search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Expand PMF_FN_* macros.
[netbsd-mini2440.git] / sys / net80211 / ieee80211_input.c
blobb022a437d2f370ed3a8b1c62426d0966083a13f7
1 /* $NetBSD: ieee80211_input.c,v 1.67 2008/12/17 20:51:37 cegger Exp $ */
2 /*-
3 * Copyright (c) 2001 Atsushi Onoe
4 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. The name of the author may not be used to endorse or promote products
16 * derived from this software without specific prior written permission.
17 *
18 * Alternatively, this software may be distributed under the terms of the
19 * GNU General Public License ("GPL") version 2 as published by the Free
20 * Software Foundation.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 */
33
34 #include <sys/cdefs.h>
35 #ifdef __FreeBSD__
36 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.81 2005/08/10 16:22:29 sam Exp $");
37 #endif
38 #ifdef __NetBSD__
39 __KERNEL_RCSID(0, "$NetBSD: ieee80211_input.c,v 1.67 2008/12/17 20:51:37 cegger Exp $");
40 #endif
41
42 #include "opt_inet.h"
43
44 #ifdef __NetBSD__
45 #include "bpfilter.h"
46 #endif /* __NetBSD__ */
47
48 #include <sys/param.h>
49 #include <sys/systm.h>
50 #include <sys/mbuf.h>
51 #include <sys/malloc.h>
52 #include <sys/endian.h>
53 #include <sys/kernel.h>
54
55 #include <sys/socket.h>
56 #include <sys/sockio.h>
57 #include <sys/endian.h>
58 #include <sys/errno.h>
59 #include <sys/proc.h>
60 #include <sys/sysctl.h>
61
62 #include <net/if.h>
63 #include <net/if_media.h>
64 #include <net/if_arp.h>
65 #include <net/if_ether.h>
66 #include <net/if_llc.h>
67
68 #include <net80211/ieee80211_netbsd.h>
69 #include <net80211/ieee80211_var.h>
70
71 #if NBPFILTER > 0
72 #include <net/bpf.h>
73 #endif
74
75 #ifdef INET
76 #include <netinet/in.h>
77 #include <net/if_ether.h>
78 #endif
79
80 const struct timeval ieee80211_merge_print_intvl = {.tv_sec = 1, .tv_usec = 0};
81
82 #ifdef IEEE80211_DEBUG
83 #include <machine/stdarg.h>
84
85 /*
86 * Decide if a received management frame should be
87 * printed when debugging is enabled. This filters some
88 * of the less interesting frames that come frequently
89 * (e.g. beacons).
90 */
91 static __inline int
92 doprint(struct ieee80211com *ic, int subtype)
93 {
94 switch (subtype) {
95 case IEEE80211_FC0_SUBTYPE_BEACON:
96 return (ic->ic_flags & IEEE80211_F_SCAN);
97 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
98 return (ic->ic_opmode == IEEE80211_M_IBSS);
99 }
100 return 1;
101 }
102
103 /*
104 * Emit a debug message about discarding a frame or information
105 * element. One format is for extracting the mac address from
106 * the frame header; the other is for when a header is not
107 * available or otherwise appropriate.
108 */
109 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \
110 if ((_ic)->ic_debug & (_m)) \
111 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\
112 } while (0)
113 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \
114 if ((_ic)->ic_debug & (_m)) \
115 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\
116 } while (0)
117 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \
118 if ((_ic)->ic_debug & (_m)) \
119 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\
120 } while (0)
121
122 static const u_int8_t *ieee80211_getbssid(struct ieee80211com *,
123 const struct ieee80211_frame *);
124 static void ieee80211_discard_frame(struct ieee80211com *,
125 const struct ieee80211_frame *, const char *type, const char *fmt, ...);
126 static void ieee80211_discard_ie(struct ieee80211com *,
127 const struct ieee80211_frame *, const char *type, const char *fmt, ...);
128 static void ieee80211_discard_mac(struct ieee80211com *,
129 const u_int8_t mac[IEEE80211_ADDR_LEN], const char *type,
130 const char *fmt, ...);
131 #else
132 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...)
133 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...)
134 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...)
135 #endif /* IEEE80211_DEBUG */
136
137 static struct mbuf *ieee80211_defrag(struct ieee80211com *,
138 struct ieee80211_node *, struct mbuf *, int);
139 static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int);
140 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *,
141 const u_int8_t *mac, int subtype, int arg);
142 static void ieee80211_deliver_data(struct ieee80211com *,
143 struct ieee80211_node *, struct mbuf *);
144 #ifndef IEEE80211_NO_HOSTAP
145 static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable);
146 static void ieee80211_recv_pspoll(struct ieee80211com *,
147 struct ieee80211_node *, struct mbuf *);
148 #endif /* !IEEE80211_NO_HOSTAP */
149 static void ieee80211_update_adhoc_node(struct ieee80211com *,
150 struct ieee80211_node *, struct ieee80211_frame *,
151 struct ieee80211_scanparams *, int, u_int32_t);
152
153 /*
154 * Process a received frame. The node associated with the sender
155 * should be supplied. If nothing was found in the node table then
156 * the caller is assumed to supply a reference to ic_bss instead.
157 * The RSSI and a timestamp are also supplied. The RSSI data is used
158 * during AP scanning to select a AP to associate with; it can have
159 * any units so long as values have consistent units and higher values
160 * mean ``better signal''. The receive timestamp is currently not used
161 * by the 802.11 layer.
162 */
163 int
164 ieee80211_input(struct ieee80211com *ic, struct mbuf *m,
165 struct ieee80211_node *ni, int rssi, u_int32_t rstamp)
166 {
167 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
168 #define HAS_SEQ(type) ((type & 0x4) == 0)
169 struct ifnet *ifp = ic->ic_ifp;
170 struct ieee80211_frame *wh;
171 struct ieee80211_key *key;
172 struct ether_header *eh;
173 int hdrspace;
174 u_int8_t dir, type, subtype;
175 u_int8_t *bssid;
176 u_int16_t rxseq;
177
178 IASSERT(ni != NULL, ("null node"));
179 ni->ni_inact = ni->ni_inact_reload;
180
181 /* trim CRC here so WEP can find its own CRC at the end of packet. */
182 if (m->m_flags & M_HASFCS) {
183 m_adj(m, -IEEE80211_CRC_LEN);
184 m->m_flags &= ~M_HASFCS;
185 }
186 type = -1; /* undefined */
187 /*
188 * In monitor mode, send everything directly to bpf.
189 * XXX may want to include the CRC
190 */
191 if (ic->ic_opmode == IEEE80211_M_MONITOR)
192 goto out;
193
194 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
195 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
196 ni->ni_macaddr, NULL,
197 "too short (1): len %u", m->m_pkthdr.len);
198 ic->ic_stats.is_rx_tooshort++;
199 goto out;
200 }
201 /*
202 * Bit of a cheat here, we use a pointer for a 3-address
203 * frame format but don't reference fields past outside
204 * ieee80211_frame_min w/o first validating the data is
205 * present.
206 */
207 wh = mtod(m, struct ieee80211_frame *);
208
209 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
210 IEEE80211_FC0_VERSION_0) {
211 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
212 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]);
213 ic->ic_stats.is_rx_badversion++;
214 goto err;
215 }
216
217 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
218 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
219 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
220 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
221 switch (ic->ic_opmode) {
222 case IEEE80211_M_STA:
223 bssid = wh->i_addr2;
224 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
225 /* not interested in */
226 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
227 bssid, NULL, "%s", "not to bss");
228 ic->ic_stats.is_rx_wrongbss++;
229 goto out;
230 }
231 break;
232 case IEEE80211_M_IBSS:
233 case IEEE80211_M_AHDEMO:
234 case IEEE80211_M_HOSTAP:
235 if (dir != IEEE80211_FC1_DIR_NODS)
236 bssid = wh->i_addr1;
237 else if (type == IEEE80211_FC0_TYPE_CTL)
238 bssid = wh->i_addr1;
239 else {
240 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
241 IEEE80211_DISCARD_MAC(ic,
242 IEEE80211_MSG_ANY, ni->ni_macaddr,
243 NULL, "too short (2): len %u",
244 m->m_pkthdr.len);
245 ic->ic_stats.is_rx_tooshort++;
246 goto out;
247 }
248 bssid = wh->i_addr3;
249 }
250 if (type != IEEE80211_FC0_TYPE_DATA)
251 break;
252 /*
253 * Data frame, validate the bssid.
254 */
255 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) &&
256 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
257 /* not interested in */
258 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
259 bssid, NULL, "%s", "not to bss");
260 ic->ic_stats.is_rx_wrongbss++;
261 goto out;
262 }
263 /*
264 * For adhoc mode we cons up a node when it doesn't
265 * exist. This should probably done after an ACL check.
266 */
267 if (ni == ic->ic_bss &&
268 ic->ic_opmode != IEEE80211_M_HOSTAP &&
269 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
270 /*
271 * Fake up a node for this newly
272 * discovered member of the IBSS.
273 */
274 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta,
275 wh->i_addr2);
276 if (ni == NULL) {
277 /* NB: stat kept for alloc failure */
278 goto err;
279 }
280 }
281 break;
282 default:
283 goto out;
284 }
285 ni->ni_rssi = rssi;
286 ni->ni_rstamp = rstamp;
287 if (HAS_SEQ(type)) {
288 u_int8_t tid;
289 if (IEEE80211_QOS_HAS_SEQ(wh)) {
290 tid = ((struct ieee80211_qosframe *)wh)->
291 i_qos[0] & IEEE80211_QOS_TID;
292 if (TID_TO_WME_AC(tid) >= WME_AC_VI)
293 ic->ic_wme.wme_hipri_traffic++;
294 tid++;
295 } else
296 tid = 0;
297 rxseq = le16toh(*(u_int16_t *)wh->i_seq);
298 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
299 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
300 /* duplicate, discard */
301 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
302 bssid, "duplicate",
303 "seqno <%u,%u> fragno <%u,%u> tid %u",
304 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
305 ni->ni_rxseqs[tid] >>
306 IEEE80211_SEQ_SEQ_SHIFT,
307 rxseq & IEEE80211_SEQ_FRAG_MASK,
308 ni->ni_rxseqs[tid] &
309 IEEE80211_SEQ_FRAG_MASK,
310 tid);
311 ic->ic_stats.is_rx_dup++;
312 IEEE80211_NODE_STAT(ni, rx_dup);
313 goto out;
314 }
315 ni->ni_rxseqs[tid] = rxseq;
316 }
317 }
318
319 switch (type) {
320 case IEEE80211_FC0_TYPE_DATA:
321 hdrspace = ieee80211_hdrspace(ic, wh);
322 if (m->m_len < hdrspace &&
323 (m = m_pullup(m, hdrspace)) == NULL) {
324 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
325 ni->ni_macaddr, NULL,
326 "data too short: expecting %u", hdrspace);
327 ic->ic_stats.is_rx_tooshort++;
328 goto out; /* XXX */
329 }
330 switch (ic->ic_opmode) {
331 case IEEE80211_M_STA:
332 if (dir != IEEE80211_FC1_DIR_FROMDS) {
333 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
334 wh, "data", "%s", "unknown dir 0x%x", dir);
335 ic->ic_stats.is_rx_wrongdir++;
336 goto out;
337 }
338 if ((ifp->if_flags & IFF_SIMPLEX) &&
339 IEEE80211_IS_MULTICAST(wh->i_addr1) &&
340 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) {
341 /*
342 * In IEEE802.11 network, multicast packet
343 * sent from me is broadcasted from AP.
344 * It should be silently discarded for
345 * SIMPLEX interface.
346 */
347 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
348 wh, NULL, "%s", "multicast echo");
349 ic->ic_stats.is_rx_mcastecho++;
350 goto out;
351 }
352 break;
353 case IEEE80211_M_IBSS:
354 case IEEE80211_M_AHDEMO:
355 if (dir != IEEE80211_FC1_DIR_NODS) {
356 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
357 wh, "data", "%s", "unknown dir 0x%x", dir);
358 ic->ic_stats.is_rx_wrongdir++;
359 goto out;
360 }
361 /* XXX no power-save support */
362 break;
363 case IEEE80211_M_HOSTAP:
364 #ifndef IEEE80211_NO_HOSTAP
365 if (dir != IEEE80211_FC1_DIR_TODS) {
366 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
367 wh, "data", "%s", "unknown dir 0x%x", dir);
368 ic->ic_stats.is_rx_wrongdir++;
369 goto out;
370 }
371 /* check if source STA is associated */
372 if (ni == ic->ic_bss) {
373 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
374 wh, "data", "%s", "unknown src");
375 ieee80211_send_error(ic, ni, wh->i_addr2,
376 IEEE80211_FC0_SUBTYPE_DEAUTH,
377 IEEE80211_REASON_NOT_AUTHED);
378 ic->ic_stats.is_rx_notassoc++;
379 goto err;
380 }
381 if (ni->ni_associd == 0) {
382 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
383 wh, "data", "%s", "unassoc src");
384 IEEE80211_SEND_MGMT(ic, ni,
385 IEEE80211_FC0_SUBTYPE_DISASSOC,
386 IEEE80211_REASON_NOT_ASSOCED);
387 ic->ic_stats.is_rx_notassoc++;
388 goto err;
389 }
390
391 /*
392 * Check for power save state change.
