1/*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2007-2009 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28/* 29 * IEEE 802.11 IBSS mode support. 30 */ 31#include "opt_inet.h" 32#include "opt_wlan.h" 33 34#include <sys/param.h> 35#include <sys/systm.h> 36#include <sys/mbuf.h> 37#include <sys/malloc.h> 38#include <sys/kernel.h> 39 40#include <sys/socket.h> 41#include <sys/sockio.h> 42#include <sys/endian.h> 43#include <sys/errno.h> 44#include <sys/proc.h> 45#include <sys/sysctl.h> 46 47#include <net/if.h> 48#include <net/if_var.h> 49#include <net/if_media.h> 50#include <net/if_llc.h> 51#include <net/if_private.h> 52#include <net/ethernet.h> 53 54#include <net/bpf.h> 55 56#include <net80211/ieee80211_var.h> 57#include <net80211/ieee80211_adhoc.h> 58#include <net80211/ieee80211_input.h> 59#ifdef IEEE80211_SUPPORT_SUPERG 60#include <net80211/ieee80211_superg.h> 61#endif 62#ifdef IEEE80211_SUPPORT_TDMA 63#include <net80211/ieee80211_tdma.h> 64#endif 65#include <net80211/ieee80211_sta.h> 66 67#define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 68 69static void adhoc_vattach(struct ieee80211vap *); 70static int adhoc_newstate(struct ieee80211vap *, enum ieee80211_state, int); 71static int adhoc_input(struct ieee80211_node *, struct mbuf *, 72 const struct ieee80211_rx_stats *, int, int); 73static void adhoc_recv_mgmt(struct ieee80211_node *, struct mbuf *, 74 int subtype, const struct ieee80211_rx_stats *, int, int); 75static void ahdemo_recv_mgmt(struct ieee80211_node *, struct mbuf *, 76 int subtype, const struct ieee80211_rx_stats *rxs, int, int); 77static void adhoc_recv_ctl(struct ieee80211_node *, struct mbuf *, int subtype); 78 79void 80ieee80211_adhoc_attach(struct ieee80211com *ic) 81{ 82 ic->ic_vattach[IEEE80211_M_IBSS] = adhoc_vattach; 83 ic->ic_vattach[IEEE80211_M_AHDEMO] = adhoc_vattach; 84} 85 86void 87ieee80211_adhoc_detach(struct ieee80211com *ic) 88{ 89} 90 91static void 92adhoc_vdetach(struct ieee80211vap *vap) 93{ 94} 95 96static void 97adhoc_vattach(struct ieee80211vap *vap) 98{ 99 vap->iv_newstate = adhoc_newstate; 100 vap->iv_input = adhoc_input; 101 if (vap->iv_opmode == IEEE80211_M_IBSS) 102 vap->iv_recv_mgmt = adhoc_recv_mgmt; 103 else 104 vap->iv_recv_mgmt = ahdemo_recv_mgmt; 105 vap->iv_recv_ctl = adhoc_recv_ctl; 106 vap->iv_opdetach = adhoc_vdetach; 107#ifdef IEEE80211_SUPPORT_TDMA 108 /* 109 * Throw control to tdma support. Note we do this 110 * after setting up our callbacks so it can piggyback 111 * on top of us. 112 */ 113 if (vap->iv_caps & IEEE80211_C_TDMA) 114 ieee80211_tdma_vattach(vap); 115#endif 116} 117 118static void 119sta_leave(void *arg, struct ieee80211_node *ni) 120{ 121 struct ieee80211vap *vap = ni->ni_vap; 122 123 if (ni != vap->iv_bss) 124 ieee80211_node_leave(ni); 125} 126 127/* 128 * IEEE80211_M_IBSS+IEEE80211_M_AHDEMO vap state machine handler. 129 */ 130static int 131adhoc_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 132{ 133 struct ieee80211com *ic = vap->iv_ic; 134 struct ieee80211_node *ni; 135 enum ieee80211_state ostate; 136 137 IEEE80211_LOCK_ASSERT(vap->iv_ic); 138 139 ostate = vap->iv_state; 140 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 141 __func__, ieee80211_state_name[ostate], 142 ieee80211_state_name[nstate], arg); 143 vap->iv_state = nstate; /* state transition */ 144 if (ostate != IEEE80211_S_SCAN) 145 ieee80211_cancel_scan(vap); /* background scan */ 146 ni = vap->iv_bss; /* NB: no reference held */ 147 switch (nstate) { 148 case IEEE80211_S_INIT: 149 switch (ostate) { 150 case IEEE80211_S_SCAN: 151 ieee80211_cancel_scan(vap); 152 break; 153 default: 154 break; 155 } 156 if (ostate != IEEE80211_S_INIT) { 157 /* NB: optimize INIT -> INIT case */ 158 ieee80211_reset_bss(vap); 159 } 160 break; 161 case IEEE80211_S_SCAN: 162 switch (ostate) { 163 case IEEE80211_S_RUN: /* beacon miss */ 164 /* purge station table; entries are stale */ 165 ieee80211_iterate_nodes_vap(&ic->ic_sta, vap, 166 sta_leave, NULL); 167 /* fall thru... */ 168 case IEEE80211_S_INIT: 169 if (vap->iv_des_chan != IEEE80211_CHAN_ANYC && 170 !