2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
32 * IEEE 802.11 Station mode support.
37 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/malloc.h>
41 #include <sys/kernel.h>
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
48 #include <sys/sysctl.h>
51 #include <net/if_media.h>
52 #include <net/if_llc.h>
53 #include <net/ethernet.h>
57 #include <net80211/ieee80211_var.h>
58 #include <net80211/ieee80211_sta.h>
59 #include <net80211/ieee80211_input.h>
60 #ifdef IEEE80211_SUPPORT_SUPERG
61 #include <net80211/ieee80211_superg.h>
64 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
66 static void sta_vattach(struct ieee80211vap *);
67 static void sta_beacon_miss(struct ieee80211vap *);
68 static int sta_newstate(struct ieee80211vap *, enum ieee80211_state, int);
69 static int sta_input(struct ieee80211_node *, struct mbuf *, int, int);
70 static void sta_recv_mgmt(struct ieee80211_node *, struct mbuf *,
71 int subtype, int rssi, int nf);
72 static void sta_recv_ctl(struct ieee80211_node *, struct mbuf *, int subtype);
75 ieee80211_sta_attach(struct ieee80211com *ic)
77 ic->ic_vattach[IEEE80211_M_STA] = sta_vattach;
81 ieee80211_sta_detach(struct ieee80211com *ic)
86 sta_vdetach(struct ieee80211vap *vap)
91 sta_vattach(struct ieee80211vap *vap)
93 vap->iv_newstate = sta_newstate;
94 vap->iv_input = sta_input;
95 vap->iv_recv_mgmt = sta_recv_mgmt;
96 vap->iv_recv_ctl = sta_recv_ctl;
97 vap->iv_opdetach = sta_vdetach;
98 vap->iv_bmiss = sta_beacon_miss;
102 * Handle a beacon miss event. The common code filters out
103 * spurious events that can happen when scanning and/or before
104 * reaching RUN state.
107 sta_beacon_miss(struct ieee80211vap *vap)
109 KASSERT((vap->iv_ic->ic_flags & IEEE80211_F_SCAN) == 0, ("scanning"));
110 KASSERT(vap->iv_state == IEEE80211_S_RUN,
111 ("wrong state %d", vap->iv_state));
113 IEEE80211_DPRINTF(vap,
114 IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG,
115 "beacon miss, mode %u state %s\n",
116 vap->iv_opmode, ieee80211_state_name[vap->iv_state]);
118 if (++vap->iv_bmiss_count < vap->iv_bmiss_max) {
120 * Send a directed probe req before falling back to a
121 * scan; if we receive a response ic_bmiss_count will
122 * be reset. Some cards mistakenly report beacon miss
123 * so this avoids the expensive scan if the ap is
126 ieee80211_send_probereq(vap->iv_bss, vap->iv_myaddr,
127 vap->iv_bss->ni_bssid, vap->iv_bss->ni_bssid,
128 vap->iv_bss->ni_essid, vap->iv_bss->ni_esslen);
131 vap->iv_bmiss_count = 0;
132 vap->iv_stats.is_beacon_miss++;
133 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
134 #ifdef IEEE80211_SUPPORT_SUPERG
135 struct ieee80211com *ic = vap->iv_ic;
138 * If we receive a beacon miss interrupt when using
139 * dynamic turbo, attempt to switch modes before
142 if (IEEE80211_ATH_CAP(vap, vap->iv_bss, IEEE80211_NODE_TURBOP))
143 ieee80211_dturbo_switch(vap,
144 ic->ic_bsschan->ic_flags ^ IEEE80211_CHAN_TURBO);
147 * Try to reassociate before scanning for a new ap.
149 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 1);
152 * Somebody else is controlling state changes (e.g.
153 * a user-mode app) don't do anything that would
154 * confuse them; just drop into scan mode so they'll
155 * notified of the state change and given control.
157 ieee80211_new_state(vap, IEEE80211_S_SCAN, 0);
162 * Handle deauth with reason. We retry only for
163 * the cases where we might succeed. Otherwise
164 * we downgrade the ap and scan.
167 sta_authretry(struct ieee80211vap *vap, struct ieee80211_node *ni, int reason)
170 case IEEE80211_STATUS_SUCCESS: /* NB: MLME assoc */
171 case IEEE80211_STATUS_TIMEOUT:
172 case IEEE80211_REASON_ASSOC_EXPIRE:
173 case IEEE80211_REASON_NOT_AUTHED:
174 case IEEE80211_REASON_NOT_ASSOCED:
175 case IEEE80211_REASON_ASSOC_LEAVE:
176 case IEEE80211_REASON_ASSOC_NOT_AUTHED:
177 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, 1);
180 ieee80211_scan_assoc_fail(vap, vap->iv_bss->ni_macaddr, reason);
181 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
182 ieee80211_check_scan_current(vap);
188 * IEEE80211_M_STA vap state machine handler.
189 * This routine handles the main states in the 802.11 protocol.
192 sta_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
194 struct ieee80211com *ic = vap->iv_ic;
195 struct ieee80211_node *ni;
196 enum ieee80211_state ostate;
198 IEEE80211_LOCK_ASSERT(ic);
200 ostate = vap->iv_state;
201 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
202 __func__, ieee80211_state_name[ostate],
203 ieee80211_state_name[nstate], arg);
204 vap->iv_state = nstate; /* state transition */
205 callout_stop(&vap->iv_mgtsend); /* XXX callout_drain */
206 if (ostate != IEEE80211_S_SCAN)
207 ieee80211_cancel_scan(vap); /* background scan */
208 ni = vap->iv_bss; /* NB: no reference held */
209 if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)
210 callout_stop(&vap->iv_swbmiss);
212 case IEEE80211_S_INIT:
214 case IEEE80211_S_SLEEP:
216 case IEEE80211_S_RUN:
217 IEEE80211_SEND_MGMT(ni,
218 IEEE80211_FC0_SUBTYPE_DISASSOC,
219 IEEE80211_REASON_ASSOC_LEAVE);
220 ieee80211_sta_leave(ni);
222 case IEEE80211_S_ASSOC:
223 IEEE80211_SEND_MGMT(ni,
224 IEEE80211_FC0_SUBTYPE_DEAUTH,
225 IEEE80211_REASON_AUTH_LEAVE);
227 case IEEE80211_S_SCAN:
228 ieee80211_cancel_scan(vap);
233 if (ostate != IEEE80211_S_INIT) {
234 /* NB: optimize INIT -> INIT case */
235 ieee80211_reset_bss(vap);
237 if (vap->iv_auth->ia_detach != NULL)
238 vap->iv_auth->ia_detach(vap);
240 case IEEE80211_S_SCAN:
242 case IEEE80211_S_INIT:
244 * Initiate a scan. We can come here as a result
245 * of an IEEE80211_IOC_SCAN_REQ too in which case
246 * the vap will be marked with IEEE80211_FEXT_SCANREQ
247 * and the scan request parameters will be present
248 * in iv_scanreq. Otherwise we do the default.
