erp) { 1882 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1883 "[%s] erp change: was 0x%x, now 0x%x\n", 1884 ether_sprintf(wh->i_addr2), 1885 ni->ni_erp, erp); 1886 if (ic->ic_curmode == IEEE80211_MODE_11G && 1887 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 1888 ic->ic_flags |= IEEE80211_F_USEPROT; 1889 else 1890 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1891 ni->ni_erp = erp; 1892 /* XXX statistic */ 1893 } 1894 if ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1895 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1896 "[%s] capabilities change: before 0x%x," 1897 " now 0x%x\n", 1898 ether_sprintf(wh->i_addr2), 1899 ni->ni_capinfo, capinfo); 1900 /* 1901 * NB: we assume short preamble doesn't 1902 * change dynamically 1903 */ 1904 ieee80211_set_shortslottime(ic, 1905 ic->ic_curmode == IEEE80211_MODE_11A || 1906 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1907 ni->ni_capinfo = capinfo; 1908 /* XXX statistic */ 1909 } 1910 if (wme != NULL && 1911 (ni->ni_flags & IEEE80211_NODE_QOS) && 1912 ieee80211_parse_wmeparams(ic, wme, wh) > 0) 1913 ieee80211_wme_updateparams(ic); 1914 if (tim != NULL) { 1915 struct ieee80211_tim_ie *ie = 1916 (struct ieee80211_tim_ie *) tim; 1917 1918 ni->ni_dtim_count = ie->tim_count; 1919 ni->ni_dtim_period = ie->tim_period; 1920 } 1921 /* NB: don't need the rest of this */ 1922 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) 1923 return; 1924 } 1925 1926 if (ni == ic->ic_bss && 1927 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 1928 #ifdef IEEE80211_DEBUG 1929 if (ieee80211_msg_scan(ic)) 1930 dump_probe_beacon(subtype, 1, 1931 wh->i_addr2, chan, bchan, capinfo, 1932 bintval, erp, ssid, country); 1933 #endif 1934 /* 1935 * Create a new entry. If scanning the entry goes 1936 * in the scan cache. Otherwise, be particular when 1937 * operating in adhoc mode--only take nodes marked 1938 * as ibss participants so we don't populate our 1939 * neighbor table with unintersting sta's. 1940 */ 1941 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1942 if ((capinfo & IEEE80211_CAPINFO_IBSS) == 0) 1943 return; 1944 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 1945 wh->i_addr2); 1946 } else 1947 ni = ieee80211_dup_bss(&ic->ic_scan, wh->i_addr2); 1948 if (ni == NULL) 1949 return; 1950 ni->ni_esslen = ssid[1]; 1951 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1952 memcpy(ni->ni_essid, ssid + 2, ssid[1]); 1953 } else if (ssid[1] != 0 && 1954 (ISPROBE(subtype) || ni->ni_esslen == 0)) { 1955 /* 1956 * Update ESSID at probe response to adopt 1957 * hidden AP by Lucent/Cisco, which announces 1958 * null ESSID in beacon. 1959 */ 1960 #ifdef IEEE80211_DEBUG 1961 if (ieee80211_msg_scan(ic) || 1962 ieee80211_msg_debug(ic)) 1963 dump_probe_beacon(subtype, 0, 1964 wh->i_addr2, chan, bchan, capinfo, 1965 bintval, erp, ssid, country); 1966 #endif 1967 ni->ni_esslen = ssid[1]; 1968 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1969 memcpy(ni->ni_essid, ssid + 2, ssid[1]); 1970 } 1971 ni->ni_scangen = ic->ic_scan.nt_scangen; 1972 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1973 ni->ni_rssi = rssi; 1974 ni->ni_rstamp = rstamp; 1975 memcpy(ni->ni_tstamp.data, tstamp, sizeof(ni->ni_tstamp)); 1976 ni->ni_intval = bintval; 1977 ni->ni_capinfo = capinfo; 1978 ni->ni_chan = &ic->ic_channels[chan]; 1979 ni->ni_fhdwell = fhdwell; 1980 ni->ni_fhindex = fhindex; 1981 ni->ni_erp = erp; 1982 if (tim != NULL) { 1983 struct ieee80211_tim_ie *ie = 1984 (struct ieee80211_tim_ie *) tim; 1985 1986 ni->ni_dtim_count = ie->tim_count; 1987 ni->ni_dtim_period = ie->tim_period; 1988 } 1989 /* 1990 * Record the byte offset from the mac header to 1991 * the start of the TIM information element for 1992 * use by hardware and/or to speedup software 1993 * processing of beacon frames. 