ieee80211_input.c revision 147788
1/*- 2 * Copyright (c) 2001 Atsushi Onoe 3 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. The name of the author may not be used to endorse or promote products 15 * derived from this software without specific prior written permission. 16 * 17 * Alternatively, this software may be distributed under the terms of the 18 * GNU General Public License ("GPL") version 2 as published by the Free 19 * Software Foundation. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33#include <sys/cdefs.h> 34__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_input.c 147788 2005-07-06 01:51:44Z sam $"); 35 36#include <sys/param.h> 37#include <sys/systm.h> 38#include <sys/mbuf.h> 39#include <sys/malloc.h> 40#include <sys/endian.h> 41#include <sys/kernel.h> 42 43#include <sys/socket.h> 44 45#include <net/if.h> 46#include <net/if_media.h> 47#include <net/ethernet.h> 48#include <net/if_llc.h> 49#include <net/if_vlan_var.h> 50 51#include <net80211/ieee80211_var.h> 52 53#include <net/bpf.h> 54 55#ifdef IEEE80211_DEBUG 56#include <machine/stdarg.h> 57 58/* 59 * Decide if a received management frame should be 60 * printed when debugging is enabled. This filters some 61 * of the less interesting frames that come frequently 62 * (e.g. beacons). 63 */ 64static __inline int 65doprint(struct ieee80211com *ic, int subtype) 66{ 67 switch (subtype) { 68 case IEEE80211_FC0_SUBTYPE_BEACON: 69 return (ic->ic_flags & IEEE80211_F_SCAN); 70 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 71 return (ic->ic_opmode == IEEE80211_M_IBSS); 72 } 73 return 1; 74} 75 76/* 77 * Emit a debug message about discarding a frame or information 78 * element. One format is for extracting the mac address from 79 * the frame header; the other is for when a header is not 80 * available or otherwise appropriate. 81 */ 82#define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \ 83 if ((_ic)->ic_debug & (_m)) \ 84 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 85} while (0) 86#define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \ 87 if ((_ic)->ic_debug & (_m)) \ 88 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 89} while (0) 90#define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \ 91 if ((_ic)->ic_debug & (_m)) \ 92 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\ 93} while (0) 94 95static const u_int8_t *ieee80211_getbssid(struct ieee80211com *, 96 const struct ieee80211_frame *); 97static void ieee80211_discard_frame(struct ieee80211com *, 98 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 99static void ieee80211_discard_ie(struct ieee80211com *, 100 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 101static void ieee80211_discard_mac(struct ieee80211com *, 102 const u_int8_t mac[IEEE80211_ADDR_LEN], const char *type, 103 const char *fmt, ...); 104#else 105#define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) 106#define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) 107#define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) 108#endif /* IEEE80211_DEBUG */ 109 110static struct mbuf *ieee80211_defrag(struct ieee80211com *, 111 struct ieee80211_node *, struct mbuf *, int); 112static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int); 113static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *, 114 const u_int8_t *mac, int subtype, int arg); 115static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable); 116static void ieee80211_recv_pspoll(struct ieee80211com *, 117 struct ieee80211_node *, struct mbuf *); 118 119/* 120 * Process a received frame. The node associated with the sender 121 * should be supplied. If nothing was found in the node table then 122 * the caller is assumed to supply a reference to ic_bss instead. 123 * The RSSI and a timestamp are also supplied. The RSSI data is used 124 * during AP scanning to select a AP to associate with; it can have 125 * any units so long as values have consistent units and higher values 126 * mean ``better signal''. The receive timestamp is currently not used 127 * by the 802.11 layer. 128 */ 129int 130ieee80211_input(struct ieee80211com *ic, struct mbuf *m, 131 struct ieee80211_node *ni, int rssi, u_int32_t rstamp) 132{ 133#define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 134#define HAS_SEQ(type) ((type & 0x4) == 0) 135 struct ifnet *ifp = ic->ic_ifp; 136 struct ieee80211_frame *wh; 137 struct ieee80211_key *key; 138 struct ether_header *eh; 139 int len, hdrspace; 140 u_int8_t dir, type, subtype; 141 u_int8_t *bssid; 142 u_int16_t rxseq; 143 144 KASSERT(ni != NULL, ("null node")); 145 ni->ni_inact = ni->ni_inact_reload; 146 147 /* trim CRC here so WEP can find its own CRC at the end of packet. */ 148 if (m->m_flags & M_HASFCS) { 149 m_adj(m, -IEEE80211_CRC_LEN); 150 m->m_flags &= ~M_HASFCS; 151 } 152 KASSERT(m->m_pkthdr.len >= sizeof(struct ieee80211_frame_min), 153 ("frame length too short: %u", m->m_pkthdr.len)); 154 155 type = -1; /* undefined */ 156 /* 157 * In monitor mode, send everything directly to bpf. 158 * XXX may want to include the CRC 159 */ 160 if (ic->ic_opmode == IEEE80211_M_MONITOR) 161 goto out; 162 163 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 164 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 165 ni->ni_macaddr, NULL, 166 "too short (1): len %u", m->m_pkthdr.len); 167 ic->ic_stats.is_rx_tooshort++; 168 goto out; 169 } 170 /* 171 * Bit of a cheat here, we use a pointer for a 3-address 172 * frame format but don't reference fields past outside 173 * ieee80211_frame_min w/o first validating the data is 174 * present. 175 */ 176 wh = mtod(m, struct ieee80211_frame *); 177 178 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 179 IEEE80211_FC0_VERSION_0) { 180 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 181 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 182 ic->ic_stats.is_rx_badversion++; 183 goto err; 184 } 185 186 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 187 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 188 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 189 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 190 switch (ic->ic_opmode) { 191 case IEEE80211_M_STA: 192 bssid = wh->i_addr2; 193 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 194 /* not interested in */ 195 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 196 bssid, NULL, "%s", "not to bss"); 197 ic->ic_stats.is_rx_wrongbss++; 198 goto out; 199 } 200 break; 201 case IEEE80211_M_IBSS: 202 case IEEE80211_M_AHDEMO: 203 case IEEE80211_M_HOSTAP: 204 if (dir != IEEE80211_FC1_DIR_NODS) 205 bssid = wh->i_addr1; 206 else if (type == IEEE80211_FC0_TYPE_CTL) 207 bssid = wh->i_addr1; 208 else { 209 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 210 IEEE80211_DISCARD_MAC(ic, 211 IEEE80211_MSG_ANY, ni->ni_macaddr, 212 NULL, "too short (2): len %u", 213 m->m_pkthdr.len); 214 ic->ic_stats.is_rx_tooshort++; 215 goto out; 216 } 217 bssid = wh->i_addr3; 218 } 219 if (type != IEEE80211_FC0_TYPE_DATA) 220 break; 221 /* 222 * Data frame, validate the bssid. 223 */ 224 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 225 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 226 /* not interested in */ 227 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 228 bssid, NULL, "%s", "not to bss"); 229 ic->ic_stats.is_rx_wrongbss++; 230 goto out; 231 } 232 /* 233 * For adhoc mode we cons up a node when it doesn't 234 * exist. This should probably done after an ACL check. 235 */ 236 if (ni == ic->ic_bss && 237 ic->ic_opmode != IEEE80211_M_HOSTAP) { 238 /* 239 * Fake up a node for this newly 240 * discovered member of the IBSS. 241 */ 242 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 243 wh->i_addr2); 244 if (ni == NULL) { 245 /* NB: stat kept for alloc failure */ 246 goto err; 247 } 248 } 249 break; 250 default: 251 goto out; 252 } 253 ni->ni_rssi = rssi; 254 ni->ni_rstamp = rstamp; 255 if (HAS_SEQ(type)) { 256 u_int8_t tid; 257 if (IEEE80211_QOS_HAS_SEQ(wh)) { 258 tid = ((struct ieee80211_qosframe *)wh)-> 259 i_qos[0] & IEEE80211_QOS_TID; 260 if (tid >= WME_AC_VI) 261 ic->ic_wme.wme_hipri_traffic++; 262 tid++; 263 } else 264 tid = 0; 265 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 266 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 267 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 268 /* duplicate, discard */ 269 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 270 bssid, "duplicate", 271 "seqno <%u,%u> fragno <%u,%u> tid %u", 272 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 273 ni->ni_rxseqs[tid] >> 274 IEEE80211_SEQ_SEQ_SHIFT, 275 rxseq & IEEE80211_SEQ_FRAG_MASK, 276 ni->ni_rxseqs[tid] & 277 IEEE80211_SEQ_FRAG_MASK, 278 tid); 279 ic->ic_stats.is_rx_dup++; 280 IEEE80211_NODE_STAT(ni, rx_dup); 281 goto out; 282 } 283 ni->ni_rxseqs[tid] = rxseq; 284 } 285 } 286 287 switch (type) { 288 case IEEE80211_FC0_TYPE_DATA: 289 hdrspace = ieee80211_hdrspace(ic, wh); 290 if (m->m_len < hdrspace && 291 (m = m_pullup(m, hdrspace)) == NULL) { 292 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 293 ni->ni_macaddr, NULL, 294 "data too short: expecting %u", hdrspace); 295 ic->ic_stats.is_rx_tooshort++; 296 goto out; /* XXX */ 297 } 298 switch (ic->ic_opmode) { 299 case IEEE80211_M_STA: 300 if (dir != IEEE80211_FC1_DIR_FROMDS) { 301 ic->ic_stats.is_rx_wrongdir++; 302 goto out; 303 } 304 if ((ifp->if_flags & IFF_SIMPLEX) && 305 IEEE80211_IS_MULTICAST(wh->i_addr1) && 306 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 307 /* 308 * In IEEE802.11 network, multicast packet 309 * sent from me is broadcasted from AP. 310 * It should be silently discarded for 311 * SIMPLEX interface. 312 */ 313 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 314 wh, NULL, "%s", "multicast echo"); 315 ic->ic_stats.is_rx_mcastecho++; 316 goto out; 317 } 318 break; 319 case IEEE80211_M_IBSS: 320 case IEEE80211_M_AHDEMO: 321 if (dir != IEEE80211_FC1_DIR_NODS) { 322 ic->ic_stats.is_rx_wrongdir++; 323 goto out; 324 } 325 /* XXX no power-save support */ 326 break; 327 case IEEE80211_M_HOSTAP: 328 if (dir != IEEE80211_FC1_DIR_TODS) { 329 ic->ic_stats.is_rx_wrongdir++; 330 goto out; 331 } 332 /* check if source STA is associated */ 333 if (ni == ic->ic_bss) { 334 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 335 wh, "data", "%s", "unknown src"); 336 ieee80211_send_error(ic, ni, wh->i_addr2, 337 IEEE80211_FC0_SUBTYPE_DEAUTH, 338 IEEE80211_REASON_NOT_AUTHED); 339 ic->ic_stats.is_rx_notassoc++; 340 goto err; 341 } 342 if (ni->ni_associd == 0) { 343 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 344 wh, "data", "%s", "unassoc src"); 345 IEEE80211_SEND_MGMT(ic, ni, 346 IEEE80211_FC0_SUBTYPE_DISASSOC, 347 IEEE80211_REASON_NOT_ASSOCED); 348 ic->ic_stats.is_rx_notassoc++; 349 goto err; 350 } 351 352 /* 353 * Check for power save state change. 