2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 * $FreeBSD: head/sys/net80211/ieee80211_sta.c 203422 2010-02-03 10:07:43Z rpaulo $
29 * IEEE 802.11 Station mode support.
34 #include <sys/param.h>
35 #include <sys/systm.h>
37 #include <sys/malloc.h>
38 #include <sys/kernel.h>
40 #include <sys/socket.h>
41 #include <sys/sockio.h>
42 #include <sys/endian.h>
43 #include <sys/errno.h>
45 #include <sys/sysctl.h>
48 #include <net/if_media.h>
49 #include <net/if_llc.h>
50 #include <net/ethernet.h>
51 #include <net/route.h>
55 #include <netproto/802_11/ieee80211_var.h>
56 #include <netproto/802_11/ieee80211_sta.h>
57 #include <netproto/802_11/ieee80211_input.h>
58 #ifdef IEEE80211_SUPPORT_SUPERG
59 #include <netproto/802_11/ieee80211_superg.h>
62 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
64 static void sta_vattach(struct ieee80211vap
*);
65 static void sta_beacon_miss(struct ieee80211vap
*);
66 static int sta_newstate(struct ieee80211vap
*, enum ieee80211_state
, int);
67 static int sta_input(struct ieee80211_node
*, struct mbuf
*, int, int);
68 static void sta_recv_mgmt(struct ieee80211_node
*, struct mbuf
*,
69 int subtype
, int rssi
, int nf
);
70 static void sta_recv_ctl(struct ieee80211_node
*, struct mbuf
*, int subtype
);
73 ieee80211_sta_attach(struct ieee80211com
*ic
)
75 ic
->ic_vattach
[IEEE80211_M_STA
] = sta_vattach
;
79 ieee80211_sta_detach(struct ieee80211com
*ic
)
84 sta_vdetach(struct ieee80211vap
*vap
)
89 sta_vattach(struct ieee80211vap
*vap
)
91 vap
->iv_newstate
= sta_newstate
;
92 vap
->iv_input
= sta_input
;
93 vap
->iv_recv_mgmt
= sta_recv_mgmt
;
94 vap
->iv_recv_ctl
= sta_recv_ctl
;
95 vap
->iv_opdetach
= sta_vdetach
;
96 vap
->iv_bmiss
= sta_beacon_miss
;
100 * Handle a beacon miss event. The common code filters out
101 * spurious events that can happen when scanning and/or before
102 * reaching RUN state.
105 sta_beacon_miss(struct ieee80211vap
*vap
)
107 struct ieee80211com
*ic
= vap
->iv_ic
;
109 KASSERT((ic
->ic_flags
& IEEE80211_F_SCAN
) == 0, ("scanning"));
110 KASSERT(vap
->iv_state
>= IEEE80211_S_RUN
,
111 ("wrong state %s", ieee80211_state_name
[vap
->iv_state
]));
113 IEEE80211_DPRINTF(vap
, IEEE80211_MSG_STATE
| IEEE80211_MSG_DEBUG
,
114 "beacon miss, mode %s state %s\n",
115 ieee80211_opmode_name
[vap
->iv_opmode
],
116 ieee80211_state_name
[vap
->iv_state
]);
118 if (vap
->iv_state
== IEEE80211_S_CSA
) {
120 * A Channel Switch is pending; assume we missed the
121 * beacon that would've completed the process and just
122 * force the switch. If we made a mistake we'll not
123 * find the AP on the new channel and fall back to a
126 ieee80211_csa_completeswitch(ic
);
129 if (++vap
->iv_bmiss_count
< vap
->iv_bmiss_max
) {
131 * Send a directed probe req before falling back to a
132 * scan; if we receive a response ic_bmiss_count will
133 * be reset. Some cards mistakenly report beacon miss
134 * so this avoids the expensive scan if the ap is
137 ieee80211_send_probereq(vap
->iv_bss
, vap
->iv_myaddr
,
138 vap
->iv_bss
->ni_bssid
, vap
->iv_bss
->ni_bssid
,
139 vap
->iv_bss
->ni_essid
, vap
->iv_bss
->ni_esslen
);
142 vap
->iv_bmiss_count
= 0;
143 vap
->iv_stats
.is_beacon_miss
++;
144 if (vap
->iv_roaming
== IEEE80211_ROAMING_AUTO
) {
145 #ifdef IEEE80211_SUPPORT_SUPERG
146 struct ieee80211com
*ic
= vap
->iv_ic
;
149 * If we receive a beacon miss interrupt when using
150 * dynamic turbo, attempt to switch modes before
153 if (IEEE80211_ATH_CAP(vap
, vap
->iv_bss
, IEEE80211_NODE_TURBOP
))
154 ieee80211_dturbo_switch(vap
,
155 ic
->ic_bsschan
->ic_flags
^ IEEE80211_CHAN_TURBO
);
158 * Try to reassociate before scanning for a new ap.
160 ieee80211_new_state(vap
, IEEE80211_S_ASSOC
, 1);
163 * Somebody else is controlling state changes (e.g.
164 * a user-mode app) don't do anything that would
165 * confuse them; just drop into scan mode so they'll
166 * notified of the state change and given control.
168 ieee80211_new_state(vap
, IEEE80211_S_SCAN
, 0);
173 * Handle deauth with reason. We retry only for
174 * the cases where we might succeed. Otherwise
175 * we downgrade the ap and scan.
178 sta_authretry(struct ieee80211vap
*vap
, struct ieee80211_node
*ni
, int reason
)
181 case IEEE80211_STATUS_SUCCESS
: /* NB: MLME assoc */
182 case IEEE80211_STATUS_TIMEOUT
:
183 case IEEE80211_REASON_ASSOC_EXPIRE
:
184 case IEEE80211_REASON_NOT_AUTHED
:
185 case IEEE80211_REASON_NOT_ASSOCED
:
186 case IEEE80211_REASON_ASSOC_LEAVE
:
187 case IEEE80211_REASON_ASSOC_NOT_AUTHED
:
188 IEEE80211_SEND_MGMT(ni
, IEEE80211_FC0_SUBTYPE_AUTH
, 1);
191 ieee80211_scan_assoc_fail(vap
, vap
->iv_bss
->ni_macaddr
, reason
);
192 if (vap
->iv_roaming
== IEEE80211_ROAMING_AUTO
)
193 ieee80211_check_scan_current(vap
);
199 * IEEE80211_M_STA vap state machine handler.
200 * This routine handles the main states in the 802.11 protocol.
203 sta_newstate(struct ieee80211vap
*vap
, enum ieee80211_state nstate
, int arg
)
205 struct ieee80211com
*ic
= vap
->iv_ic
;
206 struct ieee80211_node
*ni
;
207 enum ieee80211_state ostate
;
209 ostate
= vap
->iv_state
;
210 IEEE80211_DPRINTF(vap
, IEEE80211_MSG_STATE
, "%s: %s -> %s (%d)\n",
211 __func__
, ieee80211_state_name
[ostate
],
212 ieee80211_state_name
[nstate
], arg
);
213 vap
->iv_state
= nstate
; /* state transition */
214 callout_stop(&vap
->iv_mgtsend
); /* XXX callout_drain */
215 if (ostate
!= IEEE80211_S_SCAN
)
216 ieee80211_cancel_scan(vap
); /* background scan */
217 ni
= vap
->iv_bss
; /* NB: no reference held */
218 if (vap
->iv_flags_ext
& IEEE80211_FEXT_SWBMISS
)
219 callout_stop(&vap
->iv_swbmiss
);
221 case IEEE80211_S_INIT
:
223 case IEEE80211_S_SLEEP
:
225 case IEEE80211_S_RUN
:
226 IEEE80211_SEND_MGMT(ni
,
227 IEEE80211_FC0_SUBTYPE_DISASSOC
,
228 IEEE80211_REASON_ASSOC_LEAVE
);
229 ieee80211_sta_leave(ni
);
231 case IEEE80211_S_ASSOC
:
232 IEEE80211_SEND_MGMT(ni
,
233 IEEE80211_FC0_SUBTYPE_DEAUTH
,
234 IEEE80211_REASON_AUTH_LEAVE
);
236 case IEEE80211_S_SCAN
:
237 ieee80211_cancel_scan(vap
);
242 if (ostate
!= IEEE80211_S_INIT
) {
243 /* NB: optimize INIT -> INIT case */
244 ieee80211_reset_bss(vap
);
246 if (vap
->iv_auth
->ia_detach
!= NULL
)
247 vap
->iv_auth
->ia_detach(vap
);
249 case IEEE80211_S_SCAN
:
251 case IEEE80211_S_INIT
:
253 * Initiate a scan. We can come here as a result
254 * of an IEEE80211_IOC_SCAN_REQ too in which case
255 * the vap will be marked with IEEE80211_FEXT_SCANREQ
256 * and the scan request parameters will be present
257 * in iv_scanreq. Otherwise we do the default.
