2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
32 * IEEE 802.11 Station mode support.
37 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/malloc.h>
41 #include <sys/kernel.h>
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
48 #include <sys/sysctl.h>
51 #include <net/if_media.h>
52 #include <net/if_llc.h>
53 #include <net/ethernet.h>
57 #include <net80211/ieee80211_var.h>
58 #include <net80211/ieee80211_sta.h>
59 #include <net80211/ieee80211_input.h>
60 #ifdef IEEE80211_SUPPORT_SUPERG
61 #include <net80211/ieee80211_superg.h>
64 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
66 static void sta_vattach(struct ieee80211vap *);
67 static void sta_beacon_miss(struct ieee80211vap *);
68 static int sta_newstate(struct ieee80211vap *, enum ieee80211_state, int);
69 static int sta_input(struct ieee80211_node *, struct mbuf *,
70 int rssi, int noise, uint32_t rstamp);
71 static void sta_recv_mgmt(struct ieee80211_node *, struct mbuf *,
72 int subtype, int rssi, int noise, uint32_t rstamp);
73 static void sta_recv_ctl(struct ieee80211_node *, struct mbuf *, int subtype);
76 ieee80211_sta_attach(struct ieee80211com *ic)
78 ic->ic_vattach[IEEE80211_M_STA] = sta_vattach;
82 ieee80211_sta_detach(struct ieee80211com *ic)
87 sta_vdetach(struct ieee80211vap *vap)
92 sta_vattach(struct ieee80211vap *vap)
94 vap->iv_newstate = sta_newstate;
95 vap->iv_input = sta_input;
96 vap->iv_recv_mgmt = sta_recv_mgmt;
97 vap->iv_recv_ctl = sta_recv_ctl;
98 vap->iv_opdetach = sta_vdetach;
99 vap->iv_bmiss = sta_beacon_miss;
103 * Handle a beacon miss event. The common code filters out
104 * spurious events that can happen when scanning and/or before
105 * reaching RUN state.
108 sta_beacon_miss(struct ieee80211vap *vap)
110 KASSERT((vap->iv_ic->ic_flags & IEEE80211_F_SCAN) == 0, ("scanning"));
111 KASSERT(vap->iv_state == IEEE80211_S_RUN,
112 ("wrong state %d", vap->iv_state));
114 IEEE80211_DPRINTF(vap,
115 IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG,
116 "beacon miss, mode %u state %s\n",
117 vap->iv_opmode, ieee80211_state_name[vap->iv_state]);
119 if (++vap->iv_bmiss_count < vap->iv_bmiss_max) {
121 * Send a directed probe req before falling back to a
122 * scan; if we receive a response ic_bmiss_count will
123 * be reset. Some cards mistakenly report beacon miss
124 * so this avoids the expensive scan if the ap is
127 ieee80211_send_probereq(vap->iv_bss, vap->iv_myaddr,
128 vap->iv_bss->ni_bssid, vap->iv_bss->ni_bssid,
129 vap->iv_bss->ni_essid, vap->iv_bss->ni_esslen);
132 vap->iv_bmiss_count = 0;
133 vap->iv_stats.is_beacon_miss++;
134 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
135 #ifdef IEEE80211_SUPPORT_SUPERG
136 struct ieee80211com *ic = vap->iv_ic;
139 * If we receive a beacon miss interrupt when using
140 * dynamic turbo, attempt to switch modes before
143 if (IEEE80211_ATH_CAP(vap, vap->iv_bss, IEEE80211_NODE_TURBOP))
144 ieee80211_dturbo_switch(vap,
145 ic->ic_bsschan->ic_flags ^ IEEE80211_CHAN_TURBO);
148 * Try to reassociate before scanning for a new ap.
150 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 1);
153 * Somebody else is controlling state changes (e.g.
154 * a user-mode app) don't do anything that would
155 * confuse them; just drop into scan mode so they'll
156 * notified of the state change and given control.
158 ieee80211_new_state(vap, IEEE80211_S_SCAN, 0);
163 * Handle deauth with reason. We retry only for
164 * the cases where we might succeed. Otherwise
165 * we downgrade the ap and scan.
168 sta_authretry(struct ieee80211vap *vap, struct ieee80211_node *ni, int reason)
171 case IEEE80211_STATUS_SUCCESS: /* NB: MLME assoc */
172 case IEEE80211_STATUS_TIMEOUT:
173 case IEEE80211_REASON_ASSOC_EXPIRE:
174 case IEEE80211_REASON_NOT_AUTHED:
175 case IEEE80211_REASON_NOT_ASSOCED:
176 case IEEE80211_REASON_ASSOC_LEAVE:
177 case IEEE80211_REASON_ASSOC_NOT_AUTHED:
178 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, 1);
181 ieee80211_scan_assoc_fail(vap, vap->iv_bss->ni_macaddr, reason);
182 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
183 ieee80211_check_scan_current(vap);
189 * IEEE80211_M_STA vap state machine handler.
190 * This routine handles the main states in the 802.11 protocol.
193 sta_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
195 struct ieee80211com *ic = vap->iv_ic;
196 struct ieee80211_node *ni;
197 enum ieee80211_state ostate;
199 IEEE80211_LOCK_ASSERT(ic);
201 ostate = vap->iv_state;
202 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
203 __func__, ieee80211_state_name[ostate],
204 ieee80211_state_name[nstate], arg);
205 vap->iv_state = nstate; /* state transition */
206 callout_stop(&vap->iv_mgtsend); /* XXX callout_drain */
207 if (ostate != IEEE80211_S_SCAN)
208 ieee80211_cancel_scan(vap); /* background scan */
209 ni = vap->iv_bss; /* NB: no reference held */
210 if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)
211 callout_stop(&vap->iv_swbmiss);
213 case IEEE80211_S_INIT:
215 case IEEE80211_S_SLEEP:
217 case IEEE80211_S_RUN:
218 IEEE80211_SEND_MGMT(ni,
219 IEEE80211_FC0_SUBTYPE_DISASSOC,
220 IEEE80211_REASON_ASSOC_LEAVE);
221 ieee80211_sta_leave(ni);
223 case IEEE80211_S_ASSOC:
224 IEEE80211_SEND_MGMT(ni,
225 IEEE80211_FC0_SUBTYPE_DEAUTH,
226 IEEE80211_REASON_AUTH_LEAVE);
228 case IEEE80211_S_SCAN:
229 ieee80211_cancel_scan(vap);
234 if (ostate != IEEE80211_S_INIT) {
235 /* NB: optimize INIT -> INIT case */
236 ieee80211_reset_bss(vap);
238 if (vap->iv_auth->ia_detach != NULL)
239 vap->iv_auth->ia_detach(vap);
241 case IEEE80211_S_SCAN:
243 case IEEE80211_S_INIT:
245 * Initiate a scan. We can come here as a result
246 * of an IEEE80211_IOC_SCAN_REQ too in which case
247 * the vap will be marked with IEEE80211_FEXT_SCANREQ
248 * and the scan request parameters will be present
249 * in iv_scanreq. Otherwise we do the default.