354 */ 355 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 356 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 357 ieee80211_node_pwrsave(ni, 358 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 359 break; 360 default: 361 /* XXX here to keep compiler happy */ 362 goto out; 363 } 364 365 /* 366 * Handle privacy requirements. Note that we 367 * must not be preempted from here until after 368 * we (potentially) call ieee80211_crypto_demic; 369 * otherwise we may violate assumptions in the 370 * crypto cipher modules used to do delayed update 371 * of replay sequence numbers. 372 */ 373 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 374 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 375 /* 376 * Discard encrypted frames when privacy is off. 377 */ 378 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 379 wh, "WEP", "%s", "PRIVACY off"); 380 ic->ic_stats.is_rx_noprivacy++; 381 IEEE80211_NODE_STAT(ni, rx_noprivacy); 382 goto out; 383 } 384 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 385 if (key == NULL) { 386 /* NB: stats+msgs handled in crypto_decap */ 387 IEEE80211_NODE_STAT(ni, rx_wepfail); 388 goto out; 389 } 390 wh = mtod(m, struct ieee80211_frame *); 391 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 392 } else { 393 key = NULL; 394 } 395 396 /* 397 * Next up, any fragmentation. 398 */ 399 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 400 m = ieee80211_defrag(ic, ni, m, hdrspace); 401 if (m == NULL) { 402 /* Fragment dropped or frame not complete yet */ 403 goto out; 404 } 405 } 406 wh = NULL; /* no longer valid, catch any uses */ 407 408 /* 409 * Next strip any MSDU crypto bits. 410 */ 411 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) { 412 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 413 ni->ni_macaddr, "data", "%s", "demic error"); 414 IEEE80211_NODE_STAT(ni, rx_demicfail); 415 goto out; 416 } 417 418 /* copy to listener after decrypt */ 419 if (ic->ic_rawbpf) 420 bpf_mtap(ic->ic_rawbpf, m); 421 422 /* 423 * Finally, strip the 802.11 header. 424 */ 425 m = ieee80211_decap(ic, m, hdrspace); 426 if (m == NULL) { 427 /* don't count Null data frames as errors */ 428 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA) 429 goto out; 430 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 431 ni->ni_macaddr, "data", "%s", "decap error"); 432 ic->ic_stats.is_rx_decap++; 433 IEEE80211_NODE_STAT(ni, rx_decap); 434 goto err; 435 } 436 eh = mtod(m, struct ether_header *); 437 if (!ieee80211_node_is_authorized(ni)) { 438 /* 439 * Deny any non-PAE frames received prior to 440 * authorization. For open/shared-key 441 * authentication the port is mark authorized 442 * after authentication completes. For 802.1x 443 * the port is not marked authorized by the 444 * authenticator until the handshake has completed. 445 */ 446 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 447 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 448 eh->ether_shost, "data", 449 "unauthorized port: ether type 0x%x len %u", 450 eh->ether_type, m->m_pkthdr.len); 451 ic->ic_stats.is_rx_unauth++; 452 IEEE80211_NODE_STAT(ni, rx_unauth); 453 goto err; 454 } 455 } else { 456 /* 457 * When denying unencrypted frames, discard 458 * any non-PAE frames received without encryption. 459 */ 460 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) && 461 key == NULL && 462 eh->ether_type != htons(ETHERTYPE_PAE)) { 463 /* 464 * Drop unencrypted frames. 465 */ 466 ic->ic_stats.is_rx_unencrypted++; 467 IEEE80211_NODE_STAT(ni, rx_unencrypted); 468 goto out; 469 } 470 } 471 ifp->if_ipackets++; 472 IEEE80211_NODE_STAT(ni, rx_data); 473 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 474 475 /* perform as a bridge within the AP */ 476 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 477 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) { 478 struct mbuf *m1 = NULL; 479 480 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 481 m1 = m_copypacket(m, M_DONTWAIT); 482 if (m1 == NULL) 483 ifp->if_oerrors++; 484 else 485 m1->m_flags |= M_MCAST; 486 } else { 487 /* XXX this dups work done in ieee80211_encap */ 488 /* check if destination is associated */ 489 struct ieee80211_node *ni1 = 490 ieee80211_find_node(&ic->ic_sta, 491 eh->ether_dhost); 492 if (ni1 != NULL) { 493 /* XXX check if authorized */ 494 if (ni1->ni_associd != 0) { 495 m1 = m; 496 m = NULL; 497 } 498 /* XXX statistic? */ 499 ieee80211_free_node(ni1); 500 } 501 } 502 if (m1 != NULL) { 503 len = m1->m_pkthdr.len; 504 IF_ENQUEUE(&ifp->if_snd, m1); 505 if (m != NULL) 506 ifp->if_omcasts++; 507 ifp->if_obytes += len; 508 } 509 } 510 if (m != NULL) { 511 if (ni->ni_vlan != 0) { 512 /* attach vlan tag */ 513 /* XXX goto err? */ 514 VLAN_INPUT_TAG(ifp, m, ni->ni_vlan, goto out); 515 } 516 (*ifp->if_input)(ifp, m); 517 } 518 return IEEE80211_FC0_TYPE_DATA; 519 520 case IEEE80211_FC0_TYPE_MGT: 521 IEEE80211_NODE_STAT(ni, rx_mgmt); 522 if (dir != IEEE80211_FC1_DIR_NODS) { 523 ic->ic_stats.is_rx_wrongdir++; 524 goto err; 525 } 526 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 527 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 528 ni->ni_macaddr, "mgt", "too short: len %u", 529 m->m_pkthdr.len); 530 ic->ic_stats.is_rx_tooshort++; 531 goto out; 532 } 533#ifdef IEEE80211_DEBUG 534 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 535 ieee80211_msg_dumppkts(ic)) { 536 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n", 537 ieee80211_mgt_subtype_name[subtype >> 538 IEEE80211_FC0_SUBTYPE_SHIFT], 539 ether_sprintf(wh->i_addr2), rssi); 540 } 541#endif 542 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 543 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 544 /* 545 * Only shared key auth frames with a challenge 546 * should be encrypted, discard all others. 547 */ 548 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 549 wh, ieee80211_mgt_subtype_name[subtype >> 550 IEEE80211_FC0_SUBTYPE_SHIFT], 551 "%s", "WEP set but not permitted"); 552 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */ 553 goto out; 554 } 555 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 556 /* 557 * Discard encrypted frames when privacy is off. 558 */ 559 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 560 wh, "mgt", "%s", "WEP set but PRIVACY off"); 561 ic->ic_stats.is_rx_noprivacy++; 562 goto out; 563 } 564 hdrspace = ieee80211_hdrspace(ic, wh); 565 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 566 if (key == NULL) { 567 /* NB: stats+msgs handled in crypto_decap */ 568 goto out; 569 } 570 wh = mtod(m, struct ieee80211_frame *); 571 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 572 } 573 if (ic->ic_rawbpf) 574 bpf_mtap(ic->ic_rawbpf, m); 575 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 576 m_freem(m); 577 return type; 578 579 case IEEE80211_FC0_TYPE_CTL: 580 IEEE80211_NODE_STAT(ni, rx_ctrl); 581 ic->ic_stats.is_rx_ctl++; 582 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 583 switch (subtype) { 584 case IEEE80211_FC0_SUBTYPE_PS_POLL: 585 ieee80211_recv_pspoll(ic, ni, m); 586 break; 587 } 588 } 589 goto out; 590 default: 591 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 592 wh, NULL, "bad frame type 0x%x", type); 593 /* should not come here */ 594 break; 595 } 596err: 597 ifp->if_ierrors++; 598out: 599 if (m != NULL) { 600 if (ic->ic_rawbpf) 601 bpf_mtap(ic->ic_rawbpf, m); 602 m_freem(m); 603 } 604 return type; 605#undef SEQ_LEQ 606} 607 608/* 609 * This function reassemble fragments. 610 */ 611static struct mbuf * 612ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni, 613 struct mbuf *m, int hdrspace) 614{ 615 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 616 struct ieee80211_frame *lwh; 617 u_int16_t rxseq; 618 u_int8_t fragno; 619 u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG; 620 struct mbuf *mfrag; 621 622 KASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?")); 623 624 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 625 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK; 626 627 /* Quick way out, if there's nothing to defragment */ 628 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) 629 return m; 630 631 /* 632 * Remove frag to insure it doesn't get reaped by timer. 633 */ 634 if (ni->ni_table == NULL) { 635 /* 636 * Should never happen. If the node is orphaned (not in 637 * the table) then input packets should not reach here. 638 * Otherwise, a concurrent request that yanks the table 639 * should be blocked by other interlocking and/or by first 640 * shutting the driver down. Regardless, be defensive 641 * here and just bail 642 */ 643 /* XXX need msg+stat */ 644 m_freem(m); 645 return NULL; 646 } 647 IEEE80211_NODE_LOCK(ni->ni_table); 648 mfrag = ni->ni_rxfrag[0]; 649 ni->ni_rxfrag[0] = NULL; 650 IEEE80211_NODE_UNLOCK(ni->ni_table); 651 652 /* 653 * Validate new fragment is in order and 654 * related to the previous ones. 655 */ 656 if (mfrag != NULL) { 657 u_int16_t last_rxseq; 658 659 lwh = mtod(mfrag, struct ieee80211_frame *); 660 last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq); 661 /* NB: check seq # and frag together */ 662 if (rxseq != last_rxseq+1 || 663 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) || 664 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { 665 /* 666 * Unrelated fragment or no space for it, 667 * clear current fragments. 