ieee80211_input.c revision 148843
1/*- 2 * Copyright (c) 2001 Atsushi Onoe 3 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. The name of the author may not be used to endorse or promote products 15 * derived from this software without specific prior written permission. 16 * 17 * Alternatively, this software may be distributed under the terms of the 18 * GNU General Public License ("GPL") version 2 as published by the Free 19 * Software Foundation. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33#include <sys/cdefs.h> 34__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_input.c 148843 2005-08-08 03:30:57Z sam $"); 35 36#include <sys/param.h> 37#include <sys/systm.h> 38#include <sys/mbuf.h> 39#include <sys/malloc.h> 40#include <sys/endian.h> 41#include <sys/kernel.h> 42 43#include <sys/socket.h> 44 45#include <net/if.h> 46#include <net/if_media.h> 47#include <net/ethernet.h> 48#include <net/if_llc.h> 49#include <net/if_vlan_var.h> 50 51#include <net80211/ieee80211_var.h> 52 53#include <net/bpf.h> 54 55#ifdef IEEE80211_DEBUG 56#include <machine/stdarg.h> 57 58/* 59 * Decide if a received management frame should be 60 * printed when debugging is enabled. This filters some 61 * of the less interesting frames that come frequently 62 * (e.g. beacons). 63 */ 64static __inline int 65doprint(struct ieee80211com *ic, int subtype) 66{ 67 switch (subtype) { 68 case IEEE80211_FC0_SUBTYPE_BEACON: 69 return (ic->ic_flags & IEEE80211_F_SCAN); 70 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 71 return (ic->ic_opmode == IEEE80211_M_IBSS); 72 } 73 return 1; 74} 75 76/* 77 * Emit a debug message about discarding a frame or information 78 * element. One format is for extracting the mac address from 79 * the frame header; the other is for when a header is not 80 * available or otherwise appropriate. 81 */ 82#define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \ 83 if ((_ic)->ic_debug & (_m)) \ 84 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 85} while (0) 86#define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \ 87 if ((_ic)->ic_debug & (_m)) \ 88 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\ 89} while (0) 90#define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \ 91 if ((_ic)->ic_debug & (_m)) \ 92 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\ 93} while (0) 94 95static const u_int8_t *ieee80211_getbssid(struct ieee80211com *, 96 const struct ieee80211_frame *); 97static void ieee80211_discard_frame(struct ieee80211com *, 98 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 99static void ieee80211_discard_ie(struct ieee80211com *, 100 const struct ieee80211_frame *, const char *type, const char *fmt, ...); 101static void ieee80211_discard_mac(struct ieee80211com *, 102 const u_int8_t mac[IEEE80211_ADDR_LEN], const char *type, 103 const char *fmt, ...); 104#else 105#define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) 106#define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) 107#define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) 108#endif /* IEEE80211_DEBUG */ 109 110static struct mbuf *ieee80211_defrag(struct ieee80211com *, 111 struct ieee80211_node *, struct mbuf *, int); 112static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int); 113static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *, 114 const u_int8_t *mac, int subtype, int arg); 115static void ieee80211_deliver_data(struct ieee80211com *, 116 struct ieee80211_node *, struct mbuf *); 117static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable); 118static void ieee80211_recv_pspoll(struct ieee80211com *, 119 struct ieee80211_node *, struct mbuf *); 120 121/* 122 * Process a received frame. The node associated with the sender 123 * should be supplied. If nothing was found in the node table then 124 * the caller is assumed to supply a reference to ic_bss instead. 125 * The RSSI and a timestamp are also supplied. The RSSI data is used 126 * during AP scanning to select a AP to associate with; it can have 127 * any units so long as values have consistent units and higher values 128 * mean ``better signal''. The receive timestamp is currently not used 129 * by the 802.11 layer. 130 */ 131int 132ieee80211_input(struct ieee80211com *ic, struct mbuf *m, 133 struct ieee80211_node *ni, int rssi, u_int32_t rstamp) 134{ 135#define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 136#define HAS_SEQ(type) ((type & 0x4) == 0) 137 struct ifnet *ifp = ic->ic_ifp; 138 struct ieee80211_frame *wh; 139 struct ieee80211_key *key; 140 struct ether_header *eh; 141 int hdrspace; 142 u_int8_t dir, type, subtype; 143 u_int8_t *bssid; 144 u_int16_t rxseq; 145 146 KASSERT(ni != NULL, ("null node")); 147 ni->ni_inact = ni->ni_inact_reload; 148 149 /* trim CRC here so WEP can find its own CRC at the end of packet. */ 150 if (m->m_flags & M_HASFCS) { 151 m_adj(m, -IEEE80211_CRC_LEN); 152 m->m_flags &= ~M_HASFCS; 153 } 154 type = -1; /* undefined */ 155 /* 156 * In monitor mode, send everything directly to bpf. 157 * XXX may want to include the CRC 158 */ 159 if (ic->ic_opmode == IEEE80211_M_MONITOR) 160 goto out; 161 162 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 163 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 164 ni->ni_macaddr, NULL, 165 "too short (1): len %u", m->m_pkthdr.len); 166 ic->ic_stats.is_rx_tooshort++; 167 goto out; 168 } 169 /* 170 * Bit of a cheat here, we use a pointer for a 3-address 171 * frame format but don't reference fields past outside 172 * ieee80211_frame_min w/o first validating the data is 173 * present. 174 */ 175 wh = mtod(m, struct ieee80211_frame *); 176 177 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 178 IEEE80211_FC0_VERSION_0) { 179 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 180 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]); 181 ic->ic_stats.is_rx_badversion++; 182 goto err; 183 } 184 185 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 186 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 187 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 188 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 189 switch (ic->ic_opmode) { 190 case IEEE80211_M_STA: 191 bssid = wh->i_addr2; 192 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 193 /* not interested in */ 194 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 195 bssid, NULL, "%s", "not to bss"); 196 ic->ic_stats.is_rx_wrongbss++; 197 goto out; 198 } 199 break; 200 case IEEE80211_M_IBSS: 201 case IEEE80211_M_AHDEMO: 202 case IEEE80211_M_HOSTAP: 203 if (dir != IEEE80211_FC1_DIR_NODS) 204 bssid = wh->i_addr1; 205 else if (type == IEEE80211_FC0_TYPE_CTL) 206 bssid = wh->i_addr1; 207 else { 208 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 209 IEEE80211_DISCARD_MAC(ic, 210 IEEE80211_MSG_ANY, ni->ni_macaddr, 211 NULL, "too short (2): len %u", 212 m->m_pkthdr.len); 213 ic->ic_stats.is_rx_tooshort++; 214 goto out; 215 } 216 bssid = wh->i_addr3; 217 } 218 if (type != IEEE80211_FC0_TYPE_DATA) 219 break; 220 /* 221 * Data frame, validate the bssid. 222 */ 223 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) && 224 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 225 /* not interested in */ 226 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 227 bssid, NULL, "%s", "not to bss"); 228 ic->ic_stats.is_rx_wrongbss++; 229 goto out; 230 } 231 /* 232 * For adhoc mode we cons up a node when it doesn't 233 * exist. This should probably done after an ACL check. 234 */ 235 if (ni == ic->ic_bss && 236 ic->ic_opmode != IEEE80211_M_HOSTAP) { 237 /* 238 * Fake up a node for this newly 239 * discovered member of the IBSS. 240 */ 241 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 242 wh->i_addr2); 243 if (ni == NULL) { 244 /* NB: stat kept for alloc failure */ 245 goto err; 246 } 247 } 248 break; 249 default: 250 goto out; 251 } 252 ni->ni_rssi = rssi; 253 ni->ni_rstamp = rstamp; 254 if (HAS_SEQ(type)) { 255 u_int8_t tid; 256 if (IEEE80211_QOS_HAS_SEQ(wh)) { 257 tid = ((struct ieee80211_qosframe *)wh)-> 258 i_qos[0] & IEEE80211_QOS_TID; 259 if (TID_TO_WME_AC(tid) >= WME_AC_VI) 260 ic->ic_wme.wme_hipri_traffic++; 261 tid++; 262 } else 263 tid = 0; 264 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 265 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && 266 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 267 /* duplicate, discard */ 268 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 269 bssid, "duplicate", 270 "seqno <%u,%u> fragno <%u,%u> tid %u", 271 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 272 ni->ni_rxseqs[tid] >> 273 IEEE80211_SEQ_SEQ_SHIFT, 274 rxseq & IEEE80211_SEQ_FRAG_MASK, 275 ni->ni_rxseqs[tid] & 276 IEEE80211_SEQ_FRAG_MASK, 277 tid); 278 ic->ic_stats.is_rx_dup++; 279 IEEE80211_NODE_STAT(ni, rx_dup); 280 goto out; 281 } 282 ni->ni_rxseqs[tid] = rxseq; 283 } 284 } 285 286 switch (type) { 287 case IEEE80211_FC0_TYPE_DATA: 288 hdrspace = ieee80211_hdrspace(ic, wh); 289 if (m->m_len < hdrspace && 290 (m = m_pullup(m, hdrspace)) == NULL) { 291 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 292 ni->ni_macaddr, NULL, 293 "data too short: expecting %u", hdrspace); 294 ic->ic_stats.is_rx_tooshort++; 295 goto out; /* XXX */ 296 } 297 switch (ic->ic_opmode) { 298 case IEEE80211_M_STA: 299 if (dir != IEEE80211_FC1_DIR_FROMDS) { 300 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 301 wh, "data", "%s", "unknown dir 0x%x", dir); 302 ic->ic_stats.is_rx_wrongdir++; 303 goto out; 304 } 305 if ((ifp->if_flags & IFF_SIMPLEX) && 306 IEEE80211_IS_MULTICAST(wh->i_addr1) && 307 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) { 308 /* 309 * In IEEE802.11 network, multicast packet 310 * sent from me is broadcasted from AP. 311 * It should be silently discarded for 312 * SIMPLEX interface. 313 */ 314 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 315 wh, NULL, "%s", "multicast echo"); 316 ic->ic_stats.is_rx_mcastecho++; 317 goto out; 318 } 319 break; 320 case IEEE80211_M_IBSS: 321 case IEEE80211_M_AHDEMO: 322 if (dir != IEEE80211_FC1_DIR_NODS) { 323 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 324 wh, "data", "%s", "unknown dir 0x%x", dir); 325 ic->ic_stats.is_rx_wrongdir++; 326 goto out; 327 } 328 /* XXX no power-save support */ 329 break; 330 case IEEE80211_M_HOSTAP: 331 if (dir != IEEE80211_FC1_DIR_TODS) { 332 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 333 wh, "data", "%s", "unknown dir 0x%x", dir); 334 ic->ic_stats.is_rx_wrongdir++; 335 goto out; 336 } 337 /* check if source STA is associated */ 338 if (ni == ic->ic_bss) { 339 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 340 wh, "data", "%s", "unknown src"); 341 ieee80211_send_error(ic, ni, wh->i_addr2, 342 IEEE80211_FC0_SUBTYPE_DEAUTH, 343 IEEE80211_REASON_NOT_AUTHED); 344 ic->ic_stats.is_rx_notassoc++; 345 goto err; 346 } 347 if (ni->ni_associd == 0) { 348 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 349 wh, "data", "%s", "unassoc src"); 350 IEEE80211_SEND_MGMT(ic, ni, 351 IEEE80211_FC0_SUBTYPE_DISASSOC, 352 IEEE80211_REASON_NOT_ASSOCED); 353 ic->ic_stats.is_rx_notassoc++; 354 goto err; 355 } 356 357 /* 358 * Check for power save state change. 