259 if (vap
->iv_flags_ext
& IEEE80211_FEXT_SCANREQ
) {
260 ieee80211_check_scan(vap
,
261 vap
->iv_scanreq_flags
,
262 vap
->iv_scanreq_duration
,
263 vap
->iv_scanreq_mindwell
,
264 vap
->iv_scanreq_maxdwell
,
265 vap
->iv_scanreq_nssid
, vap
->iv_scanreq_ssid
);
266 vap
->iv_flags_ext
&= ~IEEE80211_FEXT_SCANREQ
;
268 ieee80211_check_scan_current(vap
);
270 case IEEE80211_S_SCAN
:
271 case IEEE80211_S_AUTH
:
272 case IEEE80211_S_ASSOC
:
274 * These can happen either because of a timeout
275 * on an assoc/auth response or because of a
276 * change in state that requires a reset. For
277 * the former we're called with a non-zero arg
278 * that is the cause for the failure; pass this
279 * to the scan code so it can update state.
280 * Otherwise trigger a new scan unless we're in
281 * manual roaming mode in which case an application
282 * must issue an explicit scan request.
285 ieee80211_scan_assoc_fail(vap
,
286 vap
->iv_bss
->ni_macaddr
, arg
);
287 if (vap
->iv_roaming
== IEEE80211_ROAMING_AUTO
)
288 ieee80211_check_scan_current(vap
);
290 case IEEE80211_S_RUN
: /* beacon miss */
292 * Beacon miss. Notify user space and if not
293 * under control of a user application (roaming
294 * manual) kick off a scan to re-connect.
296 ieee80211_sta_leave(ni
);
297 if (vap
->iv_roaming
== IEEE80211_ROAMING_AUTO
)
298 ieee80211_check_scan_current(vap
);
304 case IEEE80211_S_AUTH
:
306 case IEEE80211_S_INIT
:
307 case IEEE80211_S_SCAN
:
308 IEEE80211_SEND_MGMT(ni
,
309 IEEE80211_FC0_SUBTYPE_AUTH
, 1);
311 case IEEE80211_S_AUTH
:
312 case IEEE80211_S_ASSOC
:
313 switch (arg
& 0xff) {
314 case IEEE80211_FC0_SUBTYPE_AUTH
:
316 IEEE80211_SEND_MGMT(ni
,
317 IEEE80211_FC0_SUBTYPE_AUTH
, 2);
319 case IEEE80211_FC0_SUBTYPE_DEAUTH
:
320 sta_authretry(vap
, ni
, arg
>>8);
324 case IEEE80211_S_RUN
:
325 switch (arg
& 0xff) {
326 case IEEE80211_FC0_SUBTYPE_AUTH
:
327 IEEE80211_SEND_MGMT(ni
,
328 IEEE80211_FC0_SUBTYPE_AUTH
, 2);
329 vap
->iv_state
= ostate
; /* stay RUN */
331 case IEEE80211_FC0_SUBTYPE_DEAUTH
:
332 ieee80211_sta_leave(ni
);
333 if (vap
->iv_roaming
== IEEE80211_ROAMING_AUTO
) {
335 IEEE80211_SEND_MGMT(ni
,
336 IEEE80211_FC0_SUBTYPE_AUTH
, 1);
345 case IEEE80211_S_ASSOC
:
347 case IEEE80211_S_AUTH
:
348 case IEEE80211_S_ASSOC
:
349 IEEE80211_SEND_MGMT(ni
,
350 IEEE80211_FC0_SUBTYPE_ASSOC_REQ
, 0);
352 case IEEE80211_S_SLEEP
: /* cannot happen */
353 case IEEE80211_S_RUN
:
354 ieee80211_sta_leave(ni
);
355 if (vap
->iv_roaming
== IEEE80211_ROAMING_AUTO
) {
356 IEEE80211_SEND_MGMT(ni
, arg
?
357 IEEE80211_FC0_SUBTYPE_REASSOC_REQ
:
358 IEEE80211_FC0_SUBTYPE_ASSOC_REQ
, 0);
365 case IEEE80211_S_RUN
:
366 if (vap
->iv_flags
& IEEE80211_F_WPA
) {
367 /* XXX validate prerequisites */
370 case IEEE80211_S_RUN
:
371 case IEEE80211_S_CSA
:
373 case IEEE80211_S_AUTH
: /* when join is done in fw */
374 case IEEE80211_S_ASSOC
:
375 #ifdef IEEE80211_DEBUG
376 if (ieee80211_msg_debug(vap
)) {
377 ieee80211_note(vap
, "%s with %6D ssid ",
378 (vap
->iv_opmode
== IEEE80211_M_STA
?
379 "associated" : "synchronized"),
381 ieee80211_print_essid(vap
->iv_bss
->ni_essid
,
384 kprintf(" channel %d start %uMb\n",
385 ieee80211_chan2ieee(ic
, ic
->ic_curchan
),
386 IEEE80211_RATE2MBS(ni
->ni_txrate
));
389 ieee80211_scan_assoc_success(vap
, ni
->ni_macaddr
);
390 ieee80211_notify_node_join(ni
,
391 arg
== IEEE80211_FC0_SUBTYPE_ASSOC_RESP
);
393 case IEEE80211_S_SLEEP
:
394 ieee80211_sta_pwrsave(vap
, 0);
399 ieee80211_sync_curchan(ic
);
400 if (ostate
!= IEEE80211_S_RUN
&&
401 (vap
->iv_flags_ext
& IEEE80211_FEXT_SWBMISS
)) {
403 * Start s/w beacon miss timer for devices w/o
404 * hardware support. We fudge a bit here since
405 * we're doing this in software.
407 vap
->iv_swbmiss_period
= IEEE80211_TU_TO_TICKS(
408 2 * vap
->iv_bmissthreshold
* ni
->ni_intval
);
409 vap
->iv_swbmiss_count
= 0;
410 callout_reset(&vap
->iv_swbmiss
, vap
->iv_swbmiss_period
,
411 ieee80211_swbmiss_callout
, vap
);
414 * When 802.1x is not in use mark the port authorized
415 * at this point so traffic can flow.
417 if (ni
->ni_authmode
!= IEEE80211_AUTH_8021X
)
418 ieee80211_node_authorize(ni
);
420 * Fake association when joining an existing bss.
422 if (ic
->ic_newassoc
!= NULL
)
423 ic
->ic_newassoc(vap
->iv_bss
, ostate
!= IEEE80211_S_RUN
);
425 case IEEE80211_S_CSA
:
426 if (ostate
!= IEEE80211_S_RUN
)
429 case IEEE80211_S_SLEEP
:
430 ieee80211_sta_pwrsave(vap
, 1);
434 IEEE80211_DPRINTF(vap
, IEEE80211_MSG_STATE
,
435 "%s: unexpected state transition %s -> %s\n", __func__
,
436 ieee80211_state_name
[ostate
], ieee80211_state_name
[nstate
]);
443 * Return non-zero if the frame is an echo of a multicast
444 * frame sent by ourself. The dir is known to be DSTODS.
447 isdstods_mcastecho(struct ieee80211vap
*vap
, const struct ieee80211_frame
*wh
)
449 #define QWH4(wh) ((const struct ieee80211_qosframe_addr4 *)wh)
450 #define WH4(wh) ((const struct ieee80211_frame_addr4 *)wh)
453 KASSERT(vap
->iv_opmode
== IEEE80211_M_STA
, ("wrong mode"));
455 if (!IEEE80211_IS_MULTICAST(wh
->i_addr3
))
457 sa
= IEEE80211_QOS_HAS_SEQ(wh
) ? QWH4(wh
)->i_addr4
: WH4(wh
)->i_addr4
;
458 return IEEE80211_ADDR_EQ(sa
, vap
->iv_myaddr
);
464 * Return non-zero if the frame is an echo of a multicast
465 * frame sent by ourself. The dir is known to be FROMDS.
468 isfromds_mcastecho(struct ieee80211vap
*vap
, const struct ieee80211_frame
*wh
)
470 KASSERT(vap
->iv_opmode
== IEEE80211_M_STA
, ("wrong mode"));
472 if (!IEEE80211_IS_MULTICAST(wh
->i_addr1
))
474 return IEEE80211_ADDR_EQ(wh
->i_addr3
, vap
->iv_myaddr
);
478 * Decide if a received management frame should be
479 * printed when debugging is enabled. This filters some
480 * of the less interesting frames that come frequently
484 doprint(struct ieee80211vap
*vap
, int subtype
)
487 case IEEE80211_FC0_SUBTYPE_BEACON
:
488 return (vap
->iv_ic
->ic_flags
& IEEE80211_F_SCAN
);
489 case IEEE80211_FC0_SUBTYPE_PROBE_REQ
:
496 * Process a received frame. The node associated with the sender
497 * should be supplied. If nothing was found in the node table then
498 * the caller is assumed to supply a reference to iv_bss instead.