668 */ 669 m_freem(mfrag); 670 mfrag = NULL; 671 } 672 } 673 674 if (mfrag == NULL) { 675 if (fragno != 0) { /* !first fragment, discard */ 676 IEEE80211_NODE_STAT(ni, rx_defrag); 677 m_freem(m); 678 return NULL; 679 } 680 mfrag = m; 681 } else { /* concatenate */ 682 m_adj(m, hdrspace); /* strip header */ 683 m_cat(mfrag, m); 684 /* NB: m_cat doesn't update the packet header */ 685 mfrag->m_pkthdr.len += m->m_pkthdr.len; 686 /* track last seqnum and fragno */ 687 lwh = mtod(mfrag, struct ieee80211_frame *); 688 *(u_int16_t *) lwh->i_seq = *(u_int16_t *) wh->i_seq; 689 } 690 if (more_frag) { /* more to come, save */ 691 ni->ni_rxfragstamp = ticks; 692 ni->ni_rxfrag[0] = mfrag; 693 mfrag = NULL; 694 } 695 return mfrag; 696} 697 698static struct mbuf * 699ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 700{ 701 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */ 702 struct ether_header *eh; 703 struct llc *llc; 704 705 if (m->m_len < hdrlen + sizeof(*llc) && 706 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) { 707 /* XXX stat, msg */ 708 return NULL; 709 } 710 memcpy(&wh, mtod(m, caddr_t), hdrlen); 711 llc = (struct llc *)(mtod(m, caddr_t) + hdrlen); 712 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 713 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 714 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 715 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); 716 llc = NULL; 717 } else { 718 m_adj(m, hdrlen - sizeof(*eh)); 719 } 720 eh = mtod(m, struct ether_header *); 721 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 722 case IEEE80211_FC1_DIR_NODS: 723 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 724 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 725 break; 726 case IEEE80211_FC1_DIR_TODS: 727 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 728 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 729 break; 730 case IEEE80211_FC1_DIR_FROMDS: 731 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 732 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 733 break; 734 case IEEE80211_FC1_DIR_DSTODS: 735 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 736 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 737 break; 738 } 739#ifdef ALIGNED_POINTER 740 if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), u_int32_t)) { 741 struct mbuf *n, *n0, **np; 742 caddr_t newdata; 743 int off, pktlen; 744 745 n0 = NULL; 746 np = &n0; 747 off = 0; 748 pktlen = m->m_pkthdr.len; 749 while (pktlen > off) { 750 if (n0 == NULL) { 751 MGETHDR(n, M_DONTWAIT, MT_DATA); 752 if (n == NULL) { 753 m_freem(m); 754 return NULL; 755 } 756 M_MOVE_PKTHDR(n, m); 757 n->m_len = MHLEN; 758 } else { 759 MGET(n, M_DONTWAIT, MT_DATA); 760 if (n == NULL) { 761 m_freem(m); 762 m_freem(n0); 763 return NULL; 764 } 765 n->m_len = MLEN; 766 } 767 if (pktlen - off >= MINCLSIZE) { 768 MCLGET(n, M_DONTWAIT); 769 if (n->m_flags & M_EXT) 770 n->m_len = n->m_ext.ext_size; 771 } 772 if (n0 == NULL) { 773 newdata = 774 (caddr_t)ALIGN(n->m_data + sizeof(*eh)) - 775 sizeof(*eh); 776 n->m_len -= newdata - n->m_data; 777 n->m_data = newdata; 778 } 779 if (n->m_len > pktlen - off) 780 n->m_len = pktlen - off; 781 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 782 off += n->m_len; 783 *np = n; 784 np = &n->m_next; 785 } 786 m_freem(m); 787 m = n0; 788 } 789#endif /* ALIGNED_POINTER */ 790 if (llc != NULL) { 791 eh = mtod(m, struct ether_header *); 792 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 793 } 794 return m; 795} 796 797/* 798 * Install received rate set information in the node's state block. 799 */ 800static int 801ieee80211_setup_rates(struct ieee80211com *ic, struct ieee80211_node *ni, 802 u_int8_t *rates, u_int8_t *xrates, int flags) 803{ 804 struct ieee80211_rateset *rs = &ni->ni_rates; 805 806 memset(rs, 0, sizeof(*rs)); 807 rs->rs_nrates = rates[1]; 808 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 809 if (xrates != NULL) { 810 u_int8_t nxrates; 811 /* 812 * Tack on 11g extended supported rate element. 813 */ 814 nxrates = xrates[1]; 815 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 816 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 817 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 818 "[%s] extended rate set too large;" 819 " only using %u of %u rates\n", 820 ether_sprintf(ni->ni_macaddr), nxrates, xrates[1]); 821 ic->ic_stats.is_rx_rstoobig++; 822 } 823 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 824 rs->rs_nrates += nxrates; 825 } 826 return ieee80211_fix_rate(ic, ni, flags); 827} 828 829static void 830ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 831 struct ieee80211_node *ni, int rssi, u_int32_t rstamp, u_int16_t seq, 832 u_int16_t status) 833{ 834 835 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 836 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 837 ni->ni_macaddr, "open auth", 838 "bad sta auth mode %u", ni->ni_authmode); 839 ic->ic_stats.is_rx_bad_auth++; /* XXX */ 840 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 841 /* XXX hack to workaround calling convention */ 842 ieee80211_send_error(ic, ni, wh->i_addr2, 843 IEEE80211_FC0_SUBTYPE_AUTH, 844 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 845 } 846 return; 847 } 848 switch (ic->ic_opmode) { 849 case IEEE80211_M_IBSS: 850 case IEEE80211_M_AHDEMO: 851 case IEEE80211_M_MONITOR: 852 /* should not come here */ 853 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 854 ni->ni_macaddr, "open auth", 855 "bad operating mode %u", ic->ic_opmode); 856 break; 857 858 case IEEE80211_M_HOSTAP: 859 if (ic->ic_state != IEEE80211_S_RUN || 860 seq != IEEE80211_AUTH_OPEN_REQUEST) { 861 ic->ic_stats.is_rx_bad_auth++; 862 return; 863 } 864 /* always accept open authentication requests */ 865 if (ni == ic->ic_bss) { 866 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 867 if (ni == NULL) 868 return; 869 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 870 (void) ieee80211_ref_node(ni); 871 /* 872 * Mark the node as referenced to reflect that it's 873 * reference count has been bumped to insure it remains 874 * after the transaction completes. 875 */ 876 ni->ni_flags |= IEEE80211_NODE_AREF; 877 878 IEEE80211_SEND_MGMT(ic, ni, 879 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 880 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 881 "[%s] station authenticated (open)\n", 882 ether_sprintf(ni->ni_macaddr)); 883 /* 884 * When 802.1x is not in use mark the port 885 * authorized at this point so traffic can flow. 886 */ 887 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 888 ieee80211_node_authorize(ic, ni); 889 break; 890 891 case IEEE80211_M_STA: 892 if (ic->ic_state != IEEE80211_S_AUTH || 893 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 894 ic->ic_stats.is_rx_bad_auth++; 895 return; 896 } 897 if (status != 0) { 898 IEEE80211_DPRINTF(ic, 899 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 900 "[%s] open auth failed (reason %d)\n", 901 ether_sprintf(ni->ni_macaddr), status); 902 /* XXX can this happen? */ 903 if (ni != ic->ic_bss) 904 ni->ni_fails++; 905 ic->ic_stats.is_rx_auth_fail++; 906 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 907 } else 908 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 909 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 910 break; 911 } 912} 913 914/* 915 * Send a management frame error response to the specified 916 * station. If ni is associated with the station then use 917 * it; otherwise allocate a temporary node suitable for 918 * transmitting the frame and then free the reference so 919 * it will go away as soon as the frame has been transmitted. 920 */ 921static void 922ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni, 923 const u_int8_t *mac, int subtype, int arg) 924{ 925 int istmp; 926 927 if (ni == ic->ic_bss) { 928 ni = ieee80211_dup_bss(&ic->ic_sta, mac); 929 if (ni == NULL) { 930 /* XXX msg */ 931 return; 932 } 933 istmp = 1; 934 } else 935 istmp = 0; 936 IEEE80211_SEND_MGMT(ic, ni, subtype, arg); 937 if (istmp) 938 ieee80211_free_node(ni); 939} 940 941static int 942alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni) 943{ 944 if (ni->ni_challenge == NULL) 945 MALLOC(ni->ni_challenge, u_int32_t*, IEEE80211_CHALLENGE_LEN, 946 M_DEVBUF, M_NOWAIT); 947 if (ni->ni_challenge == NULL) { 948 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 949 "[%s] shared key challenge alloc failed\n", 950 ether_sprintf(ni->ni_macaddr)); 951 /* XXX statistic */ 952 } 953 return (ni->ni_challenge != NULL); 954} 955 956/* XXX TODO: add statistics */ 957static void 958ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 959 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 960 u_int32_t rstamp, u_int16_t seq, u_int16_t status) 961{ 962 u_int8_t *challenge; 963 int allocbs, estatus; 964 965 /* 966 * NB: this can happen as we allow pre-shared key 967 * authentication to be enabled w/o wep being turned 968 * on so that configuration of these can be done 969 * in any order. It may be better to enforce the 970 * ordering in which case this check would just be 971 * for sanity/consistency. 972 */ 973 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 974 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 975 ni->ni_macaddr, "shared key auth", 976 "%s", " PRIVACY is disabled"); 977 estatus = IEEE80211_STATUS_ALG; 978 goto bad; 979 } 980 /* 981 * Pre-shared key authentication is evil; accept 982 * it only if explicitly configured (it is supported 983 * mainly for compatibility with clients like OS X). 984 */ 985 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 986 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 987 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 988 ni->ni_macaddr, "shared key auth", 989 "bad sta auth mode %u", ni->ni_authmode); 990 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 991 estatus = IEEE80211_STATUS_ALG; 992 goto bad; 993 } 994 995 challenge = NULL; 996 if (frm + 1 < efrm) { 997 if ((frm[1] + 2) > (efrm - frm)) { 998 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 999 ni->ni_macaddr, "shared key auth", 1000 "ie %d/%d too long", 1001 frm[0], (frm[1] + 2) - (efrm - frm)); 1002 ic->ic_stats.is_rx_bad_auth++; 1003 estatus = IEEE80211_STATUS_CHALLENGE; 1004 goto bad; 1005 } 1006 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1007 challenge = frm; 1008 frm += frm[1] + 2; 1009 } 1010 switch (seq) { 1011 case IEEE80211_AUTH_SHARED_CHALLENGE: 1012 case IEEE80211_AUTH_SHARED_RESPONSE: 1013 if (challenge == NULL) { 1014 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1015 ni->ni_macaddr, "shared key auth", 1016 "%s", "no challenge"); 1017 ic->ic_stats.is_rx_bad_auth++; 1018 estatus = IEEE80211_STATUS_CHALLENGE; 1019 goto bad; 1020 } 1021 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1022 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1023 ni->ni_macaddr, "shared key auth", 1024 "bad challenge len %d", challenge[1]); 1025 ic->ic_stats.is_rx_bad_auth++; 1026 estatus = IEEE80211_STATUS_CHALLENGE; 1027 goto bad; 1028 } 1029 default: 1030 break; 1031 } 1032 switch (ic->ic_opmode) { 1033 case IEEE80211_M_MONITOR: 1034 case IEEE80211_M_AHDEMO: 1035 case IEEE80211_M_IBSS: 1036 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1037 ni->ni_macaddr, "shared key auth", 1038 "bad operating mode %u", ic->ic_opmode); 1039 return; 1040 case IEEE80211_M_HOSTAP: 1041 if (ic->ic_state != IEEE80211_S_RUN) { 1042 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1043 ni->ni_macaddr, "shared key auth", 1044 "bad state %u", ic->ic_state); 1045 estatus = IEEE80211_STATUS_ALG; /* XXX */ 1046 goto bad; 1047 } 1048 switch (seq) { 1049 case IEEE80211_AUTH_SHARED_REQUEST: 1050 if (ni == ic->ic_bss) { 1051 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1052 if (ni == NULL) { 1053 /* NB: no way to return an error */ 1054 return; 1055 } 1056 allocbs = 1; 1057 } else { 1058 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1059 (void) ieee80211_ref_node(ni); 1060 allocbs = 0; 1061 } 1062 /* 1063 * Mark the node as referenced to reflect that it's 1064 * reference count has been bumped to insure it remains 1065 * after the transaction completes. 