250 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
251 ieee80211_check_scan(vap,
252 vap->iv_scanreq_flags,
253 vap->iv_scanreq_duration,
254 vap->iv_scanreq_mindwell,
255 vap->iv_scanreq_maxdwell,
256 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
257 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
259 ieee80211_check_scan_current(vap);
261 case IEEE80211_S_SCAN:
262 case IEEE80211_S_AUTH:
263 case IEEE80211_S_ASSOC:
265 * These can happen either because of a timeout
266 * on an assoc/auth response or because of a
267 * change in state that requires a reset. For
268 * the former we're called with a non-zero arg
269 * that is the cause for the failure; pass this
270 * to the scan code so it can update state.
271 * Otherwise trigger a new scan unless we're in
272 * manual roaming mode in which case an application
273 * must issue an explicit scan request.
276 ieee80211_scan_assoc_fail(vap,
277 vap->iv_bss->ni_macaddr, arg);
278 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
279 ieee80211_check_scan_current(vap);
281 case IEEE80211_S_RUN: /* beacon miss */
283 * Beacon miss. Notify user space and if not
284 * under control of a user application (roaming
285 * manual) kick off a scan to re-connect.
287 ieee80211_sta_leave(ni);
288 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
289 ieee80211_check_scan_current(vap);
295 case IEEE80211_S_AUTH:
297 case IEEE80211_S_INIT:
298 case IEEE80211_S_SCAN:
299 IEEE80211_SEND_MGMT(ni,
300 IEEE80211_FC0_SUBTYPE_AUTH, 1);
302 case IEEE80211_S_AUTH:
303 case IEEE80211_S_ASSOC:
304 switch (arg & 0xff) {
305 case IEEE80211_FC0_SUBTYPE_AUTH:
307 IEEE80211_SEND_MGMT(ni,
308 IEEE80211_FC0_SUBTYPE_AUTH, 2);
310 case IEEE80211_FC0_SUBTYPE_DEAUTH:
311 sta_authretry(vap, ni, arg>>8);
315 case IEEE80211_S_RUN:
316 switch (arg & 0xff) {
317 case IEEE80211_FC0_SUBTYPE_AUTH:
318 IEEE80211_SEND_MGMT(ni,
319 IEEE80211_FC0_SUBTYPE_AUTH, 2);
320 vap->iv_state = ostate; /* stay RUN */
322 case IEEE80211_FC0_SUBTYPE_DEAUTH:
323 ieee80211_sta_leave(ni);
324 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
326 IEEE80211_SEND_MGMT(ni,
327 IEEE80211_FC0_SUBTYPE_AUTH, 1);
336 case IEEE80211_S_ASSOC:
338 case IEEE80211_S_AUTH:
339 case IEEE80211_S_ASSOC:
340 IEEE80211_SEND_MGMT(ni,
341 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
343 case IEEE80211_S_SLEEP: /* cannot happen */
344 case IEEE80211_S_RUN:
345 ieee80211_sta_leave(ni);
346 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
347 IEEE80211_SEND_MGMT(ni, arg ?
348 IEEE80211_FC0_SUBTYPE_REASSOC_REQ :
349 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
356 case IEEE80211_S_RUN:
357 if (vap->iv_flags & IEEE80211_F_WPA) {
358 /* XXX validate prerequisites */
361 case IEEE80211_S_RUN:
363 case IEEE80211_S_AUTH: /* when join is done in fw */
364 case IEEE80211_S_ASSOC:
365 #ifdef IEEE80211_DEBUG
366 if (ieee80211_msg_debug(vap)) {
367 ieee80211_note(vap, "%s with %s ssid ",
368 (vap->iv_opmode == IEEE80211_M_STA ?
369 "associated" : "synchronized"),
370 ether_sprintf(ni->ni_bssid));
371 ieee80211_print_essid(vap->iv_bss->ni_essid,
374 printf(" channel %d start %uMb\n",
375 ieee80211_chan2ieee(ic, ic->ic_curchan),
376 IEEE80211_RATE2MBS(ni->ni_txrate));
379 ieee80211_scan_assoc_success(vap, ni->ni_macaddr);
380 ieee80211_notify_node_join(ni,
381 arg == IEEE80211_FC0_SUBTYPE_ASSOC_RESP);
383 case IEEE80211_S_SLEEP:
384 ieee80211_sta_pwrsave(vap, 0);
389 ieee80211_sync_curchan(ic);
390 if (ostate != IEEE80211_S_RUN &&
391 (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)) {
393 * Start s/w beacon miss timer for devices w/o
394 * hardware support. We fudge a bit here since
395 * we're doing this in software.
397 vap->iv_swbmiss_period = IEEE80211_TU_TO_TICKS(
398 2 * vap->iv_bmissthreshold * ni->ni_intval);
399 vap->iv_swbmiss_count = 0;
400 callout_reset(&vap->iv_swbmiss, vap->iv_swbmiss_period,
401 ieee80211_swbmiss, vap);
404 * When 802.1x is not in use mark the port authorized
405 * at this point so traffic can flow.