499 * The RSSI and a timestamp are also supplied. The RSSI data is used
500 * during AP scanning to select a AP to associate with; it can have
501 * any units so long as values have consistent units and higher values
502 * mean ``better signal''. The receive timestamp is currently not used
503 * by the 802.11 layer.
506 sta_input(struct ieee80211_node
*ni
, struct mbuf
*m
, int rssi
, int nf
)
508 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
509 #define HAS_SEQ(type) ((type & 0x4) == 0)
510 struct ieee80211vap
*vap
= ni
->ni_vap
;
511 struct ieee80211com
*ic
= ni
->ni_ic
;
512 struct ifnet
*ifp
= vap
->iv_ifp
;
513 struct ieee80211_frame
*wh
;
514 struct ieee80211_key
*key
;
515 struct ether_header
*eh
;
516 int hdrspace
, need_tap
= 1; /* mbuf need to be tapped. */
517 uint8_t dir
, type
, subtype
, qos
;
521 if (m
->m_flags
& M_AMPDU_MPDU
) {
523 * Fastpath for A-MPDU reorder q resubmission. Frames
524 * w/ M_AMPDU_MPDU marked have already passed through
525 * here but were received out of order and been held on
526 * the reorder queue. When resubmitted they are marked
527 * with the M_AMPDU_MPDU flag and we can bypass most of
528 * the normal processing.
530 wh
= mtod(m
, struct ieee80211_frame
*);
531 type
= IEEE80211_FC0_TYPE_DATA
;
532 dir
= wh
->i_fc
[1] & IEEE80211_FC1_DIR_MASK
;
533 subtype
= IEEE80211_FC0_SUBTYPE_QOS
;
534 hdrspace
= ieee80211_hdrspace(ic
, wh
); /* XXX optimize? */
538 KASSERT(ni
!= NULL
, ("null node"));
539 ni
->ni_inact
= ni
->ni_inact_reload
;
541 type
= -1; /* undefined */
543 if (m
->m_pkthdr
.len
< sizeof(struct ieee80211_frame_min
)) {
544 IEEE80211_DISCARD_MAC(vap
, IEEE80211_MSG_ANY
,
545 ni
->ni_macaddr
, NULL
,
546 "too short (1): len %u", m
->m_pkthdr
.len
);
547 vap
->iv_stats
.is_rx_tooshort
++;
551 * Bit of a cheat here, we use a pointer for a 3-address
552 * frame format but don't reference fields past outside
553 * ieee80211_frame_min w/o first validating the data is
556 wh
= mtod(m
, struct ieee80211_frame
*);
558 if ((wh
->i_fc
[0] & IEEE80211_FC0_VERSION_MASK
) !=
559 IEEE80211_FC0_VERSION_0
) {
560 IEEE80211_DISCARD_MAC(vap
, IEEE80211_MSG_ANY
,
561 ni
->ni_macaddr
, NULL
, "wrong version, fc %02x:%02x",
562 wh
->i_fc
[0], wh
->i_fc
[1]);
563 vap
->iv_stats
.is_rx_badversion
++;
567 dir
= wh
->i_fc
[1] & IEEE80211_FC1_DIR_MASK
;
568 type
= wh
->i_fc
[0] & IEEE80211_FC0_TYPE_MASK
;
569 subtype
= wh
->i_fc
[0] & IEEE80211_FC0_SUBTYPE_MASK
;
570 if ((ic
->ic_flags
& IEEE80211_F_SCAN
) == 0) {
572 if (!IEEE80211_ADDR_EQ(bssid
, ni
->ni_bssid
)) {
573 /* not interested in */
574 IEEE80211_DISCARD_MAC(vap
, IEEE80211_MSG_INPUT
,
575 bssid
, NULL
, "%s", "not to bss");
576 vap
->iv_stats
.is_rx_wrongbss
++;
579 IEEE80211_RSSI_LPF(ni
->ni_avgrssi
, rssi
);
581 if (HAS_SEQ(type
) && !IEEE80211_IS_MULTICAST(wh
->i_addr1
)) {
582 uint8_t tid
= ieee80211_gettid(wh
);
583 if (IEEE80211_QOS_HAS_SEQ(wh
) &&
584 TID_TO_WME_AC(tid
) >= WME_AC_VI
)
585 ic
->ic_wme
.wme_hipri_traffic
++;
586 rxseq
= le16toh(*(uint16_t *)wh
->i_seq
);
587 if ((ni
->ni_flags
& IEEE80211_NODE_HT
) == 0 &&
588 (wh
->i_fc
[1] & IEEE80211_FC1_RETRY
) &&
589 SEQ_LEQ(rxseq
, ni
->ni_rxseqs
[tid
])) {
590 /* duplicate, discard */
591 IEEE80211_DISCARD_MAC(vap
, IEEE80211_MSG_INPUT
,
593 "seqno <%u,%u> fragno <%u,%u> tid %u",
594 rxseq
>> IEEE80211_SEQ_SEQ_SHIFT
,
595 ni
->ni_rxseqs
[tid
] >>
596 IEEE80211_SEQ_SEQ_SHIFT
,
597 rxseq
& IEEE80211_SEQ_FRAG_MASK
,
599 IEEE80211_SEQ_FRAG_MASK
,
601 vap
->iv_stats
.is_rx_dup
++;
602 IEEE80211_NODE_STAT(ni
, rx_dup
);
605 ni
->ni_rxseqs
[tid
] = rxseq
;
610 case IEEE80211_FC0_TYPE_DATA
:
611 hdrspace
= ieee80211_hdrspace(ic
, wh
);
612 if (m
->m_len
< hdrspace
&&
613 (m
= m_pullup(m
, hdrspace
)) == NULL
) {
614 IEEE80211_DISCARD_MAC(vap
, IEEE80211_MSG_ANY
,
615 ni
->ni_macaddr
, NULL
,
616 "data too short: expecting %u", hdrspace
);
617 vap
->iv_stats
.is_rx_tooshort
++;
621 * Handle A-MPDU re-ordering. If the frame is to be
622 * processed directly then ieee80211_ampdu_reorder
623 * will return 0; otherwise it has consumed the mbuf
624 * and we should do nothing more with it.
626 if ((m
->m_flags
& M_AMPDU
) &&
627 (dir
== IEEE80211_FC1_DIR_FROMDS
||
628 dir
== IEEE80211_FC1_DIR_DSTODS
) &&
629 ieee80211_ampdu_reorder(ni
, m
) != 0) {
634 if (dir
== IEEE80211_FC1_DIR_FROMDS
) {
635 if ((ifp
->if_flags
& IFF_SIMPLEX
) &&
636 isfromds_mcastecho(vap
, wh
)) {
638 * In IEEE802.11 network, multicast
639 * packets sent from "me" are broadcast
640 * from the AP; silently discard for
643 IEEE80211_DISCARD(vap
, IEEE80211_MSG_INPUT
,
644 wh
, "data", "%s", "multicast echo");
645 vap
->iv_stats
.is_rx_mcastecho
++;
648 if ((vap
->iv_flags
& IEEE80211_F_DWDS
) &&
649 IEEE80211_IS_MULTICAST(wh
->i_addr1
)) {
651 * DWDS sta's must drop 3-address mcast frames
652 * as they will be sent separately as a 4-addr
653 * frame. Accepting the 3-addr frame will
654 * confuse the bridge into thinking the sending
655 * sta is located at the end of WDS link.
657 IEEE80211_DISCARD(vap
, IEEE80211_MSG_INPUT
, wh
,
658 "3-address data", "%s", "DWDS enabled");
659 vap
->iv_stats
.is_rx_mcastecho
++;
662 } else if (dir
== IEEE80211_FC1_DIR_DSTODS
) {
663 if ((vap
->iv_flags
& IEEE80211_F_DWDS
) == 0) {
664 IEEE80211_DISCARD(vap
,
665 IEEE80211_MSG_INPUT
, wh
, "4-address data",
666 "%s", "DWDS not enabled");
667 vap
->iv_stats
.is_rx_wrongdir
++;
670 if ((ifp
->if_flags
& IFF_SIMPLEX
) &&
671 isdstods_mcastecho(vap
, wh
)) {
673 * In IEEE802.11 network, multicast
674 * packets sent from "me" are broadcast
675 * from the AP; silently discard for
678 IEEE80211_DISCARD(vap
, IEEE80211_MSG_INPUT
, wh
,
679 "4-address data", "%s", "multicast echo");
680 vap
->iv_stats
.is_rx_mcastecho
++;
684 IEEE80211_DISCARD(vap
, IEEE80211_MSG_INPUT
, wh
,
685 "data", "incorrect dir 0x%x", dir
);
686 vap
->iv_stats
.is_rx_wrongdir
++;
691 * Handle privacy requirements. Note that we
692 * must not be preempted from here until after
693 * we (potentially) call ieee80211_crypto_demic;
694 * otherwise we may violate assumptions in the
695 * crypto cipher modules used to do delayed update
696 * of replay sequence numbers.
