projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Staging: rt2860: remove dead DOT11N_DRAFT3 code
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / drivers / staging / rt2860 / common / cmm_sanity.c
1 /*
2 *************************************************************************
3 * Ralink Tech Inc.
4 * 5F., No.36, Taiyuan St., Jhubei City,
5 * Hsinchu County 302,
6 * Taiwan, R.O.C.
7 *
8 * (c) Copyright 2002-2007, Ralink Technology, Inc.
9 *
10 * This program is free software; you can redistribute it and/or modify *
11 * it under the terms of the GNU General Public License as published by *
12 * the Free Software Foundation; either version 2 of the License, or *
13 * (at your option) any later version. *
14 * *
15 * This program is distributed in the hope that it will be useful, *
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
18 * GNU General Public License for more details. *
19 * *
20 * You should have received a copy of the GNU General Public License *
21 * along with this program; if not, write to the *
22 * Free Software Foundation, Inc., *
23 * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
24 * *
25 *************************************************************************
26
27 Module Name:
28 sanity.c
29
30 Abstract:
31
32 Revision History:
33 Who When What
34 -------- ---------- ----------------------------------------------
35 John Chang 2004-09-01 add WMM support
36 */
37 #include "../rt_config.h"
38
39
40 extern UCHAR CISCO_OUI[];
41
42 extern UCHAR WPA_OUI[];
43 extern UCHAR RSN_OUI[];
44 extern UCHAR WME_INFO_ELEM[];
45 extern UCHAR WME_PARM_ELEM[];
46 extern UCHAR Ccx2QosInfo[];
47 extern UCHAR RALINK_OUI[];
48 extern UCHAR BROADCOM_OUI[];
49 extern UCHAR WPS_OUI[];
50
51 /*
52 ==========================================================================
53 Description:
54 MLME message sanity check
55 Return:
56 TRUE if all parameters are OK, FALSE otherwise
57
58 IRQL = DISPATCH_LEVEL
59
60 ==========================================================================
61 */
62 BOOLEAN MlmeAddBAReqSanity(
63 IN PRTMP_ADAPTER pAd,
64 IN VOID *Msg,
65 IN ULONG MsgLen,
66 OUT PUCHAR pAddr2)
67 {
68 PMLME_ADDBA_REQ_STRUCT pInfo;
69
70 pInfo = (MLME_ADDBA_REQ_STRUCT *)Msg;
71
72 if ((MsgLen != sizeof(MLME_ADDBA_REQ_STRUCT)))
73 {
74 DBGPRINT(RT_DEBUG_TRACE, ("MlmeAddBAReqSanity fail - message lenght not correct.\n"));
75 return FALSE;
76 }
77
78 if ((pInfo->Wcid >= MAX_LEN_OF_MAC_TABLE))
79 {
80 DBGPRINT(RT_DEBUG_TRACE, ("MlmeAddBAReqSanity fail - The peer Mac is not associated yet.\n"));
81 return FALSE;
82 }
83
84 if ((pInfo->pAddr[0]&0x01) == 0x01)
85 {
86 DBGPRINT(RT_DEBUG_TRACE, ("MlmeAddBAReqSanity fail - broadcast address not support BA\n"));
87 return FALSE;
88 }
89
90 return TRUE;
91 }
92
93 /*
94 ==========================================================================
95 Description:
96 MLME message sanity check
97 Return:
98 TRUE if all parameters are OK, FALSE otherwise
99
100 IRQL = DISPATCH_LEVEL
101
102 ==========================================================================
103 */
104 BOOLEAN MlmeDelBAReqSanity(
105 IN PRTMP_ADAPTER pAd,
106 IN VOID *Msg,
107 IN ULONG MsgLen)
108 {
109 MLME_DELBA_REQ_STRUCT *pInfo;
110 pInfo = (MLME_DELBA_REQ_STRUCT *)Msg;
111
112 if ((MsgLen != sizeof(MLME_DELBA_REQ_STRUCT)))
113 {
114 DBGPRINT(RT_DEBUG_ERROR, ("MlmeDelBAReqSanity fail - message lenght not correct.\n"));
115 return FALSE;
116 }
117
118 if ((pInfo->Wcid >= MAX_LEN_OF_MAC_TABLE))
119 {
120 DBGPRINT(RT_DEBUG_ERROR, ("MlmeDelBAReqSanity fail - The peer Mac is not associated yet.\n"));
121 return FALSE;
122 }
123
124 if ((pInfo->TID & 0xf0))
125 {
126 DBGPRINT(RT_DEBUG_ERROR, ("MlmeDelBAReqSanity fail - The peer TID is incorrect.\n"));
127 return FALSE;
128 }
129
130 if (NdisEqualMemory(pAd->MacTab.Content[pInfo->Wcid].Addr, pInfo->Addr, MAC_ADDR_LEN) == 0)
131 {
132 DBGPRINT(RT_DEBUG_ERROR, ("MlmeDelBAReqSanity fail - the peer addr dosen't exist.\n"));
133 return FALSE;
134 }
135
136 return TRUE;
137 }
138
139 BOOLEAN PeerAddBAReqActionSanity(
140 IN PRTMP_ADAPTER pAd,
141 IN VOID *pMsg,
142 IN ULONG MsgLen,
143 OUT PUCHAR pAddr2)
144 {
145 PFRAME_802_11 pFrame = (PFRAME_802_11)pMsg;
146 PFRAME_ADDBA_REQ pAddFrame;
147 pAddFrame = (PFRAME_ADDBA_REQ)(pMsg);
148 if (MsgLen < (sizeof(FRAME_ADDBA_REQ)))
149 {
150 DBGPRINT(RT_DEBUG_ERROR,("PeerAddBAReqActionSanity: ADDBA Request frame length size = %ld incorrect\n", MsgLen));
151 return FALSE;
152 }
153 // we support immediate BA.
154 *(USHORT *)(&pAddFrame->BaParm) = cpu2le16(*(USHORT *)(&pAddFrame->BaParm));
155 pAddFrame->TimeOutValue = cpu2le16(pAddFrame->TimeOutValue);
156 pAddFrame->BaStartSeq.word = cpu2le16(pAddFrame->BaStartSeq.word);
157
158 if (pAddFrame->BaParm.BAPolicy != IMMED_BA)
159 {
160 DBGPRINT(RT_DEBUG_ERROR,("PeerAddBAReqActionSanity: ADDBA Request Ba Policy[%d] not support\n", pAddFrame->BaParm.BAPolicy));
161 DBGPRINT(RT_DEBUG_ERROR,("ADDBA Request. tid=%x, Bufsize=%x, AMSDUSupported=%x \n", pAddFrame->BaParm.TID, pAddFrame->BaParm.BufSize, pAddFrame->BaParm.AMSDUSupported));
162 return FALSE;
163 }
164
165 // we support immediate BA.