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) { 171 /* 172 * Already have a channel; bypass the 173 * scan and startup immediately. 174 */ 175 ieee80211_create_ibss(vap, 176 ieee80211_ht_adjust_channel(ic, 177 vap->iv_des_chan, vap->iv_flags_ht)); 178 break; 179 } 180 /* 181 * Initiate a scan. We can come here as a result 182 * of an IEEE80211_IOC_SCAN_REQ too in which case 183 * the vap will be marked with IEEE80211_FEXT_SCANREQ 184 * and the scan request parameters will be present 185 * in iv_scanreq. Otherwise we do the default. 186 */ 187 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 188 ieee80211_check_scan(vap, 189 vap->iv_scanreq_flags, 190 vap->iv_scanreq_duration, 191 vap->iv_scanreq_mindwell, 192 vap->iv_scanreq_maxdwell, 193 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 194 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 195 } else 196 ieee80211_check_scan_current(vap); 197 break; 198 case IEEE80211_S_SCAN: 199 /* 200 * This can happen because of a change in state 201 * that requires a reset. Trigger a new scan 202 * unless we're in manual roaming mode in which 203 * case an application must issue an explicit request. 204 */ 205 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) 206 ieee80211_check_scan_current(vap); 207 break; 208 default: 209 goto invalid; 210 } 211 break; 212 case IEEE80211_S_RUN: 213 if (vap->iv_flags & IEEE80211_F_WPA) { 214 /* XXX validate prerequisites */ 215 } 216 switch (ostate) { 217 case IEEE80211_S_INIT: 218 /* 219 * Already have a channel; bypass the 220 * scan and startup immediately. 221 * Note that ieee80211_create_ibss will call 222 * back to do a RUN->RUN state change. 223 */ 224 ieee80211_create_ibss(vap, 225 ieee80211_ht_adjust_channel(ic, 226 ic->ic_curchan, vap->iv_flags_ht)); 227 /* NB: iv_bss is changed on return */ 228 ni = vap->iv_bss; 229 break; 230 case IEEE80211_S_SCAN: 231#ifdef IEEE80211_DEBUG 232 if (ieee80211_msg_debug(vap)) { 233 ieee80211_note(vap, 234 "synchronized with %s ssid ", 235 ether_sprintf(ni->ni_bssid)); 236 ieee80211_print_essid(vap->iv_bss->ni_essid, 237 ni->ni_esslen); 238 /* XXX MCS/HT */ 239 printf(" channel %d start %uMb\n", 240 ieee80211_chan2ieee(ic, ic->ic_curchan), 241 IEEE80211_RATE2MBS(ni->ni_txrate)); 242 } 243#endif 244 break; 245 case IEEE80211_S_RUN: /* IBSS merge */ 246 break; 247 default: 248 goto invalid; 249 } 250 /* 251 * When 802.1x is not in use mark the port authorized 252 * at this point so traffic can flow. 253 */ 254 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 255 ieee80211_node_authorize(ni); 256 /* 257 * Fake association when joining an existing bss. 258 */ 259 if (!IEEE80211_ADDR_EQ(ni->ni_macaddr, vap->iv_myaddr) && 260 ic->ic_newassoc != NULL) 261 ic->ic_newassoc(ni, ostate != IEEE80211_S_RUN); 262 break; 263 case IEEE80211_S_SLEEP: 264 vap->iv_sta_ps(vap, 0); 265 break; 266 default: 267 invalid: 268 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, 269 "%s: unexpected state transition %s -> %s\n", __func__, 270 ieee80211_state_name[ostate], ieee80211_state_name[nstate]); 271 break; 272 } 273 return 0; 274} 275 276/* 277 * Decide if a received management frame should be 278 * printed when debugging is enabled. This filters some 279 * of the less interesting frames that come frequently 280 * (e.g. beacons). 281 */ 282static __inline int 283doprint(struct ieee80211vap *vap, int subtype) 284{ 285 switch (subtype) { 286 case IEEE80211_FC0_SUBTYPE_BEACON: 287 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 288 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 289 return 1; 290 } 291 return 1; 292} 293 294/* 295 * Process a received frame. The node associated with the sender 296 * should be supplied. If nothing was found in the node table then 297 * the caller is assumed to supply a reference to iv_bss instead. 