251 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
252 ieee80211_check_scan(vap,
253 vap->iv_scanreq_flags,
254 vap->iv_scanreq_duration,
255 vap->iv_scanreq_mindwell,
256 vap->iv_scanreq_maxdwell,
257 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
258 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
260 ieee80211_check_scan_current(vap);
262 case IEEE80211_S_SCAN:
263 case IEEE80211_S_AUTH:
264 case IEEE80211_S_ASSOC:
266 * These can happen either because of a timeout
267 * on an assoc/auth response or because of a
268 * change in state that requires a reset. For
269 * the former we're called with a non-zero arg
270 * that is the cause for the failure; pass this
271 * to the scan code so it can update state.
272 * Otherwise trigger a new scan unless we're in
273 * manual roaming mode in which case an application
274 * must issue an explicit scan request.
277 ieee80211_scan_assoc_fail(vap,
278 vap->iv_bss->ni_macaddr, arg);
279 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
280 ieee80211_check_scan_current(vap);
282 case IEEE80211_S_RUN: /* beacon miss */
284 * Beacon miss. Notify user space and if not
285 * under control of a user application (roaming
286 * manual) kick off a scan to re-connect.
288 ieee80211_sta_leave(ni);
289 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
290 ieee80211_check_scan_current(vap);
296 case IEEE80211_S_AUTH:
298 case IEEE80211_S_INIT:
299 case IEEE80211_S_SCAN:
300 IEEE80211_SEND_MGMT(ni,
301 IEEE80211_FC0_SUBTYPE_AUTH, 1);
303 case IEEE80211_S_AUTH:
304 case IEEE80211_S_ASSOC:
305 switch (arg & 0xff) {
306 case IEEE80211_FC0_SUBTYPE_AUTH:
308 IEEE80211_SEND_MGMT(ni,
309 IEEE80211_FC0_SUBTYPE_AUTH, 2);
311 case IEEE80211_FC0_SUBTYPE_DEAUTH:
312 sta_authretry(vap, ni, arg>>8);
316 case IEEE80211_S_RUN:
317 switch (arg & 0xff) {
318 case IEEE80211_FC0_SUBTYPE_AUTH:
319 IEEE80211_SEND_MGMT(ni,
320 IEEE80211_FC0_SUBTYPE_AUTH, 2);
321 vap->iv_state = ostate; /* stay RUN */
323 case IEEE80211_FC0_SUBTYPE_DEAUTH:
324 ieee80211_sta_leave(ni);
325 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
327 IEEE80211_SEND_MGMT(ni,
328 IEEE80211_FC0_SUBTYPE_AUTH, 1);
337 case IEEE80211_S_ASSOC:
339 case IEEE80211_S_AUTH:
340 case IEEE80211_S_ASSOC:
341 IEEE80211_SEND_MGMT(ni,
342 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
344 case IEEE80211_S_SLEEP: /* cannot happen */
345 case IEEE80211_S_RUN:
346 ieee80211_sta_leave(ni);
347 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
348 IEEE80211_SEND_MGMT(ni, arg ?
349 IEEE80211_FC0_SUBTYPE_REASSOC_REQ :
350 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
357 case IEEE80211_S_RUN:
358 if (vap->iv_flags & IEEE80211_F_WPA) {
359 /* XXX validate prerequisites */
362 case IEEE80211_S_RUN:
364 case IEEE80211_S_AUTH: /* when join is done in fw */
365 case IEEE80211_S_ASSOC:
366 #ifdef IEEE80211_DEBUG
367 if (ieee80211_msg_debug(vap)) {
368 ieee80211_note(vap, "%s with %s ssid ",
369 (vap->iv_opmode == IEEE80211_M_STA ?
370 "associated" : "synchronized"),
371 ether_sprintf(ni->ni_bssid));
372 ieee80211_print_essid(vap->iv_bss->ni_essid,
375 printf(" channel %d start %uMb\n",
376 ieee80211_chan2ieee(ic, ic->ic_curchan),
377 IEEE80211_RATE2MBS(ni->ni_txrate));
380 ieee80211_scan_assoc_success(vap, ni->ni_macaddr);
381 ieee80211_notify_node_join(ni,
382 arg == IEEE80211_FC0_SUBTYPE_ASSOC_RESP);
384 case IEEE80211_S_SLEEP:
385 ieee80211_sta_pwrsave(vap, 0);
390 ieee80211_sync_curchan(ic);
391 if (ostate != IEEE80211_S_RUN &&
392 (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)) {
394 * Start s/w beacon miss timer for devices w/o
395 * hardware support. We fudge a bit here since
396 * we're doing this in software.
398 vap->iv_swbmiss_period = IEEE80211_TU_TO_TICKS(
399 2 * vap->iv_bmissthreshold * ni->ni_intval);
400 vap->iv_swbmiss_count = 0;
401 callout_reset(&vap->iv_swbmiss, vap->iv_swbmiss_period,
402 ieee80211_swbmiss, vap);
405 * When 802.1x is not in use mark the port authorized
406 * at this point so traffic can flow.
