2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
32 * IEEE 802.11 Station mode support.
37 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/malloc.h>
41 #include <sys/kernel.h>
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
48 #include <sys/sysctl.h>
51 #include <net/if_media.h>
52 #include <net/if_llc.h>
53 #include <net/if_dl.h>
54 #include <net/if_var.h>
55 #include <net/ethernet.h>
59 #include <net80211/ieee80211_var.h>
60 #include <net80211/ieee80211_sta.h>
61 #include <net80211/ieee80211_input.h>
62 #ifdef IEEE80211_SUPPORT_SUPERG
63 #include <net80211/ieee80211_superg.h>
65 #include <net80211/ieee80211_ratectl.h>
67 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
69 static void sta_vattach(struct ieee80211vap *);
70 static void sta_beacon_miss(struct ieee80211vap *);
71 static int sta_newstate(struct ieee80211vap *, enum ieee80211_state, int);
72 static int sta_input(struct ieee80211_node *, struct mbuf *, int, int);
73 static void sta_recv_mgmt(struct ieee80211_node *, struct mbuf *,
74 int subtype, int rssi, int nf);
75 static void sta_recv_ctl(struct ieee80211_node *, struct mbuf *, int subtype);
78 ieee80211_sta_attach(struct ieee80211com *ic)
80 ic->ic_vattach[IEEE80211_M_STA] = sta_vattach;
84 ieee80211_sta_detach(struct ieee80211com *ic)
89 sta_vdetach(struct ieee80211vap *vap)
94 sta_vattach(struct ieee80211vap *vap)
96 vap->iv_newstate = sta_newstate;
97 vap->iv_input = sta_input;
98 vap->iv_recv_mgmt = sta_recv_mgmt;
99 vap->iv_recv_ctl = sta_recv_ctl;
100 vap->iv_opdetach = sta_vdetach;
101 vap->iv_bmiss = sta_beacon_miss;
105 * Handle a beacon miss event. The common code filters out
106 * spurious events that can happen when scanning and/or before
107 * reaching RUN state.
110 sta_beacon_miss(struct ieee80211vap *vap)
112 struct ieee80211com *ic = vap->iv_ic;
114 IEEE80211_LOCK_ASSERT(ic);
116 KASSERT((ic->ic_flags & IEEE80211_F_SCAN) == 0, ("scanning"));
117 KASSERT(vap->iv_state >= IEEE80211_S_RUN,
118 ("wrong state %s", ieee80211_state_name[vap->iv_state]));
120 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG,
121 "beacon miss, mode %s state %s\n",
122 ieee80211_opmode_name[vap->iv_opmode],
123 ieee80211_state_name[vap->iv_state]);
125 if (vap->iv_state == IEEE80211_S_CSA) {
127 * A Channel Switch is pending; assume we missed the
128 * beacon that would've completed the process and just
129 * force the switch. If we made a mistake we'll not
130 * find the AP on the new channel and fall back to a
133 ieee80211_csa_completeswitch(ic);
136 if (++vap->iv_bmiss_count < vap->iv_bmiss_max) {
138 * Send a directed probe req before falling back to a
139 * scan; if we receive a response ic_bmiss_count will
140 * be reset. Some cards mistakenly report beacon miss
141 * so this avoids the expensive scan if the ap is
144 ieee80211_send_probereq(vap->iv_bss, vap->iv_myaddr,
145 vap->iv_bss->ni_bssid, vap->iv_bss->ni_bssid,
146 vap->iv_bss->ni_essid, vap->iv_bss->ni_esslen);
150 callout_stop(&vap->iv_swbmiss);
151 vap->iv_bmiss_count = 0;
152 vap->iv_stats.is_beacon_miss++;
153 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
154 #ifdef IEEE80211_SUPPORT_SUPERG
155 struct ieee80211com *ic = vap->iv_ic;
158 * If we receive a beacon miss interrupt when using
159 * dynamic turbo, attempt to switch modes before
162 if (IEEE80211_ATH_CAP(vap, vap->iv_bss, IEEE80211_NODE_TURBOP))
163 ieee80211_dturbo_switch(vap,
164 ic->ic_bsschan->ic_flags ^ IEEE80211_CHAN_TURBO);
167 * Try to reassociate before scanning for a new ap.
169 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 1);
172 * Somebody else is controlling state changes (e.g.
173 * a user-mode app) don't do anything that would
174 * confuse them; just drop into scan mode so they'll
175 * notified of the state change and given control.
177 ieee80211_new_state(vap, IEEE80211_S_SCAN, 0);
182 * Handle deauth with reason. We retry only for
183 * the cases where we might succeed. Otherwise
184 * we downgrade the ap and scan.
187 sta_authretry(struct ieee80211vap *vap, struct ieee80211_node *ni, int reason)
190 case IEEE80211_STATUS_SUCCESS: /* NB: MLME assoc */
191 case IEEE80211_STATUS_TIMEOUT:
192 case IEEE80211_REASON_ASSOC_EXPIRE:
193 case IEEE80211_REASON_NOT_AUTHED:
194 case IEEE80211_REASON_NOT_ASSOCED:
195 case IEEE80211_REASON_ASSOC_LEAVE:
196 case IEEE80211_REASON_ASSOC_NOT_AUTHED:
197 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, 1);
200 ieee80211_scan_assoc_fail(vap, vap->iv_bss->ni_macaddr, reason);
201 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
202 ieee80211_check_scan_current(vap);
208 * IEEE80211_M_STA vap state machine handler.
209 * This routine handles the main states in the 802.11 protocol.
212 sta_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
214 struct ieee80211com *ic = vap->iv_ic;
215 struct ieee80211_node *ni;
216 enum ieee80211_state ostate;
218 IEEE80211_LOCK_ASSERT(ic);
220 ostate = vap->iv_state;
221 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
222 __func__, ieee80211_state_name[ostate],
223 ieee80211_state_name[nstate], arg);
224 vap->iv_state = nstate; /* state transition */
225 callout_stop(&vap->iv_mgtsend); /* XXX callout_drain */
226 if (ostate != IEEE80211_S_SCAN)
227 ieee80211_cancel_scan(vap); /* background scan */
228 ni = vap->iv_bss; /* NB: no reference held */
229 if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)
230 callout_stop(&vap->iv_swbmiss);
232 case IEEE80211_S_INIT:
234 case IEEE80211_S_SLEEP:
236 case IEEE80211_S_RUN:
237 IEEE80211_SEND_MGMT(ni,
238 IEEE80211_FC0_SUBTYPE_DISASSOC,
239 IEEE80211_REASON_ASSOC_LEAVE);
240 ieee80211_sta_leave(ni);
242 case IEEE80211_S_ASSOC:
243 IEEE80211_SEND_MGMT(ni,
244 IEEE80211_FC0_SUBTYPE_DEAUTH,
245 IEEE80211_REASON_AUTH_LEAVE);
247 case IEEE80211_S_SCAN:
248 ieee80211_cancel_scan(vap);
253 if (ostate != IEEE80211_S_INIT) {
254 /* NB: optimize INIT -> INIT case */
255 ieee80211_reset_bss(vap);
257 if (vap->iv_auth->ia_detach != NULL)
258 vap->iv_auth->ia_detach(vap);
260 case IEEE80211_S_SCAN:
262 case IEEE80211_S_INIT:
264 * Initiate a scan. We can come here as a result
265 * of an IEEE80211_IOC_SCAN_REQ too in which case
266 * the vap will be marked with IEEE80211_FEXT_SCANREQ
267 * and the scan request parameters will be present
268 * in iv_scanreq. Otherwise we do the default.