1994 */ 1995 ni->ni_timoff = timoff; 1996 /* 1997 * Record optional information elements that might be 1998 * used by applications or drivers. 1999 */ 2000 if (wme != NULL) 2001 ieee80211_saveie(&ni->ni_wme_ie, wme); 2002 if (wpa != NULL) 2003 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2004 /* NB: must be after ni_chan is setup */ 2005 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 2006 break; 2007 } 2008 2009 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2010 if (ic->ic_opmode == IEEE80211_M_STA || 2011 ic->ic_state != IEEE80211_S_RUN) { 2012 ic->ic_stats.is_rx_mgtdiscard++; 2013 return; 2014 } 2015 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 2016 /* frame must be directed */ 2017 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */ 2018 return; 2019 } 2020 2021 /* 2022 * prreq frame format 2023 * [tlv] ssid 2024 * [tlv] supported rates 2025 * [tlv] extended supported rates 2026 */ 2027 ssid = rates = xrates = NULL; 2028 while (frm < efrm) { 2029 switch (*frm) { 2030 case IEEE80211_ELEMID_SSID: 2031 ssid = frm; 2032 break; 2033 case IEEE80211_ELEMID_RATES: 2034 rates = frm; 2035 break; 2036 case IEEE80211_ELEMID_XRATES: 2037 xrates = frm; 2038 break; 2039 } 2040 frm += frm[1] + 2; 2041 } 2042 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2043 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2044 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2045 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 2046 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 2047 wh, ieee80211_mgt_subtype_name[subtype >> 2048 IEEE80211_FC0_SUBTYPE_SHIFT], 2049 "%s", "no ssid with ssid suppression enabled"); 2050 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/ 2051 return; 2052 } 2053 2054 if (ni == ic->ic_bss) { 2055 if (ic->ic_opmode == IEEE80211_M_IBSS) { 2056 /* 2057 * XXX Cannot tell if the sender is operating 2058 * in ibss mode. But we need a new node to 2059 * send the response so blindly add them to the 2060 * neighbor table. 2061 */ 2062 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2063 wh->i_addr2); 2064 } else 2065 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 2066 if (ni == NULL) 2067 return; 2068 allocbs = 1; 2069 } else 2070 allocbs = 0; 2071 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2072 "[%s] recv probe req\n", ether_sprintf(wh->i_addr2)); 2073 ni->ni_rssi = rssi; 2074 ni->ni_rstamp = rstamp; 2075 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2076 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE 2077 | IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2078 if (rate & IEEE80211_RATE_BASIC) { 2079 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE, 2080 wh, ieee80211_mgt_subtype_name[subtype >> 2081 IEEE80211_FC0_SUBTYPE_SHIFT], 2082 "%s", "recv'd rate set invalid"); 2083 } else { 2084 IEEE80211_SEND_MGMT(ic, ni, 2085 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2086 } 2087 if (allocbs && ic->ic_opmode != IEEE80211_M_IBSS) { 2088 /* reclaim immediately */ 2089 ieee80211_free_node(ni); 2090 } 2091 break; 2092 2093 case IEEE80211_FC0_SUBTYPE_AUTH: { 2094 u_int16_t algo, seq, status; 2095 /* 2096 * auth frame format 2097 * [2] algorithm 2098 * [2] sequence 2099 * [2] status 2100 * [tlv*] challenge 2101 */ 2102 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2103 algo = le16toh(*(u_int16_t *)frm); 2104 seq = le16toh(*(u_int16_t *)(frm + 2)); 2105 status = le16toh(*(u_int16_t *)(frm + 4)); 2106 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2107 "[%s] recv auth frame with algorithm %d seq %d\n", 2108 ether_sprintf(wh->i_addr2), algo, seq); 2109 /* 2110 * Consult the ACL policy module if setup. 