298 * The RSSI and a timestamp are also supplied. The RSSI data is used 299 * during AP scanning to select a AP to associate with; it can have 300 * any units so long as values have consistent units and higher values 301 * mean ``better signal''. The receive timestamp is currently not used 302 * by the 802.11 layer. 303 */ 304static int 305adhoc_input(struct ieee80211_node *ni, struct mbuf *m, 306 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 307{ 308 struct ieee80211vap *vap = ni->ni_vap; 309 struct ieee80211com *ic = ni->ni_ic; 310 struct ifnet *ifp = vap->iv_ifp; 311 struct ieee80211_frame *wh; 312 struct ieee80211_key *key; 313 struct ether_header *eh; 314 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 315 uint8_t dir, type, subtype, qos; 316 uint8_t *bssid; 317 int is_hw_decrypted = 0; 318 int has_decrypted = 0; 319 320 /* 321 * Some devices do hardware decryption all the way through 322 * to pretending the frame wasn't encrypted in the first place. 323 * So, tag it appropriately so it isn't discarded inappropriately. 324 */ 325 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) 326 is_hw_decrypted = 1; 327 328 if (m->m_flags & M_AMPDU_MPDU) { 329 /* 330 * Fastpath for A-MPDU reorder q resubmission. Frames 331 * w/ M_AMPDU_MPDU marked have already passed through 332 * here but were received out of order and been held on 333 * the reorder queue. When resubmitted they are marked 334 * with the M_AMPDU_MPDU flag and we can bypass most of 335 * the normal processing. 336 */ 337 wh = mtod(m, struct ieee80211_frame *); 338 type = IEEE80211_FC0_TYPE_DATA; 339 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 340 subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA; 341 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 342 goto resubmit_ampdu; 343 } 344 345 KASSERT(ni != NULL, ("null node")); 346 ni->ni_inact = ni->ni_inact_reload; 347 348 type = -1; /* undefined */ 349 350 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 351 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 352 ni->ni_macaddr, NULL, 353 "too short (1): len %u", m->m_pkthdr.len); 354 vap->iv_stats.is_rx_tooshort++; 355 goto out; 356 } 357 /* 358 * Bit of a cheat here, we use a pointer for a 3-address 359 * frame format but don't reference fields past outside 360 * ieee80211_frame_min w/o first validating the data is 361 * present. 362 */ 363 wh = mtod(m, struct ieee80211_frame *); 364 365 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 366 IEEE80211_FC0_VERSION_0) { 367 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 368 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 369 wh->i_fc[0], wh->i_fc[1]); 370 vap->iv_stats.is_rx_badversion++; 371 goto err; 372 } 373 374 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 375 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 376 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 377 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 378 if (dir != IEEE80211_FC1_DIR_NODS) 379 bssid = wh->i_addr1; 380 else if (type == IEEE80211_FC0_TYPE_CTL) 381 bssid = wh->i_addr1; 382 else { 383 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 384 IEEE80211_DISCARD_MAC(vap, 385 IEEE80211_MSG_ANY, ni->ni_macaddr, 386 NULL, "too short (2): len %u", 387 m->m_pkthdr.len); 388 vap->iv_stats.is_rx_tooshort++; 389 goto out; 390 } 391 bssid = wh->i_addr3; 392 } 393 /* 394 * Validate the bssid. 395 */ 396 if (!(type == IEEE80211_FC0_TYPE_MGT && 397 (subtype == IEEE80211_FC0_SUBTYPE_BEACON || 398 subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP)) && 399 !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) && 400 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) { 401 /* not interested in */ 402 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 403 bssid, NULL, "%s", "not to bss"); 404 vap->iv_stats.is_rx_wrongbss++; 405 goto out; 406 } 407 /* 408 * Data frame, cons up a node when it doesn't 409 * exist. This should probably done after an ACL check. 