2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
32 * IEEE 802.11 Station mode support.
37 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/malloc.h>
41 #include <sys/kernel.h>
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
48 #include <sys/sysctl.h>
51 #include <net/if_media.h>
52 #include <net/if_llc.h>
53 #include <net/if_dl.h>
54 #include <net/if_var.h>
55 #include <net/ethernet.h>
59 #include <net80211/ieee80211_var.h>
60 #include <net80211/ieee80211_sta.h>
61 #include <net80211/ieee80211_input.h>
62 #ifdef IEEE80211_SUPPORT_SUPERG
63 #include <net80211/ieee80211_superg.h>
65 #include <net80211/ieee80211_ratectl.h>
66 #include <net80211/ieee80211_sta.h>
68 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
70 static void sta_vattach(struct ieee80211vap *);
71 static void sta_beacon_miss(struct ieee80211vap *);
72 static int sta_newstate(struct ieee80211vap *, enum ieee80211_state, int);
73 static int sta_input(struct ieee80211_node *, struct mbuf *,
74 const struct ieee80211_rx_stats *, int, int);
75 static void sta_recv_mgmt(struct ieee80211_node *, struct mbuf *,
76 int subtype, const struct ieee80211_rx_stats *, int rssi, int nf);
77 static void sta_recv_ctl(struct ieee80211_node *, struct mbuf *, int subtype);
80 ieee80211_sta_attach(struct ieee80211com *ic)
82 ic->ic_vattach[IEEE80211_M_STA] = sta_vattach;
86 ieee80211_sta_detach(struct ieee80211com *ic)
91 sta_vdetach(struct ieee80211vap *vap)
96 sta_vattach(struct ieee80211vap *vap)
98 vap->iv_newstate = sta_newstate;
99 vap->iv_input = sta_input;
100 vap->iv_recv_mgmt = sta_recv_mgmt;
101 vap->iv_recv_ctl = sta_recv_ctl;
102 vap->iv_opdetach = sta_vdetach;
103 vap->iv_bmiss = sta_beacon_miss;
107 * Handle a beacon miss event. The common code filters out
108 * spurious events that can happen when scanning and/or before
109 * reaching RUN state.
112 sta_beacon_miss(struct ieee80211vap *vap)
114 struct ieee80211com *ic = vap->iv_ic;
116 IEEE80211_LOCK_ASSERT(ic);
118 KASSERT((ic->ic_flags & IEEE80211_F_SCAN) == 0, ("scanning"));
119 KASSERT(vap->iv_state >= IEEE80211_S_RUN,
120 ("wrong state %s", ieee80211_state_name[vap->iv_state]));
122 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG,
123 "beacon miss, mode %s state %s\n",
124 ieee80211_opmode_name[vap->iv_opmode],
125 ieee80211_state_name[vap->iv_state]);
127 if (vap->iv_state == IEEE80211_S_CSA) {
129 * A Channel Switch is pending; assume we missed the
130 * beacon that would've completed the process and just
131 * force the switch. If we made a mistake we'll not
132 * find the AP on the new channel and fall back to a
135 ieee80211_csa_completeswitch(ic);
138 if (++vap->iv_bmiss_count < vap->iv_bmiss_max) {
140 * Send a directed probe req before falling back to a
141 * scan; if we receive a response ic_bmiss_count will
142 * be reset. Some cards mistakenly report beacon miss
143 * so this avoids the expensive scan if the ap is
146 ieee80211_send_probereq(vap->iv_bss, vap->iv_myaddr,
147 vap->iv_bss->ni_bssid, vap->iv_bss->ni_bssid,
148 vap->iv_bss->ni_essid, vap->iv_bss->ni_esslen);
152 callout_stop(&vap->iv_swbmiss);
153 vap->iv_bmiss_count = 0;
154 vap->iv_stats.is_beacon_miss++;
155 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
156 #ifdef IEEE80211_SUPPORT_SUPERG
159 * If we receive a beacon miss interrupt when using
160 * dynamic turbo, attempt to switch modes before
163 if (IEEE80211_ATH_CAP(vap, vap->iv_bss, IEEE80211_NODE_TURBOP))
164 ieee80211_dturbo_switch(vap,
165 ic->ic_bsschan->ic_flags ^ IEEE80211_CHAN_TURBO);
168 * Try to reassociate before scanning for a new ap.
170 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 1);
173 * Somebody else is controlling state changes (e.g.
174 * a user-mode app) don't do anything that would
175 * confuse them; just drop into scan mode so they'll
176 * notified of the state change and given control.
178 ieee80211_new_state(vap, IEEE80211_S_SCAN, 0);
183 * Handle deauth with reason. We retry only for
184 * the cases where we might succeed. Otherwise
185 * we downgrade the ap and scan.
188 sta_authretry(struct ieee80211vap *vap, struct ieee80211_node *ni, int reason)
191 case IEEE80211_STATUS_SUCCESS: /* NB: MLME assoc */
192 case IEEE80211_STATUS_TIMEOUT:
193 case IEEE80211_REASON_ASSOC_EXPIRE:
194 case IEEE80211_REASON_NOT_AUTHED:
195 case IEEE80211_REASON_NOT_ASSOCED:
196 case IEEE80211_REASON_ASSOC_LEAVE:
197 case IEEE80211_REASON_ASSOC_NOT_AUTHED:
198 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, 1);
201 ieee80211_scan_assoc_fail(vap, vap->iv_bss->ni_macaddr, reason);
202 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
203 ieee80211_check_scan_current(vap);
209 sta_swbmiss_start(struct ieee80211vap *vap)
212 if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS) {
214 * Start s/w beacon miss timer for devices w/o
215 * hardware support. We fudge a bit here since
216 * we're doing this in software.