270 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
271 ieee80211_check_scan(vap,
272 vap->iv_scanreq_flags,
273 vap->iv_scanreq_duration,
274 vap->iv_scanreq_mindwell,
275 vap->iv_scanreq_maxdwell,
276 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
277 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
279 ieee80211_check_scan_current(vap);
281 case IEEE80211_S_SCAN:
282 case IEEE80211_S_AUTH:
283 case IEEE80211_S_ASSOC:
285 * These can happen either because of a timeout
286 * on an assoc/auth response or because of a
287 * change in state that requires a reset. For
288 * the former we're called with a non-zero arg
289 * that is the cause for the failure; pass this
290 * to the scan code so it can update state.
291 * Otherwise trigger a new scan unless we're in
292 * manual roaming mode in which case an application
293 * must issue an explicit scan request.
296 ieee80211_scan_assoc_fail(vap,
297 vap->iv_bss->ni_macaddr, arg);
298 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
299 ieee80211_check_scan_current(vap);
301 case IEEE80211_S_RUN: /* beacon miss */
303 * Beacon miss. Notify user space and if not
304 * under control of a user application (roaming
305 * manual) kick off a scan to re-connect.
307 ieee80211_sta_leave(ni);
308 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
309 ieee80211_check_scan_current(vap);
315 case IEEE80211_S_AUTH:
317 case IEEE80211_S_INIT:
318 case IEEE80211_S_SCAN:
319 IEEE80211_SEND_MGMT(ni,
320 IEEE80211_FC0_SUBTYPE_AUTH, 1);
322 case IEEE80211_S_AUTH:
323 case IEEE80211_S_ASSOC:
324 switch (arg & 0xff) {
325 case IEEE80211_FC0_SUBTYPE_AUTH:
327 IEEE80211_SEND_MGMT(ni,
328 IEEE80211_FC0_SUBTYPE_AUTH, 2);
330 case IEEE80211_FC0_SUBTYPE_DEAUTH:
331 sta_authretry(vap, ni, arg>>8);
335 case IEEE80211_S_RUN:
336 switch (arg & 0xff) {
337 case IEEE80211_FC0_SUBTYPE_AUTH:
338 IEEE80211_SEND_MGMT(ni,
339 IEEE80211_FC0_SUBTYPE_AUTH, 2);
340 vap->iv_state = ostate; /* stay RUN */
342 case IEEE80211_FC0_SUBTYPE_DEAUTH:
343 ieee80211_sta_leave(ni);
344 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
346 IEEE80211_SEND_MGMT(ni,
347 IEEE80211_FC0_SUBTYPE_AUTH, 1);
356 case IEEE80211_S_ASSOC:
358 case IEEE80211_S_AUTH:
359 case IEEE80211_S_ASSOC:
360 IEEE80211_SEND_MGMT(ni,
361 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
363 case IEEE80211_S_SLEEP: /* cannot happen */
364 case IEEE80211_S_RUN:
365 ieee80211_sta_leave(ni);
366 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
367 IEEE80211_SEND_MGMT(ni, arg ?
368 IEEE80211_FC0_SUBTYPE_REASSOC_REQ :
369 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
376 case IEEE80211_S_RUN:
377 if (vap->iv_flags & IEEE80211_F_WPA) {
378 /* XXX validate prerequisites */
381 case IEEE80211_S_RUN:
382 case IEEE80211_S_CSA:
384 case IEEE80211_S_AUTH: /* when join is done in fw */
385 case IEEE80211_S_ASSOC:
386 #ifdef IEEE80211_DEBUG
387 if (ieee80211_msg_debug(vap)) {
388 ieee80211_note(vap, "%s with %s ssid ",
389 (vap->iv_opmode == IEEE80211_M_STA ?
390 "associated" : "synchronized"),
391 ether_sprintf(ni->ni_bssid));
392 ieee80211_print_essid(vap->iv_bss->ni_essid,
395 printf(" channel %d start %uMb\n",
396 ieee80211_chan2ieee(ic, ic->ic_curchan),
397 IEEE80211_RATE2MBS(ni->ni_txrate));
400 ieee80211_scan_assoc_success(vap, ni->ni_macaddr);
401 ieee80211_notify_node_join(ni,
402 arg == IEEE80211_FC0_SUBTYPE_ASSOC_RESP);
404 case IEEE80211_S_SLEEP:
405 vap->iv_sta_ps(vap, 0);
410 ieee80211_sync_curchan(ic);
411 if (ostate != IEEE80211_S_RUN &&
412 (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)) {
414 * Start s/w beacon miss timer for devices w/o
415 * hardware support. We fudge a bit here since
416 * we're doing this in software.
418 vap->iv_swbmiss_period = IEEE80211_TU_TO_TICKS(
419 2 * vap->iv_bmissthreshold * ni->ni_intval);
420 vap->iv_swbmiss_count = 0;
421 callout_reset(&vap->iv_swbmiss, vap->iv_swbmiss_period,
422 ieee80211_swbmiss, vap);
425 * When 802.1x is not in use mark the port authorized
426 * at this point so traffic can flow.
428 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
429 ieee80211_node_authorize(ni);
431 * Fake association when joining an existing bss.
433 if (ic->ic_newassoc != NULL)
434 ic->ic_newassoc(vap->iv_bss, ostate != IEEE80211_S_RUN);
436 case IEEE80211_S_CSA:
437 if (ostate != IEEE80211_S_RUN)
440 case IEEE80211_S_SLEEP:
441 vap->iv_sta_ps(vap, 1);
445 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
446 "%s: unexpected state transition %s -> %s\n", __func__,
447 ieee80211_state_name[ostate], ieee80211_state_name[nstate]);
454 * Return non-zero if the frame is an echo of a multicast
455 * frame sent by ourself. The dir is known to be DSTODS.
458 isdstods_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
460 #define QWH4(wh) ((const struct ieee80211_qosframe_addr4 *)wh)
461 #define WH4(wh) ((const struct ieee80211_frame_addr4 *)wh)
464 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
466 if (!IEEE80211_IS_MULTICAST(wh->i_addr3))
468 sa = IEEE80211_QOS_HAS_SEQ(wh) ? QWH4(wh)->i_addr4 : WH4(wh)->i_addr4;
469 return IEEE80211_ADDR_EQ(sa, vap->iv_myaddr);
475 * Return non-zero if the frame is an echo of a multicast
476 * frame sent by ourself. The dir is known to be FROMDS.