2111 */ 2112 if (ic->ic_acl != NULL && 2113 !ic->ic_acl->iac_check(ic, wh->i_addr2)) { 2114 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL, 2115 wh, "auth", "%s", "disallowed by ACL"); 2116 ic->ic_stats.is_rx_acl++; 2117 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2118 IEEE80211_SEND_MGMT(ic, ni, 2119 IEEE80211_FC0_SUBTYPE_AUTH, 2120 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2121 } 2122 return; 2123 } 2124 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 2125 IEEE80211_DISCARD(ic, 2126 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2127 wh, "auth", "%s", "TKIP countermeasures enabled"); 2128 ic->ic_stats.is_rx_auth_countermeasures++; 2129 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2130 IEEE80211_SEND_MGMT(ic, ni, 2131 IEEE80211_FC0_SUBTYPE_AUTH, 2132 IEEE80211_REASON_MIC_FAILURE); 2133 } 2134 return; 2135 } 2136 if (algo == IEEE80211_AUTH_ALG_SHARED) 2137 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 2138 rstamp, seq, status); 2139 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2140 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 2141 status); 2142 else { 2143 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2144 wh, "auth", "unsupported alg %d", algo); 2145 ic->ic_stats.is_rx_auth_unsupported++; 2146 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2147 /* XXX not right */ 2148 IEEE80211_SEND_MGMT(ic, ni, 2149 IEEE80211_FC0_SUBTYPE_AUTH, 2150 (seq+1) | (IEEE80211_STATUS_ALG<<16)); 2151 } 2152 return; 2153 } 2154 break; 2155 } 2156 2157 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2158 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2159 u_int16_t capinfo, bintval; 2160 struct ieee80211_rsnparms rsn; 2161 u_int8_t reason; 2162 2163 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2164 ic->ic_state != IEEE80211_S_RUN) { 2165 ic->ic_stats.is_rx_mgtdiscard++; 2166 return; 2167 } 2168 2169 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2170 reassoc = 1; 2171 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2172 } else { 2173 reassoc = 0; 2174 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2175 } 2176 /* 2177 * asreq frame format 2178 * [2] capability information 2179 * [2] listen interval 2180 * [6*] current AP address (reassoc only) 2181 * [tlv] ssid 2182 * [tlv] supported rates 2183 * [tlv] extended supported rates 2184 * [tlv] WPA or RSN 2185 */ 2186 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 2187 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2188 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2189 wh, ieee80211_mgt_subtype_name[subtype >> 2190 IEEE80211_FC0_SUBTYPE_SHIFT], 2191 "%s", "wrong bssid"); 2192 ic->ic_stats.is_rx_assoc_bss++; 2193 return; 2194 } 2195 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 2196 bintval = le16toh(*(u_int16_t *)frm); frm += 2; 2197 if (reassoc) 2198 frm += 6; /* ignore current AP info */ 2199 ssid = rates = xrates = wpa = wme = NULL; 2200 while (frm < efrm) { 2201 switch (*frm) { 2202 case IEEE80211_ELEMID_SSID: 2203 ssid = frm; 2204 break; 2205 case IEEE80211_ELEMID_RATES: 2206 rates = frm; 2207 break; 2208 case IEEE80211_ELEMID_XRATES: 2209 xrates = frm; 2210 break; 2211 /* XXX