410 */ 411 if (type == IEEE80211_FC0_TYPE_DATA && 412 ni == vap->iv_bss && 413 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 414 /* 415 * Beware of frames that come in too early; we 416 * can receive broadcast frames and creating sta 417 * entries will blow up because there is no bss 418 * channel yet. 419 */ 420 if (vap->iv_state != IEEE80211_S_RUN) { 421 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 422 wh, "data", "not in RUN state (%s)", 423 ieee80211_state_name[vap->iv_state]); 424 vap->iv_stats.is_rx_badstate++; 425 goto err; 426 } 427 /* 428 * Fake up a node for this newly discovered member 429 * of the IBSS. 430 * 431 * Note: This doesn't "upgrade" the node to 11n; 432 * that will happen after a probe request/response 433 * exchange. 434 */ 435 ni = ieee80211_fakeup_adhoc_node(vap, wh->i_addr2); 436 if (ni == NULL) { 437 /* NB: stat kept for alloc failure */ 438 goto err; 439 } 440 } 441 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 442 ni->ni_noise = nf; 443 if (IEEE80211_HAS_SEQ(type, subtype) && 444 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 445 uint8_t tid = ieee80211_gettid(wh); 446 if (IEEE80211_QOS_HAS_SEQ(wh) && 447 TID_TO_WME_AC(tid) >= WME_AC_VI) 448 ic->ic_wme.wme_hipri_traffic++; 449 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs)) 450 goto out; 451 } 452 } 453 454 switch (type) { 455 case IEEE80211_FC0_TYPE_DATA: 456 hdrspace = ieee80211_hdrspace(ic, wh); 457 if (m->m_len < hdrspace && 458 (m = m_pullup(m, hdrspace)) == NULL) { 459 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 460 ni->ni_macaddr, NULL, 461 "data too short: expecting %u", hdrspace); 462 vap->iv_stats.is_rx_tooshort++; 463 goto out; /* XXX */ 464 } 465 if (dir != IEEE80211_FC1_DIR_NODS) { 466 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 467 wh, "data", "incorrect dir 0x%x", dir); 468 vap->iv_stats.is_rx_wrongdir++; 469 goto out; 470 } 471 /* XXX no power-save support */ 472 473 /* 474 * Handle A-MPDU re-ordering. If the frame is to be 475 * processed directly then ieee80211_ampdu_reorder 476 * will return 0; otherwise it has consumed the mbuf 477 * and we should do nothing more with it. 478 */ 479 if ((m->m_flags & M_AMPDU) && 480 ieee80211_ampdu_reorder(ni, m, rxs) != 0) { 481 m = NULL; 482 goto out; 483 } 484 resubmit_ampdu: 485 486 /* 487 * Handle privacy requirements. Note that we 488 * must not be preempted from here until after 489 * we (potentially) call ieee80211_crypto_demic; 490 * otherwise we may violate assumptions in the 491 * crypto cipher modules used to do delayed update 492 * of replay sequence numbers. 493 */ 494 if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) { 495 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 496 /* 497 * Discard encrypted frames when privacy is off. 498 */ 499 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 500 wh, "WEP", "%s", "PRIVACY off"); 501 vap->iv_stats.is_rx_noprivacy++; 502 IEEE80211_NODE_STAT(ni, rx_noprivacy); 503 goto out; 504 } 505 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 506 /* NB: stats+msgs handled in crypto_decap */ 507 IEEE80211_NODE_STAT(ni, rx_wepfail); 508 goto out; 509 } 510 wh = mtod(m, struct ieee80211_frame *); 511 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 512 has_decrypted = 1; 513 } else { 514 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 515 key = NULL; 516 } 517 518 /* 519 * Save QoS bits for use below--before we strip the header. 520 */ 521 if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA) 522 qos = ieee80211_getqos(wh)[0]; 523 else 524 qos = 0; 525 526 /* 527 * Next up, any fragmentation. 528 */ 529 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 530 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); 531 if (m == NULL) { 532 /* Fragment dropped or frame not complete yet */ 533 goto out; 534 } 535 } 536 wh = NULL; /* no longer valid, catch any uses */ 537 538 /* 539 * Next strip any MSDU crypto bits. 540 */ 541 if (!ieee80211_crypto_demic(vap, key, m, 0)) { 542 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 543 ni->ni_macaddr, "data", "%s", "demic error"); 544 vap->iv_stats.is_rx_demicfail++; 545 IEEE80211_NODE_STAT(ni, rx_demicfail); 546 goto out; 547 } 548 549 /* copy to listener after decrypt */ 550 if (ieee80211_radiotap_active_vap(vap)) 551 ieee80211_radiotap_rx(vap, m); 552 need_tap = 0; 553 554 /* 555 * Finally, strip the 802.11 header. 