407 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
408 ieee80211_node_authorize(ni);
410 * Fake association when joining an existing bss.
412 if (ic->ic_newassoc != NULL)
413 ic->ic_newassoc(vap->iv_bss, ostate != IEEE80211_S_RUN);
415 case IEEE80211_S_SLEEP:
416 ieee80211_sta_pwrsave(vap, 0);
420 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
421 "%s: unexpected state transition %s -> %s\n", __func__,
422 ieee80211_state_name[ostate], ieee80211_state_name[nstate]);
429 * Return non-zero if the frame is an echo of a multicast
430 * frame sent by ourself. The dir is known to be DSTODS.
433 isdstods_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
435 #define QWH4(wh) ((const struct ieee80211_qosframe_addr4 *)wh)
436 #define WH4(wh) ((const struct ieee80211_frame_addr4 *)wh)
439 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
441 if (!IEEE80211_IS_MULTICAST(wh->i_addr3))
443 sa = IEEE80211_QOS_HAS_SEQ(wh) ? QWH4(wh)->i_addr4 : WH4(wh)->i_addr4;
444 return IEEE80211_ADDR_EQ(sa, vap->iv_myaddr);
450 * Return non-zero if the frame is an echo of a multicast
451 * frame sent by ourself. The dir is known to be FROMDS.
454 isfromds_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
456 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
458 if (!IEEE80211_IS_MULTICAST(wh->i_addr1))
460 return IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_myaddr);
464 * Decide if a received management frame should be
465 * printed when debugging is enabled. This filters some
466 * of the less interesting frames that come frequently
470 doprint(struct ieee80211vap *vap, int subtype)
473 case IEEE80211_FC0_SUBTYPE_BEACON:
474 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
475 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
482 * Process a received frame. The node associated with the sender
483 * should be supplied. If nothing was found in the node table then
484 * the caller is assumed to supply a reference to iv_bss instead.
485 * The RSSI and a timestamp are also supplied. The RSSI data is used
486 * during AP scanning to select a AP to associate with; it can have
487 * any units so long as values have consistent units and higher values
488 * mean ``better signal''. The receive timestamp is currently not used
489 * by the 802.11 layer.
492 sta_input(struct ieee80211_node *ni, struct mbuf *m, int rssi, int nf)
494 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
495 #define HAS_SEQ(type) ((type & 0x4) == 0)
496 struct ieee80211vap *vap = ni->ni_vap;
497 struct ieee80211com *ic = ni->ni_ic;
498 struct ifnet *ifp = vap->iv_ifp;
499 struct ieee80211_frame *wh;
500 struct ieee80211_key *key;
501 struct ether_header *eh;
502 int hdrspace, need_tap;
503 uint8_t dir, type, subtype, qos;
507 if (m->m_flags & M_AMPDU_MPDU) {
509 * Fastpath for A-MPDU reorder q resubmission. Frames
510 * w/ M_AMPDU_MPDU marked have already passed through
511 * here but were received out of order and been held on
512 * the reorder queue. When resubmitted they are marked
513 * with the M_AMPDU_MPDU flag and we can bypass most of
514 * the normal processing.
516 wh = mtod(m, struct ieee80211_frame *);
517 type = IEEE80211_FC0_TYPE_DATA;
518 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
519 subtype = IEEE80211_FC0_SUBTYPE_QOS;
520 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
524 KASSERT(ni != NULL, ("null node"));
525 ni->ni_inact = ni->ni_inact_reload;
527 need_tap = 1; /* mbuf need to be tapped. */
528 type = -1; /* undefined */
530 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
531 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
532 ni->ni_macaddr, NULL,
533 "too short (1): len %u", m->m_pkthdr.len);
534 vap->iv_stats.is_rx_tooshort++;
538 * Bit of a cheat here, we use a pointer for a 3-address
539 * frame format but don't reference fields past outside
540 * ieee80211_frame_min w/o first validating the data is
543 wh = mtod(m, struct ieee80211_frame *);
545 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
546 IEEE80211_FC0_VERSION_0) {
547 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
548 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
549 wh->i_fc[0], wh->i_fc[1]);
550 vap->iv_stats.is_rx_badversion++;
554 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
555 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
556 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
557 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
559 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
560 /* not interested in */
561 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
562 bssid, NULL, "%s", "not to bss");
563 vap->iv_stats.is_rx_wrongbss++;
566 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
569 uint8_t tid = ieee80211_gettid(wh);
570 if (IEEE80211_QOS_HAS_SEQ(wh) &&
571 TID_TO_WME_AC(tid) >= WME_AC_VI)
572 ic->ic_wme.wme_hipri_traffic++;
573 rxseq = le16toh(*(uint16_t *)wh->i_seq);
574 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
575 (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
576 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
577 /* duplicate, discard */
578 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
580 "seqno <%u,%u> fragno <%u,%u> tid %u",
581 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
582 ni->ni_rxseqs[tid] >>
583 IEEE80211_SEQ_SEQ_SHIFT,
584 rxseq & IEEE80211_SEQ_FRAG_MASK,
586 IEEE80211_SEQ_FRAG_MASK,
588 vap->iv_stats.is_rx_dup++;
589 IEEE80211_NODE_STAT(ni, rx_dup);
592 ni->ni_rxseqs[tid] = rxseq;
597 case IEEE80211_FC0_TYPE_DATA:
598 hdrspace = ieee80211_hdrspace(ic, wh);
599 if (m->m_len < hdrspace &&
600 (m = m_pullup(m, hdrspace)) == NULL) {
601 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
602 ni->ni_macaddr, NULL,
603 "data too short: expecting %u", hdrspace);
604 vap->iv_stats.is_rx_tooshort++;
608 * Handle A-MPDU re-ordering. If the frame is to be
609 * processed directly then ieee80211_ampdu_reorder
610 * will return 0; otherwise it has consumed the mbuf
611 * and we should do nothing more with it.