verify only one of RSN and WPA ie's? */ 2212 case IEEE80211_ELEMID_RSN: 2213 wpa = frm; 2214 break; 2215 case IEEE80211_ELEMID_VENDOR: 2216 if (iswpaoui(frm)) { 2217 if (ic->ic_flags & IEEE80211_F_WPA1) 2218 wpa = frm; 2219 } else if (iswmeinfo(frm)) 2220 wme = frm; 2221 /* XXX Atheros OUI support */ 2222 break; 2223 } 2224 frm += frm[1] + 2; 2225 } 2226 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2227 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2228 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2229 2230 if (ni == ic->ic_bss) { 2231 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2232 "[%s] deny %s request, sta not authenticated\n", 2233 ether_sprintf(wh->i_addr2), 2234 reassoc ? "reassoc" : "assoc"); 2235 ieee80211_send_error(ic, ni, wh->i_addr2, 2236 IEEE80211_FC0_SUBTYPE_DEAUTH, 2237 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2238 ic->ic_stats.is_rx_assoc_notauth++; 2239 return; 2240 } 2241 /* assert right associstion security credentials */ 2242 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) { 2243 IEEE80211_DPRINTF(ic, 2244 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2245 "[%s] no WPA/RSN IE in association request\n", 2246 ether_sprintf(wh->i_addr2)); 2247 IEEE80211_SEND_MGMT(ic, ni, 2248 IEEE80211_FC0_SUBTYPE_DEAUTH, 2249 IEEE80211_REASON_RSN_REQUIRED); 2250 ieee80211_node_leave(ic, ni); 2251 /* XXX distinguish WPA/RSN? */ 2252 ic->ic_stats.is_rx_assoc_badwpaie++; 2253 return; 2254 } 2255 if (wpa != NULL) { 2256 /* 2257 * Parse WPA information element. Note that 2258 * we initialize the param block from the node 2259 * state so that information in the IE overrides 2260 * our defaults. The resulting parameters are 2261 * installed below after the association is assured. 2262 */ 2263 rsn = ni->ni_rsn; 2264 if (wpa[0] != IEEE80211_ELEMID_RSN) 2265 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh); 2266 else 2267 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh); 2268 if (reason != 0) { 2269 IEEE80211_SEND_MGMT(ic, ni, 2270 IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 2271 ieee80211_node_leave(ic, ni); 2272 /* XXX distinguish WPA/RSN? */ 2273 ic->ic_stats.is_rx_assoc_badwpaie++; 2274 return; 2275 } 2276 IEEE80211_DPRINTF(ic, 2277 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2278 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n", 2279 ether_sprintf(wh->i_addr2), 2280 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN", 2281 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen, 2282 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen, 2283 rsn.rsn_keymgmt, rsn.rsn_caps); 2284 } 2285 /* discard challenge after association */ 2286 if (ni->ni_challenge != NULL) { 2287 FREE(ni->ni_challenge, M_DEVBUF); 2288 ni->ni_challenge = NULL; 2289 } 2290 /* NB: 802.11 spec says to ignore station's privacy bit */ 2291 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2292 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2293 "[%s] deny %s request, capability mismatch 0x%x\n", 2294 ether_sprintf(wh->i_addr2), 2295 reassoc ? "reassoc" : "assoc", capinfo); 2296 IEEE80211_SEND_MGMT(ic, ni, resp, 2297 IEEE80211_STATUS_CAPINFO); 2298 ieee80211_node_leave(ic, ni); 2299 ic->ic_stats.is_rx_assoc_capmismatch++; 2300 return; 2301 } 2302 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2303 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2304 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2305 /* 2306 * If constrained to 11g-only stations reject an 2307 * 11b-only station. We cheat a bit here by looking 2308 * at the max negotiated xmit rate and assuming anyone 2309 * with a best rate <24Mb/s is an 11b station. 