393 */
394 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
395 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
396 ieee80211_node_pwrsave(ni,
397 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
398 #endif /* !IEEE80211_NO_HOSTAP */
399 break;
400 default:
401 /* XXX here to keep compiler happy */
402 goto out;
403 }
404
405 /*
406 * Handle privacy requirements. Note that we
407 * must not be preempted from here until after
408 * we (potentially) call ieee80211_crypto_demic;
409 * otherwise we may violate assumptions in the
410 * crypto cipher modules used to do delayed update
411 * of replay sequence numbers.
412 */
413 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
414 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
415 /*
416 * Discard encrypted frames when privacy is off.
417 */
418 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
419 wh, "WEP", "%s", "PRIVACY off");
420 ic->ic_stats.is_rx_noprivacy++;
421 IEEE80211_NODE_STAT(ni, rx_noprivacy);
422 goto out;
423 }
424 key = ieee80211_crypto_decap(ic, ni, m, hdrspace);
425 if (key == NULL) {
426 /* NB: stats+msgs handled in crypto_decap */
427 IEEE80211_NODE_STAT(ni, rx_wepfail);
428 goto out;
429 }
430 wh = mtod(m, struct ieee80211_frame *);
431 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
432 } else {
433 key = NULL;
434 }
435
436 /*
437 * Next up, any fragmentation.
438 */
439 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
440 m = ieee80211_defrag(ic, ni, m, hdrspace);
441 if (m == NULL) {
442 /* Fragment dropped or frame not complete yet */
443 goto out;
444 }
445 }
446 wh = NULL; /* no longer valid, catch any uses */
447
448 /*
449 * Next strip any MSDU crypto bits.
450 */
451 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) {
452 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
453 ni->ni_macaddr, "data", "%s", "demic error");
454 IEEE80211_NODE_STAT(ni, rx_demicfail);
455 goto out;
456 }
457
458 #if NBPFILTER > 0
459 /* copy to listener after decrypt */
460 if (ic->ic_rawbpf)
461 bpf_mtap(ic->ic_rawbpf, m);
462 #endif
463
464 /*
465 * Finally, strip the 802.11 header.
466 */
467 m = ieee80211_decap(ic, m, hdrspace);
468 if (m == NULL) {
469 /* don't count Null data frames as errors */
470 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA)
471 goto out;
472 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
473 ni->ni_macaddr, "data", "%s", "decap error");
474 ic->ic_stats.is_rx_decap++;
475 IEEE80211_NODE_STAT(ni, rx_decap);
476 goto err;
477 }
478 eh = mtod(m, struct ether_header *);
479 if (!ieee80211_node_is_authorized(ni)) {
480 /*
481 * Deny any non-PAE frames received prior to
482 * authorization. For open/shared-key
483 * authentication the port is mark authorized
484 * after authentication completes. For 802.1x
485 * the port is not marked authorized by the
486 * authenticator until the handshake has completed.
487 */
488 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
489 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
490 eh->ether_shost, "data",
491 "unauthorized port: ether type 0x%x len %u",
492 eh->ether_type, m->m_pkthdr.len);
493 ic->ic_stats.is_rx_unauth++;
494 IEEE80211_NODE_STAT(ni, rx_unauth);
495 goto err;
496 }
497 } else {
498 /*
499 * When denying unencrypted frames, discard
500 * any non-PAE frames received without encryption.
501 */
502 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) &&
503 key == NULL &&
504 eh->ether_type != htons(ETHERTYPE_PAE)) {
505 /*
506 * Drop unencrypted frames.
507 */
508 ic->ic_stats.is_rx_unencrypted++;
509 IEEE80211_NODE_STAT(ni, rx_unencrypted);
510 goto out;
511 }
512 }
513 ifp->if_ipackets++;
514 IEEE80211_NODE_STAT(ni, rx_data);
515 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
516
517 ieee80211_deliver_data(ic, ni, m);
518 return IEEE80211_FC0_TYPE_DATA;
519
520 case IEEE80211_FC0_TYPE_MGT:
521 IEEE80211_NODE_STAT(ni, rx_mgmt);
522 if (dir != IEEE80211_FC1_DIR_NODS) {
523 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
524 wh, "data", "%s", "unknown dir 0x%x", dir);
525 ic->ic_stats.is_rx_wrongdir++;
526 goto err;
527 }
528 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
529 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
530 ni->ni_macaddr, "mgt", "too short: len %u",
531 m->m_pkthdr.len);
532 ic->ic_stats.is_rx_tooshort++;
533 goto out;
534 }
535 #ifdef IEEE80211_DEBUG
536 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) ||
537 ieee80211_msg_dumppkts(ic)) {
538 if_printf(ic->ic_ifp, "received %s from %s rssi %d\n",
539 ieee80211_mgt_subtype_name[subtype >>
540 IEEE80211_FC0_SUBTYPE_SHIFT],
541 ether_sprintf(wh->i_addr2), rssi);
542 }
543 #endif
544 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
545 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
546 /*
547 * Only shared key auth frames with a challenge
548 * should be encrypted, discard all others.
549 */
550 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
551 wh, ieee80211_mgt_subtype_name[subtype >>
552 IEEE80211_FC0_SUBTYPE_SHIFT],
553 "%s", "WEP set but not permitted");
554 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */
555 goto out;
556 }
557 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
558 /*
559 * Discard encrypted frames when privacy is off.
560 */
561 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
562 wh, "mgt", "%s", "WEP set but PRIVACY off");
563 ic->ic_stats.is_rx_noprivacy++;
564 goto out;
565 }
566 hdrspace = ieee80211_hdrspace(ic, wh);
567 key = ieee80211_crypto_decap(ic, ni, m, hdrspace);
568 if (key == NULL) {
569 /* NB: stats+msgs handled in crypto_decap */
570 goto out;
571 }
572 wh = mtod(m, struct ieee80211_frame *);
573 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
574 }
575 #if NBPFILTER > 0
576 if (ic->ic_rawbpf)
577 bpf_mtap(ic->ic_rawbpf, m);
578 #endif
579 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp);
580 m_freem(m);
581 return type;
582
583 case IEEE80211_FC0_TYPE_CTL:
584 IEEE80211_NODE_STAT(ni, rx_ctrl);
585 ic->ic_stats.is_rx_ctl++;
586 #ifndef IEEE80211_NO_HOSTAP
587 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
588 switch (subtype) {
589 case IEEE80211_FC0_SUBTYPE_PS_POLL:
590 ieee80211_recv_pspoll(ic, ni, m);
591 break;
592 }
593 }
594 #endif /* !IEEE80211_NO_HOSTAP */
595 goto out;
596 default:
597 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
598 wh, NULL, "bad frame type 0x%x", type);
599 /* should not come here */
600 break;
601 }
602 err:
603 ifp->if_ierrors++;
604 out:
605 if (m != NULL) {
606 #if NBPFILTER > 0
607 if (ic->ic_rawbpf)
608 bpf_mtap(ic->ic_rawbpf, m);
609 #endif
610 m_freem(m);
611 }
612 return type;
613 #undef SEQ_LEQ
614 }
615
616 /*
617 * This function reassemble fragments.
618 */
619 static struct mbuf *
620 ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni,
621 struct mbuf *m, int hdrspace)
622 {
623 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
624 struct ieee80211_frame *lwh;
625 u_int16_t rxseq;
626 u_int8_t fragno;
627 u_int8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG;
628 struct mbuf *mfrag;
629
630 IASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?"));
631
632 rxseq = le16toh(*(u_int16_t *)wh->i_seq);
633 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK;
634
635 /* Quick way out, if there's nothing to defragment */
636 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL)
637 return m;
638
639 /*
640 * Remove frag to insure it doesn't get reaped by timer.
641 */
642 if (ni->ni_table == NULL) {
643 /*
644 * Should never happen. If the node is orphaned (not in
645 * the table) then input packets should not reach here.
646 * Otherwise, a concurrent request that yanks the table
647 * should be blocked by other interlocking and/or by first
648 * shutting the driver down. Regardless, be defensive
649 * here and just bail
650 */
651 /* XXX need msg+stat */
652 m_freem(m);
653 return NULL;
654 }
655 IEEE80211_NODE_LOCK(ni->ni_table);
656 mfrag = ni->ni_rxfrag[0];
657 ni->ni_rxfrag[0] = NULL;
658 IEEE80211_NODE_UNLOCK(ni->ni_table);
659
660 /*
661 * Validate new fragment is in order and
662 * related to the previous ones.
663 */
664 if (mfrag != NULL) {
665 u_int16_t last_rxseq;
666
667 lwh = mtod(mfrag, struct ieee80211_frame *);
668 last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq);
669 /* NB: check seq # and frag together */
670 if (rxseq != last_rxseq+1 ||
671 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) ||
672 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) {
673 /*
674 * Unrelated fragment or no space for it,
675 * clear current fragments.
676 */
677 m_freem(mfrag);
678 mfrag = NULL;
679 }
680 }
681
682 if (mfrag == NULL) {
683 if (fragno != 0) { /* !first fragment, discard */
684 IEEE80211_NODE_STAT(ni, rx_defrag);
685 m_freem(m);
686 return NULL;
687 }
688 mfrag = m;
689 } else { /* concatenate */
690 m_adj(m, hdrspace); /* strip header */
691 m_cat(mfrag, m);
692 /* NB: m_cat doesn't update the packet header */
693 mfrag->m_pkthdr.len += m->m_pkthdr.len;
694 /* track last seqnum and fragno */
695 lwh = mtod(mfrag, struct ieee80211_frame *);
696 *(u_int16_t *) lwh->i_seq = *(u_int16_t *) wh->i_seq;
697 }
698 if (more_frag) { /* more to come, save */
699 ni->ni_rxfragstamp = ticks;
700 ni->ni_rxfrag[0] = mfrag;
701 mfrag = NULL;
702 }
703 return mfrag;
704 }
705
706 static void
707 ieee80211_deliver_data(struct ieee80211com *ic,
708 struct ieee80211_node *ni, struct mbuf *m)
709 {
710 struct ether_header *eh = mtod(m, struct ether_header *);
711 struct ifnet *ifp = ic->ic_ifp;
712 ALTQ_DECL(struct altq_pktattr pktattr;)
713 int error;
714
715 /* perform as a bridge within the AP */
716 if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
717 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) {
718 struct mbuf *m1 = NULL;
719
720 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
721 m1 = m_copypacket(m, M_DONTWAIT);
722 if (m1 == NULL)
723 ifp->if_oerrors++;
724 else
725 m1->m_flags |= M_MCAST;
726 } else {
727 /*
728 * Check if the destination is known; if so
729 * and the port is authorized dispatch directly.
730 */
731 struct ieee80211_node *sta =
732 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost);
733 if (sta != NULL) {
734 if (ieee80211_node_is_authorized(sta)) {
735 /*
736 * Beware of sending to ourself; this
737 * needs to happen via the normal
738 * input path.
739 */
740 if (sta != ic->ic_bss) {
741 m1 = m;
742 m = NULL;
743 }
744 } else {
745 ic->ic_stats.is_rx_unauth++;
746 IEEE80211_NODE_STAT(sta, rx_unauth);
747 }
748 ieee80211_free_node(sta);
749 }
750 }
751 if (m1 != NULL) {
752 int len;
753 #ifdef ALTQ
754 if (ALTQ_IS_ENABLED(&ifp->if_snd)) {
755 altq_etherclassify(&ifp->if_snd, m1,
756 &pktattr);
757 }
758 #endif
759 len = m1->m_pkthdr.len;
760 IFQ_ENQUEUE(&ifp->if_snd, m1, &pktattr, error);
761 if (error) {
762 ifp->if_omcasts++;
763 m = NULL;
764 }
765 ifp->if_obytes += len;
766 }
767 }
768 if (m != NULL) {
769 #if NBPFILTER > 0
770 /*
771 * XXX If we forward packet into transmitter of the AP,
772 * we don't need to duplicate for DLT_EN10MB.