698 if (wh
->i_fc
[1] & IEEE80211_FC1_WEP
) {
699 if ((vap
->iv_flags
& IEEE80211_F_PRIVACY
) == 0) {
701 * Discard encrypted frames when privacy is off.
703 IEEE80211_DISCARD(vap
, IEEE80211_MSG_INPUT
,
704 wh
, "WEP", "%s", "PRIVACY off");
705 vap
->iv_stats
.is_rx_noprivacy
++;
706 IEEE80211_NODE_STAT(ni
, rx_noprivacy
);
709 key
= ieee80211_crypto_decap(ni
, m
, hdrspace
);
711 /* NB: stats+msgs handled in crypto_decap */
712 IEEE80211_NODE_STAT(ni
, rx_wepfail
);
715 wh
= mtod(m
, struct ieee80211_frame
*);
716 wh
->i_fc
[1] &= ~IEEE80211_FC1_WEP
;
718 /* XXX M_WEP and IEEE80211_F_PRIVACY */
723 * Save QoS bits for use below--before we strip the header.
725 if (subtype
== IEEE80211_FC0_SUBTYPE_QOS
) {
726 qos
= (dir
== IEEE80211_FC1_DIR_DSTODS
) ?
727 ((struct ieee80211_qosframe_addr4
*)wh
)->i_qos
[0] :
728 ((struct ieee80211_qosframe
*)wh
)->i_qos
[0];
733 * Next up, any fragmentation.
735 if (!IEEE80211_IS_MULTICAST(wh
->i_addr1
)) {
736 m
= ieee80211_defrag(ni
, m
, hdrspace
);
738 /* Fragment dropped or frame not complete yet */
742 wh
= NULL
; /* no longer valid, catch any uses */
745 * Next strip any MSDU crypto bits.
747 if (key
!= NULL
&& !ieee80211_crypto_demic(vap
, key
, m
, 0)) {
748 IEEE80211_DISCARD_MAC(vap
, IEEE80211_MSG_INPUT
,
749 ni
->ni_macaddr
, "data", "%s", "demic error");
750 vap
->iv_stats
.is_rx_demicfail
++;
751 IEEE80211_NODE_STAT(ni
, rx_demicfail
);
755 /* copy to listener after decrypt */
756 if (ieee80211_radiotap_active_vap(vap
))
757 ieee80211_radiotap_rx(vap
, m
);
761 * Finally, strip the 802.11 header.
763 m
= ieee80211_decap(vap
, m
, hdrspace
);
765 /* XXX mask bit to check for both */
766 /* don't count Null data frames as errors */
767 if (subtype
== IEEE80211_FC0_SUBTYPE_NODATA
||
768 subtype
== IEEE80211_FC0_SUBTYPE_QOS_NULL
)
770 IEEE80211_DISCARD_MAC(vap
, IEEE80211_MSG_INPUT
,
771 ni
->ni_macaddr
, "data", "%s", "decap error");
772 vap
->iv_stats
.is_rx_decap
++;
773 IEEE80211_NODE_STAT(ni
, rx_decap
);
776 eh
= mtod(m
, struct ether_header
*);
777 if (!ieee80211_node_is_authorized(ni
)) {
779 * Deny any non-PAE frames received prior to
780 * authorization. For open/shared-key
781 * authentication the port is mark authorized
782 * after authentication completes. For 802.1x
783 * the port is not marked authorized by the
784 * authenticator until the handshake has completed.
786 if (eh
->ether_type
!= htons(ETHERTYPE_PAE
)) {
787 IEEE80211_DISCARD_MAC(vap
, IEEE80211_MSG_INPUT
,
788 eh
->ether_shost
, "data",
789 "unauthorized port: ether type 0x%x len %u",
790 eh
->ether_type
, m
->m_pkthdr
.len
);
791 vap
->iv_stats
.is_rx_unauth
++;
792 IEEE80211_NODE_STAT(ni
, rx_unauth
);
797 * When denying unencrypted frames, discard
798 * any non-PAE frames received without encryption.
800 if ((vap
->iv_flags
& IEEE80211_F_DROPUNENC
) &&
801 (key
== NULL
&& (m
->m_flags
& M_WEP
) == 0) &&
802 eh
->ether_type
!= htons(ETHERTYPE_PAE
)) {
804 * Drop unencrypted frames.
806 vap
->iv_stats
.is_rx_unencrypted
++;
807 IEEE80211_NODE_STAT(ni
, rx_unencrypted
);
811 /* XXX require HT? */
812 if (qos
& IEEE80211_QOS_AMSDU
) {
813 m
= ieee80211_decap_amsdu(ni
, m
);
815 return IEEE80211_FC0_TYPE_DATA
;
817 #ifdef IEEE80211_SUPPORT_SUPERG
818 m
= ieee80211_decap_fastframe(vap
, ni
, m
);
820 return IEEE80211_FC0_TYPE_DATA
;
823 ieee80211_deliver_data(vap
, ni
, m
);
824 return IEEE80211_FC0_TYPE_DATA
;
826 case IEEE80211_FC0_TYPE_MGT
:
827 vap
->iv_stats
.is_rx_mgmt
++;
828 IEEE80211_NODE_STAT(ni
, rx_mgmt
);
829 if (dir
!= IEEE80211_FC1_DIR_NODS
) {
830 IEEE80211_DISCARD(vap
, IEEE80211_MSG_INPUT
,
831 wh
, "data", "incorrect dir 0x%x", dir
);
832 vap
->iv_stats
.is_rx_wrongdir
++;
835 if (m
->m_pkthdr
.len
< sizeof(struct ieee80211_frame
)) {
836 IEEE80211_DISCARD_MAC(vap
, IEEE80211_MSG_ANY
,
837 ni
->ni_macaddr
, "mgt", "too short: len %u",
839 vap
->iv_stats
.is_rx_tooshort
++;
842 #ifdef IEEE80211_DEBUG
843 if ((ieee80211_msg_debug(vap
) && doprint(vap
, subtype
)) ||
844 ieee80211_msg_dumppkts(vap
)) {
845 if_printf(ifp
, "received %s from %6D rssi %d\n",
846 ieee80211_mgt_subtype_name
[subtype
>>
847 IEEE80211_FC0_SUBTYPE_SHIFT
],
848 wh
->i_addr2
, ":", rssi
);
851 if (wh
->i_fc
[1] & IEEE80211_FC1_WEP
) {
852 if (subtype
!= IEEE80211_FC0_SUBTYPE_AUTH
) {
854 * Only shared key auth frames with a challenge
855 * should be encrypted, discard all others.
857 IEEE80211_DISCARD(vap
, IEEE80211_MSG_INPUT
,
858 wh
, ieee80211_mgt_subtype_name
[subtype
>>
859 IEEE80211_FC0_SUBTYPE_SHIFT
],
860 "%s", "WEP set but not permitted");
861 vap
->iv_stats
.is_rx_mgtdiscard
++; /* XXX */
864 if ((vap
->iv_flags
& IEEE80211_F_PRIVACY
) == 0) {
866 * Discard encrypted frames when privacy is off.
868 IEEE80211_DISCARD(vap
, IEEE80211_MSG_INPUT
,
869 wh
, "mgt", "%s", "WEP set but PRIVACY off");
870 vap
->iv_stats
.is_rx_noprivacy
++;
873 hdrspace
= ieee80211_hdrspace(ic
, wh
);
874 key
= ieee80211_crypto_decap(ni
, m
, hdrspace
);
876 /* NB: stats+msgs handled in crypto_decap */
879 wh
= mtod(m
, struct ieee80211_frame
*);
880 wh
->i_fc
[1] &= ~IEEE80211_FC1_WEP
;
882 vap
->iv_recv_mgmt(ni
, m
, subtype
, rssi
, nf
);
885 case IEEE80211_FC0_TYPE_CTL
:
886 vap
->iv_stats
.is_rx_ctl
++;
887 IEEE80211_NODE_STAT(ni
, rx_ctrl
);
888 vap
->iv_recv_ctl(ni
, m
, subtype
);
892 IEEE80211_DISCARD(vap
, IEEE80211_MSG_ANY
,
893 wh
, NULL
, "bad frame type 0x%x", type
);
894 /* should not come here */
901 if (need_tap
&& ieee80211_radiotap_active_vap(vap
))
902 ieee80211_radiotap_rx(vap
, m
);
910 sta_auth_open(struct ieee80211_node
*ni
, struct ieee80211_frame
*wh
,
911 int rssi
, int nf
, uint16_t seq
, uint16_t status
)
913 struct ieee80211vap
*vap
= ni
->ni_vap
;
915 if (ni
->ni_authmode
== IEEE80211_AUTH_SHARED
) {
916 IEEE80211_DISCARD_MAC(vap
, IEEE80211_MSG_AUTH
,
917 ni
->ni_macaddr
, "open auth",
918 "bad sta auth mode %u", ni
->ni_authmode
);
919 vap
->iv_stats
.is_rx_bad_auth
++; /* XXX */
922 if (vap
->iv_state
!= IEEE80211_S_AUTH
||
923 seq
!= IEEE80211_AUTH_OPEN_RESPONSE
) {
924 vap
->iv_stats
.is_rx_bad_auth
++;
928 IEEE80211_NOTE(vap
, IEEE80211_MSG_DEBUG
| IEEE80211_MSG_AUTH
,
929 ni
, "open auth failed (reason %d)", status
);
930 vap
->iv_stats
.is_rx_auth_fail
++;
931 vap
->iv_stats
.is_rx_authfail_code
= status
;
932 ieee80211_new_state(vap
, IEEE80211_S_SCAN
,
933 IEEE80211_SCAN_FAIL_STATUS
);
935 ieee80211_new_state(vap
, IEEE80211_S_ASSOC
, 0);
939 sta_auth_shared(struct ieee80211_node
*ni
, struct ieee80211_frame
*wh
,
940 uint8_t *frm
, uint8_t *efrm
, int rssi
, int nf
,
941 uint16_t seq
, uint16_t status
)
943 struct ieee80211vap
*vap
= ni
->ni_vap
;
948 * NB: this can happen as we allow pre-shared key
949 * authentication to be enabled w/o wep being turned
950 * on so that configuration of these can be done
951 * in any order. It may be better to enforce the
952 * ordering in which case this check would just be
953 * for sanity/consistency.