166 if (pAddFrame->BaParm.TID &0xfff0)
167 {
168 DBGPRINT(RT_DEBUG_ERROR,("PeerAddBAReqActionSanity: ADDBA Request incorrect TID = %d\n", pAddFrame->BaParm.TID));
169 return FALSE;
170 }
171 COPY_MAC_ADDR(pAddr2, pFrame->Hdr.Addr2);
172 return TRUE;
173 }
174
175 BOOLEAN PeerAddBARspActionSanity(
176 IN PRTMP_ADAPTER pAd,
177 IN VOID *pMsg,
178 IN ULONG MsgLen)
179 {
180 PFRAME_ADDBA_RSP pAddFrame;
181
182 pAddFrame = (PFRAME_ADDBA_RSP)(pMsg);
183 if (MsgLen < (sizeof(FRAME_ADDBA_RSP)))
184 {
185 DBGPRINT(RT_DEBUG_ERROR,("PeerAddBARspActionSanity: ADDBA Response frame length size = %ld incorrect\n", MsgLen));
186 return FALSE;
187 }
188 // we support immediate BA.
189 *(USHORT *)(&pAddFrame->BaParm) = cpu2le16(*(USHORT *)(&pAddFrame->BaParm));
190 pAddFrame->StatusCode = cpu2le16(pAddFrame->StatusCode);
191 pAddFrame->TimeOutValue = cpu2le16(pAddFrame->TimeOutValue);
192
193 if (pAddFrame->BaParm.BAPolicy != IMMED_BA)
194 {
195 DBGPRINT(RT_DEBUG_ERROR,("PeerAddBAReqActionSanity: ADDBA Response Ba Policy[%d] not support\n", pAddFrame->BaParm.BAPolicy));
196 return FALSE;
197 }
198
199 // we support immediate BA.
200 if (pAddFrame->BaParm.TID &0xfff0)
201 {
202 DBGPRINT(RT_DEBUG_ERROR,("PeerAddBARspActionSanity: ADDBA Response incorrect TID = %d\n", pAddFrame->BaParm.TID));
203 return FALSE;
204 }
205 return TRUE;
206
207 }
208
209 BOOLEAN PeerDelBAActionSanity(
210 IN PRTMP_ADAPTER pAd,
211 IN UCHAR Wcid,
212 IN VOID *pMsg,
213 IN ULONG MsgLen )
214 {
215 //PFRAME_802_11 pFrame = (PFRAME_802_11)pMsg;
216 PFRAME_DELBA_REQ pDelFrame;
217 if (MsgLen != (sizeof(FRAME_DELBA_REQ)))
218 return FALSE;
219
220 if (Wcid >= MAX_LEN_OF_MAC_TABLE)
221 return FALSE;
222
223 pDelFrame = (PFRAME_DELBA_REQ)(pMsg);
224
225 *(USHORT *)(&pDelFrame->DelbaParm) = cpu2le16(*(USHORT *)(&pDelFrame->DelbaParm));
226 pDelFrame->ReasonCode = cpu2le16(pDelFrame->ReasonCode);
227
228 if (pDelFrame->DelbaParm.TID &0xfff0)
229 return FALSE;
230
231 return TRUE;
232 }
233
234 /*
235 ==========================================================================
236 Description:
237 MLME message sanity check
238 Return:
239 TRUE if all parameters are OK, FALSE otherwise
240
241 IRQL = DISPATCH_LEVEL
242
243 ==========================================================================
244 */
245 BOOLEAN PeerBeaconAndProbeRspSanity(
246 IN PRTMP_ADAPTER pAd,
247 IN VOID *Msg,
248 IN ULONG MsgLen,
249 IN UCHAR MsgChannel,
250 OUT PUCHAR pAddr2,
251 OUT PUCHAR pBssid,
252 OUT CHAR Ssid[],
253 OUT UCHAR *pSsidLen,
254 OUT UCHAR *pBssType,
255 OUT USHORT *pBeaconPeriod,
256 OUT UCHAR *pChannel,
257 OUT UCHAR *pNewChannel,
258 OUT LARGE_INTEGER *pTimestamp,
259 OUT CF_PARM *pCfParm,
260 OUT USHORT *pAtimWin,
261 OUT USHORT *pCapabilityInfo,
262 OUT UCHAR *pErp,
263 OUT UCHAR *pDtimCount,
264 OUT UCHAR *pDtimPeriod,
265 OUT UCHAR *pBcastFlag,
266 OUT UCHAR *pMessageToMe,
267 OUT UCHAR SupRate[],
268 OUT UCHAR *pSupRateLen,
269 OUT UCHAR ExtRate[],
270 OUT UCHAR *pExtRateLen,
271 OUT UCHAR *pCkipFlag,
272 OUT UCHAR *pAironetCellPowerLimit,
273 OUT PEDCA_PARM pEdcaParm,
274 OUT PQBSS_LOAD_PARM pQbssLoad,
275 OUT PQOS_CAPABILITY_PARM pQosCapability,
276 OUT ULONG *pRalinkIe,
277 OUT UCHAR *pHtCapabilityLen,
278 #ifdef CONFIG_STA_SUPPORT
279 OUT UCHAR *pPreNHtCapabilityLen,
280 #endif // CONFIG_STA_SUPPORT //
281 OUT HT_CAPABILITY_IE *pHtCapability,
282 OUT UCHAR *AddHtInfoLen,
283 OUT ADD_HT_INFO_IE *AddHtInfo,
284 OUT UCHAR *NewExtChannelOffset, // Ht extension channel offset(above or below)
285 OUT USHORT *LengthVIE,
286 OUT PNDIS_802_11_VARIABLE_IEs pVIE)
287 {
288 CHAR *Ptr;
289 #ifdef CONFIG_STA_SUPPORT
290 CHAR TimLen;
291 #endif // CONFIG_STA_SUPPORT //
292 PFRAME_802_11 pFrame;
293 PEID_STRUCT pEid;
294 UCHAR SubType;
295 UCHAR Sanity;
296 //UCHAR ECWMin, ECWMax;
297 //MAC_CSR9_STRUC Csr9;
298 ULONG Length = 0;
299
300 // For some 11a AP which didn't have DS_IE, we use two conditions to decide the channel
301 // 1. If the AP is 11n enabled, then check the control channel.
302 // 2. If the AP didn't have any info about channel, use the channel we received this frame as the channel. (May inaccuracy!!)