479 isfromds_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
481 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
483 if (!IEEE80211_IS_MULTICAST(wh->i_addr1))
485 return IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_myaddr);
489 * Decide if a received management frame should be
490 * printed when debugging is enabled. This filters some
491 * of the less interesting frames that come frequently
495 doprint(struct ieee80211vap *vap, int subtype)
498 case IEEE80211_FC0_SUBTYPE_BEACON:
499 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
500 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
507 * Process a received frame. The node associated with the sender
508 * should be supplied. If nothing was found in the node table then
509 * the caller is assumed to supply a reference to iv_bss instead.
510 * The RSSI and a timestamp are also supplied. The RSSI data is used
511 * during AP scanning to select a AP to associate with; it can have
512 * any units so long as values have consistent units and higher values
513 * mean ``better signal''. The receive timestamp is currently not used
514 * by the 802.11 layer.
517 sta_input(struct ieee80211_node *ni, struct mbuf *m, int rssi, int nf)
519 #define HAS_SEQ(type) ((type & 0x4) == 0)
520 struct ieee80211vap *vap = ni->ni_vap;
521 struct ieee80211com *ic = ni->ni_ic;
522 struct ifnet *ifp = vap->iv_ifp;
523 struct ieee80211_frame *wh;
524 struct ieee80211_key *key;
525 struct ether_header *eh;
526 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
527 uint8_t dir, type, subtype, qos;
531 if (m->m_flags & M_AMPDU_MPDU) {
533 * Fastpath for A-MPDU reorder q resubmission. Frames
534 * w/ M_AMPDU_MPDU marked have already passed through
535 * here but were received out of order and been held on
536 * the reorder queue. When resubmitted they are marked
537 * with the M_AMPDU_MPDU flag and we can bypass most of
538 * the normal processing.
540 wh = mtod(m, struct ieee80211_frame *);
541 type = IEEE80211_FC0_TYPE_DATA;
542 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
543 subtype = IEEE80211_FC0_SUBTYPE_QOS;
544 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
548 KASSERT(ni != NULL, ("null node"));
549 ni->ni_inact = ni->ni_inact_reload;
551 type = -1; /* undefined */
553 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
554 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
555 ni->ni_macaddr, NULL,
556 "too short (1): len %u", m->m_pkthdr.len);
557 vap->iv_stats.is_rx_tooshort++;
561 * Bit of a cheat here, we use a pointer for a 3-address
562 * frame format but don't reference fields past outside
563 * ieee80211_frame_min w/o first validating the data is
566 wh = mtod(m, struct ieee80211_frame *);
568 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
569 IEEE80211_FC0_VERSION_0) {
570 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
571 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
572 wh->i_fc[0], wh->i_fc[1]);
573 vap->iv_stats.is_rx_badversion++;
577 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
578 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
579 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
580 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
582 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
583 /* not interested in */
584 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
585 bssid, NULL, "%s", "not to bss");
586 vap->iv_stats.is_rx_wrongbss++;
591 * Some devices may be in a promiscuous mode
592 * where they receive frames for multiple station
595 * If we receive a data frame that isn't
596 * destined to our VAP MAC, drop it.
598 * XXX TODO: This is only enforced when not scanning;
599 * XXX it assumes a software-driven scan will put the NIC
600 * XXX into a "no data frames" mode before setting this
601 * XXX flag. Otherwise it may be possible that we'll still
602 * XXX process data frames whilst scanning.
604 if ((! IEEE80211_IS_MULTICAST(wh->i_addr1))
605 && (! IEEE80211_ADDR_EQ(wh->i_addr1, IF_LLADDR(ifp)))) {
606 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
607 bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D",
608 IF_LLADDR(ifp), ":", wh->i_addr1, ":");
609 vap->iv_stats.is_rx_wrongbss++;
613 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
615 if (HAS_SEQ(type) && !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
616 uint8_t tid = ieee80211_gettid(wh);
617 if (IEEE80211_QOS_HAS_SEQ(wh) &&
618 TID_TO_WME_AC(tid) >= WME_AC_VI)
619 ic->ic_wme.wme_hipri_traffic++;
620 rxseq = le16toh(*(uint16_t *)wh->i_seq);
621 if (! ieee80211_check_rxseq(ni, wh)) {
622 /* duplicate, discard */
623 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
625 "seqno <%u,%u> fragno <%u,%u> tid %u",
626 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
627 ni->ni_rxseqs[tid] >>
628 IEEE80211_SEQ_SEQ_SHIFT,
629 rxseq & IEEE80211_SEQ_FRAG_MASK,
631 IEEE80211_SEQ_FRAG_MASK,
633 vap->iv_stats.is_rx_dup++;
634 IEEE80211_NODE_STAT(ni, rx_dup);
637 ni->ni_rxseqs[tid] = rxseq;
642 case IEEE80211_FC0_TYPE_DATA:
643 hdrspace = ieee80211_hdrspace(ic, wh);
644 if (m->m_len < hdrspace &&
645 (m = m_pullup(m, hdrspace)) == NULL) {
646 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
647 ni->ni_macaddr, NULL,
648 "data too short: expecting %u", hdrspace);
649 vap->iv_stats.is_rx_tooshort++;
653 * Handle A-MPDU re-ordering. If the frame is to be
654 * processed directly then ieee80211_ampdu_reorder
655 * will return 0; otherwise it has consumed the mbuf
656 * and we should do nothing more with it.
658 if ((m->m_flags & M_AMPDU) &&
659 (dir == IEEE80211_FC1_DIR_FROMDS ||
660 dir == IEEE80211_FC1_DIR_DSTODS) &&
661 ieee80211_ampdu_reorder(ni, m) != 0) {
666 if (dir == IEEE80211_FC1_DIR_FROMDS) {
667 if ((ifp->if_flags & IFF_SIMPLEX) &&
668 isfromds_mcastecho(vap, wh)) {
670 * In IEEE802.11 network, multicast
671 * packets sent from "me" are broadcast
672 * from the AP; silently discard for
675 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
676 wh, "data", "%s", "multicast echo");
677 vap->iv_stats.is_rx_mcastecho++;
680 if ((vap->iv_flags & IEEE80211_F_DWDS) &&
681 IEEE80211_IS_MULTICAST(wh->i_addr1)) {
683 * DWDS sta's must drop 3-address mcast frames
684 * as they will be sent separately as a 4-addr
685 * frame. Accepting the 3-addr frame will
686 * confuse the bridge into thinking the sending
687 * sta is located at the end of WDS link.