359 */ 360 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^ 361 (ni->ni_flags & IEEE80211_NODE_PWR_MGT))) 362 ieee80211_node_pwrsave(ni, 363 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT); 364 break; 365 default: 366 /* XXX here to keep compiler happy */ 367 goto out; 368 } 369 370 /* 371 * Handle privacy requirements. Note that we 372 * must not be preempted from here until after 373 * we (potentially) call ieee80211_crypto_demic; 374 * otherwise we may violate assumptions in the 375 * crypto cipher modules used to do delayed update 376 * of replay sequence numbers. 377 */ 378 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 379 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 380 /* 381 * Discard encrypted frames when privacy is off. 382 */ 383 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 384 wh, "WEP", "%s", "PRIVACY off"); 385 ic->ic_stats.is_rx_noprivacy++; 386 IEEE80211_NODE_STAT(ni, rx_noprivacy); 387 goto out; 388 } 389 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 390 if (key == NULL) { 391 /* NB: stats+msgs handled in crypto_decap */ 392 IEEE80211_NODE_STAT(ni, rx_wepfail); 393 goto out; 394 } 395 wh = mtod(m, struct ieee80211_frame *); 396 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 397 } else { 398 key = NULL; 399 } 400 401 /* 402 * Next up, any fragmentation. 403 */ 404 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 405 m = ieee80211_defrag(ic, ni, m, hdrspace); 406 if (m == NULL) { 407 /* Fragment dropped or frame not complete yet */ 408 goto out; 409 } 410 } 411 wh = NULL; /* no longer valid, catch any uses */ 412 413 /* 414 * Next strip any MSDU crypto bits. 415 */ 416 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) { 417 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 418 ni->ni_macaddr, "data", "%s", "demic error"); 419 IEEE80211_NODE_STAT(ni, rx_demicfail); 420 goto out; 421 } 422 423 /* copy to listener after decrypt */ 424 if (ic->ic_rawbpf) 425 bpf_mtap(ic->ic_rawbpf, m); 426 427 /* 428 * Finally, strip the 802.11 header. 429 */ 430 m = ieee80211_decap(ic, m, hdrspace); 431 if (m == NULL) { 432 /* don't count Null data frames as errors */ 433 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA) 434 goto out; 435 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 436 ni->ni_macaddr, "data", "%s", "decap error"); 437 ic->ic_stats.is_rx_decap++; 438 IEEE80211_NODE_STAT(ni, rx_decap); 439 goto err; 440 } 441 eh = mtod(m, struct ether_header *); 442 if (!ieee80211_node_is_authorized(ni)) { 443 /* 444 * Deny any non-PAE frames received prior to 445 * authorization. For open/shared-key 446 * authentication the port is mark authorized 447 * after authentication completes. For 802.1x 448 * the port is not marked authorized by the 449 * authenticator until the handshake has completed. 450 */ 451 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 452 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT, 453 eh->ether_shost, "data", 454 "unauthorized port: ether type 0x%x len %u", 455 eh->ether_type, m->m_pkthdr.len); 456 ic->ic_stats.is_rx_unauth++; 457 IEEE80211_NODE_STAT(ni, rx_unauth); 458 goto err; 459 } 460 } else { 461 /* 462 * When denying unencrypted frames, discard 463 * any non-PAE frames received without encryption. 464 */ 465 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) && 466 key == NULL && 467 eh->ether_type != htons(ETHERTYPE_PAE)) { 468 /* 469 * Drop unencrypted frames. 470 */ 471 ic->ic_stats.is_rx_unencrypted++; 472 IEEE80211_NODE_STAT(ni, rx_unencrypted); 473 goto out; 474 } 475 } 476 ifp->if_ipackets++; 477 IEEE80211_NODE_STAT(ni, rx_data); 478 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len); 479 480 ieee80211_deliver_data(ic, ni, m); 481 return IEEE80211_FC0_TYPE_DATA; 482 483 case IEEE80211_FC0_TYPE_MGT: 484 IEEE80211_NODE_STAT(ni, rx_mgmt); 485 if (dir != IEEE80211_FC1_DIR_NODS) { 486 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 487 wh, "data", "%s", "unknown dir 0x%x", dir); 488 ic->ic_stats.is_rx_wrongdir++; 489 goto err; 490 } 491 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 492 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY, 493 ni->ni_macaddr, "mgt", "too short: len %u", 494 m->m_pkthdr.len); 495 ic->ic_stats.is_rx_tooshort++; 496 goto out; 497 } 498#ifdef IEEE80211_DEBUG 499 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) || 500 ieee80211_msg_dumppkts(ic)) { 501 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n", 502 ieee80211_mgt_subtype_name[subtype >> 503 IEEE80211_FC0_SUBTYPE_SHIFT], 504 ether_sprintf(wh->i_addr2), rssi); 505 } 506#endif 507 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 508 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 509 /* 510 * Only shared key auth frames with a challenge 511 * should be encrypted, discard all others. 512 */ 513 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 514 wh, ieee80211_mgt_subtype_name[subtype >> 515 IEEE80211_FC0_SUBTYPE_SHIFT], 516 "%s", "WEP set but not permitted"); 517 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */ 518 goto out; 519 } 520 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 521 /* 522 * Discard encrypted frames when privacy is off. 523 */ 524 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 525 wh, "mgt", "%s", "WEP set but PRIVACY off"); 526 ic->ic_stats.is_rx_noprivacy++; 527 goto out; 528 } 529 hdrspace = ieee80211_hdrspace(ic, wh); 530 key = ieee80211_crypto_decap(ic, ni, m, hdrspace); 531 if (key == NULL) { 532 /* NB: stats+msgs handled in crypto_decap */ 533 goto out; 534 } 535 wh = mtod(m, struct ieee80211_frame *); 536 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 537 } 538 if (ic->ic_rawbpf) 539 bpf_mtap(ic->ic_rawbpf, m); 540 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp); 541 m_freem(m); 542 return type; 543 544 case IEEE80211_FC0_TYPE_CTL: 545 IEEE80211_NODE_STAT(ni, rx_ctrl); 546 ic->ic_stats.is_rx_ctl++; 547 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 548 switch (subtype) { 549 case IEEE80211_FC0_SUBTYPE_PS_POLL: 550 ieee80211_recv_pspoll(ic, ni, m); 551 break; 552 } 553 } 554 goto out; 555 default: 556 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 557 wh, NULL, "bad frame type 0x%x", type); 558 /* should not come here */ 559 break; 560 } 561err: 562 ifp->if_ierrors++; 563out: 564 if (m != NULL) { 565 if (ic->ic_rawbpf) 566 bpf_mtap(ic->ic_rawbpf, m); 567 m_freem(m); 568 } 569 return type; 570#undef SEQ_LEQ 571} 572 573/* 574 * This function reassemble fragments. 575 */ 576static struct mbuf * 577ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni, 578 struct mbuf *m, int hdrspace) 579{ 580 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 581 struct ieee80211_frame *lwh; 582 u_int16_t rxseq; 583 u_int8_t fragno; 584 u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG; 585 struct mbuf *mfrag; 586 587 KASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?")); 588 589 rxseq = le16toh(*(u_int16_t *)wh->i_seq); 590 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK; 591 592 /* Quick way out, if there's nothing to defragment */ 593 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) 594 return m; 595 596 /* 597 * Remove frag to insure it doesn't get reaped by timer. 598 */ 599 if (ni->ni_table == NULL) { 600 /* 601 * Should never happen. If the node is orphaned (not in 602 * the table) then input packets should not reach here. 603 * Otherwise, a concurrent request that yanks the table 604 * should be blocked by other interlocking and/or by first 605 * shutting the driver down. Regardless, be defensive 606 * here and just bail 607 */ 608 /* XXX need msg+stat */ 609 m_freem(m); 610 return NULL; 611 } 612 IEEE80211_NODE_LOCK(ni->ni_table); 613 mfrag = ni->ni_rxfrag[0]; 614 ni->ni_rxfrag[0] = NULL; 615 IEEE80211_NODE_UNLOCK(ni->ni_table); 616 617 /* 618 * Validate new fragment is in order and 619 * related to the previous ones. 620 */ 621 if (mfrag != NULL) { 622 u_int16_t last_rxseq; 623 624 lwh = mtod(mfrag, struct ieee80211_frame *); 625 last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq); 626 /* NB: check seq # and frag together */ 627 if (rxseq != last_rxseq+1 || 628 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) || 629 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { 630 /* 631 * Unrelated fragment or no space for it, 632 * clear current fragments. 633 */ 634 m_freem(mfrag); 635 mfrag = NULL; 636 } 637 } 638 639 if (mfrag == NULL) { 640 if (fragno != 0) { /* !first fragment, discard */ 641 IEEE80211_NODE_STAT(ni, rx_defrag); 642 m_freem(m); 643 return NULL; 644 } 645 mfrag = m; 646 } else { /* concatenate */ 647 m_adj(m, hdrspace); /* strip header */ 648 m_cat(mfrag, m); 649 /* NB: m_cat doesn't update the packet header */ 650 mfrag->m_pkthdr.len += m->m_pkthdr.len; 651 /* track last seqnum and fragno */ 652 lwh = mtod(mfrag, struct ieee80211_frame *); 653 *(u_int16_t *) lwh->i_seq = *(u_int16_t *) wh->i_seq; 654 } 655 if (more_frag) { /* more to come, save */ 656 ni->ni_rxfragstamp = ticks; 657 ni->ni_rxfrag[0] = mfrag; 658 mfrag = NULL; 659 } 660 return mfrag; 661} 662 663static void 664ieee80211_deliver_data(struct ieee80211com *ic, 665 struct ieee80211_node *ni, struct mbuf *m) 666{ 667 struct ether_header *eh = mtod(m, struct ether_header *); 668 struct ifnet *ifp = ic->ic_ifp; 669 670 /* perform as a bridge within the AP */ 671 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 672 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) { 673 struct mbuf *m1 = NULL; 674 675 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 676 m1 = m_copypacket(m, M_DONTWAIT); 677 if (m1 == NULL) 678 ifp->if_oerrors++; 679 else 680 m1->m_flags |= M_MCAST; 681 } else { 682 /* 683 * Check if the destination is known; if so 684 * and the port is authorized dispatch directly. 