303 UCHAR CtrlChannel = 0;
304
305 // Add for 3 necessary EID field check
306 Sanity = 0;
307
308 *pAtimWin = 0;
309 *pErp = 0;
310 *pDtimCount = 0;
311 *pDtimPeriod = 0;
312 *pBcastFlag = 0;
313 *pMessageToMe = 0;
314 *pExtRateLen = 0;
315 *pCkipFlag = 0; // Default of CkipFlag is 0
316 *pAironetCellPowerLimit = 0xFF; // Default of AironetCellPowerLimit is 0xFF
317 *LengthVIE = 0; // Set the length of VIE to init value 0
318 *pHtCapabilityLen = 0; // Set the length of VIE to init value 0
319 #ifdef CONFIG_STA_SUPPORT
320 if (pAd->OpMode == OPMODE_STA)
321 *pPreNHtCapabilityLen = 0; // Set the length of VIE to init value 0
322 #endif // CONFIG_STA_SUPPORT //
323 *AddHtInfoLen = 0; // Set the length of VIE to init value 0
324 *pRalinkIe = 0;
325 *pNewChannel = 0;
326 *NewExtChannelOffset = 0xff; //Default 0xff means no such IE
327 pCfParm->bValid = FALSE; // default: no IE_CF found
328 pQbssLoad->bValid = FALSE; // default: no IE_QBSS_LOAD found
329 pEdcaParm->bValid = FALSE; // default: no IE_EDCA_PARAMETER found
330 pQosCapability->bValid = FALSE; // default: no IE_QOS_CAPABILITY found
331
332 pFrame = (PFRAME_802_11)Msg;
333
334 // get subtype from header
335 SubType = (UCHAR)pFrame->Hdr.FC.SubType;
336
337 // get Addr2 and BSSID from header
338 COPY_MAC_ADDR(pAddr2, pFrame->Hdr.Addr2);
339 COPY_MAC_ADDR(pBssid, pFrame->Hdr.Addr3);
340
341 Ptr = pFrame->Octet;
342 Length += LENGTH_802_11;
343
344 // get timestamp from payload and advance the pointer
345 NdisMoveMemory(pTimestamp, Ptr, TIMESTAMP_LEN);
346
347 pTimestamp->u.LowPart = cpu2le32(pTimestamp->u.LowPart);
348 pTimestamp->u.HighPart = cpu2le32(pTimestamp->u.HighPart);
349
350 Ptr += TIMESTAMP_LEN;
351 Length += TIMESTAMP_LEN;
352
353 // get beacon interval from payload and advance the pointer
354 NdisMoveMemory(pBeaconPeriod, Ptr, 2);
355 Ptr += 2;
356 Length += 2;
357
358 // get capability info from payload and advance the pointer
359 NdisMoveMemory(pCapabilityInfo, Ptr, 2);
360 Ptr += 2;
361 Length += 2;
362
363 if (CAP_IS_ESS_ON(*pCapabilityInfo))
364 *pBssType = BSS_INFRA;
365 else
366 *pBssType = BSS_ADHOC;
367
368 pEid = (PEID_STRUCT) Ptr;
369
370 // get variable fields from payload and advance the pointer
371 while ((Length + 2 + pEid->Len) <= MsgLen)
372 {
373 //
374 // Secure copy VIE to VarIE[MAX_VIE_LEN] didn't overflow.
375 //
376 if ((*LengthVIE + pEid->Len + 2) >= MAX_VIE_LEN)
377 {
378 DBGPRINT(RT_DEBUG_WARN, ("PeerBeaconAndProbeRspSanity - Variable IEs out of resource [len(=%d) > MAX_VIE_LEN(=%d)]\n",
379 (*LengthVIE + pEid->Len + 2), MAX_VIE_LEN));
380 break;
381 }
382
383 switch(pEid->Eid)
384 {
385 case IE_SSID:
386 // Already has one SSID EID in this beacon, ignore the second one
387 if (Sanity & 0x1)
388 break;
389 if(pEid->Len <= MAX_LEN_OF_SSID)
390 {
391 NdisMoveMemory(Ssid, pEid->Octet, pEid->Len);
392 *pSsidLen = pEid->Len;
393 Sanity |= 0x1;
394 }
395 else
396 {
397 DBGPRINT(RT_DEBUG_TRACE, ("PeerBeaconAndProbeRspSanity - wrong IE_SSID (len=%d)\n",pEid->Len));
398 return FALSE;
399 }
400 break;
401
402 case IE_SUPP_RATES:
403 if(pEid->Len <= MAX_LEN_OF_SUPPORTED_RATES)
404 {
405 Sanity |= 0x2;
406 NdisMoveMemory(SupRate, pEid->Octet, pEid->Len);
407 *pSupRateLen = pEid->Len;
408
409 // TODO: 2004-09-14 not a good design here, cause it exclude extra rates
410 // from ScanTab. We should report as is. And filter out unsupported
411 // rates in MlmeAux.
412 // Check against the supported rates
413 // RTMPCheckRates(pAd, SupRate, pSupRateLen);
414 }
415 else
416 {
417 DBGPRINT(RT_DEBUG_TRACE, ("PeerBeaconAndProbeRspSanity - wrong IE_SUPP_RATES (len=%d)\n",pEid->Len));
418 return FALSE;
419 }
420 break;
421
422 case IE_HT_CAP:
423 if (pEid->Len >= SIZE_HT_CAP_IE) //Note: allow extension.!!
424 {
425 NdisMoveMemory(pHtCapability, pEid->Octet, sizeof(HT_CAPABILITY_IE));
426 *pHtCapabilityLen = SIZE_HT_CAP_IE; // Nnow we only support 26 bytes.
427
428 *(USHORT *)(&pHtCapability->HtCapInfo) = cpu2le16(*(USHORT *)(&pHtCapability->HtCapInfo));
429 *(USHORT *)(&pHtCapability->ExtHtCapInfo) = cpu2le16(*(USHORT *)(&pHtCapability->ExtHtCapInfo));
430
431 #ifdef CONFIG_STA_SUPPORT
432 IF_DEV_CONFIG_OPMODE_ON_STA(pAd)
433 {
434 *pPreNHtCapabilityLen = 0; // Nnow we only support 26 bytes.