689 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
690 "3-address data", "%s", "DWDS enabled");
691 vap->iv_stats.is_rx_mcastecho++;
694 } else if (dir == IEEE80211_FC1_DIR_DSTODS) {
695 if ((vap->iv_flags & IEEE80211_F_DWDS) == 0) {
696 IEEE80211_DISCARD(vap,
697 IEEE80211_MSG_INPUT, wh, "4-address data",
698 "%s", "DWDS not enabled");
699 vap->iv_stats.is_rx_wrongdir++;
702 if ((ifp->if_flags & IFF_SIMPLEX) &&
703 isdstods_mcastecho(vap, wh)) {
705 * In IEEE802.11 network, multicast
706 * packets sent from "me" are broadcast
707 * from the AP; silently discard for
710 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
711 "4-address data", "%s", "multicast echo");
712 vap->iv_stats.is_rx_mcastecho++;
716 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
717 "data", "incorrect dir 0x%x", dir);
718 vap->iv_stats.is_rx_wrongdir++;
723 * Handle privacy requirements. Note that we
724 * must not be preempted from here until after
725 * we (potentially) call ieee80211_crypto_demic;
726 * otherwise we may violate assumptions in the
727 * crypto cipher modules used to do delayed update
728 * of replay sequence numbers.
730 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
731 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
733 * Discard encrypted frames when privacy is off.
735 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
736 wh, "WEP", "%s", "PRIVACY off");
737 vap->iv_stats.is_rx_noprivacy++;
738 IEEE80211_NODE_STAT(ni, rx_noprivacy);
741 key = ieee80211_crypto_decap(ni, m, hdrspace);
743 /* NB: stats+msgs handled in crypto_decap */
744 IEEE80211_NODE_STAT(ni, rx_wepfail);
747 wh = mtod(m, struct ieee80211_frame *);
748 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
750 /* XXX M_WEP and IEEE80211_F_PRIVACY */
755 * Save QoS bits for use below--before we strip the header.
757 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
758 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
759 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
760 ((struct ieee80211_qosframe *)wh)->i_qos[0];
765 * Next up, any fragmentation.
767 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
768 m = ieee80211_defrag(ni, m, hdrspace);
770 /* Fragment dropped or frame not complete yet */
774 wh = NULL; /* no longer valid, catch any uses */
777 * Next strip any MSDU crypto bits.
779 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
780 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
781 ni->ni_macaddr, "data", "%s", "demic error");
782 vap->iv_stats.is_rx_demicfail++;
783 IEEE80211_NODE_STAT(ni, rx_demicfail);
787 /* copy to listener after decrypt */
788 if (ieee80211_radiotap_active_vap(vap))
789 ieee80211_radiotap_rx(vap, m);
793 * Finally, strip the 802.11 header.
795 m = ieee80211_decap(vap, m, hdrspace);
797 /* XXX mask bit to check for both */
798 /* don't count Null data frames as errors */
799 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
800 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
802 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
803 ni->ni_macaddr, "data", "%s", "decap error");
804 vap->iv_stats.is_rx_decap++;
805 IEEE80211_NODE_STAT(ni, rx_decap);
808 eh = mtod(m, struct ether_header *);
809 if (!ieee80211_node_is_authorized(ni)) {
811 * Deny any non-PAE frames received prior to
812 * authorization. For open/shared-key
813 * authentication the port is mark authorized
814 * after authentication completes. For 802.1x
815 * the port is not marked authorized by the
816 * authenticator until the handshake has completed.
818 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
819 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
820 eh->ether_shost, "data",
821 "unauthorized port: ether type 0x%x len %u",
822 eh->ether_type, m->m_pkthdr.len);
823 vap->iv_stats.is_rx_unauth++;
824 IEEE80211_NODE_STAT(ni, rx_unauth);
829 * When denying unencrypted frames, discard
830 * any non-PAE frames received without encryption.
832 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
833 (key == NULL && (m->m_flags & M_WEP) == 0) &&
834 eh->ether_type != htons(ETHERTYPE_PAE)) {
836 * Drop unencrypted frames.
838 vap->iv_stats.is_rx_unencrypted++;
839 IEEE80211_NODE_STAT(ni, rx_unencrypted);
843 /* XXX require HT? */
844 if (qos & IEEE80211_QOS_AMSDU) {
845 m = ieee80211_decap_amsdu(ni, m);
847 return IEEE80211_FC0_TYPE_DATA;
849 #ifdef IEEE80211_SUPPORT_SUPERG
850 m = ieee80211_decap_fastframe(vap, ni, m);
852 return IEEE80211_FC0_TYPE_DATA;
855 ieee80211_deliver_data(vap, ni, m);
856 return IEEE80211_FC0_TYPE_DATA;
858 case IEEE80211_FC0_TYPE_MGT:
859 vap->iv_stats.is_rx_mgmt++;
860 IEEE80211_NODE_STAT(ni, rx_mgmt);
861 if (dir != IEEE80211_FC1_DIR_NODS) {
862 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
863 wh, "data", "incorrect dir 0x%x", dir);
864 vap->iv_stats.is_rx_wrongdir++;
867 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
868 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
869 ni->ni_macaddr, "mgt", "too short: len %u",
871 vap->iv_stats.is_rx_tooshort++;
874 #ifdef IEEE80211_DEBUG
875 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
876 ieee80211_msg_dumppkts(vap)) {
877 if_printf(ifp, "received %s from %s rssi %d\n",
878 ieee80211_mgt_subtype_name[subtype >>
879 IEEE80211_FC0_SUBTYPE_SHIFT],
880 ether_sprintf(wh->i_addr2), rssi);
883 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
884 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
886 * Only shared key auth frames with a challenge
887 * should be encrypted, discard all others.
889 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
890 wh, ieee80211_mgt_subtype_name[subtype >>
891 IEEE80211_FC0_SUBTYPE_SHIFT],
892 "%s", "WEP set but not permitted");
893 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
896 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
898 * Discard encrypted frames when privacy is off.