685 */ 686 struct ieee80211_node *sta = 687 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost); 688 if (sta != NULL) { 689 if (ieee80211_node_is_authorized(sta)) { 690 /* 691 * Beware of sending to ourself; this 692 * needs to happen via the normal 693 * input path. 694 */ 695 if (sta != ic->ic_bss) { 696 m1 = m; 697 m = NULL; 698 } 699 } else { 700 ic->ic_stats.is_rx_unauth++; 701 IEEE80211_NODE_STAT(sta, rx_unauth); 702 } 703 ieee80211_free_node(sta); 704 } 705 } 706 if (m1 != NULL) 707 IF_HANDOFF(&ifp->if_snd, m1, ifp); 708 } 709 if (m != NULL) { 710 if (ni->ni_vlan != 0) { 711 /* attach vlan tag */ 712 /* XXX goto err? */ 713 VLAN_INPUT_TAG(ifp, m, ni->ni_vlan, goto out); 714 } 715 (*ifp->if_input)(ifp, m); 716 } 717 return; 718 out: 719 if (m != NULL) { 720 if (ic->ic_rawbpf) 721 bpf_mtap(ic->ic_rawbpf, m); 722 m_freem(m); 723 } 724} 725 726static struct mbuf * 727ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen) 728{ 729 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */ 730 struct ether_header *eh; 731 struct llc *llc; 732 733 if (m->m_len < hdrlen + sizeof(*llc) && 734 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) { 735 /* XXX stat, msg */ 736 return NULL; 737 } 738 memcpy(&wh, mtod(m, caddr_t), hdrlen); 739 llc = (struct llc *)(mtod(m, caddr_t) + hdrlen); 740 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP && 741 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 && 742 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) { 743 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); 744 llc = NULL; 745 } else { 746 m_adj(m, hdrlen - sizeof(*eh)); 747 } 748 eh = mtod(m, struct ether_header *); 749 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) { 750 case IEEE80211_FC1_DIR_NODS: 751 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 752 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 753 break; 754 case IEEE80211_FC1_DIR_TODS: 755 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 756 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2); 757 break; 758 case IEEE80211_FC1_DIR_FROMDS: 759 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1); 760 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3); 761 break; 762 case IEEE80211_FC1_DIR_DSTODS: 763 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3); 764 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4); 765 break; 766 } 767#ifdef ALIGNED_POINTER 768 if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), u_int32_t)) { 769 struct mbuf *n, *n0, **np; 770 caddr_t newdata; 771 int off, pktlen; 772 773 n0 = NULL; 774 np = &n0; 775 off = 0; 776 pktlen = m->m_pkthdr.len; 777 while (pktlen > off) { 778 if (n0 == NULL) { 779 MGETHDR(n, M_DONTWAIT, MT_DATA); 780 if (n == NULL) { 781 m_freem(m); 782 return NULL; 783 } 784 M_MOVE_PKTHDR(n, m); 785 n->m_len = MHLEN; 786 } else { 787 MGET(n, M_DONTWAIT, MT_DATA); 788 if (n == NULL) { 789 m_freem(m); 790 m_freem(n0); 791 return NULL; 792 } 793 n->m_len = MLEN; 794 } 795 if (pktlen - off >= MINCLSIZE) { 796 MCLGET(n, M_DONTWAIT); 797 if (n->m_flags & M_EXT) 798 n->m_len = n->m_ext.ext_size; 799 } 800 if (n0 == NULL) { 801 newdata = 802 (caddr_t)ALIGN(n->m_data + sizeof(*eh)) - 803 sizeof(*eh); 804 n->m_len -= newdata - n->m_data; 805 n->m_data = newdata; 806 } 807 if (n->m_len > pktlen - off) 808 n->m_len = pktlen - off; 809 m_copydata(m, off, n->m_len, mtod(n, caddr_t)); 810 off += n->m_len; 811 *np = n; 812 np = &n->m_next; 813 } 814 m_freem(m); 815 m = n0; 816 } 817#endif /* ALIGNED_POINTER */ 818 if (llc != NULL) { 819 eh = mtod(m, struct ether_header *); 820 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh)); 821 } 822 return m; 823} 824 825/* 826 * Install received rate set information in the node's state block. 827 */ 828int 829ieee80211_setup_rates(struct ieee80211_node *ni, 830 const u_int8_t *rates, const u_int8_t *xrates, int flags) 831{ 832 struct ieee80211com *ic = ni->ni_ic; 833 struct ieee80211_rateset *rs = &ni->ni_rates; 834 835 memset(rs, 0, sizeof(*rs)); 836 rs->rs_nrates = rates[1]; 837 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates); 838 if (xrates != NULL) { 839 u_int8_t nxrates; 840 /* 841 * Tack on 11g extended supported rate element. 842 */ 843 nxrates = xrates[1]; 844 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) { 845 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates; 846 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE, 847 "[%s] extended rate set too large;" 848 " only using %u of %u rates\n", 849 ether_sprintf(ni->ni_macaddr), nxrates, xrates[1]); 850 ic->ic_stats.is_rx_rstoobig++; 851 } 852 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates); 853 rs->rs_nrates += nxrates; 854 } 855 return ieee80211_fix_rate(ni, flags); 856} 857 858static void 859ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh, 860 struct ieee80211_node *ni, int rssi, u_int32_t rstamp, u_int16_t seq, 861 u_int16_t status) 862{ 863 864 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 865 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 866 ni->ni_macaddr, "open auth", 867 "bad sta auth mode %u", ni->ni_authmode); 868 ic->ic_stats.is_rx_bad_auth++; /* XXX */ 869 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 870 /* XXX hack to workaround calling convention */ 871 ieee80211_send_error(ic, ni, wh->i_addr2, 872 IEEE80211_FC0_SUBTYPE_AUTH, 873 (seq + 1) | (IEEE80211_STATUS_ALG<<16)); 874 } 875 return; 876 } 877 switch (ic->ic_opmode) { 878 case IEEE80211_M_IBSS: 879 case IEEE80211_M_AHDEMO: 880 case IEEE80211_M_MONITOR: 881 /* should not come here */ 882 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 883 ni->ni_macaddr, "open auth", 884 "bad operating mode %u", ic->ic_opmode); 885 break; 886 887 case IEEE80211_M_HOSTAP: 888 if (ic->ic_state != IEEE80211_S_RUN || 889 seq != IEEE80211_AUTH_OPEN_REQUEST) { 890 ic->ic_stats.is_rx_bad_auth++; 891 return; 892 } 893 /* always accept open authentication requests */ 894 if (ni == ic->ic_bss) { 895 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 896 if (ni == NULL) 897 return; 898 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 899 (void) ieee80211_ref_node(ni); 900 /* 901 * Mark the node as referenced to reflect that it's 902 * reference count has been bumped to insure it remains 903 * after the transaction completes. 904 */ 905 ni->ni_flags |= IEEE80211_NODE_AREF; 906 907 IEEE80211_SEND_MGMT(ic, ni, 908 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 909 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 910 "[%s] station authenticated (open)\n", 911 ether_sprintf(ni->ni_macaddr)); 912 /* 913 * When 802.1x is not in use mark the port 914 * authorized at this point so traffic can flow. 915 */ 916 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 917 ieee80211_node_authorize(ni); 918 break; 919 920 case IEEE80211_M_STA: 921 if (ic->ic_state != IEEE80211_S_AUTH || 922 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 923 ic->ic_stats.is_rx_bad_auth++; 924 return; 925 } 926 if (status != 0) { 927 IEEE80211_DPRINTF(ic, 928 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 929 "[%s] open auth failed (reason %d)\n", 930 ether_sprintf(ni->ni_macaddr), status); 931 /* XXX can this happen? */ 932 if (ni != ic->ic_bss) 933 ni->ni_fails++; 934 ic->ic_stats.is_rx_auth_fail++; 935 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 936 } else 937 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 938 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 939 break; 940 } 941} 942 943/* 944 * Send a management frame error response to the specified 945 * station. If ni is associated with the station then use 946 * it; otherwise allocate a temporary node suitable for 947 * transmitting the frame and then free the reference so 948 * it will go away as soon as the frame has been transmitted. 949 */ 950static void 951ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni, 952 const u_int8_t *mac, int subtype, int arg) 953{ 954 int istmp; 955 956 if (ni == ic->ic_bss) { 957 ni = ieee80211_tmp_node(ic, mac); 958 if (ni == NULL) { 959 /* XXX msg */ 960 return; 961 } 962 istmp = 1; 963 } else 964 istmp = 0; 965 IEEE80211_SEND_MGMT(ic, ni, subtype, arg); 966 if (istmp) 967 ieee80211_free_node(ni); 968} 969 970static int 971alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni) 972{ 973 if (ni->ni_challenge == NULL) 974 MALLOC(ni->ni_challenge, u_int32_t*, IEEE80211_CHALLENGE_LEN, 975 M_DEVBUF, M_NOWAIT); 976 if (ni->ni_challenge == NULL) { 977 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 978 "[%s] shared key challenge alloc failed\n", 979 ether_sprintf(ni->ni_macaddr)); 980 /* XXX statistic */ 981 } 982 return (ni->ni_challenge != NULL); 983} 984 985/* XXX TODO: add statistics */ 986static void 987ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh, 988 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi, 989 u_int32_t rstamp, u_int16_t seq, u_int16_t status) 990{ 991 u_int8_t *challenge; 992 int allocbs, estatus; 993 994 /* 995 * NB: this can happen as we allow pre-shared key 996 * authentication to be enabled w/o wep being turned 997 * on so that configuration of these can be done 998 * in any order. It may be better to enforce the 999 * ordering in which case this check would just be 1000 * for sanity/consistency. 1001 */ 1002 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) { 1003 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1004 ni->ni_macaddr, "shared key auth", 1005 "%s", " PRIVACY is disabled"); 1006 estatus = IEEE80211_STATUS_ALG; 1007 goto bad; 1008 } 1009 /* 1010 * Pre-shared key authentication is evil; accept 1011 * it only if explicitly configured (it is supported 1012 * mainly for compatibility with clients like OS X). 1013 */ 1014 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1015 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1016 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1017 ni->ni_macaddr, "shared key auth", 1018 "bad sta auth mode %u", ni->ni_authmode); 1019 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1020 estatus = IEEE80211_STATUS_ALG; 1021 goto bad; 1022 } 1023 1024 challenge = NULL; 1025 if (frm + 1 < efrm) { 1026 if ((frm[1] + 2) > (efrm - frm)) { 1027 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1028 ni->ni_macaddr, "shared key auth", 1029 "ie %d/%d too long", 1030 frm[0], (frm[1] + 2) - (efrm - frm)); 1031 ic->ic_stats.is_rx_bad_auth++; 1032 estatus = IEEE80211_STATUS_CHALLENGE; 1033 goto bad; 1034 } 1035 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1036 challenge = frm; 1037 frm += frm[1] + 2; 1038 } 1039 switch (seq) { 1040 case IEEE80211_AUTH_SHARED_CHALLENGE: 1041 case IEEE80211_AUTH_SHARED_RESPONSE: 1042 if (challenge == NULL) { 1043 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1044 ni->ni_macaddr, "shared key auth", 1045 "%s", "no challenge"); 1046 ic->ic_stats.is_rx_bad_auth++; 1047 estatus = IEEE80211_STATUS_CHALLENGE; 1048 goto bad; 1049 } 1050 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1051 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1052 ni->ni_macaddr, "shared key auth", 1053 "bad challenge len %d", challenge[1]); 1054 ic->ic_stats.is_rx_bad_auth++; 1055 estatus = IEEE80211_STATUS_CHALLENGE; 1056 goto bad; 1057 } 1058 default: 1059 break; 1060 } 1061 switch (ic->ic_opmode) { 1062 case IEEE80211_M_MONITOR: 1063 case IEEE80211_M_AHDEMO: 1064 case IEEE80211_M_IBSS: 1065 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1066 ni->ni_macaddr, "shared key auth", 1067 "bad operating mode %u", ic->ic_opmode); 1068 return; 1069 case IEEE80211_M_HOSTAP: 1070 if (ic->ic_state != IEEE80211_S_RUN) { 1071 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1072 ni->ni_macaddr, "shared key auth", 1073 "bad state %u", ic->ic_state); 1074 estatus = IEEE80211_STATUS_ALG; /* XXX */ 1075 goto bad; 1076 } 1077 switch (seq) { 1078 case IEEE80211_AUTH_SHARED_REQUEST: 1079 if (ni == ic->ic_bss) { 1080 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2); 1081 if (ni == NULL) { 1082 /* NB: no way to return an error */ 1083 return; 1084 } 1085 allocbs = 1; 1086 } else { 1087 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0) 1088 (void) ieee80211_ref_node(ni); 1089 allocbs = 0; 1090 } 1091 /* 1092 * Mark the node as referenced to reflect that it's 1093 * reference count has been bumped to insure it remains 1094 * after the transaction completes. 