435
436 Ptr = (PUCHAR) pVIE;
437 NdisMoveMemory(Ptr + *LengthVIE, &pEid->Eid, pEid->Len + 2);
438 *LengthVIE += (pEid->Len + 2);
439 }
440 #endif // CONFIG_STA_SUPPORT //
441 }
442 else
443 {
444 DBGPRINT(RT_DEBUG_WARN, ("PeerBeaconAndProbeRspSanity - wrong IE_HT_CAP. pEid->Len = %d\n", pEid->Len));
445 }
446
447 break;
448 case IE_ADD_HT:
449 if (pEid->Len >= sizeof(ADD_HT_INFO_IE))
450 {
451 // This IE allows extension, but we can ignore extra bytes beyond our knowledge , so only
452 // copy first sizeof(ADD_HT_INFO_IE)
453 NdisMoveMemory(AddHtInfo, pEid->Octet, sizeof(ADD_HT_INFO_IE));
454 *AddHtInfoLen = SIZE_ADD_HT_INFO_IE;
455
456 CtrlChannel = AddHtInfo->ControlChan;
457
458 *(USHORT *)(&AddHtInfo->AddHtInfo2) = cpu2le16(*(USHORT *)(&AddHtInfo->AddHtInfo2));
459 *(USHORT *)(&AddHtInfo->AddHtInfo3) = cpu2le16(*(USHORT *)(&AddHtInfo->AddHtInfo3));
460
461 #ifdef CONFIG_STA_SUPPORT
462 IF_DEV_CONFIG_OPMODE_ON_STA(pAd)
463 {
464 Ptr = (PUCHAR) pVIE;
465 NdisMoveMemory(Ptr + *LengthVIE, &pEid->Eid, pEid->Len + 2);
466 *LengthVIE += (pEid->Len + 2);
467 }
468 #endif // CONFIG_STA_SUPPORT //
469 }
470 else
471 {
472 DBGPRINT(RT_DEBUG_WARN, ("PeerBeaconAndProbeRspSanity - wrong IE_ADD_HT. \n"));
473 }
474
475 break;
476 case IE_SECONDARY_CH_OFFSET:
477 if (pEid->Len == 1)
478 {
479 *NewExtChannelOffset = pEid->Octet[0];
480 }
481 else
482 {
483 DBGPRINT(RT_DEBUG_WARN, ("PeerBeaconAndProbeRspSanity - wrong IE_SECONDARY_CH_OFFSET. \n"));
484 }
485
486 break;
487 case IE_FH_PARM:
488 DBGPRINT(RT_DEBUG_TRACE, ("PeerBeaconAndProbeRspSanity(IE_FH_PARM) \n"));
489 break;
490
491 case IE_DS_PARM:
492 if(pEid->Len == 1)
493 {
494 *pChannel = *pEid->Octet;
495 #ifdef CONFIG_STA_SUPPORT
496 IF_DEV_CONFIG_OPMODE_ON_STA(pAd)
497 {
498 if (ChannelSanity(pAd, *pChannel) == 0)
499 {
500
501 return FALSE;
502 }
503 }
504 #endif // CONFIG_STA_SUPPORT //
505 Sanity |= 0x4;
506 }
507 else
508 {
509 DBGPRINT(RT_DEBUG_TRACE, ("PeerBeaconAndProbeRspSanity - wrong IE_DS_PARM (len=%d)\n",pEid->Len));
510 return FALSE;
511 }
512 break;
513
514 case IE_CF_PARM:
515 if(pEid->Len == 6)
516 {
517 pCfParm->bValid = TRUE;
518 pCfParm->CfpCount = pEid->Octet[0];
519 pCfParm->CfpPeriod = pEid->Octet[1];
520 pCfParm->CfpMaxDuration = pEid->Octet[2] + 256 * pEid->Octet[3];
521 pCfParm->CfpDurRemaining = pEid->Octet[4] + 256 * pEid->Octet[5];
522 }
523 else
524 {
525 DBGPRINT(RT_DEBUG_TRACE, ("PeerBeaconAndProbeRspSanity - wrong IE_CF_PARM\n"));
526 return FALSE;
527 }
528 break;
529
530 case IE_IBSS_PARM:
531 if(pEid->Len == 2)
532 {
533 NdisMoveMemory(pAtimWin, pEid->Octet, pEid->Len);
534 }
535 else
536 {
537 DBGPRINT(RT_DEBUG_TRACE, ("PeerBeaconAndProbeRspSanity - wrong IE_IBSS_PARM\n"));
538 return FALSE;
539 }
540 break;
541
542 #ifdef CONFIG_STA_SUPPORT
543 case IE_TIM:
544 if(INFRA_ON(pAd) && SubType == SUBTYPE_BEACON)
545 {
546 GetTimBit((PUCHAR)pEid, pAd->StaActive.Aid, &TimLen, pBcastFlag, pDtimCount, pDtimPeriod, pMessageToMe);
547 }
548 break;
549 #endif // CONFIG_STA_SUPPORT //
550 case IE_CHANNEL_SWITCH_ANNOUNCEMENT:
551 if(pEid->Len == 3)
552 {
553 *pNewChannel = pEid->Octet[1]; //extract new channel number
554 }
555 break;
556
557 // New for WPA
558 // CCX v2 has the same IE, we need to parse that too
559 // Wifi WMM use the same IE vale, need to parse that too
560 // case IE_WPA:
561 case IE_VENDOR_SPECIFIC:
562 // Check the OUI version, filter out non-standard usage
563 if (NdisEqualMemory(pEid->Octet, RALINK_OUI, 3) && (pEid->Len == 7))
564 {
565 //*pRalinkIe = pEid->Octet[3];
566 if (pEid->Octet[3] != 0)
567 *pRalinkIe = pEid->Octet[3];
568 else
569 *pRalinkIe = 0xf0000000; // Set to non-zero value (can't set bit0-2) to represent this is Ralink Chip. So at linkup, we will set ralinkchip flag.
570 }
571 #ifdef CONFIG_STA_SUPPORT
572 #ifdef DOT11_N_SUPPORT
573 // This HT IE is before IEEE draft set HT IE value.2006-09-28 by Jan.
574
575 // Other vendors had production before IE_HT_CAP value is assigned. To backward support those old-firmware AP,
576 // Check broadcom-defiend pre-802.11nD1.0 OUI for HT related IE, including HT Capatilities IE and HT Information IE
577 else if ((*pHtCapabilityLen == 0) && NdisEqualMemory(pEid->Octet, PRE_N_HT_OUI, 3) && (pEid->Len >= 4) && (pAd->OpMode == OPMODE_STA))
578 {
579 if ((pEid->Octet[3] == OUI_PREN_HT_CAP) && (pEid->Len >= 30) && (*pHtCapabilityLen == 0))
580 {
581 NdisMoveMemory(pHtCapability, &pEid->Octet[4], sizeof(HT_CAPABILITY_IE));
582 *pPreNHtCapabilityLen = SIZE_HT_CAP_IE;
583 }
584
585 if ((pEid->Octet[3] == OUI_PREN_ADD_HT) && (pEid->Len >= 26))
586 {
587 NdisMoveMemory(AddHtInfo, &pEid->Octet[4], sizeof(ADD_HT_INFO_IE));
588 *AddHtInfoLen = SIZE_ADD_HT_INFO_IE;
589 }
590 }
591 #endif // DOT11_N_SUPPORT //
592 #endif // CONFIG_STA_SUPPORT //
593 else if (NdisEqualMemory(pEid->Octet, WPA_OUI, 4))
594 {
595 // Copy to pVIE which will report to microsoft bssid list.