408 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
409 ieee80211_node_authorize(ni);
411 * Fake association when joining an existing bss.
413 if (ic->ic_newassoc != NULL)
414 ic->ic_newassoc(vap->iv_bss, ostate != IEEE80211_S_RUN);
416 case IEEE80211_S_SLEEP:
417 ieee80211_sta_pwrsave(vap, 0);
421 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
422 "%s: unexpected state transition %s -> %s\n", __func__,
423 ieee80211_state_name[ostate], ieee80211_state_name[nstate]);
430 * Return non-zero if the frame is an echo of a multicast
431 * frame sent by ourself. The dir is known to be DSTODS.
434 isdstods_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
436 #define QWH4(wh) ((const struct ieee80211_qosframe_addr4 *)wh)
437 #define WH4(wh) ((const struct ieee80211_frame_addr4 *)wh)
440 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
442 if (!IEEE80211_IS_MULTICAST(wh->i_addr3))
444 sa = IEEE80211_QOS_HAS_SEQ(wh) ? QWH4(wh)->i_addr4 : WH4(wh)->i_addr4;
445 return IEEE80211_ADDR_EQ(sa, vap->iv_myaddr);
451 * Return non-zero if the frame is an echo of a multicast
452 * frame sent by ourself. The dir is known to be FROMDS.
455 isfromds_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
457 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
459 if (!IEEE80211_IS_MULTICAST(wh->i_addr1))
461 return IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_myaddr);
465 * Decide if a received management frame should be
466 * printed when debugging is enabled. This filters some
467 * of the less interesting frames that come frequently
471 doprint(struct ieee80211vap *vap, int subtype)
474 case IEEE80211_FC0_SUBTYPE_BEACON:
475 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
476 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
483 * Process a received frame. The node associated with the sender
484 * should be supplied. If nothing was found in the node table then
485 * the caller is assumed to supply a reference to iv_bss instead.
486 * The RSSI and a timestamp are also supplied. The RSSI data is used
487 * during AP scanning to select a AP to associate with; it can have
488 * any units so long as values have consistent units and higher values
489 * mean ``better signal''. The receive timestamp is currently not used
490 * by the 802.11 layer.
493 sta_input(struct ieee80211_node *ni, struct mbuf *m,
494 int rssi, int noise, uint32_t rstamp)
496 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
497 #define HAS_SEQ(type) ((type & 0x4) == 0)
498 struct ieee80211vap *vap = ni->ni_vap;
499 struct ieee80211com *ic = ni->ni_ic;
500 struct ifnet *ifp = vap->iv_ifp;
501 struct ieee80211_frame *wh;
502 struct ieee80211_key *key;
503 struct ether_header *eh;
504 int hdrspace, need_tap;
505 uint8_t dir, type, subtype, qos;
509 if (m->m_flags & M_AMPDU_MPDU) {
511 * Fastpath for A-MPDU reorder q resubmission. Frames
512 * w/ M_AMPDU_MPDU marked have already passed through
513 * here but were received out of order and been held on
514 * the reorder queue. When resubmitted they are marked
515 * with the M_AMPDU_MPDU flag and we can bypass most of
516 * the normal processing.
518 wh = mtod(m, struct ieee80211_frame *);
519 type = IEEE80211_FC0_TYPE_DATA;
520 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
521 subtype = IEEE80211_FC0_SUBTYPE_QOS;
522 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
526 KASSERT(ni != NULL, ("null node"));
527 ni->ni_inact = ni->ni_inact_reload;
529 need_tap = 1; /* mbuf need to be tapped. */
530 type = -1; /* undefined */
532 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
533 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
534 ni->ni_macaddr, NULL,
535 "too short (1): len %u", m->m_pkthdr.len);
536 vap->iv_stats.is_rx_tooshort++;
540 * Bit of a cheat here, we use a pointer for a 3-address
541 * frame format but don't reference fields past outside
542 * ieee80211_frame_min w/o first validating the data is
545 wh = mtod(m, struct ieee80211_frame *);
547 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
548 IEEE80211_FC0_VERSION_0) {
549 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
550 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
551 wh->i_fc[0], wh->i_fc[1]);
552 vap->iv_stats.is_rx_badversion++;
556 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
557 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
558 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
559 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
561 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
562 /* not interested in */
563 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
564 bssid, NULL, "%s", "not to bss");
565 vap->iv_stats.is_rx_wrongbss++;
568 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
569 ni->ni_noise = noise;
570 ni->ni_rstamp = rstamp;
572 uint8_t tid = ieee80211_gettid(wh);
573 if (IEEE80211_QOS_HAS_SEQ(wh) &&
574 TID_TO_WME_AC(tid) >= WME_AC_VI)
575 ic->ic_wme.wme_hipri_traffic++;
576 rxseq = le16toh(*(uint16_t *)wh->i_seq);
577 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
578 (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
579 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
580 /* duplicate, discard */
581 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
583 "seqno <%u,%u> fragno <%u,%u> tid %u",
584 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
585 ni->ni_rxseqs[tid] >>
586 IEEE80211_SEQ_SEQ_SHIFT,
587 rxseq & IEEE80211_SEQ_FRAG_MASK,
589 IEEE80211_SEQ_FRAG_MASK,
591 vap->iv_stats.is_rx_dup++;
592 IEEE80211_NODE_STAT(ni, rx_dup);
595 ni->ni_rxseqs[tid] = rxseq;
600 case IEEE80211_FC0_TYPE_DATA:
601 hdrspace = ieee80211_hdrspace(ic, wh);
602 if (m->m_len < hdrspace &&
603 (m = m_pullup(m, hdrspace)) == NULL) {
604 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
605 ni->ni_macaddr, NULL,
606 "data too short: expecting %u", hdrspace);
607 vap->iv_stats.is_rx_tooshort++;
611 * Handle A-MPDU re-ordering. If the frame is to be
612 * processed directly then ieee80211_ampdu_reorder
613 * will return 0; otherwise it has consumed the mbuf
614 * and we should do nothing more with it.