1095 */ 1096 ni->ni_flags |= IEEE80211_NODE_AREF; 1097 ni->ni_rssi = rssi; 1098 ni->ni_rstamp = rstamp; 1099 if (!alloc_challenge(ic, ni)) { 1100 /* NB: don't return error so they rexmit */ 1101 return; 1102 } 1103 get_random_bytes(ni->ni_challenge, 1104 IEEE80211_CHALLENGE_LEN); 1105 IEEE80211_DPRINTF(ic, 1106 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1107 "[%s] shared key %sauth request\n", 1108 ether_sprintf(ni->ni_macaddr), 1109 allocbs ? "" : "re"); 1110 break; 1111 case IEEE80211_AUTH_SHARED_RESPONSE: 1112 if (ni == ic->ic_bss) { 1113 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1114 ni->ni_macaddr, "shared key response", 1115 "%s", "unknown station"); 1116 /* NB: don't send a response */ 1117 return; 1118 } 1119 if (ni->ni_challenge == NULL) { 1120 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1121 ni->ni_macaddr, "shared key response", 1122 "%s", "no challenge recorded"); 1123 ic->ic_stats.is_rx_bad_auth++; 1124 estatus = IEEE80211_STATUS_CHALLENGE; 1125 goto bad; 1126 } 1127 if (memcmp(ni->ni_challenge, &challenge[2], 1128 challenge[1]) != 0) { 1129 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1130 ni->ni_macaddr, "shared key response", 1131 "%s", "challenge mismatch"); 1132 ic->ic_stats.is_rx_auth_fail++; 1133 estatus = IEEE80211_STATUS_CHALLENGE; 1134 goto bad; 1135 } 1136 IEEE80211_DPRINTF(ic, 1137 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1138 "[%s] station authenticated (shared key)\n", 1139 ether_sprintf(ni->ni_macaddr)); 1140 ieee80211_node_authorize(ni); 1141 break; 1142 default: 1143 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH, 1144 ni->ni_macaddr, "shared key auth", 1145 "bad seq %d", seq); 1146 ic->ic_stats.is_rx_bad_auth++; 1147 estatus = IEEE80211_STATUS_SEQUENCE; 1148 goto bad; 1149 } 1150 IEEE80211_SEND_MGMT(ic, ni, 1151 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1152 break; 1153 1154 case IEEE80211_M_STA: 1155 if (ic->ic_state != IEEE80211_S_AUTH) 1156 return; 1157 switch (seq) { 1158 case IEEE80211_AUTH_SHARED_PASS: 1159 if (ni->ni_challenge != NULL) { 1160 FREE(ni->ni_challenge, M_DEVBUF); 1161 ni->ni_challenge = NULL; 1162 } 1163 if (status != 0) { 1164 IEEE80211_DPRINTF(ic, 1165 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1166 "[%s] shared key auth failed (reason %d)\n", 1167 ether_sprintf(ieee80211_getbssid(ic, wh)), 1168 status); 1169 /* XXX can this happen? */ 1170 if (ni != ic->ic_bss) 1171 ni->ni_fails++; 1172 ic->ic_stats.is_rx_auth_fail++; 1173 return; 1174 } 1175 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1176 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 1177 break; 1178 case IEEE80211_AUTH_SHARED_CHALLENGE: 1179 if (!alloc_challenge(ic, ni)) 1180 return; 1181 /* XXX could optimize by passing recvd challenge */ 1182 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1183 IEEE80211_SEND_MGMT(ic, ni, 1184 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1185 break; 1186 default: 1187 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH, 1188 wh, "shared key auth", "bad seq %d", seq); 1189 ic->ic_stats.is_rx_bad_auth++; 1190 return; 1191 } 1192 break; 1193 } 1194 return; 1195bad: 1196 /* 1197 * Send an error response; but only when operating as an AP. 1198 */ 1199 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 1200 /* XXX hack to workaround calling convention */ 1201 ieee80211_send_error(ic, ni, wh->i_addr2, 1202 IEEE80211_FC0_SUBTYPE_AUTH, 1203 (seq + 1) | (estatus<<16)); 1204 } else if (ic->ic_opmode == IEEE80211_M_STA) { 1205 /* 1206 * Kick the state machine. This short-circuits 1207 * using the mgt frame timeout to trigger the 1208 * state transition. 1209 */ 1210 if (ic->ic_state == IEEE80211_S_AUTH) 1211 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 1212 } 1213} 1214 1215/* Verify the existence and length of __elem or get out. */ 1216#define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \ 1217 if ((__elem) == NULL) { \ 1218 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1219 wh, ieee80211_mgt_subtype_name[subtype >> \ 1220 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1221 "%s", "no " #__elem ); \ 1222 ic->ic_stats.is_rx_elem_missing++; \ 1223 return; \ 1224 } \ 1225 if ((__elem)[1] > (__maxlen)) { \ 1226 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1227 wh, ieee80211_mgt_subtype_name[subtype >> \ 1228 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1229 "bad " #__elem " len %d", (__elem)[1]); \ 1230 ic->ic_stats.is_rx_elem_toobig++; \ 1231 return; \ 1232 } \ 1233} while (0) 1234 1235#define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \ 1236 if ((_len) < (_minlen)) { \ 1237 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \ 1238 wh, ieee80211_mgt_subtype_name[subtype >> \ 1239 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1240 "%s", "ie too short"); \ 1241 ic->ic_stats.is_rx_elem_toosmall++; \ 1242 return; \ 1243 } \ 1244} while (0) 1245 1246#ifdef IEEE80211_DEBUG 1247static void 1248ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag, 1249 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid) 1250{ 1251 printf("[%s] discard %s frame, ssid mismatch: ", 1252 ether_sprintf(mac), tag); 1253 ieee80211_print_essid(ssid + 2, ssid[1]); 1254 printf("\n"); 1255} 1256 1257#define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1258 if ((_ssid)[1] != 0 && \ 1259 ((_ssid)[1] != (_ni)->ni_esslen || \ 1260 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1261 if (ieee80211_msg_input(ic)) \ 1262 ieee80211_ssid_mismatch(ic, \ 1263 ieee80211_mgt_subtype_name[subtype >> \ 1264 IEEE80211_FC0_SUBTYPE_SHIFT], \ 1265 wh->i_addr2, _ssid); \ 1266 ic->ic_stats.is_rx_ssidmismatch++; \ 1267 return; \ 1268 } \ 1269} while (0) 1270#else /* !IEEE80211_DEBUG */ 1271#define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \ 1272 if ((_ssid)[1] != 0 && \ 1273 ((_ssid)[1] != (_ni)->ni_esslen || \ 1274 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \ 1275 ic->ic_stats.is_rx_ssidmismatch++; \ 1276 return; \ 1277 } \ 1278} while (0) 1279#endif /* !IEEE80211_DEBUG */ 1280 1281/* unalligned little endian access */ 1282#define LE_READ_2(p) \ 1283 ((u_int16_t) \ 1284 ((((const u_int8_t *)(p))[0] ) | \ 1285 (((const u_int8_t *)(p))[1] << 8))) 1286#define LE_READ_4(p) \ 1287 ((u_int32_t) \ 1288 ((((const u_int8_t *)(p))[0] ) | \ 1289 (((const u_int8_t *)(p))[1] << 8) | \ 1290 (((const u_int8_t *)(p))[2] << 16) | \ 1291 (((const u_int8_t *)(p))[3] << 24))) 1292 1293static int __inline 1294iswpaoui(const u_int8_t *frm) 1295{ 1296 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); 1297} 1298 1299static int __inline 1300iswmeoui(const u_int8_t *frm) 1301{ 1302 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI); 1303} 1304 1305static int __inline 1306iswmeparam(const u_int8_t *frm) 1307{ 1308 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1309 frm[6] == WME_PARAM_OUI_SUBTYPE; 1310} 1311 1312static int __inline 1313iswmeinfo(const u_int8_t *frm) 1314{ 1315 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) && 1316 frm[6] == WME_INFO_OUI_SUBTYPE; 1317} 1318 1319static int __inline 1320isatherosoui(const u_int8_t *frm) 1321{ 1322 return frm[1] > 3 && LE_READ_4(frm+2) == ((ATH_OUI_TYPE<<24)|ATH_OUI); 1323} 1324 1325/* 1326 * Convert a WPA cipher selector OUI to an internal 1327 * cipher algorithm. Where appropriate we also 1328 * record any key length. 1329 */ 1330static int 1331wpa_cipher(u_int8_t *sel, u_int8_t *keylen) 1332{ 1333#define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1334 u_int32_t w = LE_READ_4(sel); 1335 1336 switch (w) { 1337 case WPA_SEL(WPA_CSE_NULL): 1338 return IEEE80211_CIPHER_NONE; 1339 case WPA_SEL(WPA_CSE_WEP40): 1340 if (keylen) 1341 *keylen = 40 / NBBY; 1342 return IEEE80211_CIPHER_WEP; 1343 case WPA_SEL(WPA_CSE_WEP104): 1344 if (keylen) 1345 *keylen = 104 / NBBY; 1346 return IEEE80211_CIPHER_WEP; 1347 case WPA_SEL(WPA_CSE_TKIP): 1348 return IEEE80211_CIPHER_TKIP; 1349 case WPA_SEL(WPA_CSE_CCMP): 1350 return IEEE80211_CIPHER_AES_CCM; 1351 } 1352 return 32; /* NB: so 1<< is discarded */ 1353#undef WPA_SEL 1354} 1355 1356/* 1357 * Convert a WPA key management/authentication algorithm 1358 * to an internal code. 1359 */ 1360static int 1361wpa_keymgmt(u_int8_t *sel) 1362{ 1363#define WPA_SEL(x) (((x)<<24)|WPA_OUI) 1364 u_int32_t w = LE_READ_4(sel); 1365 1366 switch (w) { 1367 case WPA_SEL(WPA_ASE_8021X_UNSPEC): 1368 return WPA_ASE_8021X_UNSPEC; 1369 case WPA_SEL(WPA_ASE_8021X_PSK): 1370 return WPA_ASE_8021X_PSK; 1371 case WPA_SEL(WPA_ASE_NONE): 1372 return WPA_ASE_NONE; 1373 } 1374 return 0; /* NB: so is discarded */ 1375#undef WPA_SEL 1376} 1377 1378/* 1379 * Parse a WPA information element to collect parameters 1380 * and validate the parameters against what has been 1381 * configured for the system. 1382 */ 1383static int 1384ieee80211_parse_wpa(struct ieee80211com *ic, u_int8_t *frm, 1385 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1386{ 1387 u_int8_t len = frm[1]; 1388 u_int32_t w; 1389 int n; 1390 1391 /* 1392 * Check the length once for fixed parts: OUI, type, 1393 * version, mcast cipher, and 2 selector counts. 1394 * Other, variable-length data, must be checked separately. 1395 */ 1396 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) { 1397 IEEE80211_DISCARD_IE(ic, 1398 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1399 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags); 1400 return IEEE80211_REASON_IE_INVALID; 1401 } 1402 if (len < 14) { 1403 IEEE80211_DISCARD_IE(ic, 1404 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1405 wh, "WPA", "too short, len %u", len); 1406 return IEEE80211_REASON_IE_INVALID; 1407 } 1408 frm += 6, len -= 4; /* NB: len is payload only */ 1409 /* NB: iswapoui already validated the OUI and type */ 1410 w = LE_READ_2(frm); 1411 if (w != WPA_VERSION) { 1412 IEEE80211_DISCARD_IE(ic, 1413 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1414 wh, "WPA", "bad version %u", w); 1415 return IEEE80211_REASON_IE_INVALID; 1416 } 1417 frm += 2, len -= 2; 1418 1419 /* multicast/group cipher */ 1420 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen); 1421 if (w != rsn->rsn_mcastcipher) { 1422 IEEE80211_DISCARD_IE(ic, 1423 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1424 wh, "WPA", "mcast cipher mismatch; got %u, expected %u", 1425 w, rsn->rsn_mcastcipher); 1426 return IEEE80211_REASON_IE_INVALID; 1427 } 1428 frm += 4, len -= 4; 1429 1430 /* unicast ciphers */ 1431 n = LE_READ_2(frm); 1432 frm += 2, len -= 2; 1433 if (len < n*4+2) { 1434 IEEE80211_DISCARD_IE(ic, 1435 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1436 wh, "WPA", "ucast cipher data too short; len %u, n %u", 1437 len, n); 1438 return IEEE80211_REASON_IE_INVALID; 1439 } 1440 w = 0; 1441 for (; n > 0; n--) { 1442 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen); 1443 frm += 4, len -= 4; 1444 } 1445 w &= rsn->rsn_ucastcipherset; 1446 if (w == 0) { 1447 IEEE80211_DISCARD_IE(ic, 1448 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1449 wh, "WPA", "%s", "ucast cipher set empty"); 1450 return IEEE80211_REASON_IE_INVALID; 1451 } 1452 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1453 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1454 else 1455 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1456 1457 /* key management algorithms */ 1458 n = LE_READ_2(frm); 1459 frm += 2, len -= 2; 1460 if (len < n*4) { 1461 IEEE80211_DISCARD_IE(ic, 1462 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1463 wh, "WPA", "key mgmt alg data too short; len %u, n %u", 1464 len, n); 1465 return IEEE80211_REASON_IE_INVALID; 1466 } 1467 w = 0; 1468 for (; n > 0; n--) { 1469 w |= wpa_keymgmt(frm); 1470 frm += 4, len -= 4; 1471 } 1472 w &= rsn->rsn_keymgmtset; 1473 if (w == 0) { 1474 IEEE80211_DISCARD_IE(ic, 1475 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1476 wh, "WPA", "%s", "no acceptable key mgmt alg"); 1477 return IEEE80211_REASON_IE_INVALID; 1478 } 1479 if (w & WPA_ASE_8021X_UNSPEC) 1480 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC; 1481 else 1482 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK; 1483 1484 if (len > 2) /* optional capabilities */ 1485 rsn->rsn_caps = LE_READ_2(frm); 1486 1487 return 0; 1488} 1489 1490/* 1491 * Convert an RSN cipher selector OUI to an internal 1492 * cipher algorithm. Where appropriate we also 1493 * record any key length. 