596 Ptr = (PUCHAR) pVIE;
597 NdisMoveMemory(Ptr + *LengthVIE, &pEid->Eid, pEid->Len + 2);
598 *LengthVIE += (pEid->Len + 2);
599 }
600 else if (NdisEqualMemory(pEid->Octet, WME_PARM_ELEM, 6) && (pEid->Len == 24))
601 {
602 PUCHAR ptr;
603 int i;
604
605 // parsing EDCA parameters
606 pEdcaParm->bValid = TRUE;
607 pEdcaParm->bQAck = FALSE; // pEid->Octet[0] & 0x10;
608 pEdcaParm->bQueueRequest = FALSE; // pEid->Octet[0] & 0x20;
609 pEdcaParm->bTxopRequest = FALSE; // pEid->Octet[0] & 0x40;
610 pEdcaParm->EdcaUpdateCount = pEid->Octet[6] & 0x0f;
611 pEdcaParm->bAPSDCapable = (pEid->Octet[6] & 0x80) ? 1 : 0;
612 ptr = &pEid->Octet[8];
613 for (i=0; i<4; i++)
614 {
615 UCHAR aci = (*ptr & 0x60) >> 5; // b5~6 is AC INDEX
616 pEdcaParm->bACM[aci] = (((*ptr) & 0x10) == 0x10); // b5 is ACM
617 pEdcaParm->Aifsn[aci] = (*ptr) & 0x0f; // b0~3 is AIFSN
618 pEdcaParm->Cwmin[aci] = *(ptr+1) & 0x0f; // b0~4 is Cwmin
619 pEdcaParm->Cwmax[aci] = *(ptr+1) >> 4; // b5~8 is Cwmax
620 pEdcaParm->Txop[aci] = *(ptr+2) + 256 * (*(ptr+3)); // in unit of 32-us
621 ptr += 4; // point to next AC
622 }
623 }
624 else if (NdisEqualMemory(pEid->Octet, WME_INFO_ELEM, 6) && (pEid->Len == 7))
625 {
626 // parsing EDCA parameters
627 pEdcaParm->bValid = TRUE;
628 pEdcaParm->bQAck = FALSE; // pEid->Octet[0] & 0x10;
629 pEdcaParm->bQueueRequest = FALSE; // pEid->Octet[0] & 0x20;
630 pEdcaParm->bTxopRequest = FALSE; // pEid->Octet[0] & 0x40;
631 pEdcaParm->EdcaUpdateCount = pEid->Octet[6] & 0x0f;
632 pEdcaParm->bAPSDCapable = (pEid->Octet[6] & 0x80) ? 1 : 0;
633
634 // use default EDCA parameter
635 pEdcaParm->bACM[QID_AC_BE] = 0;
636 pEdcaParm->Aifsn[QID_AC_BE] = 3;
637 pEdcaParm->Cwmin[QID_AC_BE] = CW_MIN_IN_BITS;
638 pEdcaParm->Cwmax[QID_AC_BE] = CW_MAX_IN_BITS;
639 pEdcaParm->Txop[QID_AC_BE] = 0;
640
641 pEdcaParm->bACM[QID_AC_BK] = 0;
642 pEdcaParm->Aifsn[QID_AC_BK] = 7;
643 pEdcaParm->Cwmin[QID_AC_BK] = CW_MIN_IN_BITS;
644 pEdcaParm->Cwmax[QID_AC_BK] = CW_MAX_IN_BITS;
645 pEdcaParm->Txop[QID_AC_BK] = 0;
646
647 pEdcaParm->bACM[QID_AC_VI] = 0;
648 pEdcaParm->Aifsn[QID_AC_VI] = 2;
649 pEdcaParm->Cwmin[QID_AC_VI] = CW_MIN_IN_BITS-1;
650 pEdcaParm->Cwmax[QID_AC_VI] = CW_MAX_IN_BITS;
651 pEdcaParm->Txop[QID_AC_VI] = 96; // AC_VI: 96*32us ~= 3ms
652
653 pEdcaParm->bACM[QID_AC_VO] = 0;
654 pEdcaParm->Aifsn[QID_AC_VO] = 2;
655 pEdcaParm->Cwmin[QID_AC_VO] = CW_MIN_IN_BITS-2;
656 pEdcaParm->Cwmax[QID_AC_VO] = CW_MAX_IN_BITS-1;
657 pEdcaParm->Txop[QID_AC_VO] = 48; // AC_VO: 48*32us ~= 1.5ms
658 }
659 break;
660
661 case IE_EXT_SUPP_RATES:
662 if (pEid->Len <= MAX_LEN_OF_SUPPORTED_RATES)
663 {
664 NdisMoveMemory(ExtRate, pEid->Octet, pEid->Len);
665 *pExtRateLen = pEid->Len;
666
667 // TODO: 2004-09-14 not a good design here, cause it exclude extra rates
668 // from ScanTab. We should report as is. And filter out unsupported
669 // rates in MlmeAux.
670 // Check against the supported rates
671 // RTMPCheckRates(pAd, ExtRate, pExtRateLen);
672 }
673 break;
674
675 case IE_ERP:
676 if (pEid->Len == 1)
677 {
678 *pErp = (UCHAR)pEid->Octet[0];
679 }
680 break;
681
682 case IE_AIRONET_CKIP:
683 // 0. Check Aironet IE length, it must be larger or equal to 28
684 // Cisco AP350 used length as 28
685 // Cisco AP12XX used length as 30
686 if (pEid->Len < (CKIP_NEGOTIATION_LENGTH - 2))
687 break;
688
689 // 1. Copy CKIP flag byte to buffer for process
690 *pCkipFlag = *(pEid->Octet + 8);
691 break;
692
693 case IE_AP_TX_POWER:
694 // AP Control of Client Transmit Power
695 //0. Check Aironet IE length, it must be 6
696 if (pEid->Len != 0x06)
697 break;
698
699 // Get cell power limit in dBm
700 if (NdisEqualMemory(pEid->Octet, CISCO_OUI, 3) == 1)
701 *pAironetCellPowerLimit = *(pEid->Octet + 4);
702 break;
703
704 // WPA2 & 802.11i RSN
705 case IE_RSN:
706 // There is no OUI for version anymore, check the group cipher OUI before copying
707 if (RTMPEqualMemory(pEid->Octet + 2, RSN_OUI, 3))
708 {
709 // Copy to pVIE which will report to microsoft bssid list.