900 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
901 wh, "mgt", "%s", "WEP set but PRIVACY off");
902 vap->iv_stats.is_rx_noprivacy++;
905 hdrspace = ieee80211_hdrspace(ic, wh);
906 key = ieee80211_crypto_decap(ni, m, hdrspace);
908 /* NB: stats+msgs handled in crypto_decap */
911 wh = mtod(m, struct ieee80211_frame *);
912 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
914 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf);
917 case IEEE80211_FC0_TYPE_CTL:
918 vap->iv_stats.is_rx_ctl++;
919 IEEE80211_NODE_STAT(ni, rx_ctrl);
920 vap->iv_recv_ctl(ni, m, subtype);
924 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
925 wh, NULL, "bad frame type 0x%x", type);
926 /* should not come here */
933 if (need_tap && ieee80211_radiotap_active_vap(vap))
934 ieee80211_radiotap_rx(vap, m);
941 sta_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
942 int rssi, int nf, uint16_t seq, uint16_t status)
944 struct ieee80211vap *vap = ni->ni_vap;
946 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
947 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
948 ni->ni_macaddr, "open auth",
949 "bad sta auth mode %u", ni->ni_authmode);
950 vap->iv_stats.is_rx_bad_auth++; /* XXX */
953 if (vap->iv_state != IEEE80211_S_AUTH ||
954 seq != IEEE80211_AUTH_OPEN_RESPONSE) {
955 vap->iv_stats.is_rx_bad_auth++;
959 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
960 ni, "open auth failed (reason %d)", status);
961 vap->iv_stats.is_rx_auth_fail++;
962 vap->iv_stats.is_rx_authfail_code = status;
963 ieee80211_new_state(vap, IEEE80211_S_SCAN,
964 IEEE80211_SCAN_FAIL_STATUS);
966 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
970 sta_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
971 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
972 uint16_t seq, uint16_t status)
974 struct ieee80211vap *vap = ni->ni_vap;
979 * NB: this can happen as we allow pre-shared key
980 * authentication to be enabled w/o wep being turned
981 * on so that configuration of these can be done
982 * in any order. It may be better to enforce the
983 * ordering in which case this check would just be
984 * for sanity/consistency.
986 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
987 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
988 ni->ni_macaddr, "shared key auth",
989 "%s", " PRIVACY is disabled");
990 estatus = IEEE80211_STATUS_ALG;
994 * Pre-shared key authentication is evil; accept
995 * it only if explicitly configured (it is supported
996 * mainly for compatibility with clients like OS X).
998 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
999 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1000 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1001 ni->ni_macaddr, "shared key auth",
1002 "bad sta auth mode %u", ni->ni_authmode);
1003 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1004 estatus = IEEE80211_STATUS_ALG;
1009 if (frm + 1 < efrm) {
1010 if ((frm[1] + 2) > (efrm - frm)) {
1011 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1012 ni->ni_macaddr, "shared key auth",
1013 "ie %d/%d too long",
1014 frm[0], (frm[1] + 2) - (efrm - frm));
1015 vap->iv_stats.is_rx_bad_auth++;
1016 estatus = IEEE80211_STATUS_CHALLENGE;
1019 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1024 case IEEE80211_AUTH_SHARED_CHALLENGE:
1025 case IEEE80211_AUTH_SHARED_RESPONSE:
1026 if (challenge == NULL) {
1027 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1028 ni->ni_macaddr, "shared key auth",
1029 "%s", "no challenge");
1030 vap->iv_stats.is_rx_bad_auth++;
1031 estatus = IEEE80211_STATUS_CHALLENGE;
1034 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1035 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1036 ni->ni_macaddr, "shared key auth",
1037 "bad challenge len %d", challenge[1]);
1038 vap->iv_stats.is_rx_bad_auth++;
1039 estatus = IEEE80211_STATUS_CHALLENGE;
1045 if (vap->iv_state != IEEE80211_S_AUTH)
1048 case IEEE80211_AUTH_SHARED_PASS:
1049 if (ni->ni_challenge != NULL) {
1050 free(ni->ni_challenge, M_80211_NODE);
1051 ni->ni_challenge = NULL;
1054 IEEE80211_NOTE_FRAME(vap,
1055 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, wh,
1056 "shared key auth failed (reason %d)", status);
1057 vap->iv_stats.is_rx_auth_fail++;
1058 vap->iv_stats.is_rx_authfail_code = status;
1061 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1063 case IEEE80211_AUTH_SHARED_CHALLENGE:
1064 if (!ieee80211_alloc_challenge(ni))
1066 /* XXX could optimize by passing recvd challenge */
1067 memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1068 IEEE80211_SEND_MGMT(ni,
1069 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1072 IEEE80211_DISCARD(vap, IEEE80211_MSG_AUTH,
1073 wh, "shared key auth", "bad seq %d", seq);
1074 vap->iv_stats.is_rx_bad_auth++;
1080 * Kick the state machine. This short-circuits
1081 * using the mgt frame timeout to trigger the
1084 if (vap->iv_state == IEEE80211_S_AUTH)
1085 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1086 IEEE80211_SCAN_FAIL_STATUS);
1090 ieee80211_parse_wmeparams(struct ieee80211vap *vap, uint8_t *frm,
1091 const struct ieee80211_frame *wh)
1093 #define MS(_v, _f) (((_v) & _f) >> _f##_S)
1094 struct ieee80211_wme_state *wme = &vap->iv_ic->ic_wme;
1095 u_int len = frm[1], qosinfo;
1098 if (len < sizeof(struct ieee80211_wme_param)-2) {
1099 IEEE80211_DISCARD_IE(vap,
1100 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1101 wh, "WME", "too short, len %u", len);
1104 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)];
1105 qosinfo &= WME_QOSINFO_COUNT;
1106 /* XXX do proper check for wraparound */
1107 if (qosinfo == wme->wme_wmeChanParams.cap_info)
1109 frm += __offsetof(struct ieee80211_wme_param, params_acParams);
1110 for (i = 0; i < WME_NUM_AC; i++) {
1111 struct wmeParams *wmep =
1112 &wme->wme_wmeChanParams.cap_wmeParams[i];
1113 /* NB: ACI not used */
1114 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM);
1115 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN);
1116 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN);
1117 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX);
1118 wmep->wmep_txopLimit = LE_READ_2(frm+2);
1121 wme->wme_wmeChanParams.cap_info = qosinfo;
1127 * Process 11h Channel Switch Announcement (CSA) ie. If this
1128 * is the first CSA then initiate the switch. Otherwise we
1129 * track state and trigger completion and/or cancel of the switch.
1130 * XXX should be public for IBSS use
1133 ieee80211_parse_csaparams(struct ieee80211vap *vap, uint8_t *frm,
1134 const struct ieee80211_frame *wh)
1136 struct ieee80211com *ic = vap->iv_ic;
1137 const struct ieee80211_csa_ie *csa =
1138 (const struct ieee80211_csa_ie *) frm;
1140 KASSERT(vap->iv_state >= IEEE80211_S_RUN,
1141 ("state %s", ieee80211_state_name[vap->iv_state]));
1143 if (csa->csa_mode > 1) {
1144 IEEE80211_DISCARD_IE(vap,
1145 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1146 wh, "CSA", "invalid mode %u", csa->csa_mode);
1150 if ((ic->ic_flags & IEEE80211_F_CSAPENDING) == 0) {
1152 * Convert the channel number to a channel reference. We
1153 * try first to preserve turbo attribute of the current
1154 * channel then fallback. Note this will not work if the
1155 * CSA specifies a channel that requires a band switch (e.g.
1156 * 11a => 11g). This is intentional as 11h is defined only
1157 * for 5GHz/11a and because the switch does not involve a
1158 * reassociation, protocol state (capabilities, negotated
1159 * rates, etc) may/will be wrong.