556 */ 557 m = ieee80211_decap(vap, m, hdrspace, qos); 558 if (m == NULL) { 559 /* XXX mask bit to check for both */ 560 /* don't count Null data frames as errors */ 561 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 562 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 563 goto out; 564 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 565 ni->ni_macaddr, "data", "%s", "decap error"); 566 vap->iv_stats.is_rx_decap++; 567 IEEE80211_NODE_STAT(ni, rx_decap); 568 goto err; 569 } 570 if (!(qos & IEEE80211_QOS_AMSDU)) 571 eh = mtod(m, struct ether_header *); 572 else 573 eh = NULL; 574 if (!ieee80211_node_is_authorized(ni)) { 575 /* 576 * Deny any non-PAE frames received prior to 577 * authorization. For open/shared-key 578 * authentication the port is mark authorized 579 * after authentication completes. For 802.1x 580 * the port is not marked authorized by the 581 * authenticator until the handshake has completed. 582 */ 583 if (eh == NULL || 584 eh->ether_type != htons(ETHERTYPE_PAE)) { 585 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 586 ni->ni_macaddr, "data", "unauthorized or " 587 "unknown port: ether type 0x%x len %u", 588 eh == NULL ? -1 : eh->ether_type, 589 m->m_pkthdr.len); 590 vap->iv_stats.is_rx_unauth++; 591 IEEE80211_NODE_STAT(ni, rx_unauth); 592 goto err; 593 } 594 } else { 595 /* 596 * When denying unencrypted frames, discard 597 * any non-PAE frames received without encryption. 598 */ 599 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 600 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && 601 (is_hw_decrypted == 0) && 602 (eh == NULL || 603 eh->ether_type != htons(ETHERTYPE_PAE))) { 604 /* 605 * Drop unencrypted frames. 606 */ 607 vap->iv_stats.is_rx_unencrypted++; 608 IEEE80211_NODE_STAT(ni, rx_unencrypted); 609 goto out; 610 } 611 } 612 /* XXX require HT? */ 613 if (qos & IEEE80211_QOS_AMSDU) { 614 m = ieee80211_decap_amsdu(ni, m); 615 if (m == NULL) 616 return IEEE80211_FC0_TYPE_DATA; 617 } else { 618#ifdef IEEE80211_SUPPORT_SUPERG 619 m = ieee80211_decap_fastframe(vap, ni, m); 620 if (m == NULL) 621 return IEEE80211_FC0_TYPE_DATA; 622#endif 623 } 624 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL) 625 ieee80211_deliver_data(ni->ni_wdsvap, ni, m); 626 else 627 ieee80211_deliver_data(vap, ni, m); 628 return IEEE80211_FC0_TYPE_DATA; 629 630 case IEEE80211_FC0_TYPE_MGT: 631 vap->iv_stats.is_rx_mgmt++; 632 IEEE80211_NODE_STAT(ni, rx_mgmt); 633 if (dir != IEEE80211_FC1_DIR_NODS) { 634 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 635 wh, "data", "incorrect dir 0x%x", dir); 636 vap->iv_stats.is_rx_wrongdir++; 637 goto err; 638 } 639 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 640 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 641 ni->ni_macaddr, "mgt", "too short: len %u", 642 m->m_pkthdr.len); 643 vap->iv_stats.is_rx_tooshort++; 644 goto out; 645 } 646#ifdef IEEE80211_DEBUG 647 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 648 ieee80211_msg_dumppkts(vap)) { 649 if_printf(ifp, "received %s from %s rssi %d\n", 650 ieee80211_mgt_subtype_name(subtype), 651 ether_sprintf(wh->i_addr2), rssi); 652 } 653#endif 654 if (IEEE80211_IS_PROTECTED(wh)) { 655 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 656 wh, NULL, "%s", "WEP set but not permitted"); 657 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 658 goto out; 659 } 660 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 661 goto out; 662 663 case IEEE80211_FC0_TYPE_CTL: 664 vap->iv_stats.is_rx_ctl++; 665 IEEE80211_NODE_STAT(ni, rx_ctrl); 666 vap->iv_recv_ctl(ni, m, subtype); 667 goto out; 668 669 default: 670 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 