955 if ((vap
->iv_flags
& IEEE80211_F_PRIVACY
) == 0) {
956 IEEE80211_DISCARD_MAC(vap
, IEEE80211_MSG_AUTH
,
957 ni
->ni_macaddr
, "shared key auth",
958 "%s", " PRIVACY is disabled");
959 estatus
= IEEE80211_STATUS_ALG
;
963 * Pre-shared key authentication is evil; accept
964 * it only if explicitly configured (it is supported
965 * mainly for compatibility with clients like OS X).
967 if (ni
->ni_authmode
!= IEEE80211_AUTH_AUTO
&&
968 ni
->ni_authmode
!= IEEE80211_AUTH_SHARED
) {
969 IEEE80211_DISCARD_MAC(vap
, IEEE80211_MSG_AUTH
,
970 ni
->ni_macaddr
, "shared key auth",
971 "bad sta auth mode %u", ni
->ni_authmode
);
972 vap
->iv_stats
.is_rx_bad_auth
++; /* XXX maybe a unique error? */
973 estatus
= IEEE80211_STATUS_ALG
;
978 if (frm
+ 1 < efrm
) {
979 if ((frm
[1] + 2) > (efrm
- frm
)) {
980 IEEE80211_DISCARD_MAC(vap
, IEEE80211_MSG_AUTH
,
981 ni
->ni_macaddr
, "shared key auth",
983 frm
[0], (int)((frm
[1] + 2) - (efrm
- frm
)));
984 vap
->iv_stats
.is_rx_bad_auth
++;
985 estatus
= IEEE80211_STATUS_CHALLENGE
;
988 if (*frm
== IEEE80211_ELEMID_CHALLENGE
)
993 case IEEE80211_AUTH_SHARED_CHALLENGE
:
994 case IEEE80211_AUTH_SHARED_RESPONSE
:
995 if (challenge
== NULL
) {
996 IEEE80211_DISCARD_MAC(vap
, IEEE80211_MSG_AUTH
,
997 ni
->ni_macaddr
, "shared key auth",
998 "%s", "no challenge");
999 vap
->iv_stats
.is_rx_bad_auth
++;
1000 estatus
= IEEE80211_STATUS_CHALLENGE
;
1003 if (challenge
[1] != IEEE80211_CHALLENGE_LEN
) {
1004 IEEE80211_DISCARD_MAC(vap
, IEEE80211_MSG_AUTH
,
1005 ni
->ni_macaddr
, "shared key auth",
1006 "bad challenge len %d", challenge
[1]);
1007 vap
->iv_stats
.is_rx_bad_auth
++;
1008 estatus
= IEEE80211_STATUS_CHALLENGE
;
1014 if (vap
->iv_state
!= IEEE80211_S_AUTH
)
1017 case IEEE80211_AUTH_SHARED_PASS
:
1018 if (ni
->ni_challenge
!= NULL
) {
1019 kfree(ni
->ni_challenge
, M_80211_NODE
);
1020 ni
->ni_challenge
= NULL
;
1023 IEEE80211_NOTE_FRAME(vap
,
1024 IEEE80211_MSG_DEBUG
| IEEE80211_MSG_AUTH
, wh
,
1025 "shared key auth failed (reason %d)", status
);
1026 vap
->iv_stats
.is_rx_auth_fail
++;
1027 vap
->iv_stats
.is_rx_authfail_code
= status
;
1030 ieee80211_new_state(vap
, IEEE80211_S_ASSOC
, 0);
1032 case IEEE80211_AUTH_SHARED_CHALLENGE
:
1033 if (!ieee80211_alloc_challenge(ni
))
1035 /* XXX could optimize by passing recvd challenge */
1036 memcpy(ni
->ni_challenge
, &challenge
[2], challenge
[1]);
1037 IEEE80211_SEND_MGMT(ni
,
1038 IEEE80211_FC0_SUBTYPE_AUTH
, seq
+ 1);
1041 IEEE80211_DISCARD(vap
, IEEE80211_MSG_AUTH
,
1042 wh
, "shared key auth", "bad seq %d", seq
);
1043 vap
->iv_stats
.is_rx_bad_auth
++;
1049 * Kick the state machine. This short-circuits
1050 * using the mgt frame timeout to trigger the
1053 if (vap
->iv_state
== IEEE80211_S_AUTH
)
1054 ieee80211_new_state(vap
, IEEE80211_S_SCAN
,
1055 IEEE80211_SCAN_FAIL_STATUS
);
1059 ieee80211_parse_wmeparams(struct ieee80211vap
*vap
, uint8_t *frm
,
1060 const struct ieee80211_frame
*wh
)
1062 #define MS(_v, _f) (((_v) & _f) >> _f##_S)
1063 struct ieee80211_wme_state
*wme
= &vap
->iv_ic
->ic_wme
;
1064 u_int len
= frm
[1], qosinfo
;
1067 if (len
< sizeof(struct ieee80211_wme_param
)-2) {
1068 IEEE80211_DISCARD_IE(vap
,
1069 IEEE80211_MSG_ELEMID
| IEEE80211_MSG_WME
,
1070 wh
, "WME", "too short, len %u", len
);
1073 qosinfo
= frm
[__offsetof(struct ieee80211_wme_param
, param_qosInfo
)];
1074 qosinfo
&= WME_QOSINFO_COUNT
;
1075 /* XXX do proper check for wraparound */
1076 if (qosinfo
== wme
->wme_wmeChanParams
.cap_info
)
1078 frm
+= __offsetof(struct ieee80211_wme_param
, params_acParams
);
1079 for (i
= 0; i
< WME_NUM_AC
; i
++) {
1080 struct wmeParams
*wmep
=
1081 &wme
->wme_wmeChanParams
.cap_wmeParams
[i
];
1082 /* NB: ACI not used */
1083 wmep
->wmep_acm
= MS(frm
[0], WME_PARAM_ACM
);
1084 wmep
->wmep_aifsn
= MS(frm
[0], WME_PARAM_AIFSN
);
1085 wmep
->wmep_logcwmin
= MS(frm
[1], WME_PARAM_LOGCWMIN
);
1086 wmep
->wmep_logcwmax
= MS(frm
[1], WME_PARAM_LOGCWMAX
);
1087 wmep
->wmep_txopLimit
= LE_READ_2(frm
+2);
1090 wme
->wme_wmeChanParams
.cap_info
= qosinfo
;
1096 * Process 11h Channel Switch Announcement (CSA) ie. If this
1097 * is the first CSA then initiate the switch. Otherwise we
1098 * track state and trigger completion and/or cancel of the switch.
1099 * XXX should be public for IBSS use
1102 ieee80211_parse_csaparams(struct ieee80211vap
*vap
, uint8_t *frm
,
1103 const struct ieee80211_frame
*wh
)
1105 struct ieee80211com
*ic
= vap
->iv_ic
;
1106 const struct ieee80211_csa_ie
*csa
=
1107 (const struct ieee80211_csa_ie
*) frm
;
1109 KASSERT(vap
->iv_state
>= IEEE80211_S_RUN
,
1110 ("state %s", ieee80211_state_name
[vap
->iv_state
]));
1112 if (csa
->csa_mode
> 1) {
1113 IEEE80211_DISCARD_IE(vap
,
1114 IEEE80211_MSG_ELEMID
| IEEE80211_MSG_DOTH
,
1115 wh
, "CSA", "invalid mode %u", csa
->csa_mode
);
1118 if ((ic
->ic_flags
& IEEE80211_F_CSAPENDING
) == 0) {
1120 * Convert the channel number to a channel reference. We
1121 * try first to preserve turbo attribute of the current
1122 * channel then fallback. Note this will not work if the
1123 * CSA specifies a channel that requires a band switch (e.g.