2310 */ 2311 if ((rate & IEEE80211_RATE_BASIC) || 2312 ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48)) { 2313 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2314 "[%s] deny %s request, rate set mismatch\n", 2315 ether_sprintf(wh->i_addr2), 2316 reassoc ? "reassoc" : "assoc"); 2317 IEEE80211_SEND_MGMT(ic, ni, resp, 2318 IEEE80211_STATUS_BASIC_RATE); 2319 ieee80211_node_leave(ic, ni); 2320 ic->ic_stats.is_rx_assoc_norate++; 2321 return; 2322 } 2323 ni->ni_rssi = rssi; 2324 ni->ni_rstamp = rstamp; 2325 ni->ni_intval = bintval; 2326 ni->ni_capinfo = capinfo; 2327 ni->ni_chan = ic->ic_bss->ni_chan; 2328 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 2329 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 2330 if (wpa != NULL) { 2331 /* 2332 * Record WPA/RSN parameters for station, mark 2333 * node as using WPA and record information element 2334 * for applications that require it. 2335 */ 2336 ni->ni_rsn = rsn; 2337 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2338 } else if (ni->ni_wpa_ie != NULL) { 2339 /* 2340 * Flush any state from a previous association. 2341 */ 2342 FREE(ni->ni_wpa_ie, M_DEVBUF); 2343 ni->ni_wpa_ie = NULL; 2344 } 2345 if (wme != NULL) { 2346 /* 2347 * Record WME parameters for station, mark node 2348 * as capable of QoS and record information 2349 * element for applications that require it. 2350 */ 2351 ieee80211_saveie(&ni->ni_wme_ie, wme); 2352 ni->ni_flags |= IEEE80211_NODE_QOS; 2353 } else if (ni->ni_wme_ie != NULL) { 2354 /* 2355 * Flush any state from a previous association. 2356 */ 2357 FREE(ni->ni_wme_ie, M_DEVBUF); 2358 ni->ni_wme_ie = NULL; 2359 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2360 } 2361 ieee80211_node_join(ic, ni, resp); 2362 break; 2363 } 2364 2365 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2366 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 2367 u_int16_t capinfo, associd; 2368 u_int16_t status; 2369 2370 if (ic->ic_opmode != IEEE80211_M_STA || 2371 ic->ic_state != IEEE80211_S_ASSOC) { 2372 ic->ic_stats.is_rx_mgtdiscard++; 2373 return; 2374 } 2375 2376 /* 2377 * asresp frame format 2378 * [2] capability information 2379 * [2] status 2380 * [2] association ID 2381 * [tlv] supported rates 2382 * [tlv] extended supported rates 2383 * [tlv] WME 2384 */ 2385 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2386 ni = ic->ic_bss; 2387 capinfo = le16toh(*(u_int16_t *)frm); 2388 frm += 2; 2389 status = le16toh(*(u_int16_t *)frm); 2390 frm += 2; 2391 if (status != 0) { 2392 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2393 "[%s] %sassoc failed (reason %d)\n", 2394 ether_sprintf(wh->i_addr2), 2395 ISREASSOC(subtype) ? "re" : "", status); 2396 if (ni != ic->ic_bss) /* XXX never true? */ 2397 ni->ni_fails++; 2398 ic->ic_stats.is_rx_auth_fail++; /* XXX */ 2399 return; 2400 } 2401 associd = le16toh(*(u_int16_t *)frm); 2402 frm += 2; 2403 2404 rates = xrates = wpa = wme = NULL; 2405 while (frm < efrm) { 2406 switch (*frm) { 2407 case IEEE80211_ELEMID_RATES: 2408 rates = frm; 2409 break; 2410 case IEEE80211_ELEMID_XRATES: 2411 xrates = frm; 2412 break; 2413 case IEEE80211_ELEMID_VENDOR: 2414 if (iswmeoui(frm)) 2415 wme = frm; 2416 /* XXX Atheros OUI support */ 2417 break; 2418 } 2419 frm += frm[1] + 2; 2420 } 2421 2422 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2423 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2424 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2425 