1494 */ 1495static int 1496rsn_cipher(u_int8_t *sel, u_int8_t *keylen) 1497{ 1498#define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1499 u_int32_t w = LE_READ_4(sel); 1500 1501 switch (w) { 1502 case RSN_SEL(RSN_CSE_NULL): 1503 return IEEE80211_CIPHER_NONE; 1504 case RSN_SEL(RSN_CSE_WEP40): 1505 if (keylen) 1506 *keylen = 40 / NBBY; 1507 return IEEE80211_CIPHER_WEP; 1508 case RSN_SEL(RSN_CSE_WEP104): 1509 if (keylen) 1510 *keylen = 104 / NBBY; 1511 return IEEE80211_CIPHER_WEP; 1512 case RSN_SEL(RSN_CSE_TKIP): 1513 return IEEE80211_CIPHER_TKIP; 1514 case RSN_SEL(RSN_CSE_CCMP): 1515 return IEEE80211_CIPHER_AES_CCM; 1516 case RSN_SEL(RSN_CSE_WRAP): 1517 return IEEE80211_CIPHER_AES_OCB; 1518 } 1519 return 32; /* NB: so 1<< is discarded */ 1520#undef WPA_SEL 1521} 1522 1523/* 1524 * Convert an RSN key management/authentication algorithm 1525 * to an internal code. 1526 */ 1527static int 1528rsn_keymgmt(u_int8_t *sel) 1529{ 1530#define RSN_SEL(x) (((x)<<24)|RSN_OUI) 1531 u_int32_t w = LE_READ_4(sel); 1532 1533 switch (w) { 1534 case RSN_SEL(RSN_ASE_8021X_UNSPEC): 1535 return RSN_ASE_8021X_UNSPEC; 1536 case RSN_SEL(RSN_ASE_8021X_PSK): 1537 return RSN_ASE_8021X_PSK; 1538 case RSN_SEL(RSN_ASE_NONE): 1539 return RSN_ASE_NONE; 1540 } 1541 return 0; /* NB: so is discarded */ 1542#undef RSN_SEL 1543} 1544 1545/* 1546 * Parse a WPA/RSN information element to collect parameters 1547 * and validate the parameters against what has been 1548 * configured for the system. 1549 */ 1550static int 1551ieee80211_parse_rsn(struct ieee80211com *ic, u_int8_t *frm, 1552 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh) 1553{ 1554 u_int8_t len = frm[1]; 1555 u_int32_t w; 1556 int n; 1557 1558 /* 1559 * Check the length once for fixed parts: 1560 * version, mcast cipher, and 2 selector counts. 1561 * Other, variable-length data, must be checked separately. 1562 */ 1563 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) { 1564 IEEE80211_DISCARD_IE(ic, 1565 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1566 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags); 1567 return IEEE80211_REASON_IE_INVALID; 1568 } 1569 if (len < 10) { 1570 IEEE80211_DISCARD_IE(ic, 1571 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1572 wh, "RSN", "too short, len %u", len); 1573 return IEEE80211_REASON_IE_INVALID; 1574 } 1575 frm += 2; 1576 w = LE_READ_2(frm); 1577 if (w != RSN_VERSION) { 1578 IEEE80211_DISCARD_IE(ic, 1579 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1580 wh, "RSN", "bad version %u", w); 1581 return IEEE80211_REASON_IE_INVALID; 1582 } 1583 frm += 2, len -= 2; 1584 1585 /* multicast/group cipher */ 1586 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen); 1587 if (w != rsn->rsn_mcastcipher) { 1588 IEEE80211_DISCARD_IE(ic, 1589 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1590 wh, "RSN", "mcast cipher mismatch; got %u, expected %u", 1591 w, rsn->rsn_mcastcipher); 1592 return IEEE80211_REASON_IE_INVALID; 1593 } 1594 frm += 4, len -= 4; 1595 1596 /* unicast ciphers */ 1597 n = LE_READ_2(frm); 1598 frm += 2, len -= 2; 1599 if (len < n*4+2) { 1600 IEEE80211_DISCARD_IE(ic, 1601 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1602 wh, "RSN", "ucast cipher data too short; len %u, n %u", 1603 len, n); 1604 return IEEE80211_REASON_IE_INVALID; 1605 } 1606 w = 0; 1607 for (; n > 0; n--) { 1608 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen); 1609 frm += 4, len -= 4; 1610 } 1611 w &= rsn->rsn_ucastcipherset; 1612 if (w == 0) { 1613 IEEE80211_DISCARD_IE(ic, 1614 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1615 wh, "RSN", "%s", "ucast cipher set empty"); 1616 return IEEE80211_REASON_IE_INVALID; 1617 } 1618 if (w & (1<<IEEE80211_CIPHER_TKIP)) 1619 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP; 1620 else 1621 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; 1622 1623 /* key management algorithms */ 1624 n = LE_READ_2(frm); 1625 frm += 2, len -= 2; 1626 if (len < n*4) { 1627 IEEE80211_DISCARD_IE(ic, 1628 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1629 wh, "RSN", "key mgmt alg data too short; len %u, n %u", 1630 len, n); 1631 return IEEE80211_REASON_IE_INVALID; 1632 } 1633 w = 0; 1634 for (; n > 0; n--) { 1635 w |= rsn_keymgmt(frm); 1636 frm += 4, len -= 4; 1637 } 1638 w &= rsn->rsn_keymgmtset; 1639 if (w == 0) { 1640 IEEE80211_DISCARD_IE(ic, 1641 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA, 1642 wh, "RSN", "%s", "no acceptable key mgmt alg"); 1643 return IEEE80211_REASON_IE_INVALID; 1644 } 1645 if (w & RSN_ASE_8021X_UNSPEC) 1646 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC; 1647 else 1648 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; 1649 1650 /* optional RSN capabilities */ 1651 if (len > 2) 1652 rsn->rsn_caps = LE_READ_2(frm); 1653 /* XXXPMKID */ 1654 1655 return 0; 1656} 1657 1658static int 1659ieee80211_parse_wmeparams(struct ieee80211com *ic, u_int8_t *frm, 1660 const struct ieee80211_frame *wh) 1661{ 1662#define MS(_v, _f) (((_v) & _f) >> _f##_S) 1663 struct ieee80211_wme_state *wme = &ic->ic_wme; 1664 u_int len = frm[1], qosinfo; 1665 int i; 1666 1667 if (len < sizeof(struct ieee80211_wme_param)-2) { 1668 IEEE80211_DISCARD_IE(ic, 1669 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1670 wh, "WME", "too short, len %u", len); 1671 return -1; 1672 } 1673 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1674 qosinfo &= WME_QOSINFO_COUNT; 1675 /* XXX do proper check for wraparound */ 1676 if (qosinfo == wme->wme_wmeChanParams.cap_info) 1677 return 0; 1678 frm += __offsetof(struct ieee80211_wme_param, params_acParams); 1679 for (i = 0; i < WME_NUM_AC; i++) { 1680 struct wmeParams *wmep = 1681 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1682 /* NB: ACI not used */ 1683 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1684 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1685 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1686 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1687 wmep->wmep_txopLimit = LE_READ_2(frm+2); 1688 frm += 4; 1689 } 1690 wme->wme_wmeChanParams.cap_info = qosinfo; 1691 return 1; 1692#undef MS 1693} 1694 1695static void 1696ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie) 1697{ 1698 u_int ielen = ie[1]+2; 1699 /* 1700 * Record information element for later use. 1701 */ 1702 if (*iep == NULL || (*iep)[1] != ie[1]) { 1703 if (*iep != NULL) 1704 FREE(*iep, M_DEVBUF); 1705 MALLOC(*iep, void*, ielen, M_DEVBUF, M_NOWAIT); 1706 } 1707 if (*iep != NULL) 1708 memcpy(*iep, ie, ielen); 1709 /* XXX note failure */ 1710} 1711 1712#ifdef IEEE80211_DEBUG 1713static void 1714dump_probe_beacon(u_int8_t subtype, int isnew, 1715 const u_int8_t mac[IEEE80211_ADDR_LEN], 1716 u_int8_t chan, u_int8_t bchan, u_int16_t capinfo, u_int16_t bintval, 1717 u_int8_t erp, u_int8_t *ssid, u_int8_t *country) 1718{ 1719 printf("[%s] %s%s on chan %u (bss chan %u) ", 1720 ether_sprintf(mac), isnew ? "new " : "", 1721 ieee80211_mgt_subtype_name[subtype >> IEEE80211_FC0_SUBTYPE_SHIFT], 1722 chan, bchan); 1723 ieee80211_print_essid(ssid + 2, ssid[1]); 1724 printf("\n"); 1725 1726 if (isnew) { 1727 printf("[%s] caps 0x%x bintval %u erp 0x%x", 1728 ether_sprintf(mac), capinfo, bintval, erp); 1729 if (country) { 1730#ifdef __FreeBSD__ 1731 printf(" country info %*D", country[1], country+2, " "); 1732#else 1733 int i; 1734 printf(" country info"); 1735 for (i = 0; i < country[1]; i++) 1736 printf(" %02x", country[i+2]); 1737#endif 1738 } 1739 printf("\n"); 1740 } 1741} 1742#endif /* IEEE80211_DEBUG */ 1743 1744void 1745ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0, 1746 struct ieee80211_node *ni, 1747 int subtype, int rssi, u_int32_t rstamp) 1748{ 1749#define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 1750#define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 1751 struct ieee80211_frame *wh; 1752 u_int8_t *frm, *efrm; 1753 u_int8_t *ssid, *rates, *xrates, *wpa, *wme; 1754 int reassoc, resp, allocbs; 1755 u_int8_t rate; 1756 1757 wh = mtod(m0, struct ieee80211_frame *); 1758 frm = (u_int8_t *)&wh[1]; 1759 efrm = mtod(m0, u_int8_t *) + m0->m_len; 1760 switch (subtype) { 1761 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1762 case IEEE80211_FC0_SUBTYPE_BEACON: { 1763 u_int8_t *tstamp, *country, *tim; 1764 u_int8_t chan, bchan, fhindex, erp; 1765 u_int16_t capinfo, bintval, timoff; 1766 u_int16_t fhdwell; 1767 1768 /* 1769 * We process beacon/probe response frames: 1770 * o when scanning, or 1771 * o station mode when associated (to collect state 1772 * updates such as 802.11g slot time), or 1773 * o adhoc mode (to discover neighbors) 1774 * Frames otherwise received are discarded. 1775 */ 1776 if (!((ic->ic_flags & IEEE80211_F_SCAN) || 1777 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) || 1778 ic->ic_opmode == IEEE80211_M_IBSS)) { 1779 ic->ic_stats.is_rx_mgtdiscard++; 1780 return; 1781 } 1782 /* 1783 * beacon/probe response frame format 1784 * [8] time stamp 1785 * [2] beacon interval 1786 * [2] capability information 1787 * [tlv] ssid 1788 * [tlv] supported rates 1789 * [tlv] country information 1790 * [tlv] parameter set (FH/DS) 1791 * [tlv] erp information 1792 * [tlv] extended supported rates 1793 * [tlv] WME 1794 * [tlv] WPA or RSN 1795 */ 1796 IEEE80211_VERIFY_LENGTH(efrm - frm, 12); 1797 tstamp = frm; frm += 8; 1798 bintval = le16toh(*(u_int16_t *)frm); frm += 2; 1799 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 1800 ssid = rates = xrates = country = wpa = wme = tim = NULL; 1801 bchan = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1802 chan = bchan; 1803 fhdwell = 0; 1804 fhindex = 0; 1805 erp = 0; 1806 timoff = 0; 1807 while (frm < efrm) { 1808 switch (*frm) { 1809 case IEEE80211_ELEMID_SSID: 1810 ssid = frm; 1811 break; 1812 case IEEE80211_ELEMID_RATES: 1813 rates = frm; 1814 break; 1815 case IEEE80211_ELEMID_COUNTRY: 1816 country = frm; 1817 break; 1818 case IEEE80211_ELEMID_FHPARMS: 1819 if (ic->ic_phytype == IEEE80211_T_FH) { 1820 fhdwell = LE_READ_2(&frm[2]); 1821 chan = IEEE80211_FH_CHAN(frm[4], frm[5]); 1822 fhindex = frm[6]; 1823 } 1824 break; 1825 case IEEE80211_ELEMID_DSPARMS: 1826 /* 1827 * XXX hack this since depending on phytype 1828 * is problematic for multi-mode devices. 