1124 * 11a => 11g). This is intentional as 11h is defined only
1125 * for 5GHz/11a and because the switch does not involve a
1126 * reassociation, protocol state (capabilities, negotated
1127 * rates, etc) may/will be wrong.
1129 struct ieee80211_channel
*c
=
1130 ieee80211_find_channel_byieee(ic
, csa
->csa_newchan
,
1131 (ic
->ic_bsschan
->ic_flags
& IEEE80211_CHAN_ALLTURBO
));
1133 c
= ieee80211_find_channel_byieee(ic
,
1135 (ic
->ic_bsschan
->ic_flags
& IEEE80211_CHAN_ALL
));
1137 IEEE80211_DISCARD_IE(vap
,
1138 IEEE80211_MSG_ELEMID
| IEEE80211_MSG_DOTH
,
1139 wh
, "CSA", "invalid channel %u",
1144 #if IEEE80211_CSA_COUNT_MIN > 0
1145 if (csa
->csa_count
< IEEE80211_CSA_COUNT_MIN
) {
1147 * Require at least IEEE80211_CSA_COUNT_MIN count to
1148 * reduce the risk of being redirected by a fabricated
1149 * CSA. If a valid CSA is dropped we'll still get a
1150 * beacon miss when the AP leaves the channel so we'll
1151 * eventually follow to the new channel.
1153 * NOTE: this violates the 11h spec that states that
1154 * count may be any value and if 0 then a switch
1155 * should happen asap.
1157 IEEE80211_DISCARD_IE(vap
,
1158 IEEE80211_MSG_ELEMID
| IEEE80211_MSG_DOTH
,
1159 wh
, "CSA", "count %u too small, must be >= %u",
1160 csa
->csa_count
, IEEE80211_CSA_COUNT_MIN
);
1164 ieee80211_csa_startswitch(ic
, c
, csa
->csa_mode
, csa
->csa_count
);
1167 * Validate this ie against the initial CSA. We require
1168 * mode and channel not change and the count must be
1169 * monotonically decreasing. This may be pointless and
1170 * canceling the switch as a result may be too paranoid but
1171 * in the worst case if we drop out of CSA because of this
1172 * and the AP does move then we'll just end up taking a
1173 * beacon miss and scan to find the AP.
1175 * XXX may want <= on count as we also process ProbeResp
1176 * frames and those may come in w/ the same count as the
1177 * previous beacon; but doing so leaves us open to a stuck
1178 * count until we add a dead-man timer
1180 if (!(csa
->csa_count
< ic
->ic_csa_count
&&
1181 csa
->csa_mode
== ic
->ic_csa_mode
&&
1182 csa
->csa_newchan
== ieee80211_chan2ieee(ic
, ic
->ic_csa_newchan
))) {
1183 IEEE80211_NOTE_FRAME(vap
, IEEE80211_MSG_DOTH
, wh
,
1184 "CSA ie mismatch, initial ie <%d,%d,%d>, "
1185 "this ie <%d,%d,%d>", ic
->ic_csa_mode
,
1186 ic
->ic_csa_newchan
->ic_ieee
, ic
->ic_csa_count
,
1187 csa
->csa_mode
, csa
->csa_newchan
, csa
->csa_count
);
1188 ieee80211_csa_cancelswitch(ic
);
1190 if (csa
->csa_count
<= 1)
1191 ieee80211_csa_completeswitch(ic
);
1193 ic
->ic_csa_count
= csa
->csa_count
;
1201 * Return non-zero if a background scan may be continued:
1202 * o bg scan is active
1203 * o no channel switch is pending
1204 * o there has not been any traffic recently
1206 * Note we do not check if there is an administrative enable;
1207 * this is only done to start the scan. We assume that any
1208 * change in state will be accompanied by a request to cancel
1209 * active scans which will otherwise cause this test to fail.
1212 contbgscan(struct ieee80211vap
*vap
)
1214 struct ieee80211com
*ic
= vap
->iv_ic
;
1216 return ((ic
->ic_flags_ext
& IEEE80211_FEXT_BGSCAN
) &&
1217 (ic
->ic_flags
& IEEE80211_F_CSAPENDING
) == 0 &&
1218 vap
->iv_state
== IEEE80211_S_RUN
&& /* XXX? */
1219 time_after(ticks
, ic
->ic_lastdata
+ vap
->iv_bgscanidle
));
1223 * Return non-zero if a backgrond scan may be started:
1224 * o bg scanning is administratively enabled
1225 * o no channel switch is pending
1226 * o we are not boosted on a dynamic turbo channel
1227 * o there has not been a scan recently
1228 * o there has not been any traffic recently
1231 startbgscan(struct ieee80211vap
*vap
)
1233 struct ieee80211com
*ic
= vap
->iv_ic
;
1235 return ((vap
->iv_flags
& IEEE80211_F_BGSCAN
) &&
1236 (ic
->ic_flags
& IEEE80211_F_CSAPENDING
) == 0 &&
1237 #ifdef IEEE80211_SUPPORT_SUPERG
1238 !IEEE80211_IS_CHAN_DTURBO(ic
->ic_curchan
) &&
1240 time_after(ticks
, ic
->ic_lastscan
+ vap
->iv_bgscanintvl
) &&
1241 time_after(ticks
, ic
->ic_lastdata
+ vap
->iv_bgscanidle
));
1245 sta_recv_mgmt(struct ieee80211_node
*ni
, struct mbuf
*m0
,
1246 int subtype
, int rssi
, int nf
)
1248 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
1249 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
1250 struct ieee80211vap
*vap
= ni
->ni_vap
;
1251 struct ieee80211com
*ic
= ni
->ni_ic
;
1252 struct ieee80211_frame
*wh
;
1253 uint8_t *frm
, *efrm
;
1254 uint8_t *rates
, *xrates
, *wme
, *htcap
, *htinfo
;
1257 wh
= mtod(m0
, struct ieee80211_frame
*);
1258 frm
= (uint8_t *)&wh
[1];
1259 efrm
= mtod(m0
, uint8_t *) + m0
->m_len
;
1261 case IEEE80211_FC0_SUBTYPE_PROBE_RESP
:
1262 case IEEE80211_FC0_SUBTYPE_BEACON
: {
1263 struct ieee80211_scanparams scan
;
1265 * We process beacon/probe response frames:
1266 * o when scanning, or
1267 * o station mode when associated (to collect state
1268 * updates such as 802.11g slot time)
1269 * Frames otherwise received are discarded.
1271 if (!((ic
->ic_flags
& IEEE80211_F_SCAN
) || ni
->ni_associd
)) {
1272 vap
->iv_stats
.is_rx_mgtdiscard
++;
1275 /* XXX probe response in sta mode when !scanning? */
1276 if (ieee80211_parse_beacon(ni
, m0
, &scan
) != 0)
1279 * Count frame now that we know it's to be processed.
1281 if (subtype
== IEEE80211_FC0_SUBTYPE_BEACON
) {
1282 vap
->iv_stats
.is_rx_beacon
++; /* XXX remove */
1283 IEEE80211_NODE_STAT(ni
, rx_beacons
);
1285 IEEE80211_NODE_STAT(ni
, rx_proberesp
);
1287 * When operating in station mode, check for state updates.
1288 * Be careful to ignore beacons received while doing a
1289 * background scan. We consider only 11g/WMM stuff right now.