671 wh, "bad", "frame type 0x%x", type); 672 /* should not come here */ 673 break; 674 } 675err: 676 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 677out: 678 if (m != NULL) { 679 if (need_tap && ieee80211_radiotap_active_vap(vap)) 680 ieee80211_radiotap_rx(vap, m); 681 m_freem(m); 682 } 683 return type; 684} 685 686static int 687is11bclient(const uint8_t *rates, const uint8_t *xrates) 688{ 689 static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11); 690 int i; 691 692 /* NB: the 11b clients we care about will not have xrates */ 693 if (xrates != NULL || rates == NULL) 694 return 0; 695 for (i = 0; i < rates[1]; i++) { 696 int r = rates[2+i] & IEEE80211_RATE_VAL; 697 if (r > 2*11 || ((1<<r) & brates) == 0) 698 return 0; 699 } 700 return 1; 701} 702 703static void 704adhoc_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 705 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 706{ 707 struct ieee80211vap *vap = ni->ni_vap; 708 struct ieee80211com *ic = ni->ni_ic; 709 struct ieee80211_channel *rxchan = ic->ic_curchan; 710 struct ieee80211_frame *wh; 711 uint8_t *frm, *efrm; 712 uint8_t *ssid, *rates, *xrates; 713#if 0 714 int ht_state_change = 0; 715#endif 716 717 wh = mtod(m0, struct ieee80211_frame *); 718 frm = (uint8_t *)&wh[1]; 719 efrm = mtod(m0, uint8_t *) + m0->m_len; 720 721 IEEE80211_DPRINTF(vap, IEEE80211_MSG_INPUT | IEEE80211_MSG_DEBUG, 722 "%s: recv mgmt frame, addr2=%6D, ni=%p (%6D) fc=%.02x %.02x\n", 723 __func__, 724 wh->i_addr2, ":", 725 ni, 726 ni->ni_macaddr, ":", 727 wh->i_fc[0], 728 wh->i_fc[1]); 729 switch (subtype) { 730 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 731 case IEEE80211_FC0_SUBTYPE_BEACON: { 732 struct ieee80211_scanparams scan; 733 struct ieee80211_channel *c; 734 /* 735 * We process beacon/probe response 736 * frames to discover neighbors. 737 */ 738 if (rxs != NULL) { 739 c = ieee80211_lookup_channel_rxstatus(vap, rxs); 740 if (c != NULL) 741 rxchan = c; 742 } 743 if (ieee80211_parse_beacon(ni, m0, rxchan, &scan) != 0) 744 return; 745 /* 746 * Count frame now that we know it's to be processed. 747 */ 748 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 749 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 750 IEEE80211_NODE_STAT(ni, rx_beacons); 751 } else 752 IEEE80211_NODE_STAT(ni, rx_proberesp); 753 /* 754 * If scanning, just pass information to the scan module. 755 */ 756 if (ic->ic_flags & IEEE80211_F_SCAN) { 757 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 758 /* 759 * Actively scanning a channel marked passive; 760 * send a probe request now that we know there 761 * is 802.11 traffic present. 762 * 763 * XXX check if the beacon we recv'd gives 764 * us what we need and suppress the probe req 765 */ 766 ieee80211_probe_curchan(vap, 1); 767 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 768 } 769 ieee80211_add_scan(vap, rxchan, &scan, wh, 770 subtype, rssi, nf); 771 return; 772 } 773 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) { 774 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 775 /* 776 * Create a new entry in the neighbor table. 777 * 778 * XXX TODO: 779 * 780 * Here we're not scanning; so if we have an 781 * SSID then make sure it matches our SSID. 782 * Otherwise this code will match on all IBSS 783 * beacons/probe requests for all SSIDs, 784 * filling the node table with nodes that 785 * aren't ours. 786 */ 787 if (ieee80211_ibss_node_check_new(ni, &scan)) { 788 ni = ieee80211_add_neighbor(vap, wh, &scan); 789 /* 790 * Send a probe request so we announce 11n 791 * capabilities. 792 */ 793 ieee80211_send_probereq(ni, /* node */ 794 vap->iv_myaddr, /* SA */ 795 ni->ni_macaddr, /* DA */ 796 vap->iv_bss->ni_bssid, /* BSSID */ 797 vap->iv_bss->ni_essid, 798 vap->iv_bss->ni_esslen); /* SSID */ 799 } else 800 ni = NULL; 801 802 /* 803 * Send a probe request so we announce 11n 804 * capabilities. 805 * 806 * Don't do this if we're scanning. 