613 if ((m->m_flags & M_AMPDU) &&
614 (dir == IEEE80211_FC1_DIR_FROMDS ||
615 dir == IEEE80211_FC1_DIR_DSTODS) &&
616 ieee80211_ampdu_reorder(ni, m) != 0) {
621 if (dir == IEEE80211_FC1_DIR_FROMDS) {
622 if ((ifp->if_flags & IFF_SIMPLEX) &&
623 isfromds_mcastecho(vap, wh)) {
625 * In IEEE802.11 network, multicast
626 * packets sent from "me" are broadcast
627 * from the AP; silently discard for
630 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
631 wh, "data", "%s", "multicast echo");
632 vap->iv_stats.is_rx_mcastecho++;
635 if ((vap->iv_flags & IEEE80211_F_DWDS) &&
636 IEEE80211_IS_MULTICAST(wh->i_addr1)) {
638 * DWDS sta's must drop 3-address mcast frames
639 * as they will be sent separately as a 4-addr
640 * frame. Accepting the 3-addr frame will
641 * confuse the bridge into thinking the sending
642 * sta is located at the end of WDS link.
644 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
645 "3-address data", "%s", "DWDS enabled");
646 vap->iv_stats.is_rx_mcastecho++;
649 } else if (dir == IEEE80211_FC1_DIR_DSTODS) {
650 if ((vap->iv_flags & IEEE80211_F_DWDS) == 0) {
651 IEEE80211_DISCARD(vap,
652 IEEE80211_MSG_INPUT, wh, "4-address data",
653 "%s", "DWDS not enabled");
654 vap->iv_stats.is_rx_wrongdir++;
657 if ((ifp->if_flags & IFF_SIMPLEX) &&
658 isdstods_mcastecho(vap, wh)) {
660 * In IEEE802.11 network, multicast
661 * packets sent from "me" are broadcast
662 * from the AP; silently discard for
665 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
666 "4-address data", "%s", "multicast echo");
667 vap->iv_stats.is_rx_mcastecho++;
671 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
672 "data", "incorrect dir 0x%x", dir);
673 vap->iv_stats.is_rx_wrongdir++;
678 * Handle privacy requirements. Note that we
679 * must not be preempted from here until after
680 * we (potentially) call ieee80211_crypto_demic;
681 * otherwise we may violate assumptions in the
682 * crypto cipher modules used to do delayed update
683 * of replay sequence numbers.
685 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
686 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
688 * Discard encrypted frames when privacy is off.
690 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
691 wh, "WEP", "%s", "PRIVACY off");
692 vap->iv_stats.is_rx_noprivacy++;
693 IEEE80211_NODE_STAT(ni, rx_noprivacy);
696 key = ieee80211_crypto_decap(ni, m, hdrspace);
698 /* NB: stats+msgs handled in crypto_decap */
699 IEEE80211_NODE_STAT(ni, rx_wepfail);
702 wh = mtod(m, struct ieee80211_frame *);
703 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
705 /* XXX M_WEP and IEEE80211_F_PRIVACY */
710 * Save QoS bits for use below--before we strip the header.
712 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
713 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
714 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
715 ((struct ieee80211_qosframe *)wh)->i_qos[0];
720 * Next up, any fragmentation.
722 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
723 m = ieee80211_defrag(ni, m, hdrspace);
725 /* Fragment dropped or frame not complete yet */
729 wh = NULL; /* no longer valid, catch any uses */
732 * Next strip any MSDU crypto bits.
734 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
735 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
736 ni->ni_macaddr, "data", "%s", "demic error");
737 vap->iv_stats.is_rx_demicfail++;
738 IEEE80211_NODE_STAT(ni, rx_demicfail);
742 /* copy to listener after decrypt */
743 if (ieee80211_radiotap_active_vap(vap))
744 ieee80211_radiotap_tx(vap, m);
748 * Finally, strip the 802.11 header.
750 m = ieee80211_decap(vap, m, hdrspace);
752 /* XXX mask bit to check for both */
753 /* don't count Null data frames as errors */
754 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
755 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
757 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
758 ni->ni_macaddr, "data", "%s", "decap error");
759 vap->iv_stats.is_rx_decap++;
760 IEEE80211_NODE_STAT(ni, rx_decap);
763 eh = mtod(m, struct ether_header *);
764 if (!ieee80211_node_is_authorized(ni)) {
766 * Deny any non-PAE frames received prior to
767 * authorization. For open/shared-key
768 * authentication the port is mark authorized
769 * after authentication completes. For 802.1x
770 * the port is not marked authorized by the
771 * authenticator until the handshake has completed.
773 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
774 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
775 eh->ether_shost, "data",
776 "unauthorized port: ether type 0x%x len %u",
777 eh->ether_type, m->m_pkthdr.len);
778 vap->iv_stats.is_rx_unauth++;
779 IEEE80211_NODE_STAT(ni, rx_unauth);
784 * When denying unencrypted frames, discard
785 * any non-PAE frames received without encryption.
787 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
788 (key == NULL && (m->m_flags & M_WEP) == 0) &&
789 eh->ether_type != htons(ETHERTYPE_PAE)) {
791 * Drop unencrypted frames.