773 */
774 if (ifp->if_bpf)
775 bpf_mtap(ifp->if_bpf, m);
776 #endif
777
778 if (ni->ni_vlan != 0) {
779 /* attach vlan tag */
780 /* XXX goto err? */
781 VLAN_INPUT_TAG(ifp, m, ni->ni_vlan, goto out);
782 }
783 (*ifp->if_input)(ifp, m);
784 }
785 return;
786 out:
787 if (m != NULL) {
788 #if NBPFILTER > 0
789 if (ic->ic_rawbpf)
790 bpf_mtap(ic->ic_rawbpf, m);
791 #endif
792 m_freem(m);
793 }
794 }
795
796 static struct mbuf *
797 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen)
798 {
799 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */
800 struct ether_header *eh;
801 struct llc *llc;
802
803 if (m->m_len < hdrlen + sizeof(*llc) &&
804 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) {
805 /* XXX stat, msg */
806 return NULL;
807 }
808 memcpy(&wh, mtod(m, void *), hdrlen);
809 llc = (struct llc *)(mtod(m, char *) + hdrlen);
810 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP &&
811 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 &&
812 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) {
813 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh));
814 llc = NULL;
815 } else {
816 m_adj(m, hdrlen - sizeof(*eh));
817 }
818 eh = mtod(m, struct ether_header *);
819 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) {
820 case IEEE80211_FC1_DIR_NODS:
821 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
822 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
823 break;
824 case IEEE80211_FC1_DIR_TODS:
825 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
826 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
827 break;
828 case IEEE80211_FC1_DIR_FROMDS:
829 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
830 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3);
831 break;
832 case IEEE80211_FC1_DIR_DSTODS:
833 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
834 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4);
835 break;
836 }
837 #ifdef ALIGNED_POINTER
838 if (!ALIGNED_POINTER(mtod(m, char *) + sizeof(*eh), u_int32_t)) {
839 struct mbuf *n, *n0, **np;
840 char *newdata;
841 int off, pktlen;
842
843 n0 = NULL;
844 np = &n0;
845 off = 0;
846 pktlen = m->m_pkthdr.len;
847 while (pktlen > off) {
848 if (n0 == NULL) {
849 MGETHDR(n, M_DONTWAIT, MT_DATA);
850 if (n == NULL) {
851 m_freem(m);
852 return NULL;
853 }
854 M_MOVE_PKTHDR(n, m);
855 n->m_len = MHLEN;
856 } else {
857 MGET(n, M_DONTWAIT, MT_DATA);
858 if (n == NULL) {
859 m_freem(m);
860 m_freem(n0);
861 return NULL;
862 }
863 n->m_len = MLEN;
864 }
865 if (pktlen - off >= MINCLSIZE) {
866 MCLGET(n, M_DONTWAIT);
867 if (n->m_flags & M_EXT)
868 n->m_len = n->m_ext.ext_size;
869 }
870 if (n0 == NULL) {
871 newdata =
872 (char *)ALIGN(n->m_data + sizeof(*eh)) -
873 sizeof(*eh);
874 n->m_len -= newdata - n->m_data;
875 n->m_data = newdata;
876 }
877 if (n->m_len > pktlen - off)
878 n->m_len = pktlen - off;
879 m_copydata(m, off, n->m_len, mtod(n, void *));
880 off += n->m_len;
881 *np = n;
882 np = &n->m_next;
883 }
884 m_freem(m);
885 m = n0;
886 }
887 #endif /* ALIGNED_POINTER */
888 if (llc != NULL) {
889 eh = mtod(m, struct ether_header *);
890 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh));
891 }
892 return m;
893 }
894
895 /*
896 * Install received rate set information in the node's state block.
897 */
898 int
899 ieee80211_setup_rates(struct ieee80211_node *ni,
900 const u_int8_t *rates, const u_int8_t *xrates, int flags)
901 {
902 struct ieee80211com *ic = ni->ni_ic;
903 struct ieee80211_rateset *rs = &ni->ni_rates;
904
905 memset(rs, 0, sizeof(*rs));
906 rs->rs_nrates = rates[1];
907 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates);
908 if (xrates != NULL) {
909 u_int8_t nxrates;
910 /*
911 * Tack on 11g extended supported rate element.
912 */
913 nxrates = xrates[1];
914 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) {
915 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates;
916 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE,
917 "[%s] extended rate set too large;"
918 " only using %u of %u rates\n",
919 ether_sprintf(ni->ni_macaddr), nxrates, xrates[1]);
920 ic->ic_stats.is_rx_rstoobig++;
921 }
922 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates);
923 rs->rs_nrates += nxrates;
924 }
925 return ieee80211_fix_rate(ni, flags);
926 }
927
928 static void
929 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh,
930 struct ieee80211_node *ni, int rssi, u_int32_t rstamp,
931 u_int16_t seq, u_int16_t status)
932 {
933
934 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
935 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
936 ni->ni_macaddr, "open auth",
937 "bad sta auth mode %u", ni->ni_authmode);
938 ic->ic_stats.is_rx_bad_auth++; /* XXX */
939 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
940 /* XXX hack to workaround calling convention */
941 ieee80211_send_error(ic, ni, wh->i_addr2,
942 IEEE80211_FC0_SUBTYPE_AUTH,
943 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
944 }
945 return;
946 }
947 switch (ic->ic_opmode) {
948 case IEEE80211_M_IBSS:
949 case IEEE80211_M_AHDEMO:
950 case IEEE80211_M_MONITOR:
951 /* should not come here */
952 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
953 ni->ni_macaddr, "open auth",
954 "bad operating mode %u", ic->ic_opmode);
955 break;
956
957 case IEEE80211_M_HOSTAP:
958 #ifndef IEEE80211_NO_HOSTAP
959 if (ic->ic_state != IEEE80211_S_RUN ||
960 seq != IEEE80211_AUTH_OPEN_REQUEST) {
961 ic->ic_stats.is_rx_bad_auth++;
962 return;
963 }
964 /* always accept open authentication requests */
965 if (ni == ic->ic_bss) {
966 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
967 if (ni == NULL)
968 return;
969 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
970 (void) ieee80211_ref_node(ni);
971 /*
972 * Mark the node as referenced to reflect that it's
973 * reference count has been bumped to insure it remains
974 * after the transaction completes.
975 */
976 ni->ni_flags |= IEEE80211_NODE_AREF;
977
978 IEEE80211_SEND_MGMT(ic, ni,
979 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
980 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
981 "[%s] station authenticated (open)\n",
982 ether_sprintf(ni->ni_macaddr));
983 /*
984 * When 802.1x is not in use mark the port
985 * authorized at this point so traffic can flow.
986 */
987 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
988 ieee80211_node_authorize(ni);
989 #endif /* !IEEE80211_NO_HOSTAP */
990 break;
991
992 case IEEE80211_M_STA:
993 if (ic->ic_state != IEEE80211_S_AUTH ||
994 seq != IEEE80211_AUTH_OPEN_RESPONSE) {
995 ic->ic_stats.is_rx_bad_auth++;
996 return;
997 }
998 if (status != 0) {
999 IEEE80211_DPRINTF(ic,
1000 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1001 "[%s] open auth failed (reason %d)\n",
1002 ether_sprintf(ni->ni_macaddr), status);
1003 /* XXX can this happen? */
1004 if (ni != ic->ic_bss)
1005 ni->ni_fails++;
1006 ic->ic_stats.is_rx_auth_fail++;
1007 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
1008 } else
1009 ieee80211_new_state(ic, IEEE80211_S_ASSOC,
1010 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
1011 break;
1012 }
1013 }
1014
1015 /*
1016 * Send a management frame error response to the specified
1017 * station. If ni is associated with the station then use
1018 * it; otherwise allocate a temporary node suitable for
1019 * transmitting the frame and then free the reference so
1020 * it will go away as soon as the frame has been transmitted.
1021 */
1022 static void
1023 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni,
1024 const u_int8_t *mac, int subtype, int arg)
1025 {
1026 int istmp;
1027
1028 if (ni == ic->ic_bss) {
1029 ni = ieee80211_tmp_node(ic, mac);
1030 if (ni == NULL) {
1031 /* XXX msg */
1032 return;
1033 }
1034 istmp = 1;
1035 } else
1036 istmp = 0;
1037 IEEE80211_SEND_MGMT(ic, ni, subtype, arg);
1038 if (istmp)
1039 ieee80211_free_node(ni);
1040 }
1041
1042 static int
1043 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni)
1044 {
1045 if (ni->ni_challenge == NULL)
1046 ni->ni_challenge = malloc(IEEE80211_CHALLENGE_LEN,
1047 M_DEVBUF, M_NOWAIT);
1048 if (ni->ni_challenge == NULL) {
1049 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1050 "[%s] shared key challenge alloc failed\n",
1051 ether_sprintf(ni->ni_macaddr));
1052 /* XXX statistic */
1053 }
1054 return (ni->ni_challenge != NULL);
1055 }
1056
1057 /* XXX TODO: add statistics */
1058 static void
1059 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh,
1060 u_int8_t *frm, u_int8_t *efrm, struct ieee80211_node *ni, int rssi,
1061 u_int32_t rstamp, u_int16_t seq, u_int16_t status)
1062 {
1063 u_int8_t *challenge;
1064 int estatus;
1065
1066 /*
1067 * NB: this can happen as we allow pre-shared key
1068 * authentication to be enabled w/o wep being turned
1069 * on so that configuration of these can be done
1070 * in any order. It may be better to enforce the
1071 * ordering in which case this check would just be
1072 * for sanity/consistency.
1073 */
1074 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
1075 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1076 ni->ni_macaddr, "shared key auth",
1077 "%s", " PRIVACY is disabled");
1078 estatus = IEEE80211_STATUS_ALG;
1079 goto bad;
1080 }
1081 /*
1082 * Pre-shared key authentication is evil; accept
1083 * it only if explicitly configured (it is supported
1084 * mainly for compatibility with clients like OS X).
1085 */
1086 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1087 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1088 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1089 ni->ni_macaddr, "shared key auth",
1090 "bad sta auth mode %u", ni->ni_authmode);
1091 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1092 estatus = IEEE80211_STATUS_ALG;
1093 goto bad;
1094 }
1095
1096 challenge = NULL;
1097 if (frm + 1 < efrm) {
1098 if ((frm[1] + 2) > (efrm - frm)) {
1099 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1100 ni->ni_macaddr, "shared key auth",
1101 "ie %d/%d too long",
1102 frm[0], (frm[1] + 2) - (efrm - frm));
1103 ic->ic_stats.is_rx_bad_auth++;
1104 estatus = IEEE80211_STATUS_CHALLENGE;
1105 goto bad;
1106 }
1107 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1108 challenge = frm;
1109 frm += frm[1] + 2;
1110 }
1111 switch (seq) {
1112 case IEEE80211_AUTH_SHARED_CHALLENGE:
1113 case IEEE80211_AUTH_SHARED_RESPONSE:
1114 if (challenge == NULL) {
1115 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1116 ni->ni_macaddr, "shared key auth",
1117 "%s", "no challenge");
1118 ic->ic_stats.is_rx_bad_auth++;
1119 estatus = IEEE80211_STATUS_CHALLENGE;
1120 goto bad;
1121 }
1122 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1123 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1124 ni->ni_macaddr, "shared key auth",
1125 "bad challenge len %d", challenge[1]);
1126 ic->ic_stats.is_rx_bad_auth++;
1127 estatus = IEEE80211_STATUS_CHALLENGE;
1128 goto bad;
1129 }
1130 default:
1131 break;
1132 }
1133 switch (ic->ic_opmode) {
1134 case IEEE80211_M_MONITOR:
1135 case IEEE80211_M_AHDEMO:
1136 case IEEE80211_M_IBSS:
1137 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1138 ni->ni_macaddr, "shared key auth",
1139 "bad operating mode %u", ic->ic_opmode);
1140 return;
1141 case IEEE80211_M_HOSTAP:
1142 #ifndef IEEE80211_NO_HOSTAP
1143 {
1144 int allocbs;
1145 if (ic->ic_state != IEEE80211_S_RUN) {
1146 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1147 ni->ni_macaddr, "shared key auth",
1148 "bad state %u", ic->ic_state);
1149 estatus = IEEE80211_STATUS_ALG; /* XXX */
1150 goto bad;
1151 }
1152 switch (seq) {
1153 case IEEE80211_AUTH_SHARED_REQUEST:
1154 if (ni == ic->ic_bss) {
1155 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
1156 if (ni == NULL) {
1157 /* NB: no way to return an error */
1158 return;
1159 }
1160 allocbs = 1;
1161 } else {
1162 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1163 (void) ieee80211_ref_node(ni);
1164 allocbs = 0;
1165 }
1166 /*
1167 * Mark the node as referenced to reflect that it's
1168 * reference count has been bumped to insure it remains
1169 * after the transaction completes.