807 */ 808 if (! (ic->ic_flags & IEEE80211_F_SCAN)) 809 ieee80211_send_probereq(ni, /* node */ 810 vap->iv_myaddr, /* SA */ 811 ni->ni_macaddr, /* DA */ 812 vap->iv_bss->ni_bssid, /* BSSID */ 813 vap->iv_bss->ni_essid, 814 vap->iv_bss->ni_esslen); /* SSID */ 815 816 } else if (ni->ni_capinfo == 0) { 817 /* 818 * Update faked node created on transmit. 819 * Note this also updates the tsf. 820 */ 821 ieee80211_init_neighbor(ni, wh, &scan); 822 823 /* 824 * Send a probe request so we announce 11n 825 * capabilities. 826 */ 827 ieee80211_send_probereq(ni, /* node */ 828 vap->iv_myaddr, /* SA */ 829 ni->ni_macaddr, /* DA */ 830 vap->iv_bss->ni_bssid, /* BSSID */ 831 vap->iv_bss->ni_essid, 832 vap->iv_bss->ni_esslen); /* SSID */ 833 } else { 834 /* 835 * Record tsf for potential resync. 836 */ 837 memcpy(ni->ni_tstamp.data, scan.tstamp, 838 sizeof(ni->ni_tstamp)); 839 } 840 /* 841 * This isn't enabled yet - otherwise it would 842 * update the HT parameters and channel width 843 * from any node, which could lead to lots of 844 * strange behaviour if the 11n nodes aren't 845 * exactly configured to match. 846 */ 847#if 0 848 if (scan.htcap != NULL && scan.htinfo != NULL && 849 (vap->iv_flags_ht & IEEE80211_FHT_HT)) { 850 ieee80211_ht_updateparams(ni, 851 scan.htcap, scan.htinfo)); 852 if (ieee80211_ht_updateparams_final(ni, 853 scan.htcap, scan.htinfo)) 854 ht_state_change = 1; 855 } 856 857 /* XXX same for VHT? */ 858#endif 859 if (ni != NULL) { 860 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 861 ni->ni_noise = nf; 862 } 863 /* 864 * Same here - the channel width change should 865 * be applied to the specific peer node, not 866 * to the ic. Ie, the interface configuration 867 * should stay in its current channel width; 868 * but it should change the rate control and 869 * any queued frames for the given node only. 870 * 871 * Since there's no (current) way to inform 872 * the driver that a channel width change has 873 * occurred for a single node, just stub this 874 * out. 875 */ 876#if 0 877 if (ht_state_change) 878 ieee80211_update_chw(ic); 879#endif 880 } 881 break; 882 } 883 884 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 885 if (vap->iv_state != IEEE80211_S_RUN) { 886 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 887 wh, NULL, "wrong state %s", 888 ieee80211_state_name[vap->iv_state]); 889 vap->iv_stats.is_rx_mgtdiscard++; 890 return; 891 } 892 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) { 893 /* frame must be directed */ 894 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 895 wh, NULL, "%s", "not unicast"); 896 vap->iv_stats.is_rx_mgtdiscard++; /* XXX stat */ 897 return; 898 } 899 900 /* 901 * prreq frame format 902 * [tlv] ssid 903 * [tlv] supported rates 904 * [tlv] extended supported rates 905 */ 906 ssid = rates = xrates = NULL; 907 while (efrm - frm > 1) { 908 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 909 switch (*frm) { 910 case IEEE80211_ELEMID_SSID: 911 ssid = frm; 912 break; 913 case IEEE80211_ELEMID_RATES: 914 rates = frm; 915 break; 916 case IEEE80211_ELEMID_XRATES: 917 xrates = frm; 918 break; 919 } 920 frm += frm[1] + 2; 921 } 922 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 923 if (xrates != NULL) 924 IEEE80211_VERIFY_ELEMENT(xrates, 925 IEEE80211_RATE_MAXSIZE - rates[1], return); 926 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return); 927 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return); 928 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) { 929 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 930 wh, NULL, 931 "%s", "no ssid with ssid suppression enabled"); 932 vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/ 933 return; 934 } 935 936 /* XXX find a better class or define it's own */ 937 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2, 938 "%s", "recv probe req"); 939 /* 940 * Some legacy 11b clients cannot hack a complete 941 * probe response frame. When the request includes 942 * only a bare-bones rate set, communicate this to 943 * the transmit