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2426 if (rate & IEEE80211_RATE_BASIC) { 2427 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2428 "[%s] %sassoc failed (rate set mismatch)\n", 2429 ether_sprintf(wh->i_addr2), 2430 ISREASSOC(subtype) ? "re" : ""); 2431 if (ni != ic->ic_bss) /* XXX never true? */ 2432 ni->ni_fails++; 2433 ic->ic_stats.is_rx_assoc_norate++; 2434 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 2435 return; 2436 } 2437 2438 ni->ni_capinfo = capinfo; 2439 ni->ni_associd = associd; 2440 if (wme != NULL && 2441 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) { 2442 ni->ni_flags |= IEEE80211_NODE_QOS; 2443 ieee80211_wme_updateparams(ic); 2444 } else 2445 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2446 /* 2447 * Configure state now that we are associated. 2448 * 2449 * XXX may need different/additional driver callbacks? 2450 */ 2451 if (ic->ic_curmode == IEEE80211_MODE_11A || 2452 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { 2453 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2454 ic->ic_flags &= ~IEEE80211_F_USEBARKER; 2455 } else { 2456 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2457 ic->ic_flags |= IEEE80211_F_USEBARKER; 2458 } 2459 ieee80211_set_shortslottime(ic, 2460 ic->ic_curmode == IEEE80211_MODE_11A || 2461 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2462 /* 2463 * Honor ERP protection. 2464 * 2465 * NB: ni_erp should zero for non-11g operation. 2466 * XXX check ic_curmode anyway? 2467 */ 2468 if (ic->ic_curmode == IEEE80211_MODE_11G && 2469 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2470 ic->ic_flags |= IEEE80211_F_USEPROT; 2471 else 2472 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2473 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2474 "[%s] %sassoc success: %s preamble, %s slot time%s%s\n", 2475 ether_sprintf(wh->i_addr2), 2476 ISREASSOC(subtype) ? "re" : "", 2477 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 2478 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 2479 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 2480 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "" 2481 ); 2482 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype); 2483 break; 2484 } 2485 2486 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 2487 u_int16_t reason; 2488 2489 if (ic->ic_state == IEEE80211_S_SCAN) { 2490 ic->ic_stats.is_rx_mgtdiscard++; 2491 return; 2492 } 2493 /* 2494 * deauth frame format 2495 * [2] reason 2496 */ 2497 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2498 reason = le16toh(*(u_int16_t *)frm); 2499 ic->ic_stats.is_rx_deauth++; 2500 IEEE80211_NODE_STAT(ni, rx_deauth); 2501 2502 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2503 "[%s] recv deauthenticate (reason %d)\n", 2504 ether_sprintf(ni->ni_macaddr), reason); 2505 switch (ic->ic_opmode) { 2506 case IEEE80211_M_STA: 2507 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2508 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2509 break; 2510 case IEEE80211_M_HOSTAP: 2511 if (ni != ic->ic_bss) 2512 ieee80211_node_leave(ic, ni); 2513 break; 2514 default: 2515 ic->ic_stats.is_rx_mgtdiscard++; 2516 break; 2517 } 2518 break; 2519 } 2520 2521 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2522 u_int16_t reason; 2523 2524 if (ic->ic_state != IEEE80211_S_RUN && 2525 ic->ic_state != IEEE80211_S_ASSOC && 2526 ic->ic_state != IEEE80211_S_AUTH) { 2527 ic->ic_stats.is_rx_mgtdiscard++; 2528 return; 2529 } 2530 /* 2531 * disassoc frame format 2532 * [2] reason 2533 */ 2534 