1170 */
1171 ni->ni_flags |= IEEE80211_NODE_AREF;
1172 ni->ni_rssi = rssi;
1173 ni->ni_rstamp = rstamp;
1174 if (!alloc_challenge(ic, ni)) {
1175 /* NB: don't return error so they rexmit */
1176 return;
1177 }
1178 get_random_bytes(ni->ni_challenge,
1179 IEEE80211_CHALLENGE_LEN);
1180 IEEE80211_DPRINTF(ic,
1181 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1182 "[%s] shared key %sauth request\n",
1183 ether_sprintf(ni->ni_macaddr),
1184 allocbs ? "" : "re");
1185 break;
1186 case IEEE80211_AUTH_SHARED_RESPONSE:
1187 if (ni == ic->ic_bss) {
1188 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1189 ni->ni_macaddr, "shared key response",
1190 "%s", "unknown station");
1191 /* NB: don't send a response */
1192 return;
1193 }
1194 if (ni->ni_challenge == NULL) {
1195 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1196 ni->ni_macaddr, "shared key response",
1197 "%s", "no challenge recorded");
1198 ic->ic_stats.is_rx_bad_auth++;
1199 estatus = IEEE80211_STATUS_CHALLENGE;
1200 goto bad;
1201 }
1202 if (memcmp(ni->ni_challenge, &challenge[2],
1203 challenge[1]) != 0) {
1204 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1205 ni->ni_macaddr, "shared key response",
1206 "%s", "challenge mismatch");
1207 ic->ic_stats.is_rx_auth_fail++;
1208 estatus = IEEE80211_STATUS_CHALLENGE;
1209 goto bad;
1210 }
1211 IEEE80211_DPRINTF(ic,
1212 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1213 "[%s] station authenticated (shared key)\n",
1214 ether_sprintf(ni->ni_macaddr));
1215 ieee80211_node_authorize(ni);
1216 break;
1217 default:
1218 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1219 ni->ni_macaddr, "shared key auth",
1220 "bad seq %d", seq);
1221 ic->ic_stats.is_rx_bad_auth++;
1222 estatus = IEEE80211_STATUS_SEQUENCE;
1223 goto bad;
1224 }
1225 IEEE80211_SEND_MGMT(ic, ni,
1226 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1227 }
1228 #endif /* !IEEE80211_NO_HOSTAP */
1229 break;
1230
1231 case IEEE80211_M_STA:
1232 if (ic->ic_state != IEEE80211_S_AUTH)
1233 return;
1234 switch (seq) {
1235 case IEEE80211_AUTH_SHARED_PASS:
1236 if (ni->ni_challenge != NULL) {
1237 free(ni->ni_challenge, M_DEVBUF);
1238 ni->ni_challenge = NULL;
1239 }
1240 if (status != 0) {
1241 IEEE80211_DPRINTF(ic,
1242 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1243 "[%s] shared key auth failed (reason %d)\n",
1244 ether_sprintf(ieee80211_getbssid(ic, wh)),
1245 status);
1246 /* XXX can this happen? */
1247 if (ni != ic->ic_bss)
1248 ni->ni_fails++;
1249 ic->ic_stats.is_rx_auth_fail++;
1250 return;
1251 }
1252 ieee80211_new_state(ic, IEEE80211_S_ASSOC,
1253 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
1254 break;
1255 case IEEE80211_AUTH_SHARED_CHALLENGE:
1256 if (!alloc_challenge(ic, ni))
1257 return;
1258 /* XXX could optimize by passing recvd challenge */
1259 memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1260 IEEE80211_SEND_MGMT(ic, ni,
1261 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1262 break;
1263 default:
1264 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH,
1265 wh, "shared key auth", "bad seq %d", seq);
1266 ic->ic_stats.is_rx_bad_auth++;
1267 return;
1268 }
1269 break;
1270 }
1271 return;
1272 bad:
1273 #ifndef IEEE80211_NO_HOSTAP
1274 /*
1275 * Send an error response; but only when operating as an AP.
1276 */
1277 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
1278 /* XXX hack to workaround calling convention */
1279 ieee80211_send_error(ic, ni, wh->i_addr2,
1280 IEEE80211_FC0_SUBTYPE_AUTH,
1281 (seq + 1) | (estatus<<16));
1282 } else if (ic->ic_opmode == IEEE80211_M_STA) {
1283 /*
1284 * Kick the state machine. This short-circuits
1285 * using the mgt frame timeout to trigger the
1286 * state transition.
1287 */
1288 if (ic->ic_state == IEEE80211_S_AUTH)
1289 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
1290 }
1291 #else
1292 ;
1293 #endif /* !IEEE80211_NO_HOSTAP */
1294 }
1295
1296 /* Verify the existence and length of __elem or get out. */
1297 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \
1298 if ((__elem) == NULL) { \
1299 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
1300 wh, ieee80211_mgt_subtype_name[subtype >> \
1301 IEEE80211_FC0_SUBTYPE_SHIFT], \
1302 "%s", "no " #__elem ); \
1303 ic->ic_stats.is_rx_elem_missing++; \
1304 return; \
1305 } \
1306 if ((__elem)[1] > (__maxlen)) { \
1307 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
1308 wh, ieee80211_mgt_subtype_name[subtype >> \
1309 IEEE80211_FC0_SUBTYPE_SHIFT], \
1310 "bad " #__elem " len %d", (__elem)[1]); \
1311 ic->ic_stats.is_rx_elem_toobig++; \
1312 return; \
1313 } \
1314 } while (0)
1315
1316 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \
1317 if ((_len) < (_minlen)) { \
1318 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
1319 wh, ieee80211_mgt_subtype_name[subtype >> \
1320 IEEE80211_FC0_SUBTYPE_SHIFT], \
1321 "%s", "ie too short"); \
1322 ic->ic_stats.is_rx_elem_toosmall++; \
1323 return; \
1324 } \
1325 } while (0)
1326
1327 #ifdef IEEE80211_DEBUG
1328 static void
1329 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag,
1330 u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid)
1331 {
1332 printf("[%s] discard %s frame, ssid mismatch: ",
1333 ether_sprintf(mac), tag);
1334 ieee80211_print_essid(ssid + 2, ssid[1]);
1335 printf("\n");
1336 }
1337
1338 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \
1339 if ((_ssid)[1] != 0 && \
1340 ((_ssid)[1] != (_ni)->ni_esslen || \
1341 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \
1342 if (ieee80211_msg_input(ic)) \
1343 ieee80211_ssid_mismatch(ic, \
1344 ieee80211_mgt_subtype_name[subtype >> \
1345 IEEE80211_FC0_SUBTYPE_SHIFT], \
1346 wh->i_addr2, _ssid); \
1347 ic->ic_stats.is_rx_ssidmismatch++; \
1348 return; \
1349 } \
1350 } while (0)
1351 #else /* !IEEE80211_DEBUG */
1352 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \
1353 if ((_ssid)[1] != 0 && \
1354 ((_ssid)[1] != (_ni)->ni_esslen || \
1355 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \
1356 ic->ic_stats.is_rx_ssidmismatch++; \
1357 return; \
1358 } \
1359 } while (0)
1360 #endif /* !IEEE80211_DEBUG */
1361
1362 /* unalligned little endian access */
1363 #define LE_READ_2(p) \
1364 ((u_int16_t) \
1365 ((((const u_int8_t *)(p))[0] ) | \
1366 (((const u_int8_t *)(p))[1] << 8)))
1367 #define LE_READ_4(p) \
1368 ((u_int32_t) \
1369 ((((const u_int8_t *)(p))[0] ) | \
1370 (((const u_int8_t *)(p))[1] << 8) | \
1371 (((const u_int8_t *)(p))[2] << 16) | \
1372 (((const u_int8_t *)(p))[3] << 24)))
1373
1374 static __inline int
1375 iswpaoui(const u_int8_t *frm)
1376 {
1377 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI);
1378 }
1379
1380 static __inline int
1381 iswmeoui(const u_int8_t *frm)
1382 {
1383 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI);
1384 }
1385
1386 static __inline int
1387 iswmeparam(const u_int8_t *frm)
1388 {
1389 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) &&
1390 frm[6] == WME_PARAM_OUI_SUBTYPE;
1391 }
1392
1393 static __inline int
1394 iswmeinfo(const u_int8_t *frm)
1395 {
1396 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) &&
1397 frm[6] == WME_INFO_OUI_SUBTYPE;
1398 }
1399
1400 static __inline int
1401 isatherosoui(const u_int8_t *frm)
1402 {
1403 return frm[1] > 3 && LE_READ_4(frm+2) == ((ATH_OUI_TYPE<<24)|ATH_OUI);
1404 }
1405
1406 /*
1407 * Convert a WPA cipher selector OUI to an internal
1408 * cipher algorithm. Where appropriate we also
1409 * record any key length.
1410 */
1411 static int
1412 wpa_cipher(u_int8_t *sel, u_int8_t *keylen)
1413 {
1414 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1415 u_int32_t w = LE_READ_4(sel);
1416
1417 switch (w) {
1418 case WPA_SEL(WPA_CSE_NULL):
1419 return IEEE80211_CIPHER_NONE;
1420 case WPA_SEL(WPA_CSE_WEP40):
1421 if (keylen)
1422 *keylen = 40 / NBBY;
1423 return IEEE80211_CIPHER_WEP;
1424 case WPA_SEL(WPA_CSE_WEP104):
1425 if (keylen)
1426 *keylen = 104 / NBBY;
1427 return IEEE80211_CIPHER_WEP;
1428 case WPA_SEL(WPA_CSE_TKIP):
1429 return IEEE80211_CIPHER_TKIP;
1430 case WPA_SEL(WPA_CSE_CCMP):
1431 return IEEE80211_CIPHER_AES_CCM;
1432 }
1433 return 32; /* NB: so 1<< is discarded */
1434 #undef WPA_SEL
1435 }
1436
1437 /*
1438 * Convert a WPA key management/authentication algorithm
1439 * to an internal code.
1440 */
1441 static int
1442 wpa_keymgmt(u_int8_t *sel)
1443 {
1444 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1445 u_int32_t w = LE_READ_4(sel);
1446
1447 switch (w) {
1448 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1449 return WPA_ASE_8021X_UNSPEC;
1450 case WPA_SEL(WPA_ASE_8021X_PSK):
1451 return WPA_ASE_8021X_PSK;
1452 case WPA_SEL(WPA_ASE_NONE):
1453 return WPA_ASE_NONE;
1454 }
1455 return 0; /* NB: so is discarded */
1456 #undef WPA_SEL
1457 }
1458
1459 /*
1460 * Parse a WPA information element to collect parameters
1461 * and validate the parameters against what has been
1462 * configured for the system.
1463 */
1464 static int
1465 ieee80211_parse_wpa(struct ieee80211com *ic, u_int8_t *frm,
1466 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1467 {
1468 u_int8_t len = frm[1];
1469 u_int32_t w;
1470 int n;
1471
1472 /*
1473 * Check the length once for fixed parts: OUI, type,
1474 * version, mcast cipher, and 2 selector counts.
1475 * Other, variable-length data, must be checked separately.
1476 */
1477 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) {
1478 IEEE80211_DISCARD_IE(ic,
1479 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1480 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags);
1481 return IEEE80211_REASON_IE_INVALID;
1482 }
1483 if (len < 14) {
1484 IEEE80211_DISCARD_IE(ic,
1485 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1486 wh, "WPA", "too short, len %u", len);
1487 return IEEE80211_REASON_IE_INVALID;
1488 }
1489 frm += 6, len -= 4; /* NB: len is payload only */
1490 /* NB: iswapoui already validated the OUI and type */
1491 w = LE_READ_2(frm);
1492 if (w != WPA_VERSION) {
1493 IEEE80211_DISCARD_IE(ic,
1494 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1495 wh, "WPA", "bad version %u", w);
1496 return IEEE80211_REASON_IE_INVALID;
1497 }
1498 frm += 2, len -= 2;
1499
1500 /* multicast/group cipher */
1501 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1502 if (w != rsn->rsn_mcastcipher) {
1503 IEEE80211_DISCARD_IE(ic,
1504 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1505 wh, "WPA", "mcast cipher mismatch; got %u, expected %u",
1506 w, rsn->rsn_mcastcipher);
1507 return IEEE80211_REASON_IE_INVALID;
1508 }
1509 frm += 4, len -= 4;
1510
1511 /* unicast ciphers */
1512 n = LE_READ_2(frm);
1513 frm += 2, len -= 2;
1514 if (len < n*4+2) {
1515 IEEE80211_DISCARD_IE(ic,
1516 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1517 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1518 len, n);
1519 return IEEE80211_REASON_IE_INVALID;
1520 }
1521 w = 0;
1522 for (; n > 0; n--) {
1523 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1524 frm += 4, len -= 4;
1525 }
1526 w &= rsn->rsn_ucastcipherset;
1527 if (w == 0) {
1528 IEEE80211_DISCARD_IE(ic,
1529 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1530 wh, "WPA", "%s", "ucast cipher set empty");
1531 return IEEE80211_REASON_IE_INVALID;
1532 }
1533 if (w & (1<<IEEE80211_CIPHER_TKIP))
1534 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1535 else
1536 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1537
1538 /* key management algorithms */
1539 n = LE_READ_2(frm);
1540 frm += 2, len -= 2;
1541 if (len < n*4) {
1542 IEEE80211_DISCARD_IE(ic,
1543 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1544 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1545 len, n);
1546 return IEEE80211_REASON_IE_INVALID;
1547 }
1548 w = 0;
1549 for (; n > 0; n--) {
1550 w |= wpa_keymgmt(frm);
1551 frm += 4, len -= 4;
1552 }
1553 w &= rsn->rsn_keymgmtset;
1554 if (w == 0) {
1555 IEEE80211_DISCARD_IE(ic,
1556 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1557 wh, "WPA", "%s", "no acceptable key mgmt alg");
1558 return IEEE80211_REASON_IE_INVALID;
1559 }
1560 if (w & WPA_ASE_8021X_UNSPEC)
1561 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1562 else
1563 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1564
1565 if (len > 2) /* optional capabilities */
1566 rsn->rsn_caps = LE_READ_2(frm);
1567
1568 return 0;
1569 }
1570
1571 /*
1572 * Convert an RSN cipher selector OUI to an internal
1573 * cipher algorithm. Where appropriate we also
1574 * record any key length.