710 Ptr = (PUCHAR) pVIE;
711 NdisMoveMemory(Ptr + *LengthVIE, &pEid->Eid, pEid->Len + 2);
712 *LengthVIE += (pEid->Len + 2);
713 }
714 break;
715
716 default:
717 break;
718 }
719
720 Length = Length + 2 + pEid->Len; // Eid[1] + Len[1]+ content[Len]
721 pEid = (PEID_STRUCT)((UCHAR*)pEid + 2 + pEid->Len);
722 }
723
724 // For some 11a AP. it did not have the channel EID, patch here
725 #ifdef CONFIG_STA_SUPPORT
726 IF_DEV_CONFIG_OPMODE_ON_STA(pAd)
727 {
728 UCHAR LatchRfChannel = MsgChannel;
729 if ((pAd->LatchRfRegs.Channel > 14) && ((Sanity & 0x4) == 0))
730 {
731 if (CtrlChannel != 0)
732 *pChannel = CtrlChannel;
733 else
734 *pChannel = LatchRfChannel;
735 Sanity |= 0x4;
736 }
737 }
738 #endif // CONFIG_STA_SUPPORT //
739
740 if (Sanity != 0x7)
741 {
742 DBGPRINT(RT_DEBUG_WARN, ("PeerBeaconAndProbeRspSanity - missing field, Sanity=0x%02x\n", Sanity));
743 return FALSE;
744 }
745 else
746 {
747 return TRUE;
748 }
749
750 }
751
752 /*
753 ==========================================================================
754 Description:
755 MLME message sanity check
756 Return:
757 TRUE if all parameters are OK, FALSE otherwise
758 ==========================================================================
759 */
760 BOOLEAN MlmeScanReqSanity(
761 IN PRTMP_ADAPTER pAd,
762 IN VOID *Msg,
763 IN ULONG MsgLen,
764 OUT UCHAR *pBssType,
765 OUT CHAR Ssid[],
766 OUT UCHAR *pSsidLen,
767 OUT UCHAR *pScanType)
768 {
769 MLME_SCAN_REQ_STRUCT *Info;
770
771 Info = (MLME_SCAN_REQ_STRUCT *)(Msg);
772 *pBssType = Info->BssType;
773 *pSsidLen = Info->SsidLen;
774 NdisMoveMemory(Ssid, Info->Ssid, *pSsidLen);
775 *pScanType = Info->ScanType;
776
777 if ((*pBssType == BSS_INFRA || *pBssType == BSS_ADHOC || *pBssType == BSS_ANY)
778 && (*pScanType == SCAN_ACTIVE || *pScanType == SCAN_PASSIVE
779 #ifdef CONFIG_STA_SUPPORT
780 || *pScanType == SCAN_CISCO_PASSIVE || *pScanType == SCAN_CISCO_ACTIVE
781 || *pScanType == SCAN_CISCO_CHANNEL_LOAD || *pScanType == SCAN_CISCO_NOISE
782 #endif // CONFIG_STA_SUPPORT //
783 ))
784 {
785 return TRUE;
786 }
787 else
788 {
789 DBGPRINT(RT_DEBUG_TRACE, ("MlmeScanReqSanity fail - wrong BssType or ScanType\n"));
790 return FALSE;
791 }
792 }
793
794 // IRQL = DISPATCH_LEVEL
795 UCHAR ChannelSanity(
796 IN PRTMP_ADAPTER pAd,
797 IN UCHAR channel)
798 {
799 int i;
800
801 for (i = 0; i < pAd->ChannelListNum; i ++)
802 {
803 if (channel == pAd->ChannelList[i].Channel)
804 return 1;
805 }
806 return 0;
807 }
808
809 /*
810 ==========================================================================
811 Description:
812 MLME message sanity check
813 Return:
814 TRUE if all parameters are OK, FALSE otherwise
815
816 IRQL = DISPATCH_LEVEL
817
818 ==========================================================================
819 */
820 BOOLEAN PeerDeauthSanity(
821 IN PRTMP_ADAPTER pAd,
822 IN VOID *Msg,
823 IN ULONG MsgLen,
824 OUT PUCHAR pAddr2,
825 OUT USHORT *pReason)
826 {
827 PFRAME_802_11 pFrame = (PFRAME_802_11)Msg;
828
829 COPY_MAC_ADDR(pAddr2, pFrame->Hdr.Addr2);
830 NdisMoveMemory(pReason, &pFrame->Octet[0], 2);
831
832 return TRUE;
833 }
834
835 /*
836 ==========================================================================
837 Description:
838 MLME message sanity check
839 Return:
840 TRUE if all parameters are OK, FALSE otherwise
841
842 IRQL = DISPATCH_LEVEL
843
844 ==========================================================================
845 */
846 BOOLEAN PeerAuthSanity(
847 IN PRTMP_ADAPTER pAd,
848 IN VOID *Msg,
849 IN ULONG MsgLen,
850 OUT PUCHAR pAddr,
851 OUT USHORT *pAlg,
852 OUT USHORT *pSeq,
853 OUT USHORT *pStatus,
854 CHAR *pChlgText)
855 {
856 PFRAME_802_11 pFrame = (PFRAME_802_11)Msg;
857
858 COPY_MAC_ADDR(pAddr, pFrame->Hdr.Addr2);
859 NdisMoveMemory(pAlg, &pFrame->Octet[0], 2);
860 NdisMoveMemory(pSeq, &pFrame->Octet[2], 2);
861 NdisMoveMemory(pStatus, &pFrame->Octet[4], 2);
862
863 if ((*pAlg == Ndis802_11AuthModeOpen)
864 )
865 {
866 if (*pSeq == 1 || *pSeq == 2)
867 {
868 return TRUE;
869 }
870 else
871 {
872 DBGPRINT(RT_DEBUG_TRACE, ("PeerAuthSanity fail - wrong Seg#\n"));
873 return FALSE;
874 }
875 }
876 else if (*pAlg == Ndis802_11AuthModeShared)
877 {
878 if (*pSeq == 1 || *pSeq == 4)
879 {
880 return TRUE;
881 }
882 else if (*pSeq == 2 || *pSeq == 3)
883 {
884 NdisMoveMemory(pChlgText, &pFrame->Octet[8], CIPHER_TEXT_LEN);
885 return TRUE;
886 }
887 else
888 {
889 DBGPRINT(RT_DEBUG_TRACE, ("PeerAuthSanity fail - wrong Seg#\n"));
890 return FALSE;
891 }
892 }
893 else
894 {
895 DBGPRINT(RT_DEBUG_TRACE, ("PeerAuthSanity fail - wrong algorithm\n"));
896 return FALSE;
897 }
898 }
899
900 /*
901 ==========================================================================
902 Description:
903 MLME message sanity check
904 Return:
905 TRUE if all parameters are OK, FALSE otherwise
906 ==========================================================================
907 */
908 BOOLEAN MlmeAuthReqSanity(
909 IN PRTMP_ADAPTER pAd,
910 IN VOID *Msg,
911 IN ULONG MsgLen,
912 OUT PUCHAR pAddr,
913 OUT ULONG *pTimeout,
914 OUT USHORT *pAlg)
915 {
916 MLME_AUTH_REQ_STRUCT *pInfo;
917
918 pInfo = (MLME_AUTH_REQ_STRUCT *)Msg;
919 COPY_MAC_ADDR(pAddr, pInfo->Addr);
920 *pTimeout = pInfo->Timeout;
921 *pAlg = pInfo->Alg;
922
923 if (((*pAlg == Ndis802_11AuthModeShared) ||(*pAlg == Ndis802_11AuthModeOpen)
924 ) &&
925 ((*pAddr & 0x01) == 0))
926 {
927 return TRUE;
928 }
929 else
930 {
931 DBGPRINT(RT_DEBUG_TRACE, ("MlmeAuthReqSanity fail - wrong algorithm\n"));
932 return FALSE;
933 }
934 }
935
936 /*
937 ==========================================================================
938 Description:
939 MLME message sanity check
940 Return:
941 TRUE if all parameters are OK, FALSE otherwise
942
943 IRQL = DISPATCH_LEVEL
944
945 ==========================================================================
946 */
947 BOOLEAN MlmeAssocReqSanity(
948 IN PRTMP_ADAPTER pAd,
949 IN VOID *Msg,
950 IN ULONG MsgLen,
951 OUT PUCHAR pApAddr,
952 OUT USHORT *pCapabilityInfo,
953 OUT ULONG *pTimeout,
954 OUT USHORT *pListenIntv)
955 {
956 MLME_ASSOC_REQ_STRUCT *pInfo;
957
958 pInfo = (MLME_ASSOC_REQ_STRUCT *)Msg;
959 *pTimeout = pInfo->Timeout; // timeout
960 COPY_MAC_ADDR(pApAddr, pInfo->Addr); // AP address
961 *pCapabilityInfo = pInfo->CapabilityInfo; // capability info
962 *pListenIntv = pInfo->ListenIntv;
963
964 return TRUE;
965 }
966
967 /*
968 ==========================================================================
969 Description:
970 MLME message sanity check
971 Return:
972 TRUE if all parameters are OK, FALSE otherwise
973
974 IRQL = DISPATCH_LEVEL
975
976 ==========================================================================
977 */
978 BOOLEAN PeerDisassocSanity(
979 IN PRTMP_ADAPTER pAd,
980 IN VOID *Msg,
981 IN ULONG MsgLen,
982 OUT PUCHAR pAddr2,
983 OUT USHORT *pReason)
984 {
985 PFRAME_802_11 pFrame = (PFRAME_802_11)Msg;
986
987 COPY_MAC_ADDR(pAddr2, pFrame->Hdr.Addr2);
988 NdisMoveMemory(pReason, &pFrame->Octet[0], 2);
989
990 return TRUE;
991 }
992
993 /*
994 ========================================================================
995 Routine Description:
996 Sanity check NetworkType (11b, 11g or 11a)
997
998 Arguments:
999 pBss - Pointer to BSS table.