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2535 reason = le16toh(*(u_int16_t *)frm); 2536 ic->ic_stats.is_rx_disassoc++; 2537 IEEE80211_NODE_STAT(ni, rx_disassoc); 2538 2539 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2540 "[%s] recv disassociated (reason %d)\n", 2541 ether_sprintf(ni->ni_macaddr), reason); 2542 switch (ic->ic_opmode) { 2543 case IEEE80211_M_STA: 2544 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2545 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2546 break; 2547 case IEEE80211_M_HOSTAP: 2548 if (ni != ic->ic_bss) 2549 ieee80211_node_leave(ic, ni); 2550 break; 2551 default: 2552 ic->ic_stats.is_rx_mgtdiscard++; 2553 break; 2554 } 2555 break; 2556 } 2557 default: 2558 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2559 wh, "mgt", "subtype 0x%x not handled", subtype); 2560 ic->ic_stats.is_rx_badsubtype++; 2561 break; 2562 } 2563 #undef ISREASSOC 2564 #undef ISPROBE 2565 } 2566 #undef IEEE80211_VERIFY_LENGTH 2567 #undef IEEE80211_VERIFY_ELEMENT 2568 2569 /* 2570 * Handle station power-save state change. 2571 */ 2572 static void 2573 ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable) 2574 { 2575 struct ieee80211com *ic = ni->ni_ic; 2576 struct mbuf *m; 2577 2578 if (enable) { 2579 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0) 2580 ic->ic_ps_sta++; 2581 ni->ni_flags |= IEEE80211_NODE_PWR_MGT; 2582 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2583 "[%s] power save mode on, %u sta's in ps mode\n", 2584 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta); 2585 return; 2586 } 2587 2588 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT) 2589 ic->ic_ps_sta--; 2590 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT; 2591 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2592 "[%s] power save mode off, %u sta's in ps mode\n", 2593 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta); 2594 /* XXX if no stations in ps mode, flush mc frames */ 2595 2596 /* 2597 * Flush queued unicast frames. 2598 */ 2599 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) { 2600 if (ic->ic_set_tim != NULL) 2601 ic->ic_set_tim(ic, ni, 0); /* just in case */ 2602 return; 2603 } 2604 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2605 "[%s] flush ps queue, %u packets queued\n", 2606 ether_sprintf(ni->ni_macaddr), IEEE80211_NODE_SAVEQ_QLEN(ni)); 2607 for (;;) { 2608 int qlen; 2609 2610 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2611 if (m == NULL) 2612 break; 2613 /* 2614 * If this is the last packet, turn off the TIM bit. 2615 * If there are more packets, set the more packets bit 2616 * in the mbuf so ieee80211_encap will mark the 802.11 2617 * head to indicate more data frames will follow. 2618 */ 2619 if (qlen != 0) 2620 m->m_flags |= M_MORE_DATA; 2621 /* XXX need different driver interface */ 2622 /* XXX bypasses q max */ 2623 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2624 } 2625 if (ic->ic_set_tim != NULL) 2626 ic->ic_set_tim(ic, ni, 0); 2627 } 2628 2629 /* 2630 * Process a received ps-poll frame. 2631 */ 2632 static void 2633 ieee80211_recv_pspoll(struct ieee80211com *ic, 2634 struct ieee80211_node *ni, struct mbuf *m0) 2635 { 2636 struct ieee80211_frame_min *wh; 2637 struct mbuf *m; 2638 u_int16_t aid; 2639 int qlen; 2640 2641 wh = mtod(m0, struct ieee80211_frame_min *); 2642 if (ni->ni_associd == 0) { 2643 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2644 (struct ieee80211_frame *) wh, "ps-poll", 2645 "%s", "unassociated station"); 2646 ic->ic_stats.is_ps_unassoc++; 2647 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2648 