1575 */
1576 static int
1577 rsn_cipher(u_int8_t *sel, u_int8_t *keylen)
1578 {
1579 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1580 u_int32_t w = LE_READ_4(sel);
1581
1582 switch (w) {
1583 case RSN_SEL(RSN_CSE_NULL):
1584 return IEEE80211_CIPHER_NONE;
1585 case RSN_SEL(RSN_CSE_WEP40):
1586 if (keylen)
1587 *keylen = 40 / NBBY;
1588 return IEEE80211_CIPHER_WEP;
1589 case RSN_SEL(RSN_CSE_WEP104):
1590 if (keylen)
1591 *keylen = 104 / NBBY;
1592 return IEEE80211_CIPHER_WEP;
1593 case RSN_SEL(RSN_CSE_TKIP):
1594 return IEEE80211_CIPHER_TKIP;
1595 case RSN_SEL(RSN_CSE_CCMP):
1596 return IEEE80211_CIPHER_AES_CCM;
1597 case RSN_SEL(RSN_CSE_WRAP):
1598 return IEEE80211_CIPHER_AES_OCB;
1599 }
1600 return 32; /* NB: so 1<< is discarded */
1601 #undef WPA_SEL
1602 }
1603
1604 /*
1605 * Convert an RSN key management/authentication algorithm
1606 * to an internal code.
1607 */
1608 static int
1609 rsn_keymgmt(u_int8_t *sel)
1610 {
1611 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1612 u_int32_t w = LE_READ_4(sel);
1613
1614 switch (w) {
1615 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1616 return RSN_ASE_8021X_UNSPEC;
1617 case RSN_SEL(RSN_ASE_8021X_PSK):
1618 return RSN_ASE_8021X_PSK;
1619 case RSN_SEL(RSN_ASE_NONE):
1620 return RSN_ASE_NONE;
1621 }
1622 return 0; /* NB: so is discarded */
1623 #undef RSN_SEL
1624 }
1625
1626 /*
1627 * Parse a WPA/RSN information element to collect parameters
1628 * and validate the parameters against what has been
1629 * configured for the system.
1630 */
1631 static int
1632 ieee80211_parse_rsn(struct ieee80211com *ic, u_int8_t *frm,
1633 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1634 {
1635 u_int8_t len = frm[1];
1636 u_int32_t w;
1637 int n;
1638
1639 /*
1640 * Check the length once for fixed parts:
1641 * version, mcast cipher, and 2 selector counts.
1642 * Other, variable-length data, must be checked separately.
1643 */
1644 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) {
1645 IEEE80211_DISCARD_IE(ic,
1646 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1647 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags);
1648 return IEEE80211_REASON_IE_INVALID;
1649 }
1650 if (len < 10) {
1651 IEEE80211_DISCARD_IE(ic,
1652 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1653 wh, "RSN", "too short, len %u", len);
1654 return IEEE80211_REASON_IE_INVALID;
1655 }
1656 frm += 2;
1657 w = LE_READ_2(frm);
1658 if (w != RSN_VERSION) {
1659 IEEE80211_DISCARD_IE(ic,
1660 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1661 wh, "RSN", "bad version %u", w);
1662 return IEEE80211_REASON_IE_INVALID;
1663 }
1664 frm += 2, len -= 2;
1665
1666 /* multicast/group cipher */
1667 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1668 if (w != rsn->rsn_mcastcipher) {
1669 IEEE80211_DISCARD_IE(ic,
1670 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1671 wh, "RSN", "mcast cipher mismatch; got %u, expected %u",
1672 w, rsn->rsn_mcastcipher);
1673 return IEEE80211_REASON_IE_INVALID;
1674 }
1675 frm += 4, len -= 4;
1676
1677 /* unicast ciphers */
1678 n = LE_READ_2(frm);
1679 frm += 2, len -= 2;
1680 if (len < n*4+2) {
1681 IEEE80211_DISCARD_IE(ic,
1682 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1683 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1684 len, n);
1685 return IEEE80211_REASON_IE_INVALID;
1686 }
1687 w = 0;
1688 for (; n > 0; n--) {
1689 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1690 frm += 4, len -= 4;
1691 }
1692 w &= rsn->rsn_ucastcipherset;
1693 if (w == 0) {
1694 IEEE80211_DISCARD_IE(ic,
1695 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1696 wh, "RSN", "%s", "ucast cipher set empty");
1697 return IEEE80211_REASON_IE_INVALID;
1698 }
1699 if (w & (1<<IEEE80211_CIPHER_TKIP))
1700 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1701 else
1702 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1703
1704 /* key management algorithms */
1705 n = LE_READ_2(frm);
1706 frm += 2, len -= 2;
1707 if (len < n*4) {
1708 IEEE80211_DISCARD_IE(ic,
1709 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1710 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1711 len, n);
1712 return IEEE80211_REASON_IE_INVALID;
1713 }
1714 w = 0;
1715 for (; n > 0; n--) {
1716 w |= rsn_keymgmt(frm);
1717 frm += 4, len -= 4;
1718 }
1719 w &= rsn->rsn_keymgmtset;
1720 if (w == 0) {
1721 IEEE80211_DISCARD_IE(ic,
1722 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1723 wh, "RSN", "%s", "no acceptable key mgmt alg");
1724 return IEEE80211_REASON_IE_INVALID;
1725 }
1726 if (w & RSN_ASE_8021X_UNSPEC)
1727 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1728 else
1729 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1730
1731 /* optional RSN capabilities */
1732 if (len > 2)
1733 rsn->rsn_caps = LE_READ_2(frm);
1734 /* XXXPMKID */
1735
1736 return 0;
1737 }
1738
1739 static int
1740 ieee80211_parse_wmeparams(struct ieee80211com *ic, u_int8_t *frm,
1741 const struct ieee80211_frame *wh)
1742 {
1743 #define MS(_v, _f) (((_v) & _f) >> _f##_S)
1744 struct ieee80211_wme_state *wme = &ic->ic_wme;
1745 u_int len = frm[1], qosinfo;
1746 int i;
1747
1748 if (len < sizeof(struct ieee80211_wme_param)-2) {
1749 IEEE80211_DISCARD_IE(ic,
1750 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1751 wh, "WME", "too short, len %u", len);
1752 return -1;
1753 }
1754 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)];
1755 qosinfo &= WME_QOSINFO_COUNT;
1756 /* XXX do proper check for wraparound */
1757 if (qosinfo == wme->wme_wmeChanParams.cap_info)
1758 return 0;
1759 frm += __offsetof(struct ieee80211_wme_param, params_acParams);
1760 for (i = 0; i < WME_NUM_AC; i++) {
1761 struct wmeParams *wmep =
1762 &wme->wme_wmeChanParams.cap_wmeParams[i];
1763 /* NB: ACI not used */
1764 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM);
1765 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN);
1766 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN);
1767 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX);
1768 wmep->wmep_txopLimit = LE_READ_2(frm+2);
1769 frm += 4;
1770 }
1771 wme->wme_wmeChanParams.cap_info = qosinfo;
1772 return 1;
1773 #undef MS
1774 }
1775
1776 void
1777 ieee80211_saveie(u_int8_t **iep, const u_int8_t *ie)
1778 {
1779 u_int ielen = ie[1]+2;
1780 /*
1781 * Record information element for later use.
1782 */
1783 if (*iep == NULL || (*iep)[1] != ie[1]) {
1784 if (*iep != NULL)
1785 free(*iep, M_DEVBUF);
1786 *iep = malloc(ielen, M_DEVBUF, M_NOWAIT);
1787 }
1788 if (*iep != NULL)
1789 memcpy(*iep, ie, ielen);
1790 /* XXX note failure */
1791 }
1792
1793 static void
1794 ieee80211_update_adhoc_node(struct ieee80211com *ic, struct ieee80211_node *ni,
1795 struct ieee80211_frame *wh, struct ieee80211_scanparams *scan, int rssi,
1796 u_int32_t rstamp)
1797 {
1798 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
1799 /*
1800 * Create a new entry in the neighbor table.
1801 * Records the TSF.
1802 */
1803 if ((ni = ieee80211_add_neighbor(ic, wh, scan)) == NULL)
1804 return;
1805 } else if (ni->ni_capinfo == 0) {
1806 /*
1807 * Initialize a node that was "faked up." Records
1808 * the TSF.
1809 *
1810 * No need to check for a change of BSSID: ni could
1811 * not have been the IBSS (ic_bss)
1812 */
1813 ieee80211_init_neighbor(ic, ni, wh, scan, 0);
1814 } else {
1815 /* Record TSF for potential resync. */
1816 memcpy(ni->ni_tstamp.data, scan->tstamp, sizeof(ni->ni_tstamp));
1817 }
1818
1819 ni->ni_rssi = rssi;
1820 ni->ni_rstamp = rstamp;
1821
1822 /* Mark a neighbor's change of BSSID. */
1823 if (IEEE80211_ADDR_EQ(wh->i_addr3, ni->ni_bssid))
1824 return;
1825
1826 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
1827
1828 if (ni != ic->ic_bss)
1829 return;
1830 else if (ic->ic_flags & IEEE80211_F_DESBSSID) {
1831 /*
1832 * Now, ni does not represent a network we
1833 * want to belong to, so start a scan.
1834 */
1835 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
1836 return;
1837 } else {
1838 /*
1839 * A RUN->RUN transition lets the driver
1840 * reprogram its BSSID filter.
1841 *
1842 * No need to SCAN, we already belong to
1843 * an IBSS that meets our criteria: channel,
1844 * SSID, etc. It could be harmful to scan,
1845 * too: if a scan does not detect nodes
1846 * belonging to my current IBSS, then we
1847 * will create a new IBSS at the end of
1848 * the scan, needlessly splitting the
1849 * network.
1850 */
1851 ieee80211_new_state(ic, IEEE80211_S_RUN, 0);
1852 }
1853 }
1854
1855 void
1856 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
1857 struct ieee80211_node *ni,
1858 int subtype, int rssi, u_int32_t rstamp)
1859 {
1860 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
1861 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
1862 struct ieee80211_frame *wh;
1863 u_int8_t *frm, *efrm;
1864 u_int8_t *ssid, *rates, *xrates, *wpa, *wme;
1865 int reassoc, resp, allocbs;
1866 u_int8_t rate;
1867
1868 wh = mtod(m0, struct ieee80211_frame *);
1869 frm = (u_int8_t *)&wh[1];
1870 efrm = mtod(m0, u_int8_t *) + m0->m_len;
1871 switch (subtype) {
1872 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1873 case IEEE80211_FC0_SUBTYPE_BEACON: {
1874 struct ieee80211_scanparams scan;
1875
1876 /*
1877 * We process beacon/probe response frames:
1878 * o when scanning, or
1879 * o station mode when associated (to collect state
1880 * updates such as 802.11g slot time), or
1881 * o adhoc mode (to discover neighbors)
1882 * Frames otherwise received are discarded.