1161 struct ieee80211_channel *c =
1162 ieee80211_find_channel_byieee(ic, csa->csa_newchan,
1163 (ic->ic_bsschan->ic_flags & IEEE80211_CHAN_ALLTURBO));
1165 c = ieee80211_find_channel_byieee(ic,
1167 (ic->ic_bsschan->ic_flags & IEEE80211_CHAN_ALL));
1169 IEEE80211_DISCARD_IE(vap,
1170 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1171 wh, "CSA", "invalid channel %u",
1176 #if IEEE80211_CSA_COUNT_MIN > 0
1177 if (csa->csa_count < IEEE80211_CSA_COUNT_MIN) {
1179 * Require at least IEEE80211_CSA_COUNT_MIN count to
1180 * reduce the risk of being redirected by a fabricated
1181 * CSA. If a valid CSA is dropped we'll still get a
1182 * beacon miss when the AP leaves the channel so we'll
1183 * eventually follow to the new channel.
1185 * NOTE: this violates the 11h spec that states that
1186 * count may be any value and if 0 then a switch
1187 * should happen asap.
1189 IEEE80211_DISCARD_IE(vap,
1190 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1191 wh, "CSA", "count %u too small, must be >= %u",
1192 csa->csa_count, IEEE80211_CSA_COUNT_MIN);
1196 ieee80211_csa_startswitch(ic, c, csa->csa_mode, csa->csa_count);
1199 * Validate this ie against the initial CSA. We require
1200 * mode and channel not change and the count must be
1201 * monotonically decreasing. This may be pointless and
1202 * canceling the switch as a result may be too paranoid but
1203 * in the worst case if we drop out of CSA because of this
1204 * and the AP does move then we'll just end up taking a
1205 * beacon miss and scan to find the AP.
1207 * XXX may want <= on count as we also process ProbeResp
1208 * frames and those may come in w/ the same count as the
1209 * previous beacon; but doing so leaves us open to a stuck
1210 * count until we add a dead-man timer
1212 if (!(csa->csa_count < ic->ic_csa_count &&
1213 csa->csa_mode == ic->ic_csa_mode &&
1214 csa->csa_newchan == ieee80211_chan2ieee(ic, ic->ic_csa_newchan))) {
1215 IEEE80211_NOTE_FRAME(vap, IEEE80211_MSG_DOTH, wh,
1216 "CSA ie mismatch, initial ie <%d,%d,%d>, "
1217 "this ie <%d,%d,%d>", ic->ic_csa_mode,
1218 ic->ic_csa_newchan, ic->ic_csa_count,
1219 csa->csa_mode, csa->csa_newchan, csa->csa_count);
1220 ieee80211_csa_cancelswitch(ic);
1222 if (csa->csa_count <= 1)
1223 ieee80211_csa_completeswitch(ic);
1225 ic->ic_csa_count = csa->csa_count;
1229 IEEE80211_UNLOCK(ic);
1233 * Return non-zero if a background scan may be continued:
1234 * o bg scan is active
1235 * o no channel switch is pending
1236 * o there has not been any traffic recently
1238 * Note we do not check if there is an administrative enable;
1239 * this is only done to start the scan. We assume that any
1240 * change in state will be accompanied by a request to cancel
1241 * active scans which will otherwise cause this test to fail.
1244 contbgscan(struct ieee80211vap *vap)
1246 struct ieee80211com *ic = vap->iv_ic;
1248 return ((ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN) &&
1249 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1250 vap->iv_state == IEEE80211_S_RUN && /* XXX? */
1251 time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle));
1255 * Return non-zero if a backgrond scan may be started:
1256 * o bg scanning is administratively enabled
1257 * o no channel switch is pending
1258 * o we are not boosted on a dynamic turbo channel
1259 * o there has not been a scan recently
1260 * o there has not been any traffic recently
1263 startbgscan(struct ieee80211vap *vap)
1265 struct ieee80211com *ic = vap->iv_ic;
1267 return ((vap->iv_flags & IEEE80211_F_BGSCAN) &&
1268 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1269 #ifdef IEEE80211_SUPPORT_SUPERG
1270 !IEEE80211_IS_CHAN_DTURBO(ic->ic_curchan) &&
1272 time_after(ticks, ic->ic_lastscan + vap->iv_bgscanintvl) &&
1273 time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle));
1277 sta_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1278 int subtype, int rssi, int nf)
1280 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
1281 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
1282 struct ieee80211vap *vap = ni->ni_vap;
1283 struct ieee80211com *ic = ni->ni_ic;
1284 struct ieee80211_frame *wh;
1285 uint8_t *frm, *efrm;
1286 uint8_t *rates, *xrates, *wme, *htcap, *htinfo;
1288 int ht_state_change = 0;
1290 wh = mtod(m0, struct ieee80211_frame *);
1291 frm = (uint8_t *)&wh[1];
1292 efrm = mtod(m0, uint8_t *) + m0->m_len;
1294 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1295 case IEEE80211_FC0_SUBTYPE_BEACON: {
1296 struct ieee80211_scanparams scan;
1298 * We process beacon/probe response frames:
1299 * o when scanning, or
1300 * o station mode when associated (to collect state
1301 * updates such as 802.11g slot time)
1302 * Frames otherwise received are discarded.
1304 if (!((ic->ic_flags & IEEE80211_F_SCAN) || ni->ni_associd)) {
1305 vap->iv_stats.is_rx_mgtdiscard++;
1308 /* XXX probe response in sta mode when !scanning? */
1309 if (ieee80211_parse_beacon(ni, m0, &scan) != 0) {
1310 if (! (ic->ic_flags & IEEE80211_F_SCAN))
1311 vap->iv_stats.is_beacon_bad++;
1315 * Count frame now that we know it's to be processed.
1317 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1318 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1319 IEEE80211_NODE_STAT(ni, rx_beacons);
1321 IEEE80211_NODE_STAT(ni, rx_proberesp);
1323 * When operating in station mode, check for state updates.
1324 * Be careful to ignore beacons received while doing a
1325 * background scan. We consider only 11g/WMM stuff right now.