616 if ((m->m_flags & M_AMPDU) &&
617 (dir == IEEE80211_FC1_DIR_FROMDS ||
618 dir == IEEE80211_FC1_DIR_DSTODS) &&
619 ieee80211_ampdu_reorder(ni, m) != 0) {
624 if (dir == IEEE80211_FC1_DIR_FROMDS) {
625 if ((ifp->if_flags & IFF_SIMPLEX) &&
626 isfromds_mcastecho(vap, wh)) {
628 * In IEEE802.11 network, multicast
629 * packets sent from "me" are broadcast
630 * from the AP; silently discard for
633 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
634 wh, "data", "%s", "multicast echo");
635 vap->iv_stats.is_rx_mcastecho++;
638 if ((vap->iv_flags & IEEE80211_F_DWDS) &&
639 IEEE80211_IS_MULTICAST(wh->i_addr1)) {
641 * DWDS sta's must drop 3-address mcast frames
642 * as they will be sent separately as a 4-addr
643 * frame. Accepting the 3-addr frame will
644 * confuse the bridge into thinking the sending
645 * sta is located at the end of WDS link.
647 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
648 "3-address data", "%s", "DWDS enabled");
649 vap->iv_stats.is_rx_mcastecho++;
652 } else if (dir == IEEE80211_FC1_DIR_DSTODS) {
653 if ((vap->iv_flags & IEEE80211_F_DWDS) == 0) {
654 IEEE80211_DISCARD(vap,
655 IEEE80211_MSG_INPUT, wh, "4-address data",
656 "%s", "DWDS not enabled");
657 vap->iv_stats.is_rx_wrongdir++;
660 if ((ifp->if_flags & IFF_SIMPLEX) &&
661 isdstods_mcastecho(vap, wh)) {
663 * In IEEE802.11 network, multicast
664 * packets sent from "me" are broadcast
665 * from the AP; silently discard for
668 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
669 "4-address data", "%s", "multicast echo");
670 vap->iv_stats.is_rx_mcastecho++;
674 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
675 "data", "incorrect dir 0x%x", dir);
676 vap->iv_stats.is_rx_wrongdir++;
681 * Handle privacy requirements. Note that we
682 * must not be preempted from here until after
683 * we (potentially) call ieee80211_crypto_demic;
684 * otherwise we may violate assumptions in the
685 * crypto cipher modules used to do delayed update
686 * of replay sequence numbers.
688 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
689 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
691 * Discard encrypted frames when privacy is off.
693 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
694 wh, "WEP", "%s", "PRIVACY off");
695 vap->iv_stats.is_rx_noprivacy++;
696 IEEE80211_NODE_STAT(ni, rx_noprivacy);
699 key = ieee80211_crypto_decap(ni, m, hdrspace);
701 /* NB: stats+msgs handled in crypto_decap */
702 IEEE80211_NODE_STAT(ni, rx_wepfail);
705 wh = mtod(m, struct ieee80211_frame *);
706 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
708 /* XXX M_WEP and IEEE80211_F_PRIVACY */
713 * Save QoS bits for use below--before we strip the header.
715 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
716 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
717 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
718 ((struct ieee80211_qosframe *)wh)->i_qos[0];
723 * Next up, any fragmentation.
725 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
726 m = ieee80211_defrag(ni, m, hdrspace);
728 /* Fragment dropped or frame not complete yet */
732 wh = NULL; /* no longer valid, catch any uses */
735 * Next strip any MSDU crypto bits.
737 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
738 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
739 ni->ni_macaddr, "data", "%s", "demic error");
740 vap->iv_stats.is_rx_demicfail++;
741 IEEE80211_NODE_STAT(ni, rx_demicfail);
745 /* copy to listener after decrypt */
746 if (bpf_peers_present(vap->iv_rawbpf))
747 bpf_mtap(vap->iv_rawbpf, m);
751 * Finally, strip the 802.11 header.
753 m = ieee80211_decap(vap, m, hdrspace);
755 /* XXX mask bit to check for both */
756 /* don't count Null data frames as errors */
757 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
758 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
760 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
761 ni->ni_macaddr, "data", "%s", "decap error");
762 vap->iv_stats.is_rx_decap++;
763 IEEE80211_NODE_STAT(ni, rx_decap);
766 eh = mtod(m, struct ether_header *);
767 if (!ieee80211_node_is_authorized(ni)) {
769 * Deny any non-PAE frames received prior to
770 * authorization. For open/shared-key
771 * authentication the port is mark authorized
772 * after authentication completes. For 802.1x
773 * the port is not marked authorized by the
774 * authenticator until the handshake has completed.
776 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
777 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
778 eh->ether_shost, "data",
779 "unauthorized port: ether type 0x%x len %u",
780 eh->ether_type, m->m_pkthdr.len);
781 vap->iv_stats.is_rx_unauth++;
782 IEEE80211_NODE_STAT(ni, rx_unauth);
787 * When denying unencrypted frames, discard
788 * any non-PAE frames received without encryption.
790 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
791 (key == NULL && (m->m_flags & M_WEP) == 0) &&
792 eh->ether_type != htons(ETHERTYPE_PAE)) {
794 * Drop unencrypted frames.
796 vap->iv_stats.is_rx_unencrypted++;
797 IEEE80211_NODE_STAT(ni, rx_unencrypted);
801 /* XXX require HT? */
802 if (qos & IEEE80211_QOS_AMSDU) {
803 m = ieee80211_decap_amsdu(ni, m);
805 return IEEE80211_FC0_TYPE_DATA;
807 #ifdef IEEE80211_SUPPORT_SUPERG
808 m = ieee80211_decap_fastframe(vap, ni, m);
810 return IEEE80211_FC0_TYPE_DATA;
813 ieee80211_deliver_data(vap, ni, m);
814 return IEEE80211_FC0_TYPE_DATA;
816 case IEEE80211_FC0_TYPE_MGT:
817 vap->iv_stats.is_rx_mgmt++;
818 IEEE80211_NODE_STAT(ni, rx_mgmt);
819 if (dir != IEEE80211_FC1_DIR_NODS) {
820 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
821 wh, "data", "incorrect dir 0x%x", dir);
822 vap->iv_stats.is_rx_wrongdir++;
825 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
826 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
827 ni->ni_macaddr, "mgt", "too short: len %u",
829 vap->iv_stats.is_rx_tooshort++;
832 #ifdef IEEE80211_DEBUG
833 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
834 ieee80211_msg_dumppkts(vap)) {
835 if_printf(ifp, "received %s from %s rssi %d\n",
836 ieee80211_mgt_subtype_name[subtype >>
837 IEEE80211_FC0_SUBTYPE_SHIFT],
838 ether_sprintf(wh->i_addr2), rssi);
841 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
842 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
844 * Only shared key auth frames with a challenge
845 * should be encrypted, discard all others.