1883 */
1884 if (!((ic->ic_flags & IEEE80211_F_SCAN) ||
1885 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) ||
1886 ic->ic_opmode == IEEE80211_M_IBSS)) {
1887 ic->ic_stats.is_rx_mgtdiscard++;
1888 return;
1889 }
1890 /*
1891 * beacon/probe response frame format
1892 * [8] time stamp
1893 * [2] beacon interval
1894 * [2] capability information
1895 * [tlv] ssid
1896 * [tlv] supported rates
1897 * [tlv] country information
1898 * [tlv] parameter set (FH/DS)
1899 * [tlv] erp information
1900 * [tlv] extended supported rates
1901 * [tlv] WME
1902 * [tlv] WPA or RSN
1903 */
1904 IEEE80211_VERIFY_LENGTH(efrm - frm, 12);
1905 memset(&scan, 0, sizeof(scan));
1906 scan.tstamp = frm; frm += 8;
1907 scan.bintval = le16toh(*(u_int16_t *)frm); frm += 2;
1908 scan.capinfo = le16toh(*(u_int16_t *)frm); frm += 2;
1909 scan.bchan = ieee80211_chan2ieee(ic, ic->ic_curchan);
1910 scan.chan = scan.bchan;
1911
1912 while (frm < efrm) {
1913 switch (*frm) {
1914 case IEEE80211_ELEMID_SSID:
1915 scan.ssid = frm;
1916 break;
1917 case IEEE80211_ELEMID_RATES:
1918 scan.rates = frm;
1919 break;
1920 case IEEE80211_ELEMID_COUNTRY:
1921 scan.country = frm;
1922 break;
1923 case IEEE80211_ELEMID_FHPARMS:
1924 if (ic->ic_phytype == IEEE80211_T_FH) {
1925 scan.fhdwell = LE_READ_2(&frm[2]);
1926 scan.chan = IEEE80211_FH_CHAN(frm[4], frm[5]);
1927 scan.fhindex = frm[6];
1928 }
1929 break;
1930 case IEEE80211_ELEMID_DSPARMS:
1931 /*
1932 * XXX hack this since depending on phytype
1933 * is problematic for multi-mode devices.
1934 */
1935 if (ic->ic_phytype != IEEE80211_T_FH)
1936 scan.chan = frm[2];
1937 break;
1938 case IEEE80211_ELEMID_TIM:
1939 /* XXX ATIM? */
1940 scan.tim = frm;
1941 scan.timoff = frm - mtod(m0, u_int8_t *);
1942 break;
1943 case IEEE80211_ELEMID_IBSSPARMS:
1944 break;
1945 case IEEE80211_ELEMID_XRATES:
1946 scan.xrates = frm;
1947 break;
1948 case IEEE80211_ELEMID_ERP:
1949 if (frm[1] != 1) {
1950 IEEE80211_DISCARD_IE(ic,
1951 IEEE80211_MSG_ELEMID, wh, "ERP",
1952 "bad len %u", frm[1]);
1953 ic->ic_stats.is_rx_elem_toobig++;
1954 break;
1955 }
1956 scan.erp = frm[2];
1957 break;
1958 case IEEE80211_ELEMID_RSN:
1959 scan.wpa = frm;
1960 break;
1961 case IEEE80211_ELEMID_VENDOR:
1962 if (iswpaoui(frm))
1963 scan.wpa = frm;
1964 else if (iswmeparam(frm) || iswmeinfo(frm))
1965 scan.wme = frm;
1966 /* XXX Atheros OUI support */
1967 break;
1968 default:
1969 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID,
1970 wh, "unhandled",
1971 "id %u, len %u", *frm, frm[1]);
1972 ic->ic_stats.is_rx_elem_unknown++;
1973 break;
1974 }
1975 frm += frm[1] + 2;
1976 }
1977 IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE);
1978 IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN);
1979 if (
1980 #if IEEE80211_CHAN_MAX < 255
1981 scan.chan > IEEE80211_CHAN_MAX ||
1982 #endif
1983 isclr(ic->ic_chan_active, scan.chan)) {
1984 IEEE80211_DISCARD(ic,
1985 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
1986 wh, ieee80211_mgt_subtype_name[subtype >>
1987 IEEE80211_FC0_SUBTYPE_SHIFT],
1988 "invalid channel %u", scan.chan);
1989 ic->ic_stats.is_rx_badchan++;
1990 return;
1991 }
1992 if (scan.chan != scan.bchan &&
1993 ic->ic_phytype != IEEE80211_T_FH) {
1994 /*
1995 * Frame was received on a channel different from the
1996 * one indicated in the DS params element id;
1997 * silently discard it.
1998 *
1999 * NB: this can happen due to signal leakage.
2000 * But we should take it for FH phy because
2001 * the rssi value should be correct even for
2002 * different hop pattern in FH.
2003 */
2004 IEEE80211_DISCARD(ic,
2005 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
2006 wh, ieee80211_mgt_subtype_name[subtype >>
2007 IEEE80211_FC0_SUBTYPE_SHIFT],
2008 "for off-channel %u", scan.chan);
2009 ic->ic_stats.is_rx_chanmismatch++;
2010 return;
2011 }
2012 if (!(IEEE80211_BINTVAL_MIN <= scan.bintval &&
2013 scan.bintval <= IEEE80211_BINTVAL_MAX)) {
2014 IEEE80211_DISCARD(ic,
2015 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
2016 wh, ieee80211_mgt_subtype_name[subtype >>
2017 IEEE80211_FC0_SUBTYPE_SHIFT],
2018 "bogus beacon interval", scan.bintval);
2019 ic->ic_stats.is_rx_badbintval++;
2020 return;
2021 }
2022
2023 if (ni != ic->ic_bss) {
2024 ni = ieee80211_refine_node_for_beacon(ic, ni,
2025 &ic->ic_channels[scan.chan], scan.ssid);
2026 }
2027 /*
2028 * Count frame now that we know it's to be processed.
2029 */
2030 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
2031 ic->ic_stats.is_rx_beacon++; /* XXX remove */
2032 IEEE80211_NODE_STAT(ni, rx_beacons);
2033 } else
2034 IEEE80211_NODE_STAT(ni, rx_proberesp);
2035
2036 /*
2037 * When operating in station mode, check for state updates.
2038 * Be careful to ignore beacons received while doing a
2039 * background scan. We consider only 11g/WMM stuff right now.
2040 */
2041 if (ic->ic_opmode == IEEE80211_M_STA &&
2042 ni->ni_associd != 0 &&
2043 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
2044 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
2045 /* record tsf of last beacon */
2046 memcpy(ni->ni_tstamp.data, scan.tstamp,
2047 sizeof(ni->ni_tstamp));
2048 if (ni->ni_erp != scan.erp) {
2049 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2050 "[%s] erp change: was 0x%x, now 0x%x\n",
2051 ether_sprintf(wh->i_addr2),
2052 ni->ni_erp, scan.erp);
2053 if (ic->ic_curmode == IEEE80211_MODE_11G &&
2054 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
2055 ic->ic_flags |= IEEE80211_F_USEPROT;
2056 else
2057 ic->ic_flags &= ~IEEE80211_F_USEPROT;
2058 ni->ni_erp = scan.erp;
2059 /* XXX statistic */
2060 }
2061 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) {
2062 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2063 "[%s] capabilities change: before 0x%x,"
2064 " now 0x%x\n",
2065 ether_sprintf(wh->i_addr2),
2066 ni->ni_capinfo, scan.capinfo);
2067 /*
2068 * NB: we assume short preamble doesn't
2069 * change dynamically
2070 */
2071 ieee80211_set_shortslottime(ic,
2072 ic->ic_curmode == IEEE80211_MODE_11A ||
2073 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
2074 ni->ni_capinfo = scan.capinfo;
2075 /* XXX statistic */
2076 }
2077 if (scan.wme != NULL &&
2078 (ni->ni_flags & IEEE80211_NODE_QOS) &&
2079 ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0)
2080 ieee80211_wme_updateparams(ic);
2081 if (scan.tim != NULL) {
2082 struct ieee80211_tim_ie *ie =
2083 (struct ieee80211_tim_ie *) scan.tim;
2084
2085 ni->ni_dtim_count = ie->tim_count;
2086 ni->ni_dtim_period = ie->tim_period;
2087 }
2088 if (ic->ic_flags & IEEE80211_F_SCAN)
2089 ieee80211_add_scan(ic, &scan, wh,
2090 subtype, rssi, rstamp);
2091 ic->ic_bmiss_count = 0;
2092 return;
2093 }
2094 /*
2095 * If scanning, just pass information to the scan module.
2096 */
2097 if (ic->ic_flags & IEEE80211_F_SCAN) {
2098 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
2099 /*
2100 * Actively scanning a channel marked passive;
2101 * send a probe request now that we know there
2102 * is 802.11 traffic present.
2103 *
2104 * XXX check if the beacon we recv'd gives
2105 * us what we need and suppress the probe req
2106 */
2107 ieee80211_probe_curchan(ic, 1);
2108 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
2109 }
2110 ieee80211_add_scan(ic, &scan, wh,
2111 subtype, rssi, rstamp);
2112 return;
2113 }
2114 if (scan.capinfo & IEEE80211_CAPINFO_IBSS)
2115 ieee80211_update_adhoc_node(ic, ni, wh, &scan, rssi,
2116 rstamp);
2117 break;
2118 }
2119
2120 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
2121 if (ic->ic_opmode == IEEE80211_M_STA ||
2122 ic->ic_state != IEEE80211_S_RUN) {
2123 ic->ic_stats.is_rx_mgtdiscard++;
2124 return;
2125 }
2126 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
2127 /* frame must be directed */
2128 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */
2129 return;
2130 }
2131
2132 /*
2133 * prreq frame format
2134 * [tlv] ssid
2135 * [tlv] supported rates
2136 * [tlv] extended supported rates
2137 */
2138 ssid = rates = xrates = NULL;
2139 while (frm < efrm) {
2140 switch (*frm) {
2141 case IEEE80211_ELEMID_SSID:
2142 ssid = frm;
2143 break;
2144 case IEEE80211_ELEMID_RATES:
2145 rates = frm;
2146 break;
2147 case IEEE80211_ELEMID_XRATES:
2148 xrates = frm;
2149 break;
2150 }
2151 frm += frm[1] + 2;
2152 }
2153 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2154 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
2155 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
2156 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
2157 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
2158 wh, ieee80211_mgt_subtype_name[subtype >>
2159 IEEE80211_FC0_SUBTYPE_SHIFT],
2160 "%s", "no ssid with ssid suppression enabled");
2161 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/
2162 return;
2163 }
2164
2165 if (ni == ic->ic_bss) {
2166 if (ic->ic_opmode != IEEE80211_M_IBSS)
2167 ni = ieee80211_tmp_node(ic, wh->i_addr2);
2168 else if (IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr))
2169 ;
2170 else {
2171 /*
2172 * XXX Cannot tell if the sender is operating
2173 * in ibss mode. But we need a new node to
2174 * send the response so blindly add them to the
2175 * neighbor table.
2176 */
2177 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta,
2178 wh->i_addr2);
2179 }
2180 if (ni == NULL)
2181 return;
2182 allocbs = 1;
2183 } else
2184 allocbs = 0;
2185 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2186 "[%s] recv probe req\n", ether_sprintf(wh->i_addr2));
2187 ni->ni_rssi = rssi;
2188 ni->ni_rstamp = rstamp;
2189 rate = ieee80211_setup_rates(ni, rates, xrates,
2190 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE
2191 | IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2192 if (rate & IEEE80211_RATE_BASIC) {
2193 IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE,
2194 wh, ieee80211_mgt_subtype_name[subtype >>
2195 IEEE80211_FC0_SUBTYPE_SHIFT],
2196 "%s", "recv'd rate set invalid");
2197 } else {
2198 IEEE80211_SEND_MGMT(ic, ni,
2199 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0);
2200 }
2201 if (allocbs && ic->ic_opmode != IEEE80211_M_IBSS) {
2202 /* reclaim immediately */
2203 ieee80211_free_node(ni);
2204 }
2205 break;
2206
2207 case IEEE80211_FC0_SUBTYPE_AUTH: {
2208 u_int16_t algo, seq, status;
2209 /*
2210 * auth frame format
2211 * [2] algorithm
2212 * [2] sequence
2213 * [2] status
2214 * [tlv*] challenge
2215 */
2216 IEEE80211_VERIFY_LENGTH(efrm - frm, 6);
2217 algo = le16toh(*(u_int16_t *)frm);
2218 seq = le16toh(*(u_int16_t *)(frm + 2));
2219 status = le16toh(*(u_int16_t *)(frm + 4));
2220 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
2221 "[%s] recv auth frame with algorithm %d seq %d\n",
2222 ether_sprintf(wh->i_addr2), algo, seq);
2223 /*
2224 * Consult the ACL policy module if setup.