1291 if (ni
->ni_associd
!= 0 &&
1292 ((ic
->ic_flags
& IEEE80211_F_SCAN
) == 0 ||
1293 IEEE80211_ADDR_EQ(wh
->i_addr2
, ni
->ni_bssid
))) {
1294 /* record tsf of last beacon */
1295 memcpy(ni
->ni_tstamp
.data
, scan
.tstamp
,
1296 sizeof(ni
->ni_tstamp
));
1297 /* count beacon frame for s/w bmiss handling */
1298 vap
->iv_swbmiss_count
++;
1299 vap
->iv_bmiss_count
= 0;
1300 if (ni
->ni_erp
!= scan
.erp
) {
1301 IEEE80211_NOTE_MAC(vap
, IEEE80211_MSG_ASSOC
,
1303 "erp change: was 0x%x, now 0x%x",
1304 ni
->ni_erp
, scan
.erp
);
1305 if (IEEE80211_IS_CHAN_ANYG(ic
->ic_curchan
) &&
1306 (ni
->ni_erp
& IEEE80211_ERP_USE_PROTECTION
))
1307 ic
->ic_flags
|= IEEE80211_F_USEPROT
;
1309 ic
->ic_flags
&= ~IEEE80211_F_USEPROT
;
1310 ni
->ni_erp
= scan
.erp
;
1312 /* XXX driver notification */
1314 if ((ni
->ni_capinfo
^ scan
.capinfo
) & IEEE80211_CAPINFO_SHORT_SLOTTIME
) {
1315 IEEE80211_NOTE_MAC(vap
, IEEE80211_MSG_ASSOC
,
1317 "capabilities change: was 0x%x, now 0x%x",
1318 ni
->ni_capinfo
, scan
.capinfo
);
1320 * NB: we assume short preamble doesn't
1321 * change dynamically
1323 ieee80211_set_shortslottime(ic
,
1324 IEEE80211_IS_CHAN_A(ic
->ic_bsschan
) ||
1325 (scan
.capinfo
& IEEE80211_CAPINFO_SHORT_SLOTTIME
));
1326 ni
->ni_capinfo
= (ni
->ni_capinfo
&~ IEEE80211_CAPINFO_SHORT_SLOTTIME
)
1327 | (scan
.capinfo
& IEEE80211_CAPINFO_SHORT_SLOTTIME
);
1330 if (scan
.wme
!= NULL
&&
1331 (ni
->ni_flags
& IEEE80211_NODE_QOS
) &&
1332 ieee80211_parse_wmeparams(vap
, scan
.wme
, wh
) > 0)
1333 ieee80211_wme_updateparams(vap
);
1334 #ifdef IEEE80211_SUPPORT_SUPERG
1335 if (scan
.ath
!= NULL
)
1336 ieee80211_parse_athparams(ni
, scan
.ath
, wh
);
1338 if (scan
.htcap
!= NULL
&& scan
.htinfo
!= NULL
&&
1339 (vap
->iv_flags_ht
& IEEE80211_FHT_HT
)) {
1340 ieee80211_ht_updateparams(ni
,
1341 scan
.htcap
, scan
.htinfo
);
1342 /* XXX state changes? */
1344 if (scan
.tim
!= NULL
) {
1345 struct ieee80211_tim_ie
*tim
=
1346 (struct ieee80211_tim_ie
*) scan
.tim
;
1348 int aid
= IEEE80211_AID(ni
->ni_associd
);
1349 int ix
= aid
/ NBBY
;
1350 int min
= tim
->tim_bitctl
&~ 1;
1351 int max
= tim
->tim_len
+ min
- 4;
1352 if ((tim
->tim_bitctl
&1) ||
1353 (min
<= ix
&& ix
<= max
&&
1354 isset(tim
->tim_bitmap
- min
, aid
))) {
1356 * XXX Do not let bg scan kick off
1357 * we are expecting data.
1359 ic
->ic_lastdata
= ticks
;
1360 ieee80211_sta_pwrsave(vap
, 0);
1363 ni
->ni_dtim_count
= tim
->tim_count
;
1364 ni
->ni_dtim_period
= tim
->tim_period
;
1366 if (scan
.csa
!= NULL
&&
1367 (vap
->iv_flags
& IEEE80211_F_DOTH
))
1368 ieee80211_parse_csaparams(vap
, scan
.csa
, wh
);
1369 else if (ic
->ic_flags
& IEEE80211_F_CSAPENDING
) {
1371 * No CSA ie or 11h disabled, but a channel
1372 * switch is pending; drop out so we aren't
1373 * stuck in CSA state. If the AP really is
1374 * moving we'll get a beacon miss and scan.
1376 ieee80211_csa_cancelswitch(ic
);
1379 * If scanning, pass the info to the scan module.
1380 * Otherwise, check if it's the right time to do
1381 * a background scan. Background scanning must
1382 * be enabled and we must not be operating in the
1383 * turbo phase of dynamic turbo mode. Then,
1384 * it's been a while since the last background
1385 * scan and if no data frames have come through
1386 * recently, kick off a scan. Note that this
1387 * is the mechanism by which a background scan
1388 * is started _and_ continued each time we
1389 * return on-channel to receive a beacon from
1392 if (ic
->ic_flags
& IEEE80211_F_SCAN
) {
1393 ieee80211_add_scan(vap
, &scan
, wh
,
1395 } else if (contbgscan(vap
)) {
1396 ieee80211_bg_scan(vap
, 0);
1397 } else if (startbgscan(vap
)) {
1398 vap
->iv_stats
.is_scan_bg
++;
1400 /* wakeup if we are sleeing */
1401 ieee80211_set_pwrsave(vap
, 0);
1403 ieee80211_bg_scan(vap
, 0);
1408 * If scanning, just pass information to the scan module.
1410 if (ic
->ic_flags
& IEEE80211_F_SCAN
) {
1411 if (ic
->ic_flags_ext
& IEEE80211_FEXT_PROBECHAN
) {
1413 * Actively scanning a channel marked passive;
1414 * send a probe request now that we know there
1415 * is 802.11 traffic present.
1417 * XXX check if the beacon we recv'd gives
1418 * us what we need and suppress the probe req
1420 ieee80211_probe_curchan(vap
, 1);
1421 ic
->ic_flags_ext
&= ~IEEE80211_FEXT_PROBECHAN
;
1423 ieee80211_add_scan(vap
, &scan
, wh
, subtype
, rssi
, nf
);
1429 case IEEE80211_FC0_SUBTYPE_AUTH
: {
1430 uint16_t algo
, seq
, status
;
1438 IEEE80211_VERIFY_LENGTH(efrm
- frm
, 6, return);
1439 algo
= le16toh(*(uint16_t *)frm
);
1440 seq
= le16toh(*(uint16_t *)(frm
+ 2));
1441 status
= le16toh(*(uint16_t *)(frm
+ 4));
1442 IEEE80211_NOTE_MAC(vap
, IEEE80211_MSG_AUTH
, wh
->i_addr2
,
1443 "recv auth frame with algorithm %d seq %d", algo
, seq
);
1445 if (vap
->iv_flags
& IEEE80211_F_COUNTERM
) {
1446 IEEE80211_DISCARD(vap
,
1447 IEEE80211_MSG_AUTH
| IEEE80211_MSG_CRYPTO
,
1448 wh
, "auth", "%s", "TKIP countermeasures enabled");
1449 vap
->iv_stats
.is_rx_auth_countermeasures
++;
1450 if (vap
->iv_opmode
== IEEE80211_M_HOSTAP
) {
1451 ieee80211_send_error(ni
, wh
->i_addr2
,
1452 IEEE80211_FC0_SUBTYPE_AUTH
,
1453 IEEE80211_REASON_MIC_FAILURE
);
1457 if (algo
== IEEE80211_AUTH_ALG_SHARED
)
1458 sta_auth_shared(ni
, wh
, frm
+ 6, efrm
, rssi
, nf
,
1460 else if (algo
== IEEE80211_AUTH_ALG_OPEN
)
1461 sta_auth_open(ni
, wh
, rssi
, nf
, seq
, status
);
1463 IEEE80211_DISCARD(vap
, IEEE80211_MSG_ANY
,
1464 wh
, "auth", "unsupported alg %d", algo
);
1465 vap
->iv_stats
.is_rx_auth_unsupported
++;
1471 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP
:
1472 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP
: {
1473 uint16_t capinfo
, associd
;
1476 if (vap
->iv_state
!= IEEE80211_S_ASSOC
) {
1477 vap
->iv_stats
.is_rx_mgtdiscard
++;
1482 * asresp frame format
1483 * [2] capability information
1485 * [2] association ID
1486 * [tlv] supported rates
1487 * [tlv] extended supported rates
1489 * [tlv] HT capabilities
1492 IEEE80211_VERIFY_LENGTH(efrm
- frm
, 6, return);
1494 capinfo
= le16toh(*(uint16_t *)frm
);
1496 status
= le16toh(*(uint16_t *)frm
);
1499 IEEE80211_NOTE_MAC(vap
, IEEE80211_MSG_ASSOC
,
1500 wh
->i_addr2
, "%sassoc failed (reason %d)",
1501 ISREASSOC(subtype
) ? "re" : "", status
);
1502 vap
->iv_stats
.is_rx_auth_fail
++; /* XXX */
1505 associd
= le16toh(*(uint16_t *)frm
);
1508 rates
= xrates
= wme
= htcap
= htinfo
= NULL
;
1509 while (efrm
- frm
> 1) {
1510 IEEE80211_VERIFY_LENGTH(efrm
- frm
, frm
[1] + 2, return);
1512 case IEEE80211_ELEMID_RATES
:
1515 case IEEE80211_ELEMID_XRATES
:
1518 case IEEE80211_ELEMID_HTCAP
:
1521 case IEEE80211_ELEMID_HTINFO
:
1524 case IEEE80211_ELEMID_VENDOR
:
1527 else if (vap
->iv_flags_ht
& IEEE80211_FHT_HTCOMPAT
) {
1529 * Accept pre-draft HT ie's if the
1530 * standard ones have not been seen.