793 vap->iv_stats.is_rx_unencrypted++;
794 IEEE80211_NODE_STAT(ni, rx_unencrypted);
798 /* XXX require HT? */
799 if (qos & IEEE80211_QOS_AMSDU) {
800 m = ieee80211_decap_amsdu(ni, m);
802 return IEEE80211_FC0_TYPE_DATA;
804 #ifdef IEEE80211_SUPPORT_SUPERG
805 m = ieee80211_decap_fastframe(vap, ni, m);
807 return IEEE80211_FC0_TYPE_DATA;
810 ieee80211_deliver_data(vap, ni, m);
811 return IEEE80211_FC0_TYPE_DATA;
813 case IEEE80211_FC0_TYPE_MGT:
814 vap->iv_stats.is_rx_mgmt++;
815 IEEE80211_NODE_STAT(ni, rx_mgmt);
816 if (dir != IEEE80211_FC1_DIR_NODS) {
817 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
818 wh, "data", "incorrect dir 0x%x", dir);
819 vap->iv_stats.is_rx_wrongdir++;
822 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
823 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
824 ni->ni_macaddr, "mgt", "too short: len %u",
826 vap->iv_stats.is_rx_tooshort++;
829 #ifdef IEEE80211_DEBUG
830 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
831 ieee80211_msg_dumppkts(vap)) {
832 if_printf(ifp, "received %s from %s rssi %d\n",
833 ieee80211_mgt_subtype_name[subtype >>
834 IEEE80211_FC0_SUBTYPE_SHIFT],
835 ether_sprintf(wh->i_addr2), rssi);
838 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
839 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
841 * Only shared key auth frames with a challenge
842 * should be encrypted, discard all others.
844 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
845 wh, ieee80211_mgt_subtype_name[subtype >>
846 IEEE80211_FC0_SUBTYPE_SHIFT],
847 "%s", "WEP set but not permitted");
848 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
851 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
853 * Discard encrypted frames when privacy is off.
855 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
856 wh, "mgt", "%s", "WEP set but PRIVACY off");
857 vap->iv_stats.is_rx_noprivacy++;
860 hdrspace = ieee80211_hdrspace(ic, wh);
861 key = ieee80211_crypto_decap(ni, m, hdrspace);
863 /* NB: stats+msgs handled in crypto_decap */
866 wh = mtod(m, struct ieee80211_frame *);
867 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
869 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf);
872 case IEEE80211_FC0_TYPE_CTL:
873 vap->iv_stats.is_rx_ctl++;
874 IEEE80211_NODE_STAT(ni, rx_ctrl);
875 vap->iv_recv_ctl(ni, m, subtype);
879 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
880 wh, NULL, "bad frame type 0x%x", type);
881 /* should not come here */
888 if (need_tap && ieee80211_radiotap_active_vap(vap))
889 ieee80211_radiotap_rx(vap, m);
897 sta_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
898 int rssi, int nf, uint16_t seq, uint16_t status)
900 struct ieee80211vap *vap = ni->ni_vap;
902 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
903 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
904 ni->ni_macaddr, "open auth",
905 "bad sta auth mode %u", ni->ni_authmode);
906 vap->iv_stats.is_rx_bad_auth++; /* XXX */
909 if (vap->iv_state != IEEE80211_S_AUTH ||
910 seq != IEEE80211_AUTH_OPEN_RESPONSE) {
911 vap->iv_stats.is_rx_bad_auth++;
915 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
916 ni, "open auth failed (reason %d)", status);
917 vap->iv_stats.is_rx_auth_fail++;
918 vap->iv_stats.is_rx_authfail_code = status;
919 ieee80211_new_state(vap, IEEE80211_S_SCAN,
920 IEEE80211_SCAN_FAIL_STATUS);
922 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
926 sta_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
927 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
928 uint16_t seq, uint16_t status)
930 struct ieee80211vap *vap = ni->ni_vap;
935 * NB: this can happen as we allow pre-shared key
936 * authentication to be enabled w/o wep being turned
937 * on so that configuration of these can be done
938 * in any order. It may be better to enforce the
939 * ordering in which case this check would just be
940 * for sanity/consistency.
942 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
943 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
944 ni->ni_macaddr, "shared key auth",
945 "%s", " PRIVACY is disabled");
946 estatus = IEEE80211_STATUS_ALG;
950 * Pre-shared key authentication is evil; accept
951 * it only if explicitly configured (it is supported
952 * mainly for compatibility with clients like OS X).
954 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
955 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
956 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
957 ni->ni_macaddr, "shared key auth",
958 "bad sta auth mode %u", ni->ni_authmode);
959 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
960 estatus = IEEE80211_STATUS_ALG;
965 if (frm + 1 < efrm) {
966 if ((frm[1] + 2) > (efrm - frm)) {
967 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
968 ni->ni_macaddr, "shared key auth",
970 frm[0], (frm[1] + 2) - (efrm - frm));
971 vap->iv_stats.is_rx_bad_auth++;
972 estatus = IEEE80211_STATUS_CHALLENGE;
975 if (*frm == IEEE80211_ELEMID_CHALLENGE)
980 case IEEE80211_AUTH_SHARED_CHALLENGE:
981 case IEEE80211_AUTH_SHARED_RESPONSE:
982 if (challenge == NULL) {
983 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
984 ni->ni_macaddr, "shared key auth",
985 "%s", "no challenge");
986 vap->iv_stats.is_rx_bad_auth++;
987 estatus = IEEE80211_STATUS_CHALLENGE;
990 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
991 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
992 ni->ni_macaddr, "shared key auth",
993 "bad challenge len %d", challenge[1]);
994 vap->iv_stats.is_rx_bad_auth++;
995 estatus = IEEE80211_STATUS_CHALLENGE;
1001 if (vap->iv_state != IEEE80211_S_AUTH)
1004 case IEEE80211_AUTH_SHARED_PASS:
1005 if (ni->ni_challenge != NULL) {
1006 free(ni->ni_challenge, M_80211_NODE);
1007 ni->ni_challenge = NULL;
1010 IEEE80211_NOTE_FRAME(vap,
1011 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, wh,
1012 "shared key auth failed (reason %d)", status);
1013 vap->iv_stats.is_rx_auth_fail++;
1014 vap->iv_stats.is_rx_authfail_code = status;
1017 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1019 case IEEE80211_AUTH_SHARED_CHALLENGE:
1020 if (!ieee80211_alloc_challenge(ni))
1022 /* XXX could optimize by passing recvd challenge */
1023 memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1024 IEEE80211_SEND_MGMT(ni,
1025 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1028 IEEE80211_DISCARD(vap, IEEE80211_MSG_AUTH,
1029 wh, "shared key auth", "bad seq %d", seq);
1030 vap->iv_stats.is_rx_bad_auth++;
1036 * Kick the state machine. This short-circuits
1037 * using the mgt frame timeout to trigger the
1040 if (vap->iv_state == IEEE80211_S_AUTH)