1066 */ 1067 ni->ni_flags |= IEEE80211_NODE_AREF; 1068 ni->ni_rssi = rssi; 1069 ni->ni_rstamp = rstamp; 1070 if (!alloc_challenge(ic, ni)) { 1071 /* NB: don't return error so they rexmit */ 1072 return; 1073 } 1074 get_random_bytes(ni->ni_challenge, 1075 IEEE80211_CHALLENGE_LEN); 1076 IEEE80211_DPRINTF(ic, 1077 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1078 "[%s] shared key %sauth request\n", 1079 ether_sprintf(ni->ni_macaddr), 1080 allocbs ? "" : "re"); 1081 break; 1082 case IEEE80211_AUTH_SHARED_RESPONSE: 1083 if (ni == ic->ic_bss) { 1084 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1085 ni->ni_macaddr, "shared key response", 1086 "%s", "unknown station"); 1087 /* NB: don't send a response */ 1088 return; 1089 } 1090 if (ni->ni_challenge == NULL) { 1091 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1092 ni->ni_macaddr, "shared key response", 1093 "%s", "no challenge recorded"); 1094 ic->ic_stats.is_rx_bad_auth++; 1095 estatus = IEEE80211_STATUS_CHALLENGE; 1096 goto bad; 1097 } 1098 if (memcmp(ni->ni_challenge, &challenge[2], 1099 challenge[1]) != 0) { 1100 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1101 ni->ni_macaddr, "shared key response", 1102 "%s", "challenge mismatch"); 1103 ic->ic_stats.is_rx_auth_fail++; 1104 estatus = IEEE80211_STATUS_CHALLENGE; 1105 goto bad; 1106 } 1107 IEEE80211_DPRINTF(ic, 1108 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1109 "[%s] station authenticated (shared key)\n", 1110 ether_sprintf(ni->ni_macaddr)); 1111 ieee80211_node_authorize(ic, ni); 1112 break; 1113 default: 1114 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1115 ni->ni_macaddr, "shared key auth", 1116 "bad seq %d", seq); 1117 ic->ic_stats.is_rx_bad_auth++; 1118 estatus = IEEE80211_STATUS_SEQUENCE; 1119 goto bad; 1120 } 1121 IEEE80211_SEND_MGMT(ic, ni, 1122 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1123 break; 1124 1125 case IEEE80211_M_STA: 1126 if (ic->ic_state != IEEE80211_S_AUTH) 1127 return; 1128 switch (seq) { 1129 case IEEE80211_AUTH_SHARED_PASS: 1130 if (ni->ni_challenge != NULL) { 1131 FREE(ni->ni_challenge, M_DEVBUF); 1132 ni->ni_challenge = NULL; 1133 } 1134 if (status != 0) { 1135 IEEE80211_DPRINTF(ic, 1136 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1137 "[%s] shared key auth failed (reason %d)\n", 1138 ether_sprintf(ieee80211_getbssid(ic, wh)), 1139 status); 1140 /* XXX can this happen? */ 1141 if (ni != ic->ic_bss) 1142 ni->ni_fails++; 1143 ic->ic_stats.is_rx_auth_fail++; 1144 return; 1145 } 1146 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1147 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1148 break; 1149 case IEEE80211_AUTH_SHARED_CHALLENGE: 1150 if (!alloc_challenge(ic, ni)) 1151 return; 1152 /* XXX could optimize by passing recvd challenge */ 1153 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1154 IEEE80211_SEND_MGMT(ic, ni, 1155 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1156 break; 1157 default: 1158 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH, 1159 wh, "shared key auth", "bad seq %d", seq); 1160 ic->ic_stats.is_rx_bad_auth++; 1161 return; 1162 } 1163 break; 1164 } 1165 return; 1166bad: 1167 /* 1168 * Send an error response; but only when operating as an AP. 1169 */ 1170 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1171 /* XXX hack to workaround calling convention */ 1172 ieee80211_send_error(ic, ni, wh->i_addr2, 1173 IEEE80211_FC0_SUBTYPE_AUTH, 1174 (seq + 1) | (estatus<<16)); 1175 } else if (ic->ic_opmode == IEEE80211_M_STA) { 1176 /* 1177 * Kick the state machine. This short-circuits 1178 * using the mgt frame timeout to trigger the 1179 * state transition. 1180 */ 1181 if (ic->ic_state == IEEE80211_S_AUTH) 1182 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1183 } 1184} 1185 1186/* Verify the existence and length of __elem or get out. */ 1187#define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 1188 if ((__elem) == NULL) { \ 1189 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1190 wh, ieee80211_mgt_subtype_name[subtype >> \ 1191 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1192 "%s", "no " #__elem ); \ 1193 ic->ic_stats.is_rx_elem_missing++; \ 1194 return; \ 1195 } \ 1196 if ((__elem)[1] > (__maxlen)) { \ 1197 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1198 wh, ieee80211_mgt_subtype_name[subtype >> \ 1199 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1200 "bad " #__elem " len %d", (__elem)[1]); \ 1201 ic->ic_stats.is_rx_elem_toobig++; \ 1202 return; \ 1203 } \ 1204} while (0) 1205 1206#define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 1207 if ((_len) < (_minlen)) { \ 1208 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1209 wh, ieee80211_mgt_subtype_name[subtype >> \ 1210 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1211 "%s", "ie too short"); \ 1212 ic->ic_stats.is_rx_elem_toosmall++; \ 1213 return; \ 1214 } \ 1215} while (0) 1216 1217#ifdef IEEE80211_DEBUG 1218static void 1219ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 1220 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 1221{ 1222 printf("[%s] discard %s frame, ssid mismatch: ", 1223 ether_sprintf(mac), tag); 1224 ieee80211_print_essid(ssid + 2, ssid[1]); 1225 printf("\n"); 1226} 1227 1228#define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1229 if ((_ssid)[1] != 0 && \ 1230 ((_ssid)[1] != (_ni)->ni_esslen || \ 1231 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1232 if (ieee80211_msg_input(ic)) \ 1233 ieee80211_ssid_mismatch(ic, \ 1234 ieee80211_mgt_subtype_name[subtype >> \ 1235 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1236 wh->i_addr2, _ssid); \ 1237 ic->ic_stats.is_rx_ssidmismatch++; \ 1238 return; \ 1239 } \ 1240} while (0) 1241#else /* !IEEE80211_DEBUG */ 1242#define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1243 if ((_ssid)[1] != 0 && \ 1244 ((_ssid)[1] != (_ni)->ni_esslen || \ 1245 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1246 ic->ic_stats.is_rx_ssidmismatch++; \ 1247 return; \ 1248 } \ 1249} while (0) 1250#endif /* !IEEE80211_DEBUG */ 1251 1252/* unalligned little endian access */ 1253#define LE_READ_2(p) \ 1254 ((u_int16_t) \ 1255 ((((const u_int8_t *)(p))[0] ) | \ 1256 (((const u_int8_t *)(p))[1] << 8))) 1257#define LE_READ_4(p) \ 1258 ((u_int32_t) \ 1259 ((((const u_int8_t *)(p))[0] ) | \ 1260 (((const u_int8_t *)(p))[1] << 8) | \ 1261 (((const u_int8_t *)(p))[2] << 16) | \ 1262 (((const u_int8_t *)(p))[3] << 24))) 1263 1264static int __inline 1265iswpaoui(const u_int8_t *frm) 1266{ 1267 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); 1268} 1269 1270static int __inline 1271iswmeoui(const u_int8_t *frm) 1272{ 1273 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI); 1274} 1275 1276static int __inline 1277iswmeparam(const u_int8_t *frm) 1278{ 1279 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1280 frm[6] == WME_PARAM_OUI_SUBTYPE; 1281} 1282 1283static int __inline 1284iswmeinfo(const u_int8_t *frm) 1285{ 1286 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1287 frm[6] == WME_INFO_OUI_SUBTYPE; 1288} 1289 1290static int __inline 1291isatherosoui(const u_int8_t *frm) 1292{ 1293 return frm[1] > 3 && LE_READ_4(frm+2) == ((ATH_OUI_TYPE<<24)|ATH_OUI); 1294} 1295 1296/* 1297 * Convert a WPA cipher selector OUI to an internal 1298 * cipher algorithm. Where appropriate we also 1299 * record any key length. 1300 */ 1301static int 1302wpa_cipher(u_int8_t *sel, u_int8_t *keylen) 1303{ 1304#define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1305 u_int32_t w = LE_READ_4(sel); 1306 1307 switch (w) { 1308 case WPA_SEL(WPA_CSE_NULL): 1309 return IEEE80211_CIPHER_NONE; 1310 case WPA_SEL(WPA_CSE_WEP40): 1311 if (keylen) 1312 *keylen = 40 / NBBY; 1313 return IEEE80211_CIPHER_WEP; 1314 case WPA_SEL(WPA_CSE_WEP104): 1315 if (keylen) 1316 *keylen = 104 / NBBY; 1317 return IEEE80211_CIPHER_WEP; 1318 case WPA_SEL(WPA_CSE_TKIP): 1319 return IEEE80211_CIPHER_TKIP; 1320 case WPA_SEL(WPA_CSE_CCMP): 1321 return IEEE80211_CIPHER_AES_CCM; 1322 } 1323 return 32; /* NB: so 1<< is discarded */ 1324#undef WPA_SEL 1325} 1326 1327/* 1328 * Convert a WPA key management/authentication algorithm 1329 * to an internal code. 1330 */ 1331static int 1332wpa_keymgmt(u_int8_t *sel) 1333{ 1334#define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1335 u_int32_t w = LE_READ_4(sel); 1336 1337 switch (w) { 1338 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1339 return WPA_ASE_8021X_UNSPEC; 1340 case WPA_SEL(WPA_ASE_8021X_PSK): 1341 return WPA_ASE_8021X_PSK; 1342 case WPA_SEL(WPA_ASE_NONE): 1343 return WPA_ASE_NONE; 1344 } 1345 return 0; /* NB: so is discarded */ 1346#undef WPA_SEL 1347} 1348 1349/* 1350 * Parse a WPA information element to collect parameters 1351 * and validate the parameters against what has been 1352 * configured for the system. 1353 */ 1354static int 1355ieee80211_parse_wpa(struct ieee80211com *ic, u_int8_t *frm, 1356 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1357{ 1358 u_int8_t len = frm[1]; 1359 u_int32_t w; 1360 int n; 1361 1362 /* 1363 * Check the length once for fixed parts: OUI, type, 1364 * version, mcast cipher, and 2 selector counts. 1365 * Other, variable-length data, must be checked separately. 