1532 if (ishtcapoui(frm
)) {
1535 } else if (ishtinfooui(frm
)) {
1540 /* XXX Atheros OUI support */
1546 IEEE80211_VERIFY_ELEMENT(rates
, IEEE80211_RATE_MAXSIZE
, return);
1548 IEEE80211_VERIFY_ELEMENT(xrates
,
1549 IEEE80211_RATE_MAXSIZE
- rates
[1], return);
1550 rate
= ieee80211_setup_rates(ni
, rates
, xrates
,
1552 IEEE80211_F_DOSORT
| IEEE80211_F_DOFRATE
|
1553 IEEE80211_F_DONEGO
| IEEE80211_F_DODEL
);
1554 if (rate
& IEEE80211_RATE_BASIC
) {
1555 IEEE80211_NOTE_MAC(vap
, IEEE80211_MSG_ASSOC
,
1557 "%sassoc failed (rate set mismatch)",
1558 ISREASSOC(subtype
) ? "re" : "");
1559 vap
->iv_stats
.is_rx_assoc_norate
++;
1560 ieee80211_new_state(vap
, IEEE80211_S_SCAN
,
1561 IEEE80211_SCAN_FAIL_STATUS
);
1565 ni
->ni_capinfo
= capinfo
;
1566 ni
->ni_associd
= associd
;
1567 if (ni
->ni_jointime
== 0)
1568 ni
->ni_jointime
= time_second
;
1570 ieee80211_parse_wmeparams(vap
, wme
, wh
) >= 0) {
1571 ni
->ni_flags
|= IEEE80211_NODE_QOS
;
1572 ieee80211_wme_updateparams(vap
);
1574 ni
->ni_flags
&= ~IEEE80211_NODE_QOS
;
1576 * Setup HT state according to the negotiation.
1578 * NB: shouldn't need to check if HT use is enabled but some
1579 * ap's send back HT ie's even when we don't indicate we
1580 * are HT capable in our AssocReq.
1582 if (htcap
!= NULL
&& htinfo
!= NULL
&&
1583 (vap
->iv_flags_ht
& IEEE80211_FHT_HT
)) {
1584 ieee80211_ht_node_init(ni
);
1585 ieee80211_ht_updateparams(ni
, htcap
, htinfo
);
1586 ieee80211_setup_htrates(ni
, htcap
,
1587 IEEE80211_F_JOIN
| IEEE80211_F_DOBRS
);
1588 ieee80211_setup_basic_htrates(ni
, htinfo
);
1589 ieee80211_node_setuptxparms(ni
);
1591 #ifdef IEEE80211_SUPPORT_SUPERG
1592 if (IEEE80211_ATH_CAP(vap
, ni
, IEEE80211_NODE_ATH
))
1593 ieee80211_ff_node_init(ni
);
1597 * Configure state now that we are associated.
1599 * XXX may need different/additional driver callbacks?
1601 if (IEEE80211_IS_CHAN_A(ic
->ic_curchan
) ||
1602 (ni
->ni_capinfo
& IEEE80211_CAPINFO_SHORT_PREAMBLE
)) {
1603 ic
->ic_flags
|= IEEE80211_F_SHPREAMBLE
;
1604 ic
->ic_flags
&= ~IEEE80211_F_USEBARKER
;
1606 ic
->ic_flags
&= ~IEEE80211_F_SHPREAMBLE
;
1607 ic
->ic_flags
|= IEEE80211_F_USEBARKER
;
1609 ieee80211_set_shortslottime(ic
,
1610 IEEE80211_IS_CHAN_A(ic
->ic_curchan
) ||
1611 (ni
->ni_capinfo
& IEEE80211_CAPINFO_SHORT_SLOTTIME
));
1613 * Honor ERP protection.
1615 * NB: ni_erp should zero for non-11g operation.
1617 if (IEEE80211_IS_CHAN_ANYG(ic
->ic_curchan
) &&
1618 (ni
->ni_erp
& IEEE80211_ERP_USE_PROTECTION
))
1619 ic
->ic_flags
|= IEEE80211_F_USEPROT
;
1621 ic
->ic_flags
&= ~IEEE80211_F_USEPROT
;
1622 IEEE80211_NOTE_MAC(vap
,
1623 IEEE80211_MSG_ASSOC
| IEEE80211_MSG_DEBUG
, wh
->i_addr2
,
1624 "%sassoc success at aid %d: %s preamble, %s slot time%s%s%s%s%s%s%s%s",
1625 ISREASSOC(subtype
) ? "re" : "",
1626 IEEE80211_NODE_AID(ni
),
1627 ic
->ic_flags
&IEEE80211_F_SHPREAMBLE
? "short" : "long",
1628 ic
->ic_flags
&IEEE80211_F_SHSLOT
? "short" : "long",
1629 ic
->ic_flags
&IEEE80211_F_USEPROT
? ", protection" : "",
1630 ni
->ni_flags
& IEEE80211_NODE_QOS
? ", QoS" : "",
1631 ni
->ni_flags
& IEEE80211_NODE_HT
?
1632 (ni
->ni_chw
== 40 ? ", HT40" : ", HT20") : "",
1633 ni
->ni_flags
& IEEE80211_NODE_AMPDU
? " (+AMPDU)" : "",
1634 ni
->ni_flags
& IEEE80211_NODE_MIMO_RTS
? " (+SMPS-DYN)" :
1635 ni
->ni_flags
& IEEE80211_NODE_MIMO_PS
? " (+SMPS)" : "",
1636 ni
->ni_flags
& IEEE80211_NODE_RIFS
? " (+RIFS)" : "",
1637 IEEE80211_ATH_CAP(vap
, ni
, IEEE80211_NODE_FF
) ?
1638 ", fast-frames" : "",
1639 IEEE80211_ATH_CAP(vap
, ni
, IEEE80211_NODE_TURBOP
) ?
1642 ieee80211_new_state(vap
, IEEE80211_S_RUN
, subtype
);
1646 case IEEE80211_FC0_SUBTYPE_DEAUTH
: {
1649 if (vap
->iv_state
== IEEE80211_S_SCAN
) {
1650 vap
->iv_stats
.is_rx_mgtdiscard
++;
1653 if (!IEEE80211_ADDR_EQ(wh
->i_addr1
, vap
->iv_myaddr
)) {
1654 /* NB: can happen when in promiscuous mode */
1655 vap
->iv_stats
.is_rx_mgtdiscard
++;
1660 * deauth frame format
1663 IEEE80211_VERIFY_LENGTH(efrm
- frm
, 2, return);
1664 reason
= le16toh(*(uint16_t *)frm
);
1666 vap
->iv_stats
.is_rx_deauth
++;
1667 vap
->iv_stats
.is_rx_deauth_code
= reason
;
1668 IEEE80211_NODE_STAT(ni
, rx_deauth
);
1670 IEEE80211_NOTE(vap
, IEEE80211_MSG_AUTH
, ni
,
1671 "recv deauthenticate (reason %d)", reason
);
1672 ieee80211_new_state(vap
, IEEE80211_S_AUTH
,
1673 (reason
<< 8) | IEEE80211_FC0_SUBTYPE_DEAUTH
);
1677 case IEEE80211_FC0_SUBTYPE_DISASSOC
: {
1680 if (vap
->iv_state
!= IEEE80211_S_RUN
&&
1681 vap
->iv_state
!= IEEE80211_S_ASSOC
&&
1682 vap
->iv_state
!= IEEE80211_S_AUTH
) {
1683 vap
->iv_stats
.is_rx_mgtdiscard
++;
1686 if (!IEEE80211_ADDR_EQ(wh
->i_addr1
, vap
->iv_myaddr
)) {
1687 /* NB: can happen when in promiscuous mode */
1688 vap
->iv_stats
.is_rx_mgtdiscard
++;
1693 * disassoc frame format
1696 IEEE80211_VERIFY_LENGTH(efrm
- frm
, 2, return);
1697 reason
= le16toh(*(uint16_t *)frm
);
1699 vap
->iv_stats
.is_rx_disassoc
++;
1700 vap
->iv_stats
.is_rx_disassoc_code
= reason
;
1701 IEEE80211_NODE_STAT(ni
, rx_disassoc
);
1703 IEEE80211_NOTE(vap
, IEEE80211_MSG_ASSOC
, ni
,
1704 "recv disassociate (reason %d)", reason
);
1705 ieee80211_new_state(vap
, IEEE80211_S_ASSOC
, 0);
1709 case IEEE80211_FC0_SUBTYPE_ACTION
:
1710 if (vap
->iv_state
== IEEE80211_S_RUN
) {
1711 if (ieee80211_parse_action(ni
, m0
) == 0)
1712 ic
->ic_recv_action(ni
, wh
, frm
, efrm
);
1714 vap
->iv_stats
.is_rx_mgtdiscard
++;
1717 case IEEE80211_FC0_SUBTYPE_PROBE_REQ
:
1718 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ
:
1719 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ
:
1720 vap
->iv_stats
.is_rx_mgtdiscard
++;
1723 IEEE80211_DISCARD(vap
, IEEE80211_MSG_ANY
,
1724 wh
, "mgt", "subtype 0x%x not handled", subtype
);
1725 vap
->iv_stats
.is_rx_badsubtype
++;
1733 sta_recv_ctl(struct ieee80211_node
*ni
, struct mbuf
*m0
, int subtype
)