1327 if (ni->ni_associd != 0 &&
1328 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
1329 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
1330 /* record tsf of last beacon */
1331 memcpy(ni->ni_tstamp.data, scan.tstamp,
1332 sizeof(ni->ni_tstamp));
1333 /* count beacon frame for s/w bmiss handling */
1334 vap->iv_swbmiss_count++;
1335 vap->iv_bmiss_count = 0;
1336 if (ni->ni_erp != scan.erp) {
1337 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1339 "erp change: was 0x%x, now 0x%x",
1340 ni->ni_erp, scan.erp);
1341 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1342 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1343 ic->ic_flags |= IEEE80211_F_USEPROT;
1345 ic->ic_flags &= ~IEEE80211_F_USEPROT;
1346 ni->ni_erp = scan.erp;
1348 /* XXX driver notification */
1350 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) {
1351 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1353 "capabilities change: was 0x%x, now 0x%x",
1354 ni->ni_capinfo, scan.capinfo);
1356 * NB: we assume short preamble doesn't
1357 * change dynamically
1359 ieee80211_set_shortslottime(ic,
1360 IEEE80211_IS_CHAN_A(ic->ic_bsschan) ||
1361 (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1362 ni->ni_capinfo = (ni->ni_capinfo &~ IEEE80211_CAPINFO_SHORT_SLOTTIME)
1363 | (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME);
1366 if (scan.wme != NULL &&
1367 (ni->ni_flags & IEEE80211_NODE_QOS) &&
1368 ieee80211_parse_wmeparams(vap, scan.wme, wh) > 0)
1369 ieee80211_wme_updateparams(vap);
1370 #ifdef IEEE80211_SUPPORT_SUPERG
1371 if (scan.ath != NULL)
1372 ieee80211_parse_athparams(ni, scan.ath, wh);
1374 if (scan.htcap != NULL && scan.htinfo != NULL &&
1375 (vap->iv_flags_ht & IEEE80211_FHT_HT)) {
1376 /* XXX state changes? */
1377 if (ieee80211_ht_updateparams(ni,
1378 scan.htcap, scan.htinfo))
1379 ht_state_change = 1;
1382 ic->ic_set_quiet(ni, scan.quiet);
1383 if (scan.tim != NULL) {
1384 struct ieee80211_tim_ie *tim =
1385 (struct ieee80211_tim_ie *) scan.tim;
1387 int aid = IEEE80211_AID(ni->ni_associd);
1388 int ix = aid / NBBY;
1389 int min = tim->tim_bitctl &~ 1;
1390 int max = tim->tim_len + min - 4;
1391 if ((tim->tim_bitctl&1) ||
1392 (min <= ix && ix <= max &&
1393 isset(tim->tim_bitmap - min, aid))) {
1395 * XXX Do not let bg scan kick off
1396 * we are expecting data.
1398 ic->ic_lastdata = ticks;
1399 vap->iv_sta_ps(vap, 0);
1402 ni->ni_dtim_count = tim->tim_count;
1403 ni->ni_dtim_period = tim->tim_period;
1405 if (scan.csa != NULL &&
1406 (vap->iv_flags & IEEE80211_F_DOTH))
1407 ieee80211_parse_csaparams(vap, scan.csa, wh);
1408 else if (ic->ic_flags & IEEE80211_F_CSAPENDING) {
1410 * No CSA ie or 11h disabled, but a channel
1411 * switch is pending; drop out so we aren't
1412 * stuck in CSA state. If the AP really is
1413 * moving we'll get a beacon miss and scan.
1416 ieee80211_csa_cancelswitch(ic);
1417 IEEE80211_UNLOCK(ic);
1420 * If scanning, pass the info to the scan module.
1421 * Otherwise, check if it's the right time to do
1422 * a background scan. Background scanning must
1423 * be enabled and we must not be operating in the
1424 * turbo phase of dynamic turbo mode. Then,
1425 * it's been a while since the last background
1426 * scan and if no data frames have come through
1427 * recently, kick off a scan. Note that this
1428 * is the mechanism by which a background scan
1429 * is started _and_ continued each time we
1430 * return on-channel to receive a beacon from
1433 if (ic->ic_flags & IEEE80211_F_SCAN) {
1434 ieee80211_add_scan(vap, &scan, wh,
1436 } else if (contbgscan(vap)) {
1437 ieee80211_bg_scan(vap, 0);
1438 } else if (startbgscan(vap)) {
1439 vap->iv_stats.is_scan_bg++;
1441 /* wakeup if we are sleeing */
1442 ieee80211_set_pwrsave(vap, 0);
1444 ieee80211_bg_scan(vap, 0);
1448 * If we've had a channel width change (eg HT20<->HT40)
1449 * then schedule a delayed driver notification.
1451 if (ht_state_change)
1452 ieee80211_update_chw(ic);
1456 * If scanning, just pass information to the scan module.
1458 if (ic->ic_flags & IEEE80211_F_SCAN) {
1459 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
1461 * Actively scanning a channel marked passive;
1462 * send a probe request now that we know there
1463 * is 802.11 traffic present.
1465 * XXX check if the beacon we recv'd gives
1466 * us what we need and suppress the probe req
1468 ieee80211_probe_curchan(vap, 1);
1469 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1471 ieee80211_add_scan(vap, &scan, wh, subtype, rssi, nf);
1477 case IEEE80211_FC0_SUBTYPE_AUTH: {
1478 uint16_t algo, seq, status;
1486 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1487 algo = le16toh(*(uint16_t *)frm);
1488 seq = le16toh(*(uint16_t *)(frm + 2));
1489 status = le16toh(*(uint16_t *)(frm + 4));
1490 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1491 "recv auth frame with algorithm %d seq %d", algo, seq);
1493 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1494 IEEE80211_DISCARD(vap,
1495 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1496 wh, "auth", "%s", "TKIP countermeasures enabled");
1497 vap->iv_stats.is_rx_auth_countermeasures++;
1498 if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
1499 ieee80211_send_error(ni, wh->i_addr2,
1500 IEEE80211_FC0_SUBTYPE_AUTH,
1501 IEEE80211_REASON_MIC_FAILURE);
1505 if (algo == IEEE80211_AUTH_ALG_SHARED)
1506 sta_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1508 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1509 sta_auth_open(ni, wh, rssi, nf, seq, status);
1511 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1512 wh, "auth", "unsupported alg %d", algo);
1513 vap->iv_stats.is_rx_auth_unsupported++;
1519 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
1520 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
1521 uint16_t capinfo, associd;
1524 if (vap->iv_state != IEEE80211_S_ASSOC) {
1525 vap->iv_stats.is_rx_mgtdiscard++;
1530 * asresp frame format
1531 * [2] capability information
1533 * [2] association ID
1534 * [tlv] supported rates
1535 * [tlv] extended supported rates
1537 * [tlv] HT capabilities
1540 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1542 capinfo = le16toh(*(uint16_t *)frm);
1544 status = le16toh(*(uint16_t *)frm);
1547 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1548 wh->i_addr2, "%sassoc failed (reason %d)",
1549 ISREASSOC(subtype) ? "re" : "", status);
1550 vap->iv_stats.is_rx_auth_fail++; /* XXX */
1553 associd = le16toh(*(uint16_t *)frm);
1556 rates = xrates = wme = htcap = htinfo = NULL;
1557 while (efrm - frm > 1) {
1558 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1560 case IEEE80211_ELEMID_RATES:
1563 case IEEE80211_ELEMID_XRATES:
1566 case IEEE80211_ELEMID_HTCAP:
1569 case IEEE80211_ELEMID_HTINFO:
1572 case IEEE80211_ELEMID_VENDOR:
1575 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
1577 * Accept pre-draft HT ie's if the
1578 * standard ones have not been seen.