side. 944 */ 945 ieee80211_send_proberesp(vap, wh->i_addr2, 946 is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); 947 948 /* 949 * Note: we don't benefit from stashing the probe request 950 * IEs away to use for IBSS negotiation, because we 951 * typically don't get all of the IEs. 952 */ 953 break; 954 955 case IEEE80211_FC0_SUBTYPE_ACTION: 956 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 957 if ((ni == vap->iv_bss) && 958 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) { 959 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 960 wh, NULL, "%s", "unknown node"); 961 vap->iv_stats.is_rx_mgtdiscard++; 962 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 963 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 964 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT | IEEE80211_MSG_DEBUG, 965 wh, NULL, "%s", "not for us"); 966 vap->iv_stats.is_rx_mgtdiscard++; 967 } else if (vap->iv_state != IEEE80211_S_RUN) { 968 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT | IEEE80211_MSG_DEBUG, 969 wh, NULL, "wrong state %s", 970 ieee80211_state_name[vap->iv_state]); 971 vap->iv_stats.is_rx_mgtdiscard++; 972 } else { 973 if (ieee80211_parse_action(ni, m0) == 0) 974 (void)ic->ic_recv_action(ni, wh, frm, efrm); 975 } 976 break; 977 978 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 979 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 980 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 981 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 982 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 983 case IEEE80211_FC0_SUBTYPE_ATIM: 984 case IEEE80211_FC0_SUBTYPE_DISASSOC: 985 case IEEE80211_FC0_SUBTYPE_AUTH: 986 case IEEE80211_FC0_SUBTYPE_DEAUTH: 987 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 988 wh, NULL, "%s", "not handled"); 989 vap->iv_stats.is_rx_mgtdiscard++; 990 break; 991 992 default: 993 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 994 wh, "mgt", "subtype 0x%x not handled", subtype); 995 vap->iv_stats.is_rx_badsubtype++; 996 break; 997 } 998} 999#undef IEEE80211_VERIFY_LENGTH 1000#undef IEEE80211_VERIFY_ELEMENT 1001 1002static void 1003ahdemo_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1004 int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 1005{ 1006 struct ieee80211vap *vap = ni->ni_vap; 1007 struct ieee80211com *ic = ni->ni_ic; 1008 1009 /* 1010 * Process management frames when scanning; useful for doing 1011 * a site-survey. 1012 */ 1013 if (ic->ic_flags & IEEE80211_F_SCAN) 1014 adhoc_recv_mgmt(ni, m0, subtype, rxs, rssi, nf); 1015 else { 1016#ifdef IEEE80211_DEBUG 1017 struct ieee80211_frame *wh; 1018 1019 wh = mtod(m0, struct ieee80211_frame *); 1020#endif 1021 switch (subtype) { 1022 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1023 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 1024 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 1025 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 1026 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1027 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1028 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 1029 case IEEE80211_FC0_SUBTYPE_BEACON: 1030 case IEEE80211_FC0_SUBTYPE_ATIM: 1031 case IEEE80211_FC0_SUBTYPE_DISASSOC: 1032 case IEEE80211_FC0_SUBTYPE_AUTH: 1033 case IEEE80211_FC0_SUBTYPE_DEAUTH: 1034 case IEEE80211_FC0_SUBTYPE_ACTION: 1035 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 1036 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 1037 wh, NULL, "%s", "not handled"); 1038 vap->iv_stats.is_rx_mgtdiscard++; 1039 break; 1040 default: 1041 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1042 wh, "mgt", "subtype 0x%x not handled", subtype); 1043 vap->iv_stats.is_rx_badsubtype++; 1044 break; 1045 } 1046 } 1047} 1048 1049static void 1050adhoc_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 1051{ 1052 1053 switch (subtype) { 1054 case IEEE80211_FC0_SUBTYPE_BAR: 1055 ieee80211_recv_bar(ni, m); 1056 break; 1057 } 1058} 1059