1000
1001 Return Value:
1002 Ndis802_11DS .......(11b)
1003 Ndis802_11OFDM24....(11g)
1004 Ndis802_11OFDM5.....(11a)
1005
1006 IRQL = DISPATCH_LEVEL
1007
1008 ========================================================================
1009 */
1010 NDIS_802_11_NETWORK_TYPE NetworkTypeInUseSanity(
1011 IN PBSS_ENTRY pBss)
1012 {
1013 NDIS_802_11_NETWORK_TYPE NetWorkType;
1014 UCHAR rate, i;
1015
1016 NetWorkType = Ndis802_11DS;
1017
1018 if (pBss->Channel <= 14)
1019 {
1020 //
1021 // First check support Rate.
1022 //
1023 for (i = 0; i < pBss->SupRateLen; i++)
1024 {
1025 rate = pBss->SupRate[i] & 0x7f; // Mask out basic rate set bit
1026 if ((rate == 2) || (rate == 4) || (rate == 11) || (rate == 22))
1027 {
1028 continue;
1029 }
1030 else
1031 {
1032 //
1033 // Otherwise (even rate > 108) means Ndis802_11OFDM24
1034 //
1035 NetWorkType = Ndis802_11OFDM24;
1036 break;
1037 }
1038 }
1039
1040 //
1041 // Second check Extend Rate.
1042 //
1043 if (NetWorkType != Ndis802_11OFDM24)
1044 {
1045 for (i = 0; i < pBss->ExtRateLen; i++)
1046 {
1047 rate = pBss->SupRate[i] & 0x7f; // Mask out basic rate set bit
1048 if ((rate == 2) || (rate == 4) || (rate == 11) || (rate == 22))
1049 {
1050 continue;
1051 }
1052 else
1053 {
1054 //
1055 // Otherwise (even rate > 108) means Ndis802_11OFDM24
1056 //
1057 NetWorkType = Ndis802_11OFDM24;
1058 break;
1059 }
1060 }
1061 }
1062 }
1063 else
1064 {
1065 NetWorkType = Ndis802_11OFDM5;
1066 }
1067
1068 if (pBss->HtCapabilityLen != 0)
1069 {
1070 if (NetWorkType == Ndis802_11OFDM5)
1071 NetWorkType = Ndis802_11OFDM5_N;
1072 else
1073 NetWorkType = Ndis802_11OFDM24_N;
1074 }
1075
1076 return NetWorkType;
1077 }
1078
1079 /*
1080 ==========================================================================
1081 Description:
1082 WPA message sanity check
1083 Return:
1084 TRUE if all parameters are OK, FALSE otherwise
1085 ==========================================================================
1086 */
1087 BOOLEAN PeerWpaMessageSanity(
1088 IN PRTMP_ADAPTER pAd,
1089 IN PEAPOL_PACKET pMsg,
1090 IN ULONG MsgLen,
1091 IN UCHAR MsgType,
1092 IN MAC_TABLE_ENTRY *pEntry)
1093 {
1094 UCHAR mic[LEN_KEY_DESC_MIC], digest[80], KEYDATA[MAX_LEN_OF_RSNIE];
1095 BOOLEAN bReplayDiff = FALSE;
1096 BOOLEAN bWPA2 = FALSE;
1097 KEY_INFO EapolKeyInfo;
1098 UCHAR GroupKeyIndex = 0;
1099
1100
1101 NdisZeroMemory(mic, sizeof(mic));
1102 NdisZeroMemory(digest, sizeof(digest));
1103 NdisZeroMemory(KEYDATA, sizeof(KEYDATA));
1104 NdisZeroMemory((PUCHAR)&EapolKeyInfo, sizeof(EapolKeyInfo));
1105
1106 NdisMoveMemory((PUCHAR)&EapolKeyInfo, (PUCHAR)&pMsg->KeyDesc.KeyInfo, sizeof(KEY_INFO));
1107
1108 *((USHORT *)&EapolKeyInfo) = cpu2le16(*((USHORT *)&EapolKeyInfo));
1109
1110 // Choose WPA2 or not
1111 if ((pEntry->AuthMode == Ndis802_11AuthModeWPA2) || (pEntry->AuthMode == Ndis802_11AuthModeWPA2PSK))
1112 bWPA2 = TRUE;
1113
1114 // 0. Check MsgType
1115 if ((MsgType > EAPOL_GROUP_MSG_2) || (MsgType < EAPOL_PAIR_MSG_1))
1116 {
1117 DBGPRINT(RT_DEBUG_ERROR, ("The message type is invalid(%d)! \n", MsgType));
1118 return FALSE;
1119 }
1120
1121 // 1. Replay counter check
1122 if (MsgType == EAPOL_PAIR_MSG_1 || MsgType == EAPOL_PAIR_MSG_3 || MsgType == EAPOL_GROUP_MSG_1) // For supplicant
1123 {
1124 // First validate replay counter, only accept message with larger replay counter.