1041 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1042 IEEE80211_SCAN_FAIL_STATUS);
1046 ieee80211_parse_wmeparams(struct ieee80211vap *vap, uint8_t *frm,
1047 const struct ieee80211_frame *wh)
1049 #define MS(_v, _f) (((_v) & _f) >> _f##_S)
1050 struct ieee80211_wme_state *wme = &vap->iv_ic->ic_wme;
1051 u_int len = frm[1], qosinfo;
1054 if (len < sizeof(struct ieee80211_wme_param)-2) {
1055 IEEE80211_DISCARD_IE(vap,
1056 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1057 wh, "WME", "too short, len %u", len);
1060 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)];
1061 qosinfo &= WME_QOSINFO_COUNT;
1062 /* XXX do proper check for wraparound */
1063 if (qosinfo == wme->wme_wmeChanParams.cap_info)
1065 frm += __offsetof(struct ieee80211_wme_param, params_acParams);
1066 for (i = 0; i < WME_NUM_AC; i++) {
1067 struct wmeParams *wmep =
1068 &wme->wme_wmeChanParams.cap_wmeParams[i];
1069 /* NB: ACI not used */
1070 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM);
1071 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN);
1072 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN);
1073 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX);
1074 wmep->wmep_txopLimit = LE_READ_2(frm+2);
1077 wme->wme_wmeChanParams.cap_info = qosinfo;
1083 * Return non-zero if a background scan may be continued:
1084 * o bg scan is active
1085 * o no channel switch is pending
1086 * o there has not been any traffic recently
1088 * Note we do not check if there is an administrative enable;
1089 * this is only done to start the scan. We assume that any
1090 * change in state will be accompanied by a request to cancel
1091 * active scans which will otherwise cause this test to fail.
1094 contbgscan(struct ieee80211vap *vap)
1096 struct ieee80211com *ic = vap->iv_ic;
1098 return ((ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN) &&
1099 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1100 vap->iv_state == IEEE80211_S_RUN && /* XXX? */
1101 time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle));
1105 * Return non-zero if a backgrond scan may be started:
1106 * o bg scanning is administratively enabled
1107 * o no channel switch is pending
1108 * o we are not boosted on a dynamic turbo channel
1109 * o there has not been a scan recently
1110 * o there has not been any traffic recently
1113 startbgscan(struct ieee80211vap *vap)
1115 struct ieee80211com *ic = vap->iv_ic;
1117 return ((vap->iv_flags & IEEE80211_F_BGSCAN) &&
1118 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1119 #ifdef IEEE80211_SUPPORT_SUPERG
1120 !IEEE80211_IS_CHAN_DTURBO(ic->ic_curchan) &&
1122 time_after(ticks, ic->ic_lastscan + vap->iv_bgscanintvl) &&
1123 time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle));
1127 sta_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1128 int subtype, int rssi, int nf)
1130 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
1131 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
1132 struct ieee80211vap *vap = ni->ni_vap;
1133 struct ieee80211com *ic = ni->ni_ic;
1134 struct ieee80211_frame *wh;
1135 uint8_t *frm, *efrm;
1136 uint8_t *rates, *xrates, *wme, *htcap, *htinfo;
1139 wh = mtod(m0, struct ieee80211_frame *);
1140 frm = (uint8_t *)&wh[1];
1141 efrm = mtod(m0, uint8_t *) + m0->m_len;
1143 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1144 case IEEE80211_FC0_SUBTYPE_BEACON: {
1145 struct ieee80211_scanparams scan;
1147 * We process beacon/probe response frames:
1148 * o when scanning, or
1149 * o station mode when associated (to collect state
1150 * updates such as 802.11g slot time)
1151 * Frames otherwise received are discarded.
1153 if (!((ic->ic_flags & IEEE80211_F_SCAN) || ni->ni_associd)) {
1154 vap->iv_stats.is_rx_mgtdiscard++;
1157 /* XXX probe response in sta mode when !scanning? */
1158 if (ieee80211_parse_beacon(ni, m0, &scan) != 0)
1161 * Count frame now that we know it's to be processed.
1163 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1164 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1165 IEEE80211_NODE_STAT(ni, rx_beacons);
1167 IEEE80211_NODE_STAT(ni, rx_proberesp);
1169 * When operating in station mode, check for state updates.
1170 * Be careful to ignore beacons received while doing a
1171 * background scan. We consider only 11g/WMM stuff right now.
1173 if (ni->ni_associd != 0 &&
1174 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
1175 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
1176 /* record tsf of last beacon */
1177 memcpy(ni->ni_tstamp.data, scan.tstamp,
1178 sizeof(ni->ni_tstamp));
1179 /* count beacon frame for s/w bmiss handling */
1180 vap->iv_swbmiss_count++;
1181 vap->iv_bmiss_count = 0;
1182 if (ni->ni_erp != scan.erp) {
1183 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1185 "erp change: was 0x%x, now 0x%x",
1186 ni->ni_erp, scan.erp);
1187 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1188 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1189 ic->ic_flags |= IEEE80211_F_USEPROT;
1191 ic->ic_flags &= ~IEEE80211_F_USEPROT;
1192 ni->ni_erp = scan.erp;
1194 /* XXX driver notification */
1196 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) {
1197 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1199 "capabilities change: was 0x%x, now 0x%x",
1200 ni->ni_capinfo, scan.capinfo);
1202 * NB: we assume short preamble doesn't
1203 * change dynamically
1205 ieee80211_set_shortslottime(ic,
1206 IEEE80211_IS_CHAN_A(ic->ic_bsschan) ||
1207 (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1208 ni->ni_capinfo = (ni->ni_capinfo &~ IEEE80211_CAPINFO_SHORT_SLOTTIME)
1209 | (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME);
1212 if (scan.wme != NULL &&
1213 (ni->ni_flags & IEEE80211_NODE_QOS) &&
1214 ieee80211_parse_wmeparams(vap, scan.wme, wh) > 0)
1215 ieee80211_wme_updateparams(vap);
1216 #ifdef IEEE80211_SUPPORT_SUPERG
1217 if (scan.ath != NULL)
1218 ieee80211_parse_athparams(ni, scan.ath, wh);
1220 if (scan.htcap != NULL && scan.htinfo != NULL &&
1221 (vap->iv_flags_ext & IEEE80211_FEXT_HT)) {
1222 ieee80211_ht_updateparams(ni,
1223 scan.htcap, scan.htinfo);
1224 /* XXX state changes? */
1226 if (scan.tim != NULL) {
1227 struct ieee80211_tim_ie *tim =
1228 (struct ieee80211_tim_ie *) scan.tim;
1230 int aid = IEEE80211_AID(ni->ni_associd);
1231 int ix = aid / NBBY;
1232 int min = tim->tim_bitctl &~ 1;
1233 int max = tim->tim_len + min - 4;
1234 if ((tim->tim_bitctl&1) ||
1235 (min <= ix && ix <= max &&
1236 isset(tim->tim_bitmap - min, aid))) {
1238 * XXX Do not let bg scan kick off
1239 * we are expecting data.