1366 */ 1367 KASSERT(ic->ic_flags & IEEE80211_F_WPA1, 1368 ("not WPA, flags 0x%x", ic->ic_flags)); 1369 if (len < 14) { 1370 IEEE80211_DISCARD_IE(ic, 1371 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1372 wh, "WPA", "too short, len %u", len); 1373 return IEEE80211_REASON_IE_INVALID; 1374 } 1375 frm += 6, len -= 4; /* NB: len is payload only */ 1376 /* NB: iswapoui already validated the OUI and type */ 1377 w = LE_READ_2(frm); 1378 if (w != WPA_VERSION) { 1379 IEEE80211_DISCARD_IE(ic, 1380 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1381 wh, "WPA", "bad version %u", w); 1382 return IEEE80211_REASON_IE_INVALID; 1383 } 1384 frm += 2, len -= 2; 1385 1386 /* multicast/group cipher */ 1387 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1388 if (w != rsn->rsn_mcastcipher) { 1389 IEEE80211_DISCARD_IE(ic, 1390 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1391 wh, "WPA", "mcast cipher mismatch; got %u, expected %u", 1392 w, rsn->rsn_mcastcipher); 1393 return IEEE80211_REASON_IE_INVALID; 1394 } 1395 frm += 4, len -= 4; 1396 1397 /* unicast ciphers */ 1398 n = LE_READ_2(frm); 1399 frm += 2, len -= 2; 1400 if (len < n*4+2) { 1401 IEEE80211_DISCARD_IE(ic, 1402 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1403 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1404 len, n); 1405 return IEEE80211_REASON_IE_INVALID; 1406 } 1407 w = 0; 1408 for (; n > 0; n--) { 1409 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1410 frm += 4, len -= 4; 1411 } 1412 w &= rsn->rsn_ucastcipherset; 1413 if (w == 0) { 1414 IEEE80211_DISCARD_IE(ic, 1415 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1416 wh, "WPA", "%s", "ucast cipher set empty"); 1417 return IEEE80211_REASON_IE_INVALID; 1418 } 1419 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1420 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1421 else 1422 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1423 1424 /* key management algorithms */ 1425 n = LE_READ_2(frm); 1426 frm += 2, len -= 2; 1427 if (len < n*4) { 1428 IEEE80211_DISCARD_IE(ic, 1429 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1430 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1431 len, n); 1432 return IEEE80211_REASON_IE_INVALID; 1433 } 1434 w = 0; 1435 for (; n > 0; n--) { 1436 w |= wpa_keymgmt(frm); 1437 frm += 4, len -= 4; 1438 } 1439 w &= rsn->rsn_keymgmtset; 1440 if (w == 0) { 1441 IEEE80211_DISCARD_IE(ic, 1442 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1443 wh, "WPA", "%s", "no acceptable key mgmt alg"); 1444 return IEEE80211_REASON_IE_INVALID; 1445 } 1446 if (w & WPA_ASE_8021X_UNSPEC) 1447 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1448 else 1449 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1450 1451 if (len > 2) /* optional capabilities */ 1452 rsn->rsn_caps = LE_READ_2(frm); 1453 1454 return 0; 1455} 1456 1457/* 1458 * Convert an RSN cipher selector OUI to an internal 1459 * cipher algorithm. Where appropriate we also 1460 * record any key length. 1461 */ 1462static int 1463rsn_cipher(u_int8_t *sel, u_int8_t *keylen) 1464{ 1465#define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1466 u_int32_t w = LE_READ_4(sel); 1467 1468 switch (w) { 1469 case RSN_SEL(RSN_CSE_NULL): 1470 return IEEE80211_CIPHER_NONE; 1471 case RSN_SEL(RSN_CSE_WEP40): 1472 if (keylen) 1473 *keylen = 40 / NBBY; 1474 return IEEE80211_CIPHER_WEP; 1475 case RSN_SEL(RSN_CSE_WEP104): 1476 if (keylen) 1477 *keylen = 104 / NBBY; 1478 return IEEE80211_CIPHER_WEP; 1479 case RSN_SEL(RSN_CSE_TKIP): 1480 return IEEE80211_CIPHER_TKIP; 1481 case RSN_SEL(RSN_CSE_CCMP): 1482 return IEEE80211_CIPHER_AES_CCM; 1483 case RSN_SEL(RSN_CSE_WRAP): 1484 return IEEE80211_CIPHER_AES_OCB; 1485 } 1486 return 32; /* NB: so 1<< is discarded */ 1487#undef WPA_SEL 1488} 1489 1490/* 1491 * Convert an RSN key management/authentication algorithm 1492 * to an internal code. 1493 */ 1494static int 1495rsn_keymgmt(u_int8_t *sel) 1496{ 1497#define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1498 u_int32_t w = LE_READ_4(sel); 1499 1500 switch (w) { 1501 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1502 return RSN_ASE_8021X_UNSPEC; 1503 case RSN_SEL(RSN_ASE_8021X_PSK): 1504 return RSN_ASE_8021X_PSK; 1505 case RSN_SEL(RSN_ASE_NONE): 1506 return RSN_ASE_NONE; 1507 } 1508 return 0; /* NB: so is discarded */ 1509#undef RSN_SEL 1510} 1511 1512/* 1513 * Parse a WPA/RSN information element to collect parameters 1514 * and validate the parameters against what has been 1515 * configured for the system. 1516 */ 1517static int 1518ieee80211_parse_rsn(struct ieee80211com *ic, u_int8_t *frm, 1519 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1520{ 1521 u_int8_t len = frm[1]; 1522 u_int32_t w; 1523 int n; 1524 1525 /* 1526 * Check the length once for fixed parts: 1527 * version, mcast cipher, and 2 selector counts. 1528 * Other, variable-length data, must be checked separately. 1529 */ 1530 KASSERT(ic->ic_flags & IEEE80211_F_WPA2, 1531 ("not RSN, flags 0x%x", ic->ic_flags)); 1532 if (len < 10) { 1533 IEEE80211_DISCARD_IE(ic, 1534 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1535 wh, "RSN", "too short, len %u", len); 1536 return IEEE80211_REASON_IE_INVALID; 1537 } 1538 frm += 2; 1539 w = LE_READ_2(frm); 1540 if (w != RSN_VERSION) { 1541 IEEE80211_DISCARD_IE(ic, 1542 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1543 wh, "RSN", "bad version %u", w); 1544 return IEEE80211_REASON_IE_INVALID; 1545 } 1546 frm += 2, len -= 2; 1547 1548 /* multicast/group cipher */ 1549 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1550 if (w != rsn->rsn_mcastcipher) { 1551 IEEE80211_DISCARD_IE(ic, 1552 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1553 wh, "RSN", "mcast cipher mismatch; got %u, expected %u", 1554 w, rsn->rsn_mcastcipher); 1555 return IEEE80211_REASON_IE_INVALID; 1556 } 1557 frm += 4, len -= 4; 1558 1559 /* unicast ciphers */ 1560 n = LE_READ_2(frm); 1561 frm += 2, len -= 2; 1562 if (len < n*4+2) { 1563 IEEE80211_DISCARD_IE(ic, 1564 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1565 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1566 len, n); 1567 return IEEE80211_REASON_IE_INVALID; 1568 } 1569 w = 0; 1570 for (; n > 0; n--) { 1571 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1572 frm += 4, len -= 4; 1573 } 1574 w &= rsn->rsn_ucastcipherset; 1575 if (w == 0) { 1576 IEEE80211_DISCARD_IE(ic, 1577 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1578 wh, "RSN", "%s", "ucast cipher set empty"); 1579 return IEEE80211_REASON_IE_INVALID; 1580 } 1581 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1582 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1583 else 1584 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1585 1586 /* key management algorithms */ 1587 n = LE_READ_2(frm); 1588 frm += 2, len -= 2; 1589 if (len < n*4) { 1590 IEEE80211_DISCARD_IE(ic, 1591 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1592 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1593 len, n); 1594 return IEEE80211_REASON_IE_INVALID; 1595 } 1596 w = 0; 1597 for (; n > 0; n--) { 1598 w |= rsn_keymgmt(frm); 1599 frm += 4, len -= 4; 1600 } 1601 w &= rsn->rsn_keymgmtset; 1602 if (w == 0) { 1603 IEEE80211_DISCARD_IE(ic, 1604 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1605 wh, "RSN", "%s", "no acceptable key mgmt alg"); 1606 return IEEE80211_REASON_IE_INVALID; 1607 } 1608 if (w & RSN_ASE_8021X_UNSPEC) 1609 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1610 else 1611 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1612 1613 /* optional RSN capabilities */ 1614 if (len > 2) 1615 rsn->rsn_caps = LE_READ_2(frm); 1616 /* XXXPMKID */ 1617 1618 return 0; 1619} 1620 1621static int 1622ieee80211_parse_wmeparams(struct ieee80211com *ic, u_int8_t *frm, 1623 const struct ieee80211_frame *wh) 1624{ 1625#define MS(_v, _f) (((_v) & _f) >> _f##_S) 1626 struct ieee80211_wme_state *wme = &ic->ic_wme; 1627 u_int len = frm[1], qosinfo; 1628 int i; 1629 1630 if (len < sizeof(struct ieee80211_wme_param)-2) { 1631 IEEE80211_DISCARD_IE(ic, 1632 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1633 wh, "WME", "too short, len %u", len); 1634 return -1; 1635 } 1636 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1637 qosinfo &= WME_QOSINFO_COUNT; 1638 /* XXX do proper check for wraparound */ 1639 if (qosinfo == wme->wme_wmeChanParams.cap_info) 1640 return 0; 1641 frm += __offsetof(struct ieee80211_wme_param, params_acParams); 1642 for (i = 0; i < WME_NUM_AC; i++) { 1643 struct wmeParams *wmep = 1644 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1645 /* NB: ACI not used */ 1646 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1647 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1648 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1649 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1650 wmep->wmep_txopLimit = LE_READ_2(frm+2); 1651 frm += 4; 1652 } 1653 wme->wme_wmeChanParams.cap_info = qosinfo; 1654 return 1; 1655#undef MS 1656} 1657 1658static void 1659ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie) 1660{ 1661 u_int ielen = ie[1]+2; 1662 /* 1663 * Record information element for later use. 1664 */ 1665 if (*iep == NULL || (*iep)[1] != ie[1]) { 1666 if (*iep != NULL) 1667 FREE(*iep, M_DEVBUF); 1668 MALLOC(*iep, void*, ielen, M_DEVBUF, M_NOWAIT); 1669 } 1670 if (*iep != NULL) 1671 memcpy(*iep, ie, ielen); 1672 /* XXX note failure */ 1673} 1674 1675#ifdef IEEE80211_DEBUG 1676static void 1677dump_probe_beacon(u_int8_t subtype, int isnew, 1678 const u_int8_t mac[IEEE80211_ADDR_LEN], 1679 u_int8_t chan, u_int8_t bchan, u_int16_t capinfo, u_int16_t bintval, 1680 u_int8_t erp, u_int8_t *ssid, u_int8_t *country) 1681{ 1682 printf("[%s] %s%s on chan %u (bss chan %u) ", 1683 ether_sprintf(mac), isnew ? "new " : "", 1684 ieee80211_mgt_subtype_name[subtype >> IEEE80211_FC0_SUBTYPE_SHIFT], 1685 chan, bchan); 1686 ieee80211_print_essid(ssid + 2, ssid[1]); 1687 printf("\n"); 1688 1689 if (isnew) { 1690 printf("[%s] caps 0x%x bintval %u erp 0x%x", 1691 ether_sprintf(mac), capinfo, bintval, erp); 1692 if (country) { 1693#ifdef __FreeBSD__ 1694 printf(" country info %*D", country[1], country+2, " "); 1695#else 1696 int i; 1697 printf(" country info"); 1698 for (i = 0; i < country[1]; i++) 1699 printf(" %02x", country[i+2]); 1700#endif 1701 } 1702 printf("\n"); 1703 } 1704} 1705#endif /* IEEE80211_DEBUG */ 1706 1707void 1708ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 1709 struct ieee80211_node *ni, 1710 int subtype, int rssi, u_int32_t rstamp) 1711{ 1712#define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 1713#define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 1714 struct ieee80211_frame *wh; 1715 u_int8_t *frm, *efrm; 1716 u_int8_t *ssid, *rates, *xrates, *wpa, *wme; 1717 int reassoc, resp, allocbs; 1718 u_int8_t rate; 1719 1720 wh = mtod(m0, struct ieee80211_frame *); 1721 frm = (u_int8_t *)&wh[1]; 1722 efrm = mtod(m0, u_int8_t *) + m0->m_len; 1723 switch (subtype) { 1724 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1725 case IEEE80211_FC0_SUBTYPE_BEACON: { 1726 u_int8_t *tstamp, *country, *tim; 1727 u_int8_t chan, bchan, fhindex, erp; 1728 u_int16_t capinfo, bintval, timoff; 1729 u_int16_t fhdwell; 1730 1731 /* 1732 * We process beacon/probe response frames: 1733 * o when scanning, or 1734 * o station mode when associated (to collect state 1735 * updates such as 802.11g slot time), or 1736 * o adhoc mode (to discover neighbors) 1737 * Frames otherwise received are discarded. 1738 */ 1739 if (!