847 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
848 wh, ieee80211_mgt_subtype_name[subtype >>
849 IEEE80211_FC0_SUBTYPE_SHIFT],
850 "%s", "WEP set but not permitted");
851 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
854 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
856 * Discard encrypted frames when privacy is off.
858 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
859 wh, "mgt", "%s", "WEP set but PRIVACY off");
860 vap->iv_stats.is_rx_noprivacy++;
863 hdrspace = ieee80211_hdrspace(ic, wh);
864 key = ieee80211_crypto_decap(ni, m, hdrspace);
866 /* NB: stats+msgs handled in crypto_decap */
869 wh = mtod(m, struct ieee80211_frame *);
870 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
872 vap->iv_recv_mgmt(ni, m, subtype, rssi, noise, rstamp);
875 case IEEE80211_FC0_TYPE_CTL:
876 vap->iv_stats.is_rx_ctl++;
877 IEEE80211_NODE_STAT(ni, rx_ctrl);
878 vap->iv_recv_ctl(ni, m, subtype);
882 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
883 wh, NULL, "bad frame type 0x%x", type);
884 /* should not come here */
891 if (need_tap && bpf_peers_present(vap->iv_rawbpf))
892 bpf_mtap(vap->iv_rawbpf, m);
900 sta_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
901 int rssi, int noise, uint32_t rstamp, uint16_t seq, uint16_t status)
903 struct ieee80211vap *vap = ni->ni_vap;
905 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
906 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
907 ni->ni_macaddr, "open auth",
908 "bad sta auth mode %u", ni->ni_authmode);
909 vap->iv_stats.is_rx_bad_auth++; /* XXX */
912 if (vap->iv_state != IEEE80211_S_AUTH ||
913 seq != IEEE80211_AUTH_OPEN_RESPONSE) {
914 vap->iv_stats.is_rx_bad_auth++;
918 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
919 ni, "open auth failed (reason %d)", status);
920 vap->iv_stats.is_rx_auth_fail++;
921 vap->iv_stats.is_rx_authfail_code = status;
922 ieee80211_new_state(vap, IEEE80211_S_SCAN,
923 IEEE80211_SCAN_FAIL_STATUS);
925 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
929 sta_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
930 uint8_t *frm, uint8_t *efrm, int rssi, int noise, uint32_t rstamp,
931 uint16_t seq, uint16_t status)
933 struct ieee80211vap *vap = ni->ni_vap;
938 * NB: this can happen as we allow pre-shared key
939 * authentication to be enabled w/o wep being turned
940 * on so that configuration of these can be done
941 * in any order. It may be better to enforce the
942 * ordering in which case this check would just be
943 * for sanity/consistency.
945 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
946 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
947 ni->ni_macaddr, "shared key auth",
948 "%s", " PRIVACY is disabled");
949 estatus = IEEE80211_STATUS_ALG;
953 * Pre-shared key authentication is evil; accept
954 * it only if explicitly configured (it is supported
955 * mainly for compatibility with clients like OS X).
957 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
958 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
959 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
960 ni->ni_macaddr, "shared key auth",
961 "bad sta auth mode %u", ni->ni_authmode);
962 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
963 estatus = IEEE80211_STATUS_ALG;
968 if (frm + 1 < efrm) {
969 if ((frm[1] + 2) > (efrm - frm)) {
970 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
971 ni->ni_macaddr, "shared key auth",
973 frm[0], (frm[1] + 2) - (efrm - frm));
974 vap->iv_stats.is_rx_bad_auth++;
975 estatus = IEEE80211_STATUS_CHALLENGE;
978 if (*frm == IEEE80211_ELEMID_CHALLENGE)
983 case IEEE80211_AUTH_SHARED_CHALLENGE:
984 case IEEE80211_AUTH_SHARED_RESPONSE:
985 if (challenge == NULL) {
986 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
987 ni->ni_macaddr, "shared key auth",
988 "%s", "no challenge");
989 vap->iv_stats.is_rx_bad_auth++;
990 estatus = IEEE80211_STATUS_CHALLENGE;
993 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
994 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
995 ni->ni_macaddr, "shared key auth",
996 "bad challenge len %d", challenge[1]);
997 vap->iv_stats.is_rx_bad_auth++;
998 estatus = IEEE80211_STATUS_CHALLENGE;
1004 if (vap->iv_state != IEEE80211_S_AUTH)
1007 case IEEE80211_AUTH_SHARED_PASS:
1008 if (ni->ni_challenge != NULL) {
1009 free(ni->ni_challenge, M_80211_NODE);
1010 ni->ni_challenge = NULL;
1013 IEEE80211_NOTE_FRAME(vap,
1014 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, wh,
1015 "shared key auth failed (reason %d)", status);
1016 vap->iv_stats.is_rx_auth_fail++;
1017 vap->iv_stats.is_rx_authfail_code = status;
1020 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1022 case IEEE80211_AUTH_SHARED_CHALLENGE:
1023 if (!ieee80211_alloc_challenge(ni))
1025 /* XXX could optimize by passing recvd challenge */
1026 memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1027 IEEE80211_SEND_MGMT(ni,
1028 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1031 IEEE80211_DISCARD(vap, IEEE80211_MSG_AUTH,
1032 wh, "shared key auth", "bad seq %d", seq);
1033 vap->iv_stats.is_rx_bad_auth++;
1039 * Kick the state machine. This short-circuits
1040 * using the mgt frame timeout to trigger the
1043 if (vap->iv_state == IEEE80211_S_AUTH)
1044 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1045 IEEE80211_SCAN_FAIL_STATUS);
1049 ieee80211_parse_wmeparams(struct ieee80211vap *vap, uint8_t *frm,
1050 const struct ieee80211_frame *wh)
1052 #define MS(_v, _f) (((_v) & _f) >> _f##_S)
1053 struct ieee80211_wme_state *wme = &vap->iv_ic->ic_wme;
1054 u_int len = frm[1], qosinfo;
1057 if (len < sizeof(struct ieee80211_wme_param)-2) {
1058 IEEE80211_DISCARD_IE(vap,
1059 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1060 wh, "WME", "too short, len %u", len);
1063 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)];
1064 qosinfo &= WME_QOSINFO_COUNT;
1065 /* XXX do proper check for wraparound */