1829 */ 1830 if (ic->ic_phytype != IEEE80211_T_FH) 1831 chan = frm[2]; 1832 break; 1833 case IEEE80211_ELEMID_TIM: 1834 /* XXX ATIM? */ 1835 tim = frm; 1836 timoff = frm - mtod(m0, u_int8_t *); 1837 break; 1838 case IEEE80211_ELEMID_IBSSPARMS: 1839 break; 1840 case IEEE80211_ELEMID_XRATES: 1841 xrates = frm; 1842 break; 1843 case IEEE80211_ELEMID_ERP: 1844 if (frm[1] != 1) { 1845 IEEE80211_DISCARD_IE(ic, 1846 IEEE80211_MSG_ELEMID, wh, "ERP", 1847 "bad len %u", frm[1]); 1848 ic->ic_stats.is_rx_elem_toobig++; 1849 break; 1850 } 1851 erp = frm[2]; 1852 break; 1853 case IEEE80211_ELEMID_RSN: 1854 wpa = frm; 1855 break; 1856 case IEEE80211_ELEMID_VENDOR: 1857 if (iswpaoui(frm)) 1858 wpa = frm; 1859 else if (iswmeparam(frm) || iswmeinfo(frm)) 1860 wme = frm; 1861 /* XXX Atheros OUI support */ 1862 break; 1863 default: 1864 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID, 1865 wh, "unhandled", 1866 "id %u, len %u", *frm, frm[1]); 1867 ic->ic_stats.is_rx_elem_unknown++; 1868 break; 1869 } 1870 frm += frm[1] + 2; 1871 } 1872 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 1873 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 1874 if ( 1875#if IEEE80211_CHAN_MAX < 255 1876 chan > IEEE80211_CHAN_MAX || 1877#endif 1878 isclr(ic->ic_chan_active, chan)) { 1879 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, 1880 wh, ieee80211_mgt_subtype_name[subtype >> 1881 IEEE80211_FC0_SUBTYPE_SHIFT], 1882 "invalid channel %u", chan); 1883 ic->ic_stats.is_rx_badchan++; 1884 return; 1885 } 1886 if (chan != bchan && ic->ic_phytype != IEEE80211_T_FH) { 1887 /* 1888 * Frame was received on a channel different from the 1889 * one indicated in the DS params element id; 1890 * silently discard it. 1891 * 1892 * NB: this can happen due to signal leakage. 1893 * But we should take it for FH phy because 1894 * the rssi value should be correct even for 1895 * different hop pattern in FH. 1896 */ 1897 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, 1898 wh, ieee80211_mgt_subtype_name[subtype >> 1899 IEEE80211_FC0_SUBTYPE_SHIFT], 1900 "for off-channel %u", chan); 1901 ic->ic_stats.is_rx_chanmismatch++; 1902 return; 1903 } 1904 if (!(IEEE80211_BINTVAL_MIN <= bintval && 1905 bintval <= IEEE80211_BINTVAL_MAX)) { 1906 IEEE80211_DISCARD(ic, 1907 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT, 1908 wh, ieee80211_mgt_subtype_name[subtype >> 1909 IEEE80211_FC0_SUBTYPE_SHIFT], 1910 "bogus beacon interval", bintval); 1911 ic->ic_stats.is_rx_badbintval++; 1912 return; 1913 } 1914 1915 /* 1916 * Count frame now that we know it's to be processed. 1917 */ 1918 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1919 ic->ic_stats.is_rx_beacon++; /* XXX remove */ 1920 IEEE80211_NODE_STAT(ni, rx_beacons); 1921 } else 1922 IEEE80211_NODE_STAT(ni, rx_proberesp); 1923 1924 /* 1925 * When operating in station mode, check for state updates. 1926 * Be careful to ignore beacons received while doing a 1927 * background scan. We consider only 11g/WMM stuff right now. 1928 */ 1929 if (ic->ic_opmode == IEEE80211_M_STA && 1930 ni->ni_associd != 0 && 1931 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 1932 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 1933 /* record tsf of last beacon */ 1934 memcpy(ni->ni_tstamp.data, tstamp, 1935 sizeof(ni->ni_tstamp)); 1936 if (ni->ni_erp != erp) { 1937 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1938 "[%s] erp change: was 0x%x, now 0x%x\n", 1939 ether_sprintf(wh->i_addr2), 1940 ni->ni_erp, erp); 1941 if (ic->ic_curmode == IEEE80211_MODE_11G && 1942 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 1943 ic->ic_flags |= IEEE80211_F_USEPROT; 1944 else 1945 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1946 ni->ni_erp = erp; 1947 /* XXX statistic */ 1948 } 1949 if ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1950 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1951 "[%s] capabilities change: before 0x%x," 1952 " now 0x%x\n", 1953 ether_sprintf(wh->i_addr2), 1954 ni->ni_capinfo, capinfo); 1955 /* 1956 * NB: we assume short preamble doesn't 1957 * change dynamically 1958 */ 1959 ieee80211_set_shortslottime(ic, 1960 ic->ic_curmode == IEEE80211_MODE_11A || 1961 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1962 ni->ni_capinfo = capinfo; 1963 /* XXX statistic */ 1964 } 1965 if (wme != NULL && 1966 (ni->ni_flags & IEEE80211_NODE_QOS) && 1967 ieee80211_parse_wmeparams(ic, wme, wh) > 0) 1968 ieee80211_wme_updateparams(ic); 1969 if (tim != NULL) { 1970 struct ieee80211_tim_ie *ie = 1971 (struct ieee80211_tim_ie *) tim; 1972 1973 ni->ni_dtim_count = ie->tim_count; 1974 ni->ni_dtim_period = ie->tim_period; 1975 } 1976 /* NB: don't need the rest of this */ 1977 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) 1978 return; 1979 } 1980 1981 if (ni == ic->ic_bss && 1982 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid)) { 1983#ifdef IEEE80211_DEBUG 1984 if (ieee80211_msg_scan(ic)) 1985 dump_probe_beacon(subtype, 1, 1986 wh->i_addr2, chan, bchan, capinfo, 1987 bintval, erp, ssid, country); 1988#endif 1989 /* 1990 * Create a new entry. If scanning the entry goes 1991 * in the scan cache. Otherwise, be particular when 1992 * operating in adhoc mode--only take nodes marked 1993 * as ibss participants so we don't populate our 1994 * neighbor table with unintersting sta's. 1995 */ 1996 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1997 if ((capinfo & IEEE80211_CAPINFO_IBSS) == 0) 1998 return; 1999 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2000 wh->i_addr2); 2001 } else 2002 ni = ieee80211_dup_bss(&ic->ic_scan, wh->i_addr2); 2003 if (ni == NULL) 2004 return; 2005 ni->ni_esslen = ssid[1]; 2006 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 2007 memcpy(ni->ni_essid, ssid + 2, ssid[1]); 2008 } else if (ssid[1] != 0 && 2009 (ISPROBE(subtype) || ni->ni_esslen == 0)) { 2010 /* 2011 * Update ESSID at probe response to adopt 2012 * hidden AP by Lucent/Cisco, which announces 2013 * null ESSID in beacon. 2014 */ 2015#ifdef IEEE80211_DEBUG 2016 if (ieee80211_msg_scan(ic) || 2017 ieee80211_msg_debug(ic)) 2018 dump_probe_beacon(subtype, 0, 2019 wh->i_addr2, chan, bchan, capinfo, 2020 bintval, erp, ssid, country); 2021#endif 2022 ni->ni_esslen = ssid[1]; 2023 memset(ni->ni_essid, 0, sizeof(ni->ni_essid)); 2024 memcpy(ni->ni_essid, ssid + 2, ssid[1]); 2025 } 2026 ni->ni_scangen = ic->ic_scan.nt_scangen; 2027 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3); 2028 ni->ni_rssi = rssi; 2029 ni->ni_rstamp = rstamp; 2030 memcpy(ni->ni_tstamp.data, tstamp, sizeof(ni->ni_tstamp)); 2031 ni->ni_intval = bintval; 2032 ni->ni_capinfo = capinfo; 2033 ni->ni_chan = &ic->ic_channels[chan]; 2034 ni->ni_fhdwell = fhdwell; 2035 ni->ni_fhindex = fhindex; 2036 ni->ni_erp = erp; 2037 if (tim != NULL) { 2038 struct ieee80211_tim_ie *ie = 2039 (struct ieee80211_tim_ie *) tim; 2040 2041 ni->ni_dtim_count = ie->tim_count; 2042 ni->ni_dtim_period = ie->tim_period; 2043 } 2044 /* 2045 * Record the byte offset from the mac header to 2046 * the start of the TIM information element for 2047 * use by hardware and/or to speedup software 2048 * processing of beacon frames. 2049 */ 2050 ni->ni_timoff = timoff; 2051 /* 2052 * Record optional information elements that might be 2053 * used by applications or drivers. 2054 */ 2055 if (wme != NULL) 2056 ieee80211_saveie(&ni->ni_wme_ie, wme); 2057 if (wpa != NULL) 2058 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2059 /* NB: must be after ni_chan is setup */ 2060 ieee80211_setup_rates(ni, rates, xrates, IEEE80211_F_DOSORT); 2061 break; 2062 } 2063 2064 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2065 if (ic->ic_opmode == IEEE80211_M_STA || 2066 ic->ic_state != IEEE80211_S_RUN) { 2067 ic->ic_stats.is_rx_mgtdiscard++; 2068 return; 2069 } 2070 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 2071 /* frame must be directed */ 2072 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */ 2073 return; 2074 } 2075 2076 /* 2077 * prreq frame format 2078 * [tlv] ssid 2079 * [tlv] supported rates 2080 * [tlv] extended supported rates 2081 */ 2082 ssid = rates = xrates = NULL; 2083 while (frm < efrm) { 2084 switch (*frm) { 2085 case IEEE80211_ELEMID_SSID: 2086 ssid = frm; 2087 break; 2088 case IEEE80211_ELEMID_RATES: 2089 rates = frm; 2090 break; 2091 case IEEE80211_ELEMID_XRATES: 2092 xrates = frm; 2093 break; 2094 } 2095 frm += frm[1] + 2; 2096 } 2097 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2098 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2099 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2100 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 2101 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT, 2102 wh, ieee80211_mgt_subtype_name[subtype >> 2103 IEEE80211_FC0_SUBTYPE_SHIFT], 2104 "%s", "no ssid with ssid suppression enabled"); 2105 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/ 2106 return; 2107 } 2108 2109 if (ni == ic->ic_bss) { 2110 if (ic->ic_opmode == IEEE80211_M_IBSS) { 2111 /* 2112 * XXX Cannot tell if the sender is operating 2113 * in ibss mode. But we need a new node to 2114 * send the response so blindly add them to the 2115 * neighbor table. 2116 */ 2117 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta, 2118 wh->i_addr2); 2119 } else 2120 ni = ieee80211_tmp_node(ic, wh->i_addr2); 2121 if (ni == NULL) 2122 return; 2123 allocbs = 1; 2124 } else 2125 allocbs = 0; 2126 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2127 "[%s] recv probe req\n", ether_sprintf(wh->i_addr2)); 2128 ni->ni_rssi = rssi; 2129 ni->ni_rstamp = rstamp; 2130 rate = ieee80211_setup_rates(ni, rates, xrates, 2131 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE 2132 | IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2133 if (rate & IEEE80211_RATE_BASIC) { 2134 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE, 2135 wh, ieee80211_mgt_subtype_name[subtype >> 2136 IEEE80211_FC0_SUBTYPE_SHIFT], 2137 "%s", "recv'd rate set invalid"); 2138 } else { 2139 IEEE80211_SEND_MGMT(ic, ni, 2140 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0); 2141 } 2142 if (allocbs && ic->ic_opmode != IEEE80211_M_IBSS) { 2143 /* reclaim immediately */ 2144 ieee80211_free_node(ni); 2145 } 2146 break; 2147 2148 case IEEE80211_FC0_SUBTYPE_AUTH: { 2149 u_int16_t algo, seq, status; 2150 /* 2151 * auth frame format 2152 * [2] algorithm 2153 * [2] sequence 2154 * [2] status 2155 * [tlv*] challenge 2156 */ 2157 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2158 algo = le16toh(*(u_int16_t *)frm); 2159 seq = le16toh(*(u_int16_t *)(frm + 2)); 2160 status = le16toh(*(u_int16_t *)(frm + 4)); 2161 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2162 "[%s] recv auth frame with algorithm %d seq %d\n", 2163 ether_sprintf(wh->i_addr2), algo, seq); 2164 /* 2165 * Consult the ACL policy module if setup. 