((ic->ic_flags & IEEE80211_F_SCAN) || 1740 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) || 1741 ic->ic_opmode == IEEE80211_M_IBSS)) { 1742 ic->ic_stats.is_rx_mgtdiscard++; 1743 return; 1744 } 1745 /* 1746 * beacon/probe response frame format 1747 * [8] time stamp 1748 * [2] beacon interval 1749 * [2] capability information 1750 * [tlv] ssid 1751 * [tlv] supported rates 1752 * [tlv] country information 1753 * [tlv] parameter set (FH/DS) 1754 * [tlv] erp information 1755 * [tlv] extended supported rates 1756 * [tlv] WME 1757 * [tlv] WPA or RSN 1758 */ 1759 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 1760 tstamp = frm; frm += 8; 1761 bintval = le16toh(*(u_int16_t *)frm); frm += 2; 1762 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 1763 ssid = rates = xrates = country = wpa = wme = tim = NULL; 1764 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1765 chan = bchan; 1766 fhdwell = 0; 1767 fhindex = 0; 1768 erp = 0; 1769 timoff = 0; 1770 while (frm < efrm) { 1771 switch (*frm) { 1772 case IEEE80211_ELEMID_SSID: 1773 ssid = frm; 1774 break; 1775 case IEEE80211_ELEMID_RATES: 1776 rates = frm; 1777 break; 1778 case IEEE80211_ELEMID_COUNTRY: 1779 country = frm; 1780 break; 1781 case IEEE80211_ELEMID_FHPARMS: 1782 if (ic->ic_phytype == IEEE80211_T_FH) { 1783 fhdwell = LE_READ_2(&frm[2]); 1784 chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1785 fhindex = frm[6]; 1786 } 1787 break; 1788 case IEEE80211_ELEMID_DSPARMS: 1789 /* 1790 * XXX hack this since depending on phytype 1791 * is problematic for multi-mode devices. 1792 */ 1793 if (ic->ic_phytype != IEEE80211_T_FH) 1794 chan = frm[2]; 1795 break; 1796 case IEEE80211_ELEMID_TIM: 1797 /* XXX ATIM? */ 1798 tim = frm; 1799 timoff = frm - mtod(m0, u_int8_t *); 1800 break; 1801 case IEEE80211_ELEMID_IBSSPARMS: 1802 break; 1803 case IEEE80211_ELEMID_XRATES: 1804 xrates = frm; 1805 break; 1806 case IEEE80211_ELEMID_ERP: 1807 if (frm[1] != 1) { 1808 IEEE80211_DISCARD_IE(ic, 1809 IEEE80211_MSG_ELEMID, wh, "ERP", 1810 "bad len %u", frm[1]); 1811 ic->ic_stats.is_rx_elem_toobig++; 1812 break; 1813 } 1814 erp = frm[2]; 1815 break; 1816 case IEEE80211_ELEMID_RSN: 1817 wpa = frm; 1818 break; 1819 case IEEE80211_ELEMID_VENDOR: 1820 if (iswpaoui(frm)) 1821 wpa = frm; 1822 else if (iswmeparam(frm) || iswmeinfo(frm)) 1823 wme = frm; 1824 /* XXX Atheros OUI support */ 1825 break; 1826 default: 1827 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 1828 wh, "unhandled", 1829 "id %u, len %u", *frm, frm[1]); 1830 ic->ic_stats.is_rx_elem_unknown++; 1831 break; 1832 } 1833 frm += frm[1] + 2; 1834 } 1835 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1836 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1837 if ( 1838#if IEEE80211_CHAN_MAX < 255 1839 chan > IEEE80211_CHAN_MAX || 1840#endif 1841 isclr(ic->ic_chan_active, chan)) { 1842 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, 1843 wh, ieee80211_mgt_subtype_name[subtype >> 1844 IEEE80211_FC0_SUBTYPE_SHIFT], 1845 "invalid channel %u", chan); 1846 ic->ic_stats.is_rx_badchan++; 1847 return; 1848 } 1849 if (chan != bchan && ic->ic_phytype != IEEE80211_T_FH) { 1850 /* 1851 * Frame was received on a channel different from the 1852 * one indicated in the DS params element id; 1853 * silently discard it. 1854 * 1855 * NB: this can happen due to signal leakage. 1856 * But we should take it for FH phy because 1857 * the rssi value should be correct even for 1858 * different hop pattern in FH. 1859 */ 1860 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, 1861 wh, ieee80211_mgt_subtype_name[subtype >> 1862 IEEE80211_FC0_SUBTYPE_SHIFT], 1863 "for off-channel %u", chan); 1864 ic->ic_stats.is_rx_chanmismatch++; 1865 return; 1866 } 1867 1868 /* 1869 * Count frame now that we know it's to be processed. 1870 */ 1871 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1872 ic->ic_stats.is_rx_beacon++; /* XXX remove */ 1873 IEEE80211_NODE_STAT(ni, rx_beacons); 1874 } else 1875 IEEE80211_NODE_STAT(ni, rx_proberesp); 1876 1877 /* 1878 * When operating in station mode, check for state updates. 1879 * Be careful to ignore beacons received while doing a 1880 * background scan. We consider only 11g/WMM stuff right now. 1881 */ 1882 if (ic->ic_opmode == IEEE80211_M_STA && 1883 ni->ni_associd != 0 && 1884 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 1885 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 1886 /* record tsf of last beacon */ 1887 memcpy(ni->ni_tstamp.data, tstamp, 1888 sizeof(ni->ni_tstamp)); 1889 if (ni->ni_erp != erp) { 1890 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1891 "[%s] erp change: was 0x%x, now 0x%x\n", 1892 ether_sprintf(wh->i_addr2), 1893 ni->ni_erp, erp); 1894 if (ic->ic_curmode == IEEE80211_MODE_11G && 1895 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 1896 ic->ic_flags |= IEEE80211_F_USEPROT; 1897 else 1898 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1899 ni->ni_erp = erp; 1900 /* XXX statistic */ 1901 } 1902 if ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1903 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1904 "[%s] capabilities change: before 0x%x," 1905 " now 0x%x\n", 1906 ether_sprintf(wh->i_addr2), 1907 ni->ni_capinfo, capinfo); 1908 /* 1909 * NB: we assume short preamble doesn't 1910 * change dynamically 1911 */ 1912 ieee80211_set_shortslottime(ic, 1913 ic->ic_curmode == IEEE80211_MODE_11A || 1914 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1915 ni->ni_capinfo = capinfo; 1916 /* XXX statistic */ 1917 } 1918 if (wme != NULL && 1919 (ni->ni_flags & IEEE80211_NODE_QOS) && 1920 ieee80211_parse_wmeparams(ic, wme, wh) > 0) 1921 ieee80211_wme_updateparams(ic); 1922 if (tim != NULL) { 1923 struct ieee80211_tim_ie *ie = 1924 (struct ieee80211_tim_ie *) tim; 1925 1926 ni->ni_dtim_count = ie->tim_count; 1927 ni->ni_dtim_period = ie->tim_period; 1928 } 1929 /* NB: don't need the rest of this */ 1930 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) 1931 return; 1932 } 1933 1934 if (ni == ic->ic_bss && 1935 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 1936#ifdef IEEE80211_DEBUG 1937 if (ieee80211_msg_scan(ic)) 1938 dump_probe_beacon(subtype, 1, 1939 wh->i_addr2, chan, bchan, capinfo, 1940 bintval, erp, ssid, country); 1941#endif 1942 /* 1943 * Create a new entry. If scanning the entry goes 1944 * in the scan cache. Otherwise, be particular when 1945 * operating in adhoc mode--only take nodes marked 1946 * as ibss participants so we don't populate our 1947 * neighbor table with unintersting sta's. 1948 */ 1949 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1950 if ((capinfo & IEEE80211_CAPINFO_IBSS) == 0) 1951 return; 1952 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 1953 wh->i_addr2); 1954 } else 1955 ni = ieee80211_dup_bss(&ic->ic_scan, wh->i_addr2); 1956 if (ni == NULL) 1957 return; 1958 ni->ni_esslen = ssid[1]; 1959 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1960 memcpy(ni->ni_essid, ssid + 2, ssid[1]); 1961 } else if (ssid[1] != 0 && 1962 (ISPROBE(subtype) || ni->ni_esslen == 0)) { 1963 /* 1964 * Update ESSID at probe response to adopt 1965 * hidden AP by Lucent/Cisco, which announces 1966 * null ESSID in beacon. 1967 */ 1968#ifdef IEEE80211_DEBUG 1969 if (ieee80211_msg_scan(ic) || 1970 ieee80211_msg_debug(ic)) 1971 dump_probe_beacon(subtype, 0, 1972 wh->i_addr2, chan, bchan, capinfo, 1973 bintval, erp, ssid, country); 1974#endif 1975 ni->ni_esslen = ssid[1]; 1976 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 1977 memcpy(ni->ni_essid, ssid + 2, ssid[1]); 1978 } 1979 ni->ni_scangen = ic->ic_scan.nt_scangen; 1980 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 1981 ni->ni_rssi = rssi; 1982 ni->ni_rstamp = rstamp; 1983 memcpy(ni->ni_tstamp.data, tstamp, sizeof(ni->ni_tstamp)); 1984 ni->ni_intval = bintval; 1985 ni->ni_capinfo = capinfo; 1986 ni->ni_chan = &ic->ic_channels[chan]; 1987 ni->ni_fhdwell = fhdwell; 1988 ni->ni_fhindex = fhindex; 1989 ni->ni_erp = erp; 1990 if (tim != NULL) { 1991 struct ieee80211_tim_ie *ie = 1992 (struct ieee80211_tim_ie *) tim; 1993 1994 ni->ni_dtim_count = ie->tim_count; 1995 ni->ni_dtim_period = ie->tim_period; 1996 } 1997 /* 1998 * Record the byte offset from the mac header to 1999 * the start of the TIM information element for 2000 * use by hardware and/or to speedup software 2001 * processing of beacon frames. 2002 */ 2003 ni->ni_timoff = timoff; 2004 /* 2005 * Record optional information elements that might be 2006 * used by applications or drivers. 2007 */ 2008 if (wme != NULL) 2009 ieee80211_saveie(&ni->ni_wme_ie, wme); 2010 if (wpa != NULL) 2011 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2012 /* NB: must be after ni_chan is setup */ 2013 ieee80211_setup_rates(ic, ni, rates, xrates, IEEE80211_F_DOSORT); 2014 break; 2015 } 2016 2017 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2018 if (ic->ic_opmode == IEEE80211_M_STA || 2019 ic->ic_state != IEEE80211_S_RUN) { 2020 ic->ic_stats.is_rx_mgtdiscard++; 2021 return; 2022 } 2023 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 2024 /* frame must be directed */ 2025 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */ 2026 return; 2027 } 2028 2029 /* 2030 * prreq frame format 2031 * [tlv] ssid 2032 * [tlv] supported rates 2033 * [tlv] extended supported rates 2034 */ 2035 ssid = rates = xrates = NULL; 2036 while (frm < efrm) { 2037 switch (*frm) { 2038 case IEEE80211_ELEMID_SSID: 2039 ssid = frm; 2040 break; 2041 case IEEE80211_ELEMID_RATES: 2042 rates = frm; 2043 break; 2044 case IEEE80211_ELEMID_XRATES: 2045 xrates = frm; 2046 break; 2047 } 2048 frm += frm[1] + 2; 2049 } 2050 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2051 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2052 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2053 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 2054 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 2055 wh, ieee80211_mgt_subtype_name[subtype >> 2056 IEEE80211_FC0_SUBTYPE_SHIFT], 2057 "%s", "no ssid with ssid suppression enabled"); 2058 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/ 2059 return; 2060 } 2061 2062 if (ni == ic->ic_bss) { 2063 if (ic->ic_opmode == IEEE80211_M_IBSS) { 2064 /* 2065 * XXX Cannot tell if the sender is operating 2066 * in ibss mode. But we need a new node to 2067 * send the response so blindly add them to the 2068 * neighbor table. 2069 */ 2070 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2071 wh->i_addr2); 2072 } else 2073 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 2074 if (ni == NULL) 2075 return; 2076 allocbs = 1; 2077 } else 2078 allocbs = 0; 2079 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2080 "[%s] recv probe req\n", ether_sprintf(wh->i_addr2)); 2081 ni->ni_rssi = rssi; 2082 ni->ni_rstamp = rstamp; 2083 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2084 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE 2085 | IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2086 if (rate & IEEE80211_RATE_BASIC) { 2087 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE, 2088 wh, ieee80211_mgt_subtype_name[subtype >> 2089 IEEE80211_FC0_SUBTYPE_SHIFT], 2090 "%s", "recv'd rate set invalid"); 2091 } else { 2092 IEEE80211_SEND_MGMT(ic, ni, 2093 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2094 } 2095 if (allocbs && ic->ic_opmode != IEEE80211_M_IBSS) { 2096 /* reclaim immediately */ 2097 ieee80211_free_node(ni); 2098 } 2099 break; 2100 2101 case IEEE80211_FC0_SUBTYPE_AUTH: { 2102 u_int16_t algo, seq, status; 2103 /* 2104 * auth frame format 2105 * [2] algorithm 2106 * [2] sequence 2107 * [2] status 2108 * [tlv*] challenge 2109 */ 2110 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2111 algo = le16toh(*(u_int16_t *)frm); 2112 seq = le16toh(*(u_int16_t *)(frm + 2)); 2113 status = le16toh(*(u_int16_t *)(frm + 4)); 2114 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2115 "[%s] recv auth frame with algorithm %d seq %d\n", 2116 ether_sprintf(wh->i_addr2), algo, seq); 2117 /* 2118 * Consult the ACL policy module if setup. 