2225 */
2226 if (ic->ic_acl != NULL &&
2227 !ic->ic_acl->iac_check(ic, wh->i_addr2)) {
2228 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL,
2229 wh, "auth", "%s", "disallowed by ACL");
2230 ic->ic_stats.is_rx_acl++;
2231 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2232 IEEE80211_SEND_MGMT(ic, ni,
2233 IEEE80211_FC0_SUBTYPE_AUTH,
2234 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
2235 }
2236 return;
2237 }
2238 if (ic->ic_flags & IEEE80211_F_COUNTERM) {
2239 IEEE80211_DISCARD(ic,
2240 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
2241 wh, "auth", "%s", "TKIP countermeasures enabled");
2242 ic->ic_stats.is_rx_auth_countermeasures++;
2243 #ifndef IEEE80211_NO_HOSTAP
2244 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2245 IEEE80211_SEND_MGMT(ic, ni,
2246 IEEE80211_FC0_SUBTYPE_AUTH,
2247 IEEE80211_REASON_MIC_FAILURE);
2248 }
2249 #endif /* !IEEE80211_NO_HOSTAP */
2250 return;
2251 }
2252 if (algo == IEEE80211_AUTH_ALG_SHARED)
2253 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi,
2254 rstamp, seq, status);
2255 else if (algo == IEEE80211_AUTH_ALG_OPEN)
2256 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq,
2257 status);
2258 else {
2259 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2260 wh, "auth", "unsupported alg %d", algo);
2261 ic->ic_stats.is_rx_auth_unsupported++;
2262 #ifndef IEEE80211_NO_HOSTAP
2263 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2264 /* XXX not right */
2265 IEEE80211_SEND_MGMT(ic, ni,
2266 IEEE80211_FC0_SUBTYPE_AUTH,
2267 (seq+1) | (IEEE80211_STATUS_ALG<<16));
2268 }
2269 #endif /* !IEEE80211_NO_HOSTAP */
2270 return;
2271 }
2272 break;
2273 }
2274
2275 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
2276 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
2277 u_int16_t capinfo, lintval;
2278 struct ieee80211_rsnparms rsn;
2279 u_int8_t reason;
2280
2281 if (ic->ic_opmode != IEEE80211_M_HOSTAP ||
2282 ic->ic_state != IEEE80211_S_RUN) {
2283 ic->ic_stats.is_rx_mgtdiscard++;
2284 return;
2285 }
2286
2287 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2288 reassoc = 1;
2289 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2290 } else {
2291 reassoc = 0;
2292 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2293 }
2294 /*
2295 * asreq frame format
2296 * [2] capability information
2297 * [2] listen interval
2298 * [6*] current AP address (reassoc only)
2299 * [tlv] ssid
2300 * [tlv] supported rates
2301 * [tlv] extended supported rates
2302 * [tlv] WPA or RSN
2303 */
2304 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4));
2305 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) {
2306 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2307 wh, ieee80211_mgt_subtype_name[subtype >>
2308 IEEE80211_FC0_SUBTYPE_SHIFT],
2309 "%s", "wrong bssid");
2310 ic->ic_stats.is_rx_assoc_bss++;
2311 return;
2312 }
2313 capinfo = le16toh(*(u_int16_t *)frm); frm += 2;
2314 lintval = le16toh(*(u_int16_t *)frm); frm += 2;
2315 if (reassoc)
2316 frm += 6; /* ignore current AP info */
2317 ssid = rates = xrates = wpa = wme = NULL;
2318 while (frm < efrm) {
2319 switch (*frm) {
2320 case IEEE80211_ELEMID_SSID:
2321 ssid = frm;
2322 break;
2323 case IEEE80211_ELEMID_RATES:
2324 rates = frm;
2325 break;
2326 case IEEE80211_ELEMID_XRATES:
2327 xrates = frm;
2328 break;
2329 /* XXX verify only one of RSN and WPA ie's? */
2330 case IEEE80211_ELEMID_RSN:
2331 wpa = frm;
2332 break;
2333 case IEEE80211_ELEMID_VENDOR:
2334 if (iswpaoui(frm))
2335 wpa = frm;
2336 else if (iswmeinfo(frm))
2337 wme = frm;
2338 /* XXX Atheros OUI support */
2339 break;
2340 }
2341 frm += frm[1] + 2;
2342 }
2343 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2344 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
2345 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
2346
2347 if (ni == ic->ic_bss) {
2348 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2349 "[%s] deny %s request, sta not authenticated\n",
2350 ether_sprintf(wh->i_addr2),
2351 reassoc ? "reassoc" : "assoc");
2352 ieee80211_send_error(ic, ni, wh->i_addr2,
2353 IEEE80211_FC0_SUBTYPE_DEAUTH,
2354 IEEE80211_REASON_ASSOC_NOT_AUTHED);
2355 ic->ic_stats.is_rx_assoc_notauth++;
2356 return;
2357 }
2358 /* assert right associstion security credentials */
2359 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) {
2360 IEEE80211_DPRINTF(ic,
2361 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
2362 "[%s] no WPA/RSN IE in association request\n",
2363 ether_sprintf(wh->i_addr2));
2364 IEEE80211_SEND_MGMT(ic, ni,
2365 IEEE80211_FC0_SUBTYPE_DEAUTH,
2366 IEEE80211_REASON_RSN_REQUIRED);
2367 ieee80211_node_leave(ic, ni);
2368 /* XXX distinguish WPA/RSN? */
2369 ic->ic_stats.is_rx_assoc_badwpaie++;
2370 return;
2371 }
2372 if (wpa != NULL) {
2373 /*
2374 * Parse WPA information element. Note that
2375 * we initialize the param block from the node
2376 * state so that information in the IE overrides
2377 * our defaults. The resulting parameters are
2378 * installed below after the association is assured.
2379 */
2380 rsn = ni->ni_rsn;
2381 if (wpa[0] != IEEE80211_ELEMID_RSN)
2382 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh);
2383 else
2384 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh);
2385 if (reason != 0) {
2386 IEEE80211_SEND_MGMT(ic, ni,
2387 IEEE80211_FC0_SUBTYPE_DEAUTH, reason);
2388 ieee80211_node_leave(ic, ni);
2389 /* XXX distinguish WPA/RSN? */
2390 ic->ic_stats.is_rx_assoc_badwpaie++;
2391 return;
2392 }
2393 IEEE80211_DPRINTF(ic,
2394 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
2395 "[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n",
2396 ether_sprintf(wh->i_addr2),
2397 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN",
2398 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen,
2399 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen,
2400 rsn.rsn_keymgmt, rsn.rsn_caps);
2401 }
2402 /* discard challenge after association */
2403 if (ni->ni_challenge != NULL) {
2404 free(ni->ni_challenge, M_DEVBUF);
2405 ni->ni_challenge = NULL;
2406 }
2407 /* NB: 802.11 spec says to ignore station's privacy bit */
2408 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2409 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2410 "[%s] deny %s request, capability mismatch 0x%x\n",
2411 ether_sprintf(wh->i_addr2),
2412 reassoc ? "reassoc" : "assoc", capinfo);
2413 IEEE80211_SEND_MGMT(ic, ni, resp,
2414 IEEE80211_STATUS_CAPINFO);
2415 ieee80211_node_leave(ic, ni);
2416 ic->ic_stats.is_rx_assoc_capmismatch++;
2417 return;
2418 }
2419 rate = ieee80211_setup_rates(ni, rates, xrates,
2420 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2421 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2422 /*
2423 * If constrained to 11g-only stations reject an
2424 * 11b-only station. We cheat a bit here by looking
2425 * at the max negotiated xmit rate and assuming anyone
2426 * with a best rate <24Mb/s is an 11b station.
2427 */
2428 if ((rate & IEEE80211_RATE_BASIC) ||
2429 ((ic->ic_flags & IEEE80211_F_PUREG) && rate < 48)) {
2430 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2431 "[%s] deny %s request, rate set mismatch\n",
2432 ether_sprintf(wh->i_addr2),
2433 reassoc ? "reassoc" : "assoc");
2434 IEEE80211_SEND_MGMT(ic, ni, resp,
2435 IEEE80211_STATUS_BASIC_RATE);
2436 ieee80211_node_leave(ic, ni);
2437 ic->ic_stats.is_rx_assoc_norate++;
2438 return;
2439 }
2440 ni->ni_rssi = rssi;
2441 ni->ni_rstamp = rstamp;
2442 ni->ni_intval = lintval;
2443 ni->ni_capinfo = capinfo;
2444 ni->ni_chan = ic->ic_bss->ni_chan;
2445 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell;
2446 ni->ni_fhindex = ic->ic_bss->ni_fhindex;
2447 if (wpa != NULL) {
2448 /*
2449 * Record WPA/RSN parameters for station, mark
2450 * node as using WPA and record information element
2451 * for applications that require it.
2452 */
2453 ni->ni_rsn = rsn;
2454 ieee80211_saveie(&ni->ni_wpa_ie, wpa);
2455 } else if (ni->ni_wpa_ie != NULL) {
2456 /*
2457 * Flush any state from a previous association.
2458 */
2459 free(ni->ni_wpa_ie, M_DEVBUF);
2460 ni->ni_wpa_ie = NULL;
2461 }
2462 if (wme != NULL) {
2463 /*
2464 * Record WME parameters for station, mark node
2465 * as capable of QoS and record information
2466 * element for applications that require it.
2467 */
2468 ieee80211_saveie(&ni->ni_wme_ie, wme);
2469 ni->ni_flags |= IEEE80211_NODE_QOS;
2470 } else if (ni->ni_wme_ie != NULL) {
2471 /*
2472 * Flush any state from a previous association.
2473 */
2474 free(ni->ni_wme_ie, M_DEVBUF);
2475 ni->ni_wme_ie = NULL;
2476 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2477 }
2478 ieee80211_node_join(ic, ni, resp);
2479 break;
2480 }
2481
2482 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2483 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
2484 u_int16_t capinfo, associd;
2485 u_int16_t status;
2486
2487 if (ic->ic_opmode != IEEE80211_M_STA ||
2488 ic->ic_state != IEEE80211_S_ASSOC) {
2489 ic->ic_stats.is_rx_mgtdiscard++;
2490 return;
2491 }
2492
2493 /*
2494 * asresp frame format
2495 * [2] capability information
2496 * [2] status
2497 * [2] association ID
2498 * [tlv] supported rates
2499 * [tlv] extended supported rates
2500 * [tlv] WME
2501 */
2502 IEEE80211_VERIFY_LENGTH(efrm - frm, 6);
2503 ni = ic->ic_bss;
2504 capinfo = le16toh(*(u_int16_t *)frm);
2505 frm += 2;
2506 status = le16toh(*(u_int16_t *)frm);
2507 frm += 2;
2508 if (status != 0) {
2509 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2510 "[%s] %sassoc failed (reason %d)\n",
2511 ether_sprintf(wh->i_addr2),
2512 ISREASSOC(subtype) ? "re" : "", status);
2513 if (ni != ic->ic_bss) /* XXX never true? */
2514 ni->ni_fails++;
2515 ic->ic_stats.is_rx_auth_fail++; /* XXX */
2516 return;
2517 }
2518 associd = le16toh(*(u_int16_t *)frm);
2519 frm += 2;
2520
2521 rates = xrates = wpa = wme = NULL;
2522 while (frm < efrm) {
2523 switch (*frm) {
2524 case IEEE80211_ELEMID_RATES:
2525 rates = frm;
2526 break;
2527 case IEEE80211_ELEMID_XRATES:
2528 xrates = frm;
2529 break;
2530 case IEEE80211_ELEMID_VENDOR:
2531 if (iswmeoui(frm))
2532 wme = frm;
2533 /* XXX Atheros OUI support */
2534 break;
2535 }
2536 frm += frm[1] + 2;
2537 }
2538
2539 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2540 rate = ieee80211_setup_rates(ni, rates, xrates,
2541 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2542 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2543 if (rate & IEEE80211_RATE_BASIC) {
2544 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2545 "[%s] %sassoc failed (rate set mismatch)\n",
2546 ether_sprintf(wh->i_addr2),
2547 ISREASSOC(subtype) ? "re" : "");
2548 if (ni != ic->ic_bss) /* XXX never true? */
2549 ni->ni_fails++;
2550 ic->ic_stats.is_rx_assoc_norate++;
2551 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
2552 return;
2553 }
2554
2555 ni->ni_capinfo = capinfo;
2556 ni->ni_associd = associd;
2557 if (wme != NULL &&
2558 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) {
2559 ni->ni_flags |= IEEE80211_NODE_QOS;
2560 ieee80211_wme_updateparams(ic);
2561 } else
2562 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2563 /*
2564 * Configure state now that we are associated.
2565 *
2566 * XXX may need different/additional driver callbacks?
2567 */
2568 if (ic->ic_curmode == IEEE80211_MODE_11A ||
2569 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
2570 ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
2571 ic->ic_flags &= ~IEEE80211_F_USEBARKER;
2572 } else {
2573 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
2574 ic->ic_flags |= IEEE80211_F_USEBARKER;
2575 }
2576 ieee80211_set_shortslottime(ic,
2577 ic->ic_curmode == IEEE80211_MODE_11A ||
2578 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
2579 /*
2580 * Honor ERP protection.