2166 */ 2167 if (ic->ic_acl != NULL && 2168 !ic->ic_acl->iac_check(ic, wh->i_addr2)) { 2169 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL, 2170 wh, "auth", "%s", "disallowed by ACL"); 2171 ic->ic_stats.is_rx_acl++; 2172 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2173 IEEE80211_SEND_MGMT(ic, ni, 2174 IEEE80211_FC0_SUBTYPE_AUTH, 2175 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16)); 2176 } 2177 return; 2178 } 2179 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 2180 IEEE80211_DISCARD(ic, 2181 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 2182 wh, "auth", "%s", "TKIP countermeasures enabled"); 2183 ic->ic_stats.is_rx_auth_countermeasures++; 2184 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2185 IEEE80211_SEND_MGMT(ic, ni, 2186 IEEE80211_FC0_SUBTYPE_AUTH, 2187 IEEE80211_REASON_MIC_FAILURE); 2188 } 2189 return; 2190 } 2191 if (algo == IEEE80211_AUTH_ALG_SHARED) 2192 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi, 2193 rstamp, seq, status); 2194 else if (algo == IEEE80211_AUTH_ALG_OPEN) 2195 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq, 2196 status); 2197 else { 2198 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2199 wh, "auth", "unsupported alg %d", algo); 2200 ic->ic_stats.is_rx_auth_unsupported++; 2201 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2202 /* XXX not right */ 2203 IEEE80211_SEND_MGMT(ic, ni, 2204 IEEE80211_FC0_SUBTYPE_AUTH, 2205 (seq+1) | (IEEE80211_STATUS_ALG<<16)); 2206 } 2207 return; 2208 } 2209 break; 2210 } 2211 2212 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2213 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: { 2214 u_int16_t capinfo, lintval; 2215 struct ieee80211_rsnparms rsn; 2216 u_int8_t reason; 2217 2218 if (ic->ic_opmode != IEEE80211_M_HOSTAP || 2219 ic->ic_state != IEEE80211_S_RUN) { 2220 ic->ic_stats.is_rx_mgtdiscard++; 2221 return; 2222 } 2223 2224 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2225 reassoc = 1; 2226 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP; 2227 } else { 2228 reassoc = 0; 2229 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP; 2230 } 2231 /* 2232 * asreq frame format 2233 * [2] capability information 2234 * [2] listen interval 2235 * [6*] current AP address (reassoc only) 2236 * [tlv] ssid 2237 * [tlv] supported rates 2238 * [tlv] extended supported rates 2239 * [tlv] WPA or RSN 2240 */ 2241 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4)); 2242 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) { 2243 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2244 wh, ieee80211_mgt_subtype_name[subtype >> 2245 IEEE80211_FC0_SUBTYPE_SHIFT], 2246 "%s", "wrong bssid"); 2247 ic->ic_stats.is_rx_assoc_bss++; 2248 return; 2249 } 2250 capinfo = le16toh(*(u_int16_t *)frm); frm += 2; 2251 lintval = le16toh(*(u_int16_t *)frm); frm += 2; 2252 if (reassoc) 2253 frm += 6; /* ignore current AP info */ 2254 ssid = rates = xrates = wpa = wme = NULL; 2255 while (frm < efrm) { 2256 switch (*frm) { 2257 case IEEE80211_ELEMID_SSID: 2258 ssid = frm; 2259 break; 2260 case IEEE80211_ELEMID_RATES: 2261 rates = frm; 2262 break; 2263 case IEEE80211_ELEMID_XRATES: 2264 xrates = frm; 2265 break; 2266 /* XXX verify only one of RSN and WPA ie's? */ 2267 case IEEE80211_ELEMID_RSN: 2268 wpa = frm; 2269 break; 2270 case IEEE80211_ELEMID_VENDOR: 2271 if (iswpaoui(frm)) 2272 wpa = frm; 2273 else if (iswmeinfo(frm)) 2274 wme = frm; 2275 /* XXX Atheros OUI support */ 2276 break; 2277 } 2278 frm += frm[1] + 2; 2279 } 2280 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2281 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN); 2282 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid); 2283 2284 if (ni == ic->ic_bss) { 2285 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2286 "[%s] deny %s request, sta not authenticated\n", 2287 ether_sprintf(wh->i_addr2), 2288 reassoc ? "reassoc" : "assoc"); 2289 ieee80211_send_error(ic, ni, wh->i_addr2, 2290 IEEE80211_FC0_SUBTYPE_DEAUTH, 2291 IEEE80211_REASON_ASSOC_NOT_AUTHED); 2292 ic->ic_stats.is_rx_assoc_notauth++; 2293 return; 2294 } 2295 /* assert right associstion security credentials */ 2296 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) { 2297 IEEE80211_DPRINTF(ic, 2298 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2299 "[%s] no WPA/RSN IE in association request\n", 2300 ether_sprintf(wh->i_addr2)); 2301 IEEE80211_SEND_MGMT(ic, ni, 2302 IEEE80211_FC0_SUBTYPE_DEAUTH, 2303 IEEE80211_REASON_RSN_REQUIRED); 2304 ieee80211_node_leave(ic, ni); 2305 /* XXX distinguish WPA/RSN? */ 2306 ic->ic_stats.is_rx_assoc_badwpaie++; 2307 return; 2308 } 2309 if (wpa != NULL) { 2310 /* 2311 * Parse WPA information element. Note that 2312 * we initialize the param block from the node 2313 * state so that information in the IE overrides 2314 * our defaults. The resulting parameters are 2315 * installed below after the association is assured. 2316 */ 2317 rsn = ni->ni_rsn; 2318 if (wpa[0] != IEEE80211_ELEMID_RSN) 2319 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh); 2320 else 2321 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh); 2322 if (reason != 0) { 2323 IEEE80211_SEND_MGMT(ic, ni, 2324 IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 2325 ieee80211_node_leave(ic, ni); 2326 /* XXX distinguish WPA/RSN? */ 2327 ic->ic_stats.is_rx_assoc_badwpaie++; 2328 return; 2329 } 2330 IEEE80211_DPRINTF(ic, 2331 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, 2332 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n", 2333 ether_sprintf(wh->i_addr2), 2334 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN", 2335 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen, 2336 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen, 2337 rsn.rsn_keymgmt, rsn.rsn_caps); 2338 } 2339 /* discard challenge after association */ 2340 if (ni->ni_challenge != NULL) { 2341 FREE(ni->ni_challenge, M_DEVBUF); 2342 ni->ni_challenge = NULL; 2343 } 2344 /* NB: 802.11 spec says to ignore station's privacy bit */ 2345 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) { 2346 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2347 "[%s] deny %s request, capability mismatch 0x%x\n", 2348 ether_sprintf(wh->i_addr2), 2349 reassoc ? "reassoc" : "assoc", capinfo); 2350 IEEE80211_SEND_MGMT(ic, ni, resp, 2351 IEEE80211_STATUS_CAPINFO); 2352 ieee80211_node_leave(ic, ni); 2353 ic->ic_stats.is_rx_assoc_capmismatch++; 2354 return; 2355 } 2356 rate = ieee80211_setup_rates(ni, rates, xrates, 2357 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2358 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2359 /* 2360 * If constrained to 11g-only stations reject an 2361 * 11b-only station. We cheat a bit here by looking 2362 * at the max negotiated xmit rate and assuming anyone 2363 * with a best rate <24Mb/s is an 11b station. 2364 */ 2365 if ((rate & IEEE80211_RATE_BASIC) || 2366 ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48)) { 2367 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2368 "[%s] deny %s request, rate set mismatch\n", 2369 ether_sprintf(wh->i_addr2), 2370 reassoc ? "reassoc" : "assoc"); 2371 IEEE80211_SEND_MGMT(ic, ni, resp, 2372 IEEE80211_STATUS_BASIC_RATE); 2373 ieee80211_node_leave(ic, ni); 2374 ic->ic_stats.is_rx_assoc_norate++; 2375 return; 2376 } 2377 ni->ni_rssi = rssi; 2378 ni->ni_rstamp = rstamp; 2379 ni->ni_intval = lintval; 2380 ni->ni_capinfo = capinfo; 2381 ni->ni_chan = ic->ic_bss->ni_chan; 2382 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell; 2383 ni->ni_fhindex = ic->ic_bss->ni_fhindex; 2384 if (wpa != NULL) { 2385 /* 2386 * Record WPA/RSN parameters for station, mark 2387 * node as using WPA and record information element 2388 * for applications that require it. 2389 */ 2390 ni->ni_rsn = rsn; 2391 ieee80211_saveie(&ni->ni_wpa_ie, wpa); 2392 } else if (ni->ni_wpa_ie != NULL) { 2393 /* 2394 * Flush any state from a previous association. 2395 */ 2396 FREE(ni->ni_wpa_ie, M_DEVBUF); 2397 ni->ni_wpa_ie = NULL; 2398 } 2399 if (wme != NULL) { 2400 /* 2401 * Record WME parameters for station, mark node 2402 * as capable of QoS and record information 2403 * element for applications that require it. 2404 */ 2405 ieee80211_saveie(&ni->ni_wme_ie, wme); 2406 ni->ni_flags |= IEEE80211_NODE_QOS; 2407 } else if (ni->ni_wme_ie != NULL) { 2408 /* 2409 * Flush any state from a previous association. 2410 */ 2411 FREE(ni->ni_wme_ie, M_DEVBUF); 2412 ni->ni_wme_ie = NULL; 2413 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2414 } 2415 ieee80211_node_join(ic, ni, resp); 2416 break; 2417 } 2418 2419 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2420 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 2421 u_int16_t capinfo, associd; 2422 u_int16_t status; 2423 2424 if (ic->ic_opmode != IEEE80211_M_STA || 2425 ic->ic_state != IEEE80211_S_ASSOC) { 2426 ic->ic_stats.is_rx_mgtdiscard++; 2427 return; 2428 } 2429 2430 /* 2431 * asresp frame format 2432 * [2] capability information 2433 * [2] status 2434 * [2] association ID 2435 * [tlv] supported rates 2436 * [tlv] extended supported rates 2437 * [tlv] WME 2438 */ 2439 IEEE80211_VERIFY_LENGTH(efrm - frm, 6); 2440 ni = ic->ic_bss; 2441 capinfo = le16toh(*(u_int16_t *)frm); 2442 frm += 2; 2443 status = le16toh(*(u_int16_t *)frm); 2444 frm += 2; 2445 if (status != 0) { 2446 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2447 "[%s] %sassoc failed (reason %d)\n", 2448 ether_sprintf(wh->i_addr2), 2449 ISREASSOC(subtype) ? "re" : "", status); 2450 if (ni != ic->ic_bss) /* XXX never true? */ 2451 ni->ni_fails++; 2452 ic->ic_stats.is_rx_auth_fail++; /* XXX */ 2453 return; 2454 } 2455 associd = le16toh(*(u_int16_t *)frm); 2456 frm += 2; 2457 2458 rates = xrates = wpa = wme = NULL; 2459 while (frm < efrm) { 2460 switch (*frm) { 2461 case IEEE80211_ELEMID_RATES: 2462 rates = frm; 2463 break; 2464 case IEEE80211_ELEMID_XRATES: 2465 xrates = frm; 2466 break; 2467 case IEEE80211_ELEMID_VENDOR: 2468 if (iswmeoui(frm)) 2469 wme = frm; 2470 /* XXX Atheros OUI support */ 2471 break; 2472 } 2473 frm += frm[1] + 2; 2474 } 2475 2476 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE); 2477 rate = ieee80211_setup_rates(ni, rates, xrates, 2478 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 2479 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 2480 if (rate & IEEE80211_RATE_BASIC) { 2481 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2482 "[%s] %sassoc failed (rate set mismatch)\n", 2483 ether_sprintf(wh->i_addr2), 2484 ISREASSOC(subtype) ? "re" : ""); 2485 if (ni != ic->ic_bss) /* XXX never true? */ 2486 ni->ni_fails++; 2487 ic->ic_stats.is_rx_assoc_norate++; 2488 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0); 2489 return; 2490 } 2491 2492 ni->ni_capinfo = capinfo; 2493 ni->ni_associd = associd; 2494 if (wme != NULL && 2495 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) { 2496 ni->ni_flags |= IEEE80211_NODE_QOS; 2497 ieee80211_wme_updateparams(ic); 2498 } else 2499 ni->ni_flags &= ~IEEE80211_NODE_QOS; 2500 /* 2501 * Configure state now that we are associated. 