1125 // Let equal pass, some AP start with all zero replay counter
1126 UCHAR ZeroReplay[LEN_KEY_DESC_REPLAY];
1127
1128 NdisZeroMemory(ZeroReplay, LEN_KEY_DESC_REPLAY);
1129 if ((RTMPCompareMemory(pMsg->KeyDesc.ReplayCounter, pEntry->R_Counter, LEN_KEY_DESC_REPLAY) != 1) &&
1130 (RTMPCompareMemory(pMsg->KeyDesc.ReplayCounter, ZeroReplay, LEN_KEY_DESC_REPLAY) != 0))
1131 {
1132 bReplayDiff = TRUE;
1133 }
1134 }
1135 else if (MsgType == EAPOL_PAIR_MSG_2 || MsgType == EAPOL_PAIR_MSG_4 || MsgType == EAPOL_GROUP_MSG_2) // For authenticator
1136 {
1137 // check Replay Counter coresponds to MSG from authenticator, otherwise discard
1138 if (!NdisEqualMemory(pMsg->KeyDesc.ReplayCounter, pEntry->R_Counter, LEN_KEY_DESC_REPLAY))
1139 {
1140 bReplayDiff = TRUE;
1141 }
1142 }
1143
1144 // Replay Counter different condition
1145 if (bReplayDiff)
1146 {
1147 // send wireless event - for replay counter different
1148 if (pAd->CommonCfg.bWirelessEvent)
1149 RTMPSendWirelessEvent(pAd, IW_REPLAY_COUNTER_DIFF_EVENT_FLAG, pEntry->Addr, pEntry->apidx, 0);
1150
1151 if (MsgType < EAPOL_GROUP_MSG_1)
1152 {
1153 DBGPRINT(RT_DEBUG_ERROR, ("Replay Counter Different in pairwise msg %d of 4-way handshake!\n", MsgType));
1154 }
1155 else
1156 {
1157 DBGPRINT(RT_DEBUG_ERROR, ("Replay Counter Different in group msg %d of 2-way handshake!\n", (MsgType - EAPOL_PAIR_MSG_4)));
1158 }
1159
1160 hex_dump("Receive replay counter ", pMsg->KeyDesc.ReplayCounter, LEN_KEY_DESC_REPLAY);
1161 hex_dump("Current replay counter ", pEntry->R_Counter, LEN_KEY_DESC_REPLAY);
1162 return FALSE;
1163 }
1164
1165 // 2. Verify MIC except Pairwise Msg1
1166 if (MsgType != EAPOL_PAIR_MSG_1)
1167 {
1168 UCHAR rcvd_mic[LEN_KEY_DESC_MIC];
1169
1170 // Record the received MIC for check later
1171 NdisMoveMemory(rcvd_mic, pMsg->KeyDesc.KeyMic, LEN_KEY_DESC_MIC);
1172 NdisZeroMemory(pMsg->KeyDesc.KeyMic, LEN_KEY_DESC_MIC);
1173
1174 if (pEntry->WepStatus == Ndis802_11Encryption2Enabled) // TKIP
1175 {
1176 hmac_md5(pEntry->PTK, LEN_EAP_MICK, (PUCHAR)pMsg, MsgLen, mic);
1177 }
1178 else if (pEntry->WepStatus == Ndis802_11Encryption3Enabled) // AES
1179 {
1180 HMAC_SHA1((PUCHAR)pMsg, MsgLen, pEntry->PTK, LEN_EAP_MICK, digest);
1181 NdisMoveMemory(mic, digest, LEN_KEY_DESC_MIC);
1182 }
1183
1184 if (!NdisEqualMemory(rcvd_mic, mic, LEN_KEY_DESC_MIC))
1185 {
1186 // send wireless event - for MIC different
1187 if (pAd->CommonCfg.bWirelessEvent)
1188 RTMPSendWirelessEvent(pAd, IW_MIC_DIFF_EVENT_FLAG, pEntry->Addr, pEntry->apidx, 0);
1189
1190 if (MsgType < EAPOL_GROUP_MSG_1)
1191 {
1192 DBGPRINT(RT_DEBUG_ERROR, ("MIC Different in pairwise msg %d of 4-way handshake!\n", MsgType));
1193 }
1194 else
1195 {
1196 DBGPRINT(RT_DEBUG_ERROR, ("MIC Different in group msg %d of 2-way handshake!\n", (MsgType - EAPOL_PAIR_MSG_4)));
1197 }
1198
1199 hex_dump("Received MIC", rcvd_mic, LEN_KEY_DESC_MIC);
1200 hex_dump("Desired MIC", mic, LEN_KEY_DESC_MIC);
1201
1202 return FALSE;
1203 }
1204 }
1205
1206 // Extract the context of the Key Data field if it exist
1207 // The field in pairwise_msg_2_WPA1(WPA2) & pairwise_msg_3_WPA1 is un-encrypted.
1208 // The field in group_msg_1_WPA1(WPA2) & pairwise_msg_3_WPA2 is encrypted.
1209 if (pMsg->KeyDesc.KeyDataLen[1] > 0)
1210 {
1211 // Decrypt this field
1212 if ((MsgType == EAPOL_PAIR_MSG_3 && bWPA2) || (MsgType == EAPOL_GROUP_MSG_1))
1213 {
1214 if(pEntry->WepStatus == Ndis802_11Encryption3Enabled)
1215 {
1216 // AES
1217 AES_GTK_KEY_UNWRAP(&pEntry->PTK[16], KEYDATA, pMsg->KeyDesc.KeyDataLen[1],pMsg->KeyDesc.KeyData);
1218 }
1219 else
1220 {
1221 INT i;
1222 UCHAR Key[32];
1223 // Decrypt TKIP GTK
1224 // Construct 32 bytes RC4 Key
1225 NdisMoveMemory(Key, pMsg->KeyDesc.KeyIv, 16);
1226 NdisMoveMemory(&Key[16], &pEntry->PTK[16], 16);
1227 ARCFOUR_INIT(&pAd->PrivateInfo.WEPCONTEXT, Key, 32);
1228 //discard first 256 bytes
1229 for(i = 0; i < 256; i++)
1230 ARCFOUR_BYTE(&pAd->PrivateInfo.WEPCONTEXT);
1231 // Decrypt GTK. Becareful, there is no ICV to check the result is correct or not
1232 ARCFOUR_DECRYPT(&pAd->PrivateInfo.WEPCONTEXT, KEYDATA, pMsg->KeyDesc.KeyData, pMsg->KeyDesc.KeyDataLen[1]);
1233 }
1234
1235 if (!bWPA2 && (MsgType == EAPOL_GROUP_MSG_1))
1236 GroupKeyIndex = EapolKeyInfo.KeyIndex;
1237
1238 }
1239 else if ((MsgType == EAPOL_PAIR_MSG_2) || (MsgType == EAPOL_PAIR_MSG_3 && !bWPA2))
1240 {
1241 NdisMoveMemory(KEYDATA, pMsg->KeyDesc.KeyData, pMsg->KeyDesc.KeyDataLen[1]);
1242 }
1243 else
1244 {
1245
1246 return TRUE;
1247 }
1248
1249 // Parse Key Data field to
1250 // 1. verify RSN IE for pairwise_msg_2_WPA1(WPA2) ,pairwise_msg_3_WPA1(WPA2)
1251 // 2. verify KDE format for pairwise_msg_3_WPA2, group_msg_1_WPA2
1252 // 3. update shared key for pairwise_msg_3_WPA2, group_msg_1_WPA1(WPA2)
1253 if (!RTMPParseEapolKeyData(pAd, KEYDATA, pMsg->KeyDesc.KeyDataLen[1], GroupKeyIndex, MsgType, bWPA2, pEntry))
1254 {
1255 return FALSE;
1256 }
1257 }
1258
1259 return TRUE;
1260
1261 }
kernel source for telekom puls (alcatel/mediatek)