1066 if (qosinfo == wme->wme_wmeChanParams.cap_info)
1068 frm += __offsetof(struct ieee80211_wme_param, params_acParams);
1069 for (i = 0; i < WME_NUM_AC; i++) {
1070 struct wmeParams *wmep =
1071 &wme->wme_wmeChanParams.cap_wmeParams[i];
1072 /* NB: ACI not used */
1073 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM);
1074 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN);
1075 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN);
1076 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX);
1077 wmep->wmep_txopLimit = LE_READ_2(frm+2);
1080 wme->wme_wmeChanParams.cap_info = qosinfo;
1086 * Return non-zero if a background scan may be continued:
1087 * o bg scan is active
1088 * o no channel switch is pending
1089 * o there has not been any traffic recently
1091 * Note we do not check if there is an administrative enable;
1092 * this is only done to start the scan. We assume that any
1093 * change in state will be accompanied by a request to cancel
1094 * active scans which will otherwise cause this test to fail.
1097 contbgscan(struct ieee80211vap *vap)
1099 struct ieee80211com *ic = vap->iv_ic;
1101 return ((ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN) &&
1102 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1103 vap->iv_state == IEEE80211_S_RUN && /* XXX? */
1104 time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle));
1108 * Return non-zero if a backgrond scan may be started:
1109 * o bg scanning is administratively enabled
1110 * o no channel switch is pending
1111 * o we are not boosted on a dynamic turbo channel
1112 * o there has not been a scan recently
1113 * o there has not been any traffic recently
1116 startbgscan(struct ieee80211vap *vap)
1118 struct ieee80211com *ic = vap->iv_ic;
1120 return ((vap->iv_flags & IEEE80211_F_BGSCAN) &&
1121 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1122 #ifdef IEEE80211_SUPPORT_SUPERG
1123 !IEEE80211_IS_CHAN_DTURBO(ic->ic_curchan) &&
1125 time_after(ticks, ic->ic_lastscan + vap->iv_bgscanintvl) &&
1126 time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle));
1130 sta_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1131 int subtype, int rssi, int noise, uint32_t rstamp)
1133 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
1134 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
1135 struct ieee80211vap *vap = ni->ni_vap;
1136 struct ieee80211com *ic = ni->ni_ic;
1137 struct ieee80211_frame *wh;
1138 uint8_t *frm, *efrm;
1139 uint8_t *rates, *xrates, *wme, *htcap, *htinfo;
1142 wh = mtod(m0, struct ieee80211_frame *);
1143 frm = (uint8_t *)&wh[1];
1144 efrm = mtod(m0, uint8_t *) + m0->m_len;
1146 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1147 case IEEE80211_FC0_SUBTYPE_BEACON: {
1148 struct ieee80211_scanparams scan;
1150 * We process beacon/probe response frames:
1151 * o when scanning, or
1152 * o station mode when associated (to collect state
1153 * updates such as 802.11g slot time)
1154 * Frames otherwise received are discarded.
1156 if (!((ic->ic_flags & IEEE80211_F_SCAN) || ni->ni_associd)) {
1157 vap->iv_stats.is_rx_mgtdiscard++;
1160 /* XXX probe response in sta mode when !scanning? */
1161 if (ieee80211_parse_beacon(ni, m0, &scan) != 0)
1164 * Count frame now that we know it's to be processed.
1166 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1167 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1168 IEEE80211_NODE_STAT(ni, rx_beacons);
1170 IEEE80211_NODE_STAT(ni, rx_proberesp);
1172 * When operating in station mode, check for state updates.
1173 * Be careful to ignore beacons received while doing a
1174 * background scan. We consider only 11g/WMM stuff right now.
1176 if (ni->ni_associd != 0 &&
1177 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
1178 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
1179 /* record tsf of last beacon */
1180 memcpy(ni->ni_tstamp.data, scan.tstamp,
1181 sizeof(ni->ni_tstamp));
1182 /* count beacon frame for s/w bmiss handling */
1183 vap->iv_swbmiss_count++;
1184 vap->iv_bmiss_count = 0;
1185 if (ni->ni_erp != scan.erp) {
1186 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1188 "erp change: was 0x%x, now 0x%x",
1189 ni->ni_erp, scan.erp);
1190 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1191 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1192 ic->ic_flags |= IEEE80211_F_USEPROT;
1194 ic->ic_flags &= ~IEEE80211_F_USEPROT;
1195 ni->ni_erp = scan.erp;
1197 /* XXX driver notification */
1199 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) {
1200 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1202 "capabilities change: was 0x%x, now 0x%x",
1203 ni->ni_capinfo, scan.capinfo);
1205 * NB: we assume short preamble doesn't
1206 * change dynamically
1208 ieee80211_set_shortslottime(ic,
1209 IEEE80211_IS_CHAN_A(ic->ic_bsschan) ||
1210 (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1211 ni->ni_capinfo = (ni->ni_capinfo &~ IEEE80211_CAPINFO_SHORT_SLOTTIME)
1212 | (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME);
1215 if (scan.wme != NULL &&
1216 (ni->ni_flags & IEEE80211_NODE_QOS) &&
1217 ieee80211_parse_wmeparams(vap, scan.wme, wh) > 0)
1218 ieee80211_wme_updateparams(vap);
1219 #ifdef IEEE80211_SUPPORT_SUPERG
1220 if (scan.ath != NULL)
1221 ieee80211_parse_athparams(ni, scan.ath, wh);
1223 if (scan.htcap != NULL && scan.htinfo != NULL &&
1224 (vap->iv_flags_ext & IEEE80211_FEXT_HT)) {
1225 ieee80211_ht_updateparams(ni,
1226 scan.htcap, scan.htinfo);
1227 /* XXX state changes? */
1229 if (scan.tim != NULL) {
1230 struct ieee80211_tim_ie *tim =
1231 (struct ieee80211_tim_ie *) scan.tim;
1233 int aid = IEEE80211_AID(ni->ni_associd);
1234 int ix = aid / NBBY;
1235 int min = tim->tim_bitctl &~ 1;
1236 int max = tim->tim_len + min - 4;
1237 if ((tim->tim_bitctl&1) ||
1238 (min <= ix && ix <= max &&
1239 isset(tim->tim_bitmap - min, aid))) {
1241 * XXX Do not let bg scan kick off
1242 * we are expecting data.