IEEE80211_REASON_NOT_ASSOCED); 2649 return; 2650 } 2651 2652 aid = le16toh(*(u_int16_t *)wh->i_dur); 2653 if (aid != ni->ni_associd) { 2654 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2655 (struct ieee80211_frame *) wh, "ps-poll", 2656 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2657 ni->ni_associd, aid); 2658 ic->ic_stats.is_ps_badaid++; 2659 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2660 IEEE80211_REASON_NOT_ASSOCED); 2661 return; 2662 } 2663 2664 /* Okay, take the first queued packet and put it out... */ 2665 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2666 if (m == NULL) { 2667 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2668 "[%s] recv ps-poll, but queue empty\n", 2669 ether_sprintf(wh->i_addr2)); 2670 ieee80211_send_nulldata(ic, ni); 2671 ic->ic_stats.is_ps_qempty++; /* XXX node stat */ 2672 if (ic->ic_set_tim != NULL) 2673 ic->ic_set_tim(ic, ni, 0); /* just in case */ 2674 return; 2675 } 2676 /* 2677 * If there are more packets, set the more packets bit 2678 * in the packet dispatched to the station; otherwise 2679 * turn off the TIM bit. 2680 */ 2681 if (qlen != 0) { 2682 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2683 "[%s] recv ps-poll, send packet, %u still queued\n", 2684 ether_sprintf(ni->ni_macaddr), qlen); 2685 m->m_flags |= M_MORE_DATA; 2686 } else { 2687 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2688 "[%s] recv ps-poll, send packet, queue empty\n", 2689 ether_sprintf(ni->ni_macaddr)); 2690 if (ic->ic_set_tim != NULL) 2691 ic->ic_set_tim(ic, ni, 0); 2692 } 2693 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2694 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2695 } 2696 2697 #ifdef IEEE80211_DEBUG 2698 /* 2699 * Debugging support. 2700 */ 2701 2702 /* 2703 * Return the bssid of a frame. 2704 */ 2705 static const u_int8_t * 2706 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh) 2707 { 2708 if (ic->ic_opmode == IEEE80211_M_STA) 2709 return wh->i_addr2; 2710 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS) 2711 return wh->i_addr1; 2712 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL) 2713 return wh->i_addr1; 2714 return wh->i_addr3; 2715 } 2716 2717 static void 2718 ieee80211_discard_frame(struct ieee80211com *ic, 2719 const struct ieee80211_frame *wh, 2720 const char *type, const char *fmt, ...) 2721 { 2722 va_list ap; 2723 2724 printf("[%s] discard ", ether_sprintf(ieee80211_getbssid(ic, wh))); 2725 if (type != NULL) 2726 printf("%s frame, ", type); 2727 else 2728 printf("frame, "); 2729 va_start(ap, fmt); 2730 vprintf(fmt, ap); 2731 va_end(ap); 2732 printf("\n"); 2733 } 2734 2735 static void 2736 ieee80211_discard_ie(struct ieee80211com *ic, 2737 const struct ieee80211_frame *wh, 2738 const char *type, const char *fmt, ...) 2739 { 2740 va_list ap; 2741 2742 printf("[%s] discard ", ether_sprintf(ieee80211_getbssid(ic, wh))); 2743 if (type != NULL) 2744 printf("%s information element, ", type); 2745 else 2746 printf("information element, "); 2747 va_start(ap, fmt); 2748 vprintf(fmt, ap); 2749 va_end(ap); 2750 printf("\n"); 2751 } 2752 2753 static void 2754 ieee80211_discard_mac(struct ieee80211com *ic, 2755 const u_int8_t mac[IEEE80211_ADDR_LEN], 2756 const char *type, const char *fmt, ...) 2757 { 2758 va_list ap; 2759 2760 printf("[%s] discard ", ether_sprintf(mac)); 2761 if (type != NULL) 2762 printf("%s frame, ", type); 2763 else 2764 printf("frame, "); 2765 va_start(ap, fmt); 2766 vprintf(fmt, ap); 2767 va_end(ap); 2768 printf("\n"); 2769 } 2770 #endif /* IEEE80211_DEBUG */ 2771