2581 *
2582 * NB: ni_erp should zero for non-11g operation.
2583 * XXX check ic_curmode anyway?
2584 */
2585 if (ic->ic_curmode == IEEE80211_MODE_11G &&
2586 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
2587 ic->ic_flags |= IEEE80211_F_USEPROT;
2588 else
2589 ic->ic_flags &= ~IEEE80211_F_USEPROT;
2590 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2591 "[%s] %sassoc success: %s preamble, %s slot time%s%s\n",
2592 ether_sprintf(wh->i_addr2),
2593 ISREASSOC(subtype) ? "re" : "",
2594 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
2595 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
2596 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
2597 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : ""
2598 );
2599 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype);
2600 break;
2601 }
2602
2603 case IEEE80211_FC0_SUBTYPE_DEAUTH: {
2604 u_int16_t reason;
2605
2606 if (ic->ic_state == IEEE80211_S_SCAN) {
2607 ic->ic_stats.is_rx_mgtdiscard++;
2608 return;
2609 }
2610 /*
2611 * deauth frame format
2612 * [2] reason
2613 */
2614 IEEE80211_VERIFY_LENGTH(efrm - frm, 2);
2615 reason = le16toh(*(u_int16_t *)frm);
2616 ic->ic_stats.is_rx_deauth++;
2617 IEEE80211_NODE_STAT(ni, rx_deauth);
2618
2619 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
2620 /* Not intended for this station. */
2621 ic->ic_stats.is_rx_mgtdiscard++;
2622 break;
2623 }
2624 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
2625 "[%s] recv deauthenticate (reason %d)\n",
2626 ether_sprintf(ni->ni_macaddr), reason);
2627 switch (ic->ic_opmode) {
2628 case IEEE80211_M_STA:
2629 ieee80211_new_state(ic, IEEE80211_S_AUTH,
2630 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
2631 break;
2632 case IEEE80211_M_HOSTAP:
2633 #ifndef IEEE80211_NO_HOSTAP
2634 if (ni != ic->ic_bss)
2635 ieee80211_node_leave(ic, ni);
2636 #endif /* !IEEE80211_NO_HOSTAP */
2637 break;
2638 default:
2639 ic->ic_stats.is_rx_mgtdiscard++;
2640 break;
2641 }
2642 break;
2643 }
2644
2645 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2646 u_int16_t reason;
2647
2648 if (ic->ic_state != IEEE80211_S_RUN &&
2649 ic->ic_state != IEEE80211_S_ASSOC &&
2650 ic->ic_state != IEEE80211_S_AUTH) {
2651 ic->ic_stats.is_rx_mgtdiscard++;
2652 return;
2653 }
2654 /*
2655 * disassoc frame format
2656 * [2] reason
2657 */
2658 IEEE80211_VERIFY_LENGTH(efrm - frm, 2);
2659 reason = le16toh(*(u_int16_t *)frm);
2660 ic->ic_stats.is_rx_disassoc++;
2661 IEEE80211_NODE_STAT(ni, rx_disassoc);
2662
2663 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
2664 /* Not intended for this station. */
2665 ic->ic_stats.is_rx_mgtdiscard++;
2666 break;
2667 }
2668 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2669 "[%s] recv disassociate (reason %d)\n",
2670 ether_sprintf(ni->ni_macaddr), reason);
2671 switch (ic->ic_opmode) {
2672 case IEEE80211_M_STA:
2673 ieee80211_new_state(ic, IEEE80211_S_ASSOC,
2674 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
2675 break;
2676 case IEEE80211_M_HOSTAP:
2677 #ifndef IEEE80211_NO_HOSTAP
2678 if (ni != ic->ic_bss)
2679 ieee80211_node_leave(ic, ni);
2680 #endif /* !IEEE80211_NO_HOSTAP */
2681 break;
2682 default:
2683 ic->ic_stats.is_rx_mgtdiscard++;
2684 break;
2685 }
2686 break;
2687 }
2688 default:
2689 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2690 wh, "mgt", "subtype 0x%x not handled", subtype);
2691 ic->ic_stats.is_rx_badsubtype++;
2692 break;
2693 }
2694 #undef ISREASSOC
2695 #undef ISPROBE
2696 }
2697 #undef IEEE80211_VERIFY_LENGTH
2698 #undef IEEE80211_VERIFY_ELEMENT
2699
2700 #ifndef IEEE80211_NO_HOSTAP
2701 /*
2702 * Handle station power-save state change.
2703 */
2704 static void
2705 ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable)
2706 {
2707 struct ieee80211com *ic = ni->ni_ic;
2708 struct mbuf *m;
2709
2710 if (enable) {
2711 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0)
2712 ic->ic_ps_sta++;
2713 ni->ni_flags |= IEEE80211_NODE_PWR_MGT;
2714 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2715 "[%s] power save mode on, %u sta's in ps mode\n",
2716 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta);
2717 return;
2718 }
2719
2720 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT)
2721 ic->ic_ps_sta--;
2722 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT;
2723 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2724 "[%s] power save mode off, %u sta's in ps mode\n",
2725 ether_sprintf(ni->ni_macaddr), ic->ic_ps_sta);
2726 /* XXX if no stations in ps mode, flush mc frames */
2727
2728 /*
2729 * Flush queued unicast frames.
2730 */
2731 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) {
2732 if (ic->ic_set_tim != NULL)
2733 ic->ic_set_tim(ni, 0); /* just in case */
2734 return;
2735 }
2736 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2737 "[%s] flush ps queue, %u packets queued\n",
2738 ether_sprintf(ni->ni_macaddr), IEEE80211_NODE_SAVEQ_QLEN(ni));
2739 for (;;) {
2740 int qlen;
2741
2742 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen);
2743 if (m == NULL)
2744 break;
2745 /*
2746 * If this is the last packet, turn off the TIM bit.
2747 * If there are more packets, set the more packets bit
2748 * in the mbuf so ieee80211_encap will mark the 802.11
2749 * head to indicate more data frames will follow.
2750 */
2751 if (qlen != 0)
2752 m->m_flags |= M_MORE_DATA;
2753 /* XXX need different driver interface */
2754 /* XXX bypasses q max */
2755 IF_ENQUEUE(&ic->ic_ifp->if_snd, m);
2756 }
2757 if (ic->ic_set_tim != NULL)
2758 ic->ic_set_tim(ni, 0);
2759 }
2760
2761 /*
2762 * Process a received ps-poll frame.
2763 */
2764 static void
2765 ieee80211_recv_pspoll(struct ieee80211com *ic,
2766 struct ieee80211_node *ni, struct mbuf *m0)
2767 {
2768 struct ieee80211_frame_min *wh;
2769 struct mbuf *m;
2770 u_int16_t aid;
2771 int qlen;
2772
2773 wh = mtod(m0, struct ieee80211_frame_min *);
2774 if (ni->ni_associd == 0) {
2775 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2776 (struct ieee80211_frame *) wh, "ps-poll",
2777 "%s", "unassociated station");
2778 ic->ic_stats.is_ps_unassoc++;
2779 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2780 IEEE80211_REASON_NOT_ASSOCED);
2781 return;
2782 }
2783
2784 aid = le16toh(*(u_int16_t *)wh->i_dur);
2785 if (aid != ni->ni_associd) {
2786 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2787 (struct ieee80211_frame *) wh, "ps-poll",
2788 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2789 ni->ni_associd, aid);
2790 ic->ic_stats.is_ps_badaid++;
2791 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2792 IEEE80211_REASON_NOT_ASSOCED);
2793 return;
2794 }
2795
2796 /* Okay, take the first queued packet and put it out... */
2797 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen);
2798 if (m == NULL) {
2799 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2800 "[%s] recv ps-poll, but queue empty\n",
2801 ether_sprintf(wh->i_addr2));
2802 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2803 ic->ic_stats.is_ps_qempty++; /* XXX node stat */
2804 if (ic->ic_set_tim != NULL)
2805 ic->ic_set_tim(ni, 0); /* just in case */
2806 return;
2807 }
2808 /*
2809 * If there are more packets, set the more packets bit
2810 * in the packet dispatched to the station; otherwise
2811 * turn off the TIM bit.
2812 */
2813 if (qlen != 0) {
2814 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2815 "[%s] recv ps-poll, send packet, %u still queued\n",
2816 ether_sprintf(ni->ni_macaddr), qlen);
2817 m->m_flags |= M_MORE_DATA;
2818 } else {
2819 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2820 "[%s] recv ps-poll, send packet, queue empty\n",
2821 ether_sprintf(ni->ni_macaddr));
2822 if (ic->ic_set_tim != NULL)
2823 ic->ic_set_tim(ni, 0);
2824 }
2825 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2826 IF_ENQUEUE(&ic->ic_ifp->if_snd, m);
2827 }
2828 #endif /* !IEEE80211_NO_HOSTAP */
2829
2830 #ifdef IEEE80211_DEBUG
2831 /*
2832 * Debugging support.
2833 */
2834
2835 /*
2836 * Return the bssid of a frame.
2837 */
2838 static const u_int8_t *
2839 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh)
2840 {
2841 if (ic->ic_opmode == IEEE80211_M_STA)
2842 return wh->i_addr2;
2843 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS)
2844 return wh->i_addr1;
2845 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL)
2846 return wh->i_addr1;
2847 return wh->i_addr3;
2848 }
2849
2850 void
2851 ieee80211_note(struct ieee80211com *ic, const char *fmt, ...)
2852 {
2853 char buf[128]; /* XXX */
2854 va_list ap;
2855
2856 va_start(ap, fmt);
2857 vsnprintf(buf, sizeof(buf), fmt, ap);
2858 va_end(ap);
2859
2860 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */
2861 }
2862
2863 void
2864 ieee80211_note_frame(struct ieee80211com *ic,
2865 const struct ieee80211_frame *wh,
2866 const char *fmt, ...)
2867 {
2868 char buf[128]; /* XXX */
2869 va_list ap;
2870
2871 va_start(ap, fmt);
2872 vsnprintf(buf, sizeof(buf), fmt, ap);
2873 va_end(ap);
2874 if_printf(ic->ic_ifp, "[%s] %s\n",
2875 ether_sprintf(ieee80211_getbssid(ic, wh)), buf);
2876 }
2877
2878 void
2879 ieee80211_note_mac(struct ieee80211com *ic,
2880 const u_int8_t mac[IEEE80211_ADDR_LEN],
2881 const char *fmt, ...)
2882 {
2883 char buf[128]; /* XXX */
2884 va_list ap;
2885
2886 va_start(ap, fmt);
2887 vsnprintf(buf, sizeof(buf), fmt, ap);
2888 va_end(ap);
2889 if_printf(ic->ic_ifp, "[%s] %s\n", ether_sprintf(mac), buf);
2890 }
2891
2892 static void
2893 ieee80211_discard_frame(struct ieee80211com *ic,
2894 const struct ieee80211_frame *wh,
2895 const char *type, const char *fmt, ...)
2896 {
2897 va_list ap;
2898
2899 printf("[%s:%s] discard ", ic->ic_ifp->if_xname,
2900 ether_sprintf(ieee80211_getbssid(ic, wh)));
2901 if (type != NULL)
2902 printf("%s frame, ", type);
2903 else
2904 printf("frame, ");
2905 va_start(ap, fmt);
2906 vprintf(fmt, ap);
2907 va_end(ap);
2908 printf("\n");
2909 }
2910
2911 static void
2912 ieee80211_discard_ie(struct ieee80211com *ic,
2913 const struct ieee80211_frame *wh,
2914 const char *type, const char *fmt, ...)
2915 {
2916 va_list ap;
2917
2918 printf("[%s:%s] discard ", ic->ic_ifp->if_xname,
2919 ether_sprintf(ieee80211_getbssid(ic, wh)));
2920 if (type != NULL)
2921 printf("%s information element, ", type);
2922 else
2923 printf("information element, ");
2924 va_start(ap, fmt);
2925 vprintf(fmt, ap);
2926 va_end(ap);
2927 printf("\n");
2928 }
2929
2930 static void
2931 ieee80211_discard_mac(struct ieee80211com *ic,
2932 const u_int8_t mac[IEEE80211_ADDR_LEN],
2933 const char *type, const char *fmt, ...)
2934 {
2935 va_list ap;
2936
2937 printf("[%s:%s] discard ", ic->ic_ifp->if_xname, ether_sprintf(mac));
2938 if (type != NULL)
2939 printf("%s frame, ", type);
2940 else
2941 printf("frame, ");
2942 va_start(ap, fmt);
2943 vprintf(fmt, ap);
2944 va_end(ap);
2945 printf("\n");
2946 }
2947 #endif /* IEEE80211_DEBUG */
NetBSD on the FriendlyARM MINI2440