1244 ic->ic_lastdata = ticks;
1245 ieee80211_sta_pwrsave(vap, 0);
1248 ni->ni_dtim_count = tim->tim_count;
1249 ni->ni_dtim_period = tim->tim_period;
1252 * If scanning, pass the info to the scan module.
1253 * Otherwise, check if it's the right time to do
1254 * a background scan. Background scanning must
1255 * be enabled and we must not be operating in the
1256 * turbo phase of dynamic turbo mode. Then,
1257 * it's been a while since the last background
1258 * scan and if no data frames have come through
1259 * recently, kick off a scan. Note that this
1260 * is the mechanism by which a background scan
1261 * is started _and_ continued each time we
1262 * return on-channel to receive a beacon from
1265 if (ic->ic_flags & IEEE80211_F_SCAN) {
1266 ieee80211_add_scan(vap, &scan, wh,
1267 subtype, rssi, noise, rstamp);
1268 } else if (contbgscan(vap)) {
1269 ieee80211_bg_scan(vap, 0);
1270 } else if (startbgscan(vap)) {
1271 vap->iv_stats.is_scan_bg++;
1273 /* wakeup if we are sleeing */
1274 ieee80211_set_pwrsave(vap, 0);
1276 ieee80211_bg_scan(vap, 0);
1281 * If scanning, just pass information to the scan module.
1283 if (ic->ic_flags & IEEE80211_F_SCAN) {
1284 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
1286 * Actively scanning a channel marked passive;
1287 * send a probe request now that we know there
1288 * is 802.11 traffic present.
1290 * XXX check if the beacon we recv'd gives
1291 * us what we need and suppress the probe req
1293 ieee80211_probe_curchan(vap, 1);
1294 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1296 ieee80211_add_scan(vap, &scan, wh,
1297 subtype, rssi, noise, rstamp);
1303 case IEEE80211_FC0_SUBTYPE_AUTH: {
1304 uint16_t algo, seq, status;
1312 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1313 algo = le16toh(*(uint16_t *)frm);
1314 seq = le16toh(*(uint16_t *)(frm + 2));
1315 status = le16toh(*(uint16_t *)(frm + 4));
1316 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1317 "recv auth frame with algorithm %d seq %d", algo, seq);
1319 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1320 IEEE80211_DISCARD(vap,
1321 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1322 wh, "auth", "%s", "TKIP countermeasures enabled");
1323 vap->iv_stats.is_rx_auth_countermeasures++;
1324 if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
1325 ieee80211_send_error(ni, wh->i_addr2,
1326 IEEE80211_FC0_SUBTYPE_AUTH,
1327 IEEE80211_REASON_MIC_FAILURE);
1331 if (algo == IEEE80211_AUTH_ALG_SHARED)
1332 sta_auth_shared(ni, wh, frm + 6, efrm, rssi,
1333 noise, rstamp, seq, status);
1334 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1335 sta_auth_open(ni, wh, rssi, noise, rstamp,
1338 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1339 wh, "auth", "unsupported alg %d", algo);
1340 vap->iv_stats.is_rx_auth_unsupported++;
1346 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
1347 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
1348 uint16_t capinfo, associd;
1351 if (vap->iv_state != IEEE80211_S_ASSOC) {
1352 vap->iv_stats.is_rx_mgtdiscard++;
1357 * asresp frame format
1358 * [2] capability information
1360 * [2] association ID
1361 * [tlv] supported rates
1362 * [tlv] extended supported rates
1364 * [tlv] HT capabilities
1367 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1369 capinfo = le16toh(*(uint16_t *)frm);
1371 status = le16toh(*(uint16_t *)frm);
1374 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1375 wh->i_addr2, "%sassoc failed (reason %d)",
1376 ISREASSOC(subtype) ? "re" : "", status);
1377 vap->iv_stats.is_rx_auth_fail++; /* XXX */
1380 associd = le16toh(*(uint16_t *)frm);
1383 rates = xrates = wme = htcap = htinfo = NULL;
1384 while (efrm - frm > 1) {
1385 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1387 case IEEE80211_ELEMID_RATES:
1390 case IEEE80211_ELEMID_XRATES:
1393 case IEEE80211_ELEMID_HTCAP:
1396 case IEEE80211_ELEMID_HTINFO:
1399 case IEEE80211_ELEMID_VENDOR:
1402 else if (vap->iv_flags_ext & IEEE80211_FEXT_HTCOMPAT) {
1404 * Accept pre-draft HT ie's if the
1405 * standard ones have not been seen.