1241 ic->ic_lastdata = ticks;
1242 ieee80211_sta_pwrsave(vap, 0);
1245 ni->ni_dtim_count = tim->tim_count;
1246 ni->ni_dtim_period = tim->tim_period;
1249 * If scanning, pass the info to the scan module.
1250 * Otherwise, check if it's the right time to do
1251 * a background scan. Background scanning must
1252 * be enabled and we must not be operating in the
1253 * turbo phase of dynamic turbo mode. Then,
1254 * it's been a while since the last background
1255 * scan and if no data frames have come through
1256 * recently, kick off a scan. Note that this
1257 * is the mechanism by which a background scan
1258 * is started _and_ continued each time we
1259 * return on-channel to receive a beacon from
1262 if (ic->ic_flags & IEEE80211_F_SCAN) {
1263 ieee80211_add_scan(vap, &scan, wh,
1265 } else if (contbgscan(vap)) {
1266 ieee80211_bg_scan(vap, 0);
1267 } else if (startbgscan(vap)) {
1268 vap->iv_stats.is_scan_bg++;
1270 /* wakeup if we are sleeing */
1271 ieee80211_set_pwrsave(vap, 0);
1273 ieee80211_bg_scan(vap, 0);
1278 * If scanning, just pass information to the scan module.
1280 if (ic->ic_flags & IEEE80211_F_SCAN) {
1281 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
1283 * Actively scanning a channel marked passive;
1284 * send a probe request now that we know there
1285 * is 802.11 traffic present.
1287 * XXX check if the beacon we recv'd gives
1288 * us what we need and suppress the probe req
1290 ieee80211_probe_curchan(vap, 1);
1291 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1293 ieee80211_add_scan(vap, &scan, wh, subtype, rssi, nf);
1299 case IEEE80211_FC0_SUBTYPE_AUTH: {
1300 uint16_t algo, seq, status;
1308 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1309 algo = le16toh(*(uint16_t *)frm);
1310 seq = le16toh(*(uint16_t *)(frm + 2));
1311 status = le16toh(*(uint16_t *)(frm + 4));
1312 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1313 "recv auth frame with algorithm %d seq %d", algo, seq);
1315 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1316 IEEE80211_DISCARD(vap,
1317 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1318 wh, "auth", "%s", "TKIP countermeasures enabled");
1319 vap->iv_stats.is_rx_auth_countermeasures++;
1320 if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
1321 ieee80211_send_error(ni, wh->i_addr2,
1322 IEEE80211_FC0_SUBTYPE_AUTH,
1323 IEEE80211_REASON_MIC_FAILURE);
1327 if (algo == IEEE80211_AUTH_ALG_SHARED)
1328 sta_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1330 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1331 sta_auth_open(ni, wh, rssi, nf, seq, status);
1333 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1334 wh, "auth", "unsupported alg %d", algo);
1335 vap->iv_stats.is_rx_auth_unsupported++;
1341 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
1342 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
1343 uint16_t capinfo, associd;
1346 if (vap->iv_state != IEEE80211_S_ASSOC) {
1347 vap->iv_stats.is_rx_mgtdiscard++;
1352 * asresp frame format
1353 * [2] capability information
1355 * [2] association ID
1356 * [tlv] supported rates
1357 * [tlv] extended supported rates
1359 * [tlv] HT capabilities
1362 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1364 capinfo = le16toh(*(uint16_t *)frm);
1366 status = le16toh(*(uint16_t *)frm);
1369 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1370 wh->i_addr2, "%sassoc failed (reason %d)",
1371 ISREASSOC(subtype) ? "re" : "", status);
1372 vap->iv_stats.is_rx_auth_fail++; /* XXX */
1375 associd = le16toh(*(uint16_t *)frm);
1378 rates = xrates = wme = htcap = htinfo = NULL;
1379 while (efrm - frm > 1) {
1380 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1382 case IEEE80211_ELEMID_RATES:
1385 case IEEE80211_ELEMID_XRATES:
1388 case IEEE80211_ELEMID_HTCAP:
1391 case IEEE80211_ELEMID_HTINFO:
1394 case IEEE80211_ELEMID_VENDOR:
1397 else if (vap->iv_flags_ext & IEEE80211_FEXT_HTCOMPAT) {
1399 * Accept pre-draft HT ie's if the
1400 * standard ones have not been seen.