2502 * 2503 * XXX may need different/additional driver callbacks? 2504 */ 2505 if (ic->ic_curmode == IEEE80211_MODE_11A || 2506 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { 2507 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 2508 ic->ic_flags &= ~IEEE80211_F_USEBARKER; 2509 } else { 2510 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 2511 ic->ic_flags |= IEEE80211_F_USEBARKER; 2512 } 2513 ieee80211_set_shortslottime(ic, 2514 ic->ic_curmode == IEEE80211_MODE_11A || 2515 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 2516 /* 2517 * Honor ERP protection. 2518 * 2519 * NB: ni_erp should zero for non-11g operation. 2520 * XXX check ic_curmode anyway? 2521 */ 2522 if (ic->ic_curmode == IEEE80211_MODE_11G && 2523 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 2524 ic->ic_flags |= IEEE80211_F_USEPROT; 2525 else 2526 ic->ic_flags &= ~IEEE80211_F_USEPROT; 2527 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2528 "[%s] %sassoc success: %s preamble, %s slot time%s%s\n", 2529 ether_sprintf(wh->i_addr2), 2530 ISREASSOC(subtype) ? "re" : "", 2531 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 2532 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 2533 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 2534 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "" 2535 ); 2536 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype); 2537 break; 2538 } 2539 2540 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 2541 u_int16_t reason; 2542 2543 if (ic->ic_state == IEEE80211_S_SCAN) { 2544 ic->ic_stats.is_rx_mgtdiscard++; 2545 return; 2546 } 2547 /* 2548 * deauth frame format 2549 * [2] reason 2550 */ 2551 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2552 reason = le16toh(*(u_int16_t *)frm); 2553 ic->ic_stats.is_rx_deauth++; 2554 IEEE80211_NODE_STAT(ni, rx_deauth); 2555 2556 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 2557 "[%s] recv deauthenticate (reason %d)\n", 2558 ether_sprintf(ni->ni_macaddr), reason); 2559 switch (ic->ic_opmode) { 2560 case IEEE80211_M_STA: 2561 ieee80211_new_state(ic, IEEE80211_S_AUTH, 2562 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2563 break; 2564 case IEEE80211_M_HOSTAP: 2565 if (ni != ic->ic_bss) 2566 ieee80211_node_leave(ic, ni); 2567 break; 2568 default: 2569 ic->ic_stats.is_rx_mgtdiscard++; 2570 break; 2571 } 2572 break; 2573 } 2574 2575 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 2576 u_int16_t reason; 2577 2578 if (ic->ic_state != IEEE80211_S_RUN && 2579 ic->ic_state != IEEE80211_S_ASSOC && 2580 ic->ic_state != IEEE80211_S_AUTH) { 2581 ic->ic_stats.is_rx_mgtdiscard++; 2582 return; 2583 } 2584 /* 2585 * disassoc frame format 2586 * [2] reason 2587 */ 2588 IEEE80211_VERIFY_LENGTH(efrm - frm, 2); 2589 reason = le16toh(*(u_int16_t *)frm); 2590 ic->ic_stats.is_rx_disassoc++; 2591 IEEE80211_NODE_STAT(ni, rx_disassoc); 2592 2593 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 2594 "[%s] recv disassociate (reason %d)\n", 2595 ether_sprintf(ni->ni_macaddr), reason); 2596 switch (ic->ic_opmode) { 2597 case IEEE80211_M_STA: 2598 ieee80211_new_state(ic, IEEE80211_S_ASSOC, 2599 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK); 2600 break; 2601 case IEEE80211_M_HOSTAP: 2602 if (ni != ic->ic_bss) 2603 ieee80211_node_leave(ic, ni); 2604 break; 2605 default: 2606 ic->ic_stats.is_rx_mgtdiscard++; 2607 break; 2608 } 2609 break; 2610 } 2611 default: 2612 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY, 2613 wh, "mgt", "subtype 0x%x not handled", subtype); 2614 ic->ic_stats.is_rx_badsubtype++; 2615 break; 2616 } 2617#undef ISREASSOC 2618#undef ISPROBE 2619} 2620#undef IEEE80211_VERIFY_LENGTH 2621#undef IEEE80211_VERIFY_ELEMENT 2622 2623/* 2624 * Handle station power-save state change. 2625 */ 2626static void 2627ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable) 2628{ 2629 struct ieee80211com *ic = ni->ni_ic; 2630 struct mbuf *m; 2631 2632 if (enable) { 2633 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0) 2634 ic->ic_ps_sta++; 2635 ni->ni_flags |= IEEE80211_NODE_PWR_MGT; 2636 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2637 "[%s] power save mode on, %u sta's in ps mode\n", 2638 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta); 2639 return; 2640 } 2641 2642 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT) 2643 ic->ic_ps_sta--; 2644 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT; 2645 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2646 "[%s] power save mode off, %u sta's in ps mode\n", 2647 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta); 2648 /* XXX if no stations in ps mode, flush mc frames */ 2649 2650 /* 2651 * Flush queued unicast frames. 2652 */ 2653 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) { 2654 if (ic->ic_set_tim != NULL) 2655 ic->ic_set_tim(ni, 0); /* just in case */ 2656 return; 2657 } 2658 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2659 "[%s] flush ps queue, %u packets queued\n", 2660 ether_sprintf(ni->ni_macaddr), IEEE80211_NODE_SAVEQ_QLEN(ni)); 2661 for (;;) { 2662 int qlen; 2663 2664 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2665 if (m == NULL) 2666 break; 2667 /* 2668 * If this is the last packet, turn off the TIM bit. 2669 * If there are more packets, set the more packets bit 2670 * in the mbuf so ieee80211_encap will mark the 802.11 2671 * head to indicate more data frames will follow. 2672 */ 2673 if (qlen != 0) 2674 m->m_flags |= M_MORE_DATA; 2675 /* XXX need different driver interface */ 2676 /* XXX bypasses q max */ 2677 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2678 } 2679 if (ic->ic_set_tim != NULL) 2680 ic->ic_set_tim(ni, 0); 2681} 2682 2683/* 2684 * Process a received ps-poll frame. 2685 */ 2686static void 2687ieee80211_recv_pspoll(struct ieee80211com *ic, 2688 struct ieee80211_node *ni, struct mbuf *m0) 2689{ 2690 struct ieee80211_frame_min *wh; 2691 struct mbuf *m; 2692 u_int16_t aid; 2693 int qlen; 2694 2695 wh = mtod(m0, struct ieee80211_frame_min *); 2696 if (ni->ni_associd == 0) { 2697 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2698 (struct ieee80211_frame *) wh, "ps-poll", 2699 "%s", "unassociated station"); 2700 ic->ic_stats.is_ps_unassoc++; 2701 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2702 IEEE80211_REASON_NOT_ASSOCED); 2703 return; 2704 } 2705 2706 aid = le16toh(*(u_int16_t *)wh->i_dur); 2707 if (aid != ni->ni_associd) { 2708 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG, 2709 (struct ieee80211_frame *) wh, "ps-poll", 2710 "aid mismatch: sta aid 0x%x poll aid 0x%x", 2711 ni->ni_associd, aid); 2712 ic->ic_stats.is_ps_badaid++; 2713 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 2714 IEEE80211_REASON_NOT_ASSOCED); 2715 return; 2716 } 2717 2718 /* Okay, take the first queued packet and put it out... */ 2719 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen); 2720 if (m == NULL) { 2721 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2722 "[%s] recv ps-poll, but queue empty\n", 2723 ether_sprintf(wh->i_addr2)); 2724 ieee80211_send_nulldata(ieee80211_ref_node(ni)); 2725 ic->ic_stats.is_ps_qempty++; /* XXX node stat */ 2726 if (ic->ic_set_tim != NULL) 2727 ic->ic_set_tim(ni, 0); /* just in case */ 2728 return; 2729 } 2730 /* 2731 * If there are more packets, set the more packets bit 2732 * in the packet dispatched to the station; otherwise 2733 * turn off the TIM bit. 2734 */ 2735 if (qlen != 0) { 2736 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2737 "[%s] recv ps-poll, send packet, %u still queued\n", 2738 ether_sprintf(ni->ni_macaddr), qlen); 2739 m->m_flags |= M_MORE_DATA; 2740 } else { 2741 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2742 "[%s] recv ps-poll, send packet, queue empty\n", 2743 ether_sprintf(ni->ni_macaddr)); 2744 if (ic->ic_set_tim != NULL) 2745 ic->ic_set_tim(ni, 0); 2746 } 2747 m->m_flags |= M_PWR_SAV; /* bypass PS handling */ 2748 IF_ENQUEUE(&ic->ic_ifp->if_snd, m); 2749} 2750 2751#ifdef IEEE80211_DEBUG 2752/* 2753 * Debugging support. 2754 */ 2755 2756/* 2757 * Return the bssid of a frame. 2758 */ 2759static const u_int8_t * 2760ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh) 2761{ 2762 if (ic->ic_opmode == IEEE80211_M_STA) 2763 return wh->i_addr2; 2764 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS) 2765 return wh->i_addr1; 2766 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL) 2767 return wh->i_addr1; 2768 return wh->i_addr3; 2769} 2770 2771void 2772ieee80211_note(struct ieee80211com *ic, const char *fmt, ...) 2773{ 2774 char buf[128]; /* XXX */ 2775 va_list ap; 2776 2777 va_start(ap, fmt); 2778 vsnprintf(buf, sizeof(buf), fmt, ap); 2779 va_end(ap); 2780 2781 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */ 2782} 2783 2784void 2785ieee80211_note_frame(struct ieee80211com *ic, 2786 const struct ieee80211_frame *wh, 2787 const char *fmt, ...) 2788{ 2789 char buf[128]; /* XXX */ 2790 va_list ap; 2791 2792 va_start(ap, fmt); 2793 vsnprintf(buf, sizeof(buf), fmt, ap); 2794 va_end(ap); 2795 if_printf(ic->ic_ifp, "[%s] %s\n", 2796 ether_sprintf(ieee80211_getbssid(ic, wh)), buf); 2797} 2798 2799void 2800ieee80211_note_mac(struct ieee80211com *ic, 2801 const u_int8_t mac[IEEE80211_ADDR_LEN], 2802 const char *fmt, ...) 2803{ 2804 char buf[128]; /* XXX */ 2805 va_list ap; 2806 2807 va_start(ap, fmt); 2808 vsnprintf(buf, sizeof(buf), fmt, ap); 2809 va_end(ap); 2810 if_printf(ic->ic_ifp, "[%s] %s\n", ether_sprintf(mac), buf); 2811} 2812 2813static void 2814ieee80211_discard_frame(struct ieee80211com *ic, 2815 const struct ieee80211_frame *wh, 2816 const char *type, const char *fmt, ...) 2817{ 2818 va_list ap; 2819 2820 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2821 ether_sprintf(ieee80211_getbssid(ic, wh))); 2822 if (type != NULL) 2823 printf("%s frame, ", type); 2824 else 2825 printf("frame, "); 2826 va_start(ap, fmt); 2827 vprintf(fmt, ap); 2828 va_end(ap); 2829 printf("\n"); 2830} 2831 2832static void 2833ieee80211_discard_ie(struct ieee80211com *ic, 2834 const struct ieee80211_frame *wh, 2835 const char *type, const char *fmt, ...) 2836{ 2837 va_list ap; 2838 2839 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, 2840 ether_sprintf(ieee80211_getbssid(ic, wh))); 2841 if (type != NULL) 2842 printf("%s information element, ", type); 2843 else 2844 printf("information element, "); 2845 va_start(ap, fmt); 2846 vprintf(fmt, ap); 2847 va_end(ap); 2848 printf("\n"); 2849} 2850 2851static void 2852ieee80211_discard_mac(struct ieee80211com *ic, 2853 const u_int8_t mac[IEEE80211_ADDR_LEN], 2854 const char *type, const char *fmt, ...) 2855{ 2856 va_list ap; 2857 2858 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, ether_sprintf(mac)); 2859 if (type != NULL) 2860 printf("%s frame, ", type); 2861 else 2862 printf("frame, "); 2863 va_start(ap, fmt); 2864 vprintf(fmt, ap); 2865 va_end(ap); 2866 printf("\n"); 2867} 2868#endif /* IEEE80211_DEBUG */ 2869