1580 if (ishtcapoui(frm)) {
1583 } else if (ishtinfooui(frm)) {
1588 /* XXX Atheros OUI support */
1594 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1596 IEEE80211_VERIFY_ELEMENT(xrates,
1597 IEEE80211_RATE_MAXSIZE - rates[1], return);
1598 rate = ieee80211_setup_rates(ni, rates, xrates,
1600 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
1601 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
1602 if (rate & IEEE80211_RATE_BASIC) {
1603 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1605 "%sassoc failed (rate set mismatch)",
1606 ISREASSOC(subtype) ? "re" : "");
1607 vap->iv_stats.is_rx_assoc_norate++;
1608 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1609 IEEE80211_SCAN_FAIL_STATUS);
1613 ni->ni_capinfo = capinfo;
1614 ni->ni_associd = associd;
1615 if (ni->ni_jointime == 0)
1616 ni->ni_jointime = time_uptime;
1618 ieee80211_parse_wmeparams(vap, wme, wh) >= 0) {
1619 ni->ni_flags |= IEEE80211_NODE_QOS;
1620 ieee80211_wme_updateparams(vap);
1622 ni->ni_flags &= ~IEEE80211_NODE_QOS;
1624 * Setup HT state according to the negotiation.
1626 * NB: shouldn't need to check if HT use is enabled but some
1627 * ap's send back HT ie's even when we don't indicate we
1628 * are HT capable in our AssocReq.
1630 if (htcap != NULL && htinfo != NULL &&
1631 (vap->iv_flags_ht & IEEE80211_FHT_HT)) {
1632 ieee80211_ht_node_init(ni);
1633 ieee80211_ht_updateparams(ni, htcap, htinfo);
1634 ieee80211_setup_htrates(ni, htcap,
1635 IEEE80211_F_JOIN | IEEE80211_F_DOBRS);
1636 ieee80211_setup_basic_htrates(ni, htinfo);
1637 ieee80211_node_setuptxparms(ni);
1638 ieee80211_ratectl_node_init(ni);
1640 #ifdef IEEE80211_SUPPORT_SUPERG
1641 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_ATH))
1642 ieee80211_ff_node_init(ni);
1646 * Configure state now that we are associated.
1648 * XXX may need different/additional driver callbacks?
1650 if (IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1651 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
1652 ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
1653 ic->ic_flags &= ~IEEE80211_F_USEBARKER;
1655 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
1656 ic->ic_flags |= IEEE80211_F_USEBARKER;
1658 ieee80211_set_shortslottime(ic,
1659 IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1660 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1662 * Honor ERP protection.
1664 * NB: ni_erp should zero for non-11g operation.
1666 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1667 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1668 ic->ic_flags |= IEEE80211_F_USEPROT;
1670 ic->ic_flags &= ~IEEE80211_F_USEPROT;
1671 IEEE80211_NOTE_MAC(vap,
1672 IEEE80211_MSG_ASSOC | IEEE80211_MSG_DEBUG, wh->i_addr2,
1673 "%sassoc success at aid %d: %s preamble, %s slot time%s%s%s%s%s%s%s%s",
1674 ISREASSOC(subtype) ? "re" : "",
1675 IEEE80211_NODE_AID(ni),
1676 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
1677 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
1678 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
1679 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "",
1680 ni->ni_flags & IEEE80211_NODE_HT ?
1681 (ni->ni_chw == 40 ? ", HT40" : ", HT20") : "",
1682 ni->ni_flags & IEEE80211_NODE_AMPDU ? " (+AMPDU)" : "",
1683 ni->ni_flags & IEEE80211_NODE_MIMO_RTS ? " (+SMPS-DYN)" :
1684 ni->ni_flags & IEEE80211_NODE_MIMO_PS ? " (+SMPS)" : "",
1685 ni->ni_flags & IEEE80211_NODE_RIFS ? " (+RIFS)" : "",
1686 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) ?
1687 ", fast-frames" : "",
1688 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_TURBOP) ?
1691 ieee80211_new_state(vap, IEEE80211_S_RUN, subtype);
1695 case IEEE80211_FC0_SUBTYPE_DEAUTH: {
1698 if (vap->iv_state == IEEE80211_S_SCAN) {
1699 vap->iv_stats.is_rx_mgtdiscard++;
1702 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1703 /* NB: can happen when in promiscuous mode */
1704 vap->iv_stats.is_rx_mgtdiscard++;
1709 * deauth frame format
1712 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1713 reason = le16toh(*(uint16_t *)frm);
1715 vap->iv_stats.is_rx_deauth++;
1716 vap->iv_stats.is_rx_deauth_code = reason;
1717 IEEE80211_NODE_STAT(ni, rx_deauth);
1719 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
1720 "recv deauthenticate (reason %d)", reason);
1721 ieee80211_new_state(vap, IEEE80211_S_AUTH,
1722 (reason << 8) | IEEE80211_FC0_SUBTYPE_DEAUTH);
1726 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
1729 if (vap->iv_state != IEEE80211_S_RUN &&
1730 vap->iv_state != IEEE80211_S_ASSOC &&
1731 vap->iv_state != IEEE80211_S_AUTH) {
1732 vap->iv_stats.is_rx_mgtdiscard++;
1735 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1736 /* NB: can happen when in promiscuous mode */
1737 vap->iv_stats.is_rx_mgtdiscard++;
1742 * disassoc frame format
1745 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1746 reason = le16toh(*(uint16_t *)frm);
1748 vap->iv_stats.is_rx_disassoc++;
1749 vap->iv_stats.is_rx_disassoc_code = reason;
1750 IEEE80211_NODE_STAT(ni, rx_disassoc);
1752 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1753 "recv disassociate (reason %d)", reason);
1754 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1758 case IEEE80211_FC0_SUBTYPE_ACTION:
1759 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
1760 if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
1761 !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
1762 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1763 wh, NULL, "%s", "not for us");
1764 vap->iv_stats.is_rx_mgtdiscard++;
1765 } else if (vap->iv_state != IEEE80211_S_RUN) {
1766 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1767 wh, NULL, "wrong state %s",
1768 ieee80211_state_name[vap->iv_state]);
1769 vap->iv_stats.is_rx_mgtdiscard++;
1771 if (ieee80211_parse_action(ni, m0) == 0)
1772 (void)ic->ic_recv_action(ni, wh, frm, efrm);
1776 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1777 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
1778 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1779 case IEEE80211_FC0_SUBTYPE_ATIM:
1780 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1781 wh, NULL, "%s", "not handled");
1782 vap->iv_stats.is_rx_mgtdiscard++;
1786 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1787 wh, "mgt", "subtype 0x%x not handled", subtype);
1788 vap->iv_stats.is_rx_badsubtype++;
1796 sta_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
1799 case IEEE80211_FC0_SUBTYPE_BAR:
1800 ieee80211_recv_bar(ni, m);