1407 if (ishtcapoui(frm)) {
1410 } else if (ishtinfooui(frm)) {
1415 /* XXX Atheros OUI support */
1421 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1423 IEEE80211_VERIFY_ELEMENT(xrates,
1424 IEEE80211_RATE_MAXSIZE - rates[1], return);
1425 rate = ieee80211_setup_rates(ni, rates, xrates,
1427 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
1428 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
1429 if (rate & IEEE80211_RATE_BASIC) {
1430 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1432 "%sassoc failed (rate set mismatch)",
1433 ISREASSOC(subtype) ? "re" : "");
1434 vap->iv_stats.is_rx_assoc_norate++;
1435 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1436 IEEE80211_SCAN_FAIL_STATUS);
1440 ni->ni_capinfo = capinfo;
1441 ni->ni_associd = associd;
1442 if (ni->ni_jointime == 0)
1443 ni->ni_jointime = time_uptime;
1445 ieee80211_parse_wmeparams(vap, wme, wh) >= 0) {
1446 ni->ni_flags |= IEEE80211_NODE_QOS;
1447 ieee80211_wme_updateparams(vap);
1449 ni->ni_flags &= ~IEEE80211_NODE_QOS;
1451 * Setup HT state according to the negotiation.
1453 * NB: shouldn't need to check if HT use is enabled but some
1454 * ap's send back HT ie's even when we don't indicate we
1455 * are HT capable in our AssocReq.
1457 if (htcap != NULL && htinfo != NULL &&
1458 (vap->iv_flags_ext & IEEE80211_FEXT_HT)) {
1459 ieee80211_ht_node_init(ni);
1460 ieee80211_ht_updateparams(ni, htcap, htinfo);
1461 ieee80211_setup_htrates(ni, htcap,
1462 IEEE80211_F_JOIN | IEEE80211_F_DOBRS);
1463 ieee80211_setup_basic_htrates(ni, htinfo);
1465 #ifdef IEEE80211_SUPPORT_SUPERG
1466 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_ATH))
1467 ieee80211_ff_node_init(ni);
1471 * Configure state now that we are associated.
1473 * XXX may need different/additional driver callbacks?
1475 if (IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1476 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
1477 ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
1478 ic->ic_flags &= ~IEEE80211_F_USEBARKER;
1480 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
1481 ic->ic_flags |= IEEE80211_F_USEBARKER;
1483 ieee80211_set_shortslottime(ic,
1484 IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1485 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1487 * Honor ERP protection.
1489 * NB: ni_erp should zero for non-11g operation.
1491 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1492 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1493 ic->ic_flags |= IEEE80211_F_USEPROT;
1495 ic->ic_flags &= ~IEEE80211_F_USEPROT;
1496 IEEE80211_NOTE_MAC(vap,
1497 IEEE80211_MSG_ASSOC | IEEE80211_MSG_DEBUG, wh->i_addr2,
1498 "%sassoc success at aid %d: %s preamble, %s slot time%s%s%s%s%s%s%s%s",
1499 ISREASSOC(subtype) ? "re" : "",
1500 IEEE80211_NODE_AID(ni),
1501 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
1502 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
1503 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
1504 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "",
1505 ni->ni_flags & IEEE80211_NODE_HT ?
1506 (ni->ni_chw == 40 ? ", HT40" : ", HT20") : "",
1507 ni->ni_flags & IEEE80211_NODE_AMPDU ? " (+AMPDU)" : "",
1508 ni->ni_flags & IEEE80211_NODE_MIMO_RTS ? " (+SMPS-DYN)" :
1509 ni->ni_flags & IEEE80211_NODE_MIMO_PS ? " (+SMPS)" : "",
1510 ni->ni_flags & IEEE80211_NODE_RIFS ? " (+RIFS)" : "",
1511 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) ?
1512 ", fast-frames" : "",
1513 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_TURBOP) ?
1516 ieee80211_new_state(vap, IEEE80211_S_RUN, subtype);
1520 case IEEE80211_FC0_SUBTYPE_DEAUTH: {
1523 if (vap->iv_state == IEEE80211_S_SCAN) {
1524 vap->iv_stats.is_rx_mgtdiscard++;
1527 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1528 /* NB: can happen when in promiscuous mode */
1529 vap->iv_stats.is_rx_mgtdiscard++;
1534 * deauth frame format
1537 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1538 reason = le16toh(*(uint16_t *)frm);
1540 vap->iv_stats.is_rx_deauth++;
1541 vap->iv_stats.is_rx_deauth_code = reason;
1542 IEEE80211_NODE_STAT(ni, rx_deauth);
1544 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
1545 "recv deauthenticate (reason %d)", reason);
1546 ieee80211_new_state(vap, IEEE80211_S_AUTH,
1547 (reason << 8) | IEEE80211_FC0_SUBTYPE_DEAUTH);
1551 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
1554 if (vap->iv_state != IEEE80211_S_RUN &&
1555 vap->iv_state != IEEE80211_S_ASSOC &&
1556 vap->iv_state != IEEE80211_S_AUTH) {
1557 vap->iv_stats.is_rx_mgtdiscard++;
1560 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1561 /* NB: can happen when in promiscuous mode */
1562 vap->iv_stats.is_rx_mgtdiscard++;
1567 * disassoc frame format
1570 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1571 reason = le16toh(*(uint16_t *)frm);
1573 vap->iv_stats.is_rx_disassoc++;
1574 vap->iv_stats.is_rx_disassoc_code = reason;
1575 IEEE80211_NODE_STAT(ni, rx_disassoc);
1577 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1578 "recv disassociate (reason %d)", reason);
1579 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1583 case IEEE80211_FC0_SUBTYPE_ACTION:
1584 if (vap->iv_state == IEEE80211_S_RUN) {
1585 if (ieee80211_parse_action(ni, m0) == 0)
1586 ic->ic_recv_action(ni, frm, efrm);
1588 vap->iv_stats.is_rx_mgtdiscard++;
1591 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1592 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1593 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
1594 vap->iv_stats.is_rx_mgtdiscard++;
1597 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1598 wh, "mgt", "subtype 0x%x not handled", subtype);
1599 vap->iv_stats.is_rx_badsubtype++;
1607 sta_recv_ctl(struct ieee80211_node *ni, struct mbuf *m0, int subtype)