2119 */ 2120 if (ic->ic_acl != NULL && 2121 !ic->ic_acl->iac_check(ic, wh->i_addr2)) { 2122 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL, 2123 wh, "auth", "%s", "disallowed by ACL"); 2124 ic->ic_stats.is_rx_acl++; 2125 return; 2126 } 2127 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 2128 IEEE80211_DISCARD(ic, 2129 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2130 wh, "auth", "%s", "TKIP countermeasures enabled"); 2131 ic->ic_stats.is_rx_auth_countermeasures++; 2132 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2133 IEEE80211_SEND_MGMT(ic, ni, 2134 IEEE80211_FC0_SUBTYPE_AUTH, 2135 IEEE80211_REASON_MIC_FAILURE); 2136 } 2137 return; 2138 } 2139 if (algo == IEEE80211_AUTH_ALG_SHARED) 2140 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 2141 rstamp, seq, status); 2142 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2143 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 2144 status); 2145 else { 2146 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2147 wh, "auth", "unsupported alg %d", algo); 2148 ic->ic_stats.is_rx_auth_unsupported++; 2149 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2150 /* XXX not right */ 2151 IEEE80211_SEND_MGMT(ic, ni, 2152 IEEE80211_FC0_SUBTYPE_AUTH, 2153 (seq+1) | (IEEE80211_STATUS_ALG<<16)); 2154 } 2155 return; 2156 } 2157 break; 2158 } 2159 2160 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2161 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2162 u_int16_t capinfo, bintval; 2163 struct ieee80211_rsnparms rsn; 2164 u_int8_t reason; 2165 2166 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2167 ic->ic_state != IEEE80211_S_RUN) { 2168 ic->ic_stats.is_rx_mgtdiscard++; 2169 return; 2170 } 2171 2172 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2173 reassoc = 1; 2174 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2175 } else { 2176 reassoc = 0; 2177 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2178 } 2179 /* 2180 * asreq frame format 2181 * [2] capability information 2182 * [2] listen interval 2183 * [6*] current AP address (reassoc only) 2184 * [tlv] ssid 2185 * [tlv] supported rates 2186 * [tlv] extended supported rates 2187 * [tlv] WPA or RSN 2188 */ 2189 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 2190 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2191 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2192 wh, ieee80211_mgt_subtype_name[subtype >> 2193 IEEE80211_FC0_SUBTYPE_SHIFT], 2194 "%s", "wrong bssid"); 2195 ic->ic_stats.is_rx_assoc_bss++; 2196 return; 2197 } 2198 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 2199 bintval = le16toh(*(u_int16_t *)frm); frm += 2; 2200 if (reassoc) 2201 frm += 6; /* ignore current AP info */ 2202 ssid = rates = xrates = wpa = wme = NULL; 2203 while (frm < efrm) { 2204 switch (*frm) { 2205 case IEEE80211_ELEMID_SSID: 2206 ssid = frm; 2207 break; 2208 case IEEE80211_ELEMID_RATES: 2209 rates = frm; 2210 break; 2211 case IEEE80211_ELEMID_XRATES: 2212 xrates = frm; 2213 break; 2214 /* XXX verify only one of RSN and WPA ie's? */ 2215 case IEEE80211_ELEMID_RSN: 2216 wpa = frm; 2217 break; 2218 case IEEE80211_ELEMID_VENDOR: 2219 if (iswpaoui(frm)) { 2220 if (ic->ic_flags & IEEE80211_F_WPA1) 2221 wpa = frm; 2222 } else if (iswmeinfo(frm)) 2223 wme = frm; 2224 /* XXX Atheros OUI support */ 2225 break; 2226 } 2227 frm += frm[1] + 2; 2228 } 2229 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2230 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2231 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2232 2233 if (ni == ic->ic_bss) { 2234 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2235 "[%s] deny %s request, sta not authenticated\n", 2236 ether_sprintf(wh->i_addr2), 2237 reassoc ? "reassoc" : "assoc"); 2238 ieee80211_send_error(ic, ni, wh->i_addr2, 2239 IEEE80211_FC0_SUBTYPE_DEAUTH, 2240 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2241 ic->ic_stats.is_rx_assoc_notauth++; 2242 return; 2243 } 2244 /* assert right associstion security credentials */ 2245 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) { 2246 IEEE80211_DPRINTF(ic, 2247 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2248 "[%s] no WPA/RSN IE in association request\n", 2249 ether_sprintf(wh->i_addr2)); 2250 IEEE80211_SEND_MGMT(ic, ni, 2251 IEEE80211_FC0_SUBTYPE_DEAUTH, 2252 IEEE80211_REASON_RSN_REQUIRED); 2253 ieee80211_node_leave(ic, ni); 2254 /* XXX distinguish WPA/RSN? */ 2255 ic->ic_stats.is_rx_assoc_badwpaie++; 2256 return; 2257 } 2258 if (wpa != NULL) { 2259 /* 2260 * Parse WPA information element. Note that 2261 * we initialize the param block from the node 2262 * state so that information in the IE overrides 2263 * our defaults. The resulting parameters are 2264 * installed below after the association is assured. 2265 */ 2266 rsn = ni->ni_rsn; 2267 if (wpa[0] != IEEE80211_ELEMID_RSN) 2268 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh); 2269 else 2270 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh); 2271 if (reason != 0) { 2272 IEEE80211_SEND_MGMT(ic, ni, 2273 IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 2274 ieee80211_node_leave(ic, ni); 2275 /* XXX distinguish WPA/RSN? */ 2276 ic->ic_stats.is_rx_assoc_badwpaie++; 2277 return; 2278 } 2279 IEEE80211_DPRINTF(ic, 2280 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2281 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n", 2282 ether_sprintf(wh->i_addr2), 2283 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN", 2284 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen, 2285 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen, 2286 rsn.rsn_keymgmt, rsn.rsn_caps); 2287 } 2288 /* discard challenge after association */ 2289 if (ni->ni_challenge != NULL) { 2290 FREE(ni->ni_challenge, M_DEVBUF); 2291 ni->ni_challenge = NULL; 2292 } 2293 /* NB: 802.11 spec says to ignore station's privacy bit */ 2294 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2295 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2296 "[%s] deny %s request, capability mismatch 0x%x\n", 2297 ether_sprintf(wh->i_addr2), 2298 reassoc ? "reassoc" : "assoc", capinfo); 2299 IEEE80211_SEND_MGMT(ic, ni, resp, 2300 IEEE80211_STATUS_CAPINFO); 2301 ieee80211_node_leave(ic, ni); 2302 ic->ic_stats.is_rx_assoc_capmismatch++; 2303 return; 2304 } 2305 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2306 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2307 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2308 if (rate & IEEE80211_RATE_BASIC) { 2309 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2310 "[%s] deny %s request, rate set mismatch\n", 2311 ether_sprintf(wh->i_addr2), 2312 reassoc ? "reassoc" : "assoc"); 2313 IEEE80211_SEND_MGMT(ic, ni, resp, 2314 IEEE80211_STATUS_BASIC_RATE); 2315 ieee80211_node_leave(ic, ni); 2316 ic->ic_stats.is_rx_assoc_norate++; 2317 return; 2318 } 2319 ni->ni_rssi = rssi; 2320 ni->ni_rstamp = rstamp; 2321 ni->ni_intval = bintval; 2322 ni->ni_capinfo = capinfo; 2323 ni->ni_chan = ic->ic_bss->ni_chan; 2324 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 2325 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 2326 if (wpa != NULL) { 2327 /* 2328 * Record WPA/RSN parameters for station, mark 2329 * node as using WPA and record information element 2330 * for applications that require it. 2331 */ 2332 ni->ni_rsn = rsn; 2333 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2334 } else if (ni->ni_wpa_ie != NULL) { 2335 /* 2336 * Flush any state from a previous association. 2337 */ 2338 FREE(ni->ni_wpa_ie, M_DEVBUF); 2339 ni->ni_wpa_ie = NULL; 2340 } 2341 if (wme != NULL) { 2342 /* 2343 * Record WME parameters for station, mark node 2344 * as capable of QoS and record information 2345 * element for applications that require it. 2346 */ 2347 ieee80211_saveie(&ni->ni_wme_ie, wme); 2348 ni->ni_flags |= IEEE80211_NODE_QOS; 2349 } else if (ni->ni_wme_ie != NULL) { 2350 /* 2351 * Flush any state from a previous association. 2352 */ 2353 FREE(ni->ni_wme_ie, M_DEVBUF); 2354 ni->ni_wme_ie = NULL; 2355 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2356 } 2357 ieee80211_node_join(ic, ni, resp); 2358 break; 2359 } 2360 2361 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2362 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 2363 u_int16_t capinfo, associd; 2364 u_int16_t status; 2365 2366 if (ic->ic_opmode != IEEE80211_M_STA || 2367 ic->ic_state != IEEE80211_S_ASSOC) { 2368 ic->ic_stats.is_rx_mgtdiscard++; 2369 return; 2370 } 2371 2372 /* 2373 * asresp frame format 2374 * [2] capability information 2375 * [2] status 2376 * [2] association ID 2377 * [tlv] supported rates 2378 * [tlv] extended supported rates 2379 * [tlv] WME 2380 */ 2381 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2382 ni = ic->ic_bss; 2383 capinfo = le16toh(*(u_int16_t *)frm); 2384 frm += 2; 2385 status = le16toh(*(u_int16_t *)frm); 2386 frm += 2; 2387 if (status != 0) { 2388 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2389 "[%s] %sassoc failed (reason %d)\n", 2390 ether_sprintf(wh->i_addr2), 2391 ISREASSOC(subtype) ? "re" : "", status); 2392 if (ni != ic->ic_bss) /* XXX never true? */ 2393 ni->ni_fails++; 2394 ic->ic_stats.is_rx_auth_fail++; /* XXX */ 2395 return; 2396 } 2397 associd = le16toh(*(u_int16_t *)frm); 2398 frm += 2; 2399 2400 rates = xrates = wpa = wme = NULL; 2401 while (frm < efrm) { 2402 switch (*frm) { 2403 case IEEE80211_ELEMID_RATES: 2404 rates = frm; 2405 break; 2406 case IEEE80211_ELEMID_XRATES: 2407 xrates = frm; 2408 break; 2409 case IEEE80211_ELEMID_VENDOR: 2410 if (iswmeoui(frm)) 2411 wme = frm; 2412 /* XXX Atheros OUI support */ 2413 break; 2414 } 2415 frm += frm[1] + 2; 2416 } 2417 2418 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2419 rate = ieee80211_setup_rates(ic, ni, rates, xrates, 2420 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2421 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2422 if (rate & IEEE80211_RATE_BASIC) { 2423 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2424 "[%s] %sassoc failed (rate set mismatch)\n", 2425 ether_sprintf(wh->i_addr2), 2426 ISREASSOC(subtype) ? "re" : ""); 2427 if (ni != ic->ic_bss) /* XXX never true? */ 2428 ni->ni_fails++; 2429 ic->ic_stats.is_rx_assoc_norate++; 2430 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 2431 return; 2432 } 2433 2434 ni->ni_capinfo = capinfo; 2435 ni->ni_associd = associd; 2436 if (wme != NULL && 2437 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) { 2438 ni->ni_flags |= IEEE80211_NODE_QOS; 2439 ieee80211_wme_updateparams(ic); 2440 } else 2441 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2442 /* 2443 * Configure state now that we are associated. 