1402 if (ishtcapoui(frm)) {
1405 } else if (ishtinfooui(frm)) {
1410 /* XXX Atheros OUI support */
1416 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1418 IEEE80211_VERIFY_ELEMENT(xrates,
1419 IEEE80211_RATE_MAXSIZE - rates[1], return);
1420 rate = ieee80211_setup_rates(ni, rates, xrates,
1422 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
1423 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
1424 if (rate & IEEE80211_RATE_BASIC) {
1425 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1427 "%sassoc failed (rate set mismatch)",
1428 ISREASSOC(subtype) ? "re" : "");
1429 vap->iv_stats.is_rx_assoc_norate++;
1430 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1431 IEEE80211_SCAN_FAIL_STATUS);
1435 ni->ni_capinfo = capinfo;
1436 ni->ni_associd = associd;
1437 if (ni->ni_jointime == 0)
1438 ni->ni_jointime = time_uptime;
1440 ieee80211_parse_wmeparams(vap, wme, wh) >= 0) {
1441 ni->ni_flags |= IEEE80211_NODE_QOS;
1442 ieee80211_wme_updateparams(vap);
1444 ni->ni_flags &= ~IEEE80211_NODE_QOS;
1446 * Setup HT state according to the negotiation.
1448 * NB: shouldn't need to check if HT use is enabled but some
1449 * ap's send back HT ie's even when we don't indicate we
1450 * are HT capable in our AssocReq.
1452 if (htcap != NULL && htinfo != NULL &&
1453 (vap->iv_flags_ext & IEEE80211_FEXT_HT)) {
1454 ieee80211_ht_node_init(ni);
1455 ieee80211_ht_updateparams(ni, htcap, htinfo);
1456 ieee80211_setup_htrates(ni, htcap,
1457 IEEE80211_F_JOIN | IEEE80211_F_DOBRS);
1458 ieee80211_setup_basic_htrates(ni, htinfo);
1460 #ifdef IEEE80211_SUPPORT_SUPERG
1461 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_ATH))
1462 ieee80211_ff_node_init(ni);
1466 * Configure state now that we are associated.
1468 * XXX may need different/additional driver callbacks?
1470 if (IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1471 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
1472 ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
1473 ic->ic_flags &= ~IEEE80211_F_USEBARKER;
1475 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
1476 ic->ic_flags |= IEEE80211_F_USEBARKER;
1478 ieee80211_set_shortslottime(ic,
1479 IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1480 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1482 * Honor ERP protection.
1484 * NB: ni_erp should zero for non-11g operation.
1486 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1487 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1488 ic->ic_flags |= IEEE80211_F_USEPROT;
1490 ic->ic_flags &= ~IEEE80211_F_USEPROT;
1491 IEEE80211_NOTE_MAC(vap,
1492 IEEE80211_MSG_ASSOC | IEEE80211_MSG_DEBUG, wh->i_addr2,
1493 "%sassoc success at aid %d: %s preamble, %s slot time%s%s%s%s%s%s%s%s",
1494 ISREASSOC(subtype) ? "re" : "",
1495 IEEE80211_NODE_AID(ni),
1496 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
1497 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
1498 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
1499 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "",
1500 ni->ni_flags & IEEE80211_NODE_HT ?
1501 (ni->ni_chw == 40 ? ", HT40" : ", HT20") : "",
1502 ni->ni_flags & IEEE80211_NODE_AMPDU ? " (+AMPDU)" : "",
1503 ni->ni_flags & IEEE80211_NODE_MIMO_RTS ? " (+SMPS-DYN)" :
1504 ni->ni_flags & IEEE80211_NODE_MIMO_PS ? " (+SMPS)" : "",
1505 ni->ni_flags & IEEE80211_NODE_RIFS ? " (+RIFS)" : "",
1506 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) ?
1507 ", fast-frames" : "",
1508 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_TURBOP) ?
1511 ieee80211_new_state(vap, IEEE80211_S_RUN, subtype);
1515 case IEEE80211_FC0_SUBTYPE_DEAUTH: {
1518 if (vap->iv_state == IEEE80211_S_SCAN) {
1519 vap->iv_stats.is_rx_mgtdiscard++;
1522 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1523 /* NB: can happen when in promiscuous mode */
1524 vap->iv_stats.is_rx_mgtdiscard++;
1529 * deauth frame format
1532 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1533 reason = le16toh(*(uint16_t *)frm);
1535 vap->iv_stats.is_rx_deauth++;
1536 vap->iv_stats.is_rx_deauth_code = reason;
1537 IEEE80211_NODE_STAT(ni, rx_deauth);
1539 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
1540 "recv deauthenticate (reason %d)", reason);
1541 ieee80211_new_state(vap, IEEE80211_S_AUTH,
1542 (reason << 8) | IEEE80211_FC0_SUBTYPE_DEAUTH);
1546 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
1549 if (vap->iv_state != IEEE80211_S_RUN &&
1550 vap->iv_state != IEEE80211_S_ASSOC &&
1551 vap->iv_state != IEEE80211_S_AUTH) {
1552 vap->iv_stats.is_rx_mgtdiscard++;
1555 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1556 /* NB: can happen when in promiscuous mode */
1557 vap->iv_stats.is_rx_mgtdiscard++;
1562 * disassoc frame format
1565 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1566 reason = le16toh(*(uint16_t *)frm);
1568 vap->iv_stats.is_rx_disassoc++;
1569 vap->iv_stats.is_rx_disassoc_code = reason;
1570 IEEE80211_NODE_STAT(ni, rx_disassoc);
1572 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1573 "recv disassociate (reason %d)", reason);
1574 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1578 case IEEE80211_FC0_SUBTYPE_ACTION:
1579 if (vap->iv_state == IEEE80211_S_RUN) {
1580 if (ieee80211_parse_action(ni, m0) == 0)
1581 ic->ic_recv_action(ni, frm, efrm);
1583 vap->iv_stats.is_rx_mgtdiscard++;
1586 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1587 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1588 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
1589 vap->iv_stats.is_rx_mgtdiscard++;
1592 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1593 wh, "mgt", "subtype 0x%x not handled", subtype);
1594 vap->iv_stats.is_rx_badsubtype++;
1602 sta_recv_ctl(struct ieee80211_node *ni, struct mbuf *m0, int subtype)