2444 * 2445 * XXX may need different/additional driver callbacks? 2446 */ 2447 if (ic->ic_curmode == IEEE80211_MODE_11A || 2448 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { 2449 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2450 ic->ic_flags &= ~IEEE80211_F_USEBARKER; 2451 } else { 2452 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2453 ic->ic_flags |= IEEE80211_F_USEBARKER; 2454 } 2455 ieee80211_set_shortslottime(ic, 2456 ic->ic_curmode == IEEE80211_MODE_11A || 2457 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2458 /* 2459 * Honor ERP protection. 2460 * 2461 * NB: ni_erp should zero for non-11g operation. 2462 * XXX check ic_curmode anyway? 2463 */ 2464 if (ic->ic_curmode == IEEE80211_MODE_11G && 2465 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2466 ic->ic_flags |= IEEE80211_F_USEPROT; 2467 else 2468 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2469 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2470 "[%s] %sassoc success: %s preamble, %s slot time%s%s\n", 2471 ether_sprintf(wh->i_addr2), 2472 ISREASSOC(subtype) ? "re" : "", 2473 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 2474 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 2475 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 2476 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "" 2477 ); 2478 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype); 2479 break; 2480 } 2481 2482 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 2483 u_int16_t reason; 2484 2485 if (ic->ic_state == IEEE80211_S_SCAN) { 2486 ic->ic_stats.is_rx_mgtdiscard++; 2487 return; 2488 } 2489 /* 2490 * deauth frame format 2491 * [2] reason 2492 */ 2493 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2494 reason = le16toh(*(u_int16_t *)frm); 2495 ic->ic_stats.is_rx_deauth++; 2496 IEEE80211_NODE_STAT(ni, rx_deauth); 2497 2498 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2499 "[%s] recv deauthenticate (reason %d)\n", 2500 ether_sprintf(ni->ni_macaddr), reason); 2501 switch (ic->ic_opmode) { 2502 case IEEE80211_M_STA: 2503 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2504 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2505 break; 2506 case IEEE80211_M_HOSTAP: 2507 if (ni != ic->ic_bss) 2508 ieee80211_node_leave(ic, ni); 2509 break; 2510 default: 2511 ic->ic_stats.is_rx_mgtdiscard++; 2512 break; 2513 } 2514 break; 2515 } 2516 2517 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2518 u_int16_t reason; 2519 2520 if (ic->ic_state != IEEE80211_S_RUN && 2521 ic->ic_state != IEEE80211_S_ASSOC && 2522 ic->ic_state != IEEE80211_S_AUTH) { 2523 ic->ic_stats.is_rx_mgtdiscard++; 2524 return; 2525 } 2526 /* 2527 * disassoc frame format 2528 * [2] reason 2529 */ 2530 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2531 reason = le16toh(*(u_int16_t *)frm); 2532 ic->ic_stats.is_rx_disassoc++; 2533 IEEE80211_NODE_STAT(ni, rx_disassoc); 2534 2535 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2536 "[%s] recv disassociated (reason %d)\n", 2537 ether_sprintf(ni->ni_macaddr), reason); 2538 switch (ic->ic_opmode) { 2539 case IEEE80211_M_STA: 2540 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2541 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2542 break; 2543 case IEEE80211_M_HOSTAP: 2544 if (ni != ic->ic_bss) 2545 ieee80211_node_leave(ic, ni); 2546 break; 2547 default: 2548 ic->ic_stats.is_rx_mgtdiscard++; 2549 break; 2550 } 2551 break; 2552 } 2553 default: 2554 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2555 wh, "mgt", "subtype 0x%x not handled", subtype); 2556 ic->ic_stats.is_rx_badsubtype++; 2557 break; 2558 } 2559#undef ISREASSOC 2560#undef ISPROBE 2561} 2562#undef IEEE80211_VERIFY_LENGTH 2563#undef IEEE80211_VERIFY_ELEMENT 2564 2565/* 2566 * Handle station power-save state change. 2567 */ 2568static void 2569ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable) 2570{ 2571 struct ieee80211com *ic = ni->ni_ic; 2572 struct mbuf *m; 2573 2574 if (enable) { 2575 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0) 2576 ic->ic_ps_sta++; 2577 ni->ni_flags |= IEEE80211_NODE_PWR_MGT; 2578 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2579 "[%s] power save mode on, %u sta's in ps mode\n", 2580 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta); 2581 return; 2582 } 2583 2584 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT) 2585 ic->ic_ps_sta--; 2586 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT; 2587 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2588 "[%s] power save mode off, %u sta's in ps mode\n", 2589 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta); 2590 /* XXX if no stations in ps mode, flush mc frames */ 2591 2592 /* 2593 * Flush queued unicast frames. 2594 */ 2595 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) { 2596 if (ic->ic_set_tim != NULL) 2597 ic->ic_set_tim(ic, ni, 0); /* just in case */ 2598 return; 2599 } 2600 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2601 "[%s] flush ps queue, %u packets queued\n", 2602 ether_sprintf(ni->ni_macaddr), IEEE80211_NODE_SAVEQ_QLEN(ni)); 2603 for (;;) { 2604 int qlen; 2605 2606 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2607 if (m == NULL) 2608 break; 2609 /* 2610 * If this is the last packet, turn off the TIM bit. 2611 * If there are more packets, set the more packets bit 2612 * in the packet dispatched to the station. 2613 */ 2614 if (qlen != 0) { 2615 struct ieee80211_frame_min *wh = 2616 mtod(m, struct ieee80211_frame_min *); 2617 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 2618 } 2619 /* XXX need different driver interface */ 2620 /* XXX bypasses q max */ 2621 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2622 } 2623 if (ic->ic_set_tim != NULL) 2624 ic->ic_set_tim(ic, ni, 0); 2625} 2626 2627/* 2628 * Process a received ps-poll frame. 2629 */ 2630static void 2631ieee80211_recv_pspoll(struct ieee80211com *ic, 2632 struct ieee80211_node *ni, struct mbuf *m0) 2633{ 2634 struct ieee80211_frame_min *wh; 2635 struct mbuf *m; 2636 u_int16_t aid; 2637 int qlen; 2638 2639 wh = mtod(m0, struct ieee80211_frame_min *); 2640 if (ni->ni_associd == 0) { 2641 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2642 (struct ieee80211_frame *) wh, "ps-poll", 2643 "%s", "unassociated station"); 2644 ic->ic_stats.is_ps_unassoc++; 2645 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2646 IEEE80211_REASON_NOT_ASSOCED); 2647 return; 2648 } 2649 2650 aid = le16toh(*(u_int16_t *)wh->i_dur); 2651 if (aid != ni->ni_associd) { 2652 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2653 (struct ieee80211_frame *) wh, "ps-poll", 2654 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2655 ni->ni_associd, aid); 2656 ic->ic_stats.is_ps_badaid++; 2657 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2658 IEEE80211_REASON_NOT_ASSOCED); 2659 return; 2660 } 2661 2662 /* Okay, take the first queued packet and put it out... */ 2663 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2664 if (m == NULL) { 2665 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2666 "[%s] recv ps-poll, but queue empty\n", 2667 ether_sprintf(wh->i_addr2)); 2668 ieee80211_send_nulldata(ic, ni); 2669 ic->ic_stats.is_ps_qempty++; /* XXX node stat */ 2670 if (ic->ic_set_tim != NULL) 2671 ic->ic_set_tim(ic, ni, 0); /* just in case */ 2672 return; 2673 } 2674 /* 2675 * If there are more packets, set the more packets bit 2676 * in the packet dispatched to the station; otherwise 2677 * turn off the TIM bit. 2678 */ 2679 if (qlen != 0) { 2680 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2681 "[%s] recv ps-poll, send packet, %u still queued\n", 2682 ether_sprintf(ni->ni_macaddr), qlen); 2683 wh = mtod(m, struct ieee80211_frame_min *); 2684 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 2685 } else { 2686 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2687 "[%s] recv ps-poll, send packet, queue empty\n", 2688 ether_sprintf(ni->ni_macaddr)); 2689 if (ic->ic_set_tim != NULL) 2690 ic->ic_set_tim(ic, ni, 0); 2691 } 2692 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2693 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2694} 2695 2696#ifdef IEEE80211_DEBUG 2697/* 2698 * Debugging support. 2699 */ 2700 2701/* 2702 * Return the bssid of a frame. 2703 */ 2704static const u_int8_t * 2705ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh) 2706{ 2707 if (ic->ic_opmode == IEEE80211_M_STA) 2708 return wh->i_addr2; 2709 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS) 2710 return wh->i_addr1; 2711 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL) 2712 return wh->i_addr1; 2713 return wh->i_addr3; 2714} 2715 2716static void 2717ieee80211_discard_frame(struct ieee80211com *ic, 2718 const struct ieee80211_frame *wh, 2719 const char *type, const char *fmt, ...) 2720{ 2721 va_list ap; 2722 2723 printf("[%s] discard ", ether_sprintf(ieee80211_getbssid(ic, wh))); 2724 if (type != NULL) 2725 printf(" %s frame, ", type); 2726 else 2727 printf(" frame, "); 2728 va_start(ap, fmt); 2729 vprintf(fmt, ap); 2730 va_end(ap); 2731 printf("\n"); 2732} 2733 2734static void 2735ieee80211_discard_ie(struct ieee80211com *ic, 2736 const struct ieee80211_frame *wh, 2737 const char *type, const char *fmt, ...) 2738{ 2739 va_list ap; 2740 2741 printf("[%s] discard ", ether_sprintf(ieee80211_getbssid(ic, wh))); 2742 if (type != NULL) 2743 printf(" %s information element, ", type); 2744 else 2745 printf(" information element, "); 2746 va_start(ap, fmt); 2747 vprintf(fmt, ap); 2748 va_end(ap); 2749 printf("\n"); 2750} 2751 2752static void 2753ieee80211_discard_mac(struct ieee80211com *ic, 2754 const u_int8_t mac[IEEE80211_ADDR_LEN], 2755 const char *type, const char *fmt, ...) 2756{ 2757 va_list ap; 2758 2759 printf("[%s] discard ", ether_sprintf(mac)); 2760 if (type != NULL) 2761 printf(" %s frame, ", type); 2762 else 2763 printf(" frame, "); 2764 va_start(ap, fmt); 2765 vprintf(fmt, ap); 2766 va_end(ap); 2767 printf("\n"); 2768} 2769#endif /* IEEE80211_DEBUG */ 2770