218 vap->iv_swbmiss_period = IEEE80211_TU_TO_TICKS(
219 2 * vap->iv_bmissthreshold * vap->iv_bss->ni_intval);
220 vap->iv_swbmiss_count = 0;
221 callout_reset(&vap->iv_swbmiss, vap->iv_swbmiss_period,
222 ieee80211_swbmiss, vap);
227 * IEEE80211_M_STA vap state machine handler.
228 * This routine handles the main states in the 802.11 protocol.
231 sta_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
233 struct ieee80211com *ic = vap->iv_ic;
234 struct ieee80211_node *ni;
235 enum ieee80211_state ostate;
237 IEEE80211_LOCK_ASSERT(ic);
239 ostate = vap->iv_state;
240 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
241 __func__, ieee80211_state_name[ostate],
242 ieee80211_state_name[nstate], arg);
243 vap->iv_state = nstate; /* state transition */
244 callout_stop(&vap->iv_mgtsend); /* XXX callout_drain */
245 if (ostate != IEEE80211_S_SCAN)
246 ieee80211_cancel_scan(vap); /* background scan */
247 ni = vap->iv_bss; /* NB: no reference held */
248 if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)
249 callout_stop(&vap->iv_swbmiss);
251 case IEEE80211_S_INIT:
253 case IEEE80211_S_SLEEP:
255 /* XXX driver hook to wakeup the hardware? */
256 case IEEE80211_S_RUN:
257 IEEE80211_SEND_MGMT(ni,
258 IEEE80211_FC0_SUBTYPE_DISASSOC,
259 IEEE80211_REASON_ASSOC_LEAVE);
260 ieee80211_sta_leave(ni);
262 case IEEE80211_S_ASSOC:
263 IEEE80211_SEND_MGMT(ni,
264 IEEE80211_FC0_SUBTYPE_DEAUTH,
265 IEEE80211_REASON_AUTH_LEAVE);
267 case IEEE80211_S_SCAN:
268 ieee80211_cancel_scan(vap);
273 if (ostate != IEEE80211_S_INIT) {
274 /* NB: optimize INIT -> INIT case */
275 ieee80211_reset_bss(vap);
277 if (vap->iv_auth->ia_detach != NULL)
278 vap->iv_auth->ia_detach(vap);
280 case IEEE80211_S_SCAN:
282 case IEEE80211_S_INIT:
284 * Initiate a scan. We can come here as a result
285 * of an IEEE80211_IOC_SCAN_REQ too in which case
286 * the vap will be marked with IEEE80211_FEXT_SCANREQ
287 * and the scan request parameters will be present
288 * in iv_scanreq. Otherwise we do the default.
290 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
291 ieee80211_check_scan(vap,
292 vap->iv_scanreq_flags,
293 vap->iv_scanreq_duration,
294 vap->iv_scanreq_mindwell,
295 vap->iv_scanreq_maxdwell,
296 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
297 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
299 ieee80211_check_scan_current(vap);
301 case IEEE80211_S_SCAN:
302 case IEEE80211_S_AUTH:
303 case IEEE80211_S_ASSOC:
305 * These can happen either because of a timeout
306 * on an assoc/auth response or because of a
307 * change in state that requires a reset. For
308 * the former we're called with a non-zero arg
309 * that is the cause for the failure; pass this
310 * to the scan code so it can update state.
311 * Otherwise trigger a new scan unless we're in
312 * manual roaming mode in which case an application
313 * must issue an explicit scan request.
316 ieee80211_scan_assoc_fail(vap,
317 vap->iv_bss->ni_macaddr, arg);
318 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
319 ieee80211_check_scan_current(vap);
321 case IEEE80211_S_SLEEP: /* beacon miss */
323 * XXX if in sleep we need to wakeup the hardware.
326 case IEEE80211_S_RUN: /* beacon miss */
328 * Beacon miss. Notify user space and if not
329 * under control of a user application (roaming
330 * manual) kick off a scan to re-connect.
333 ieee80211_sta_leave(ni);
334 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
335 ieee80211_check_scan_current(vap);
341 case IEEE80211_S_AUTH:
343 case IEEE80211_S_INIT:
344 case IEEE80211_S_SCAN:
345 IEEE80211_SEND_MGMT(ni,
346 IEEE80211_FC0_SUBTYPE_AUTH, 1);
348 case IEEE80211_S_AUTH:
349 case IEEE80211_S_ASSOC:
350 switch (arg & 0xff) {
351 case IEEE80211_FC0_SUBTYPE_AUTH:
353 IEEE80211_SEND_MGMT(ni,
354 IEEE80211_FC0_SUBTYPE_AUTH, 2);
356 case IEEE80211_FC0_SUBTYPE_DEAUTH:
357 sta_authretry(vap, ni, arg>>8);
361 case IEEE80211_S_SLEEP:
362 case IEEE80211_S_RUN:
363 switch (arg & 0xff) {
364 case IEEE80211_FC0_SUBTYPE_AUTH:
365 IEEE80211_SEND_MGMT(ni,
366 IEEE80211_FC0_SUBTYPE_AUTH, 2);
367 vap->iv_state = IEEE80211_S_RUN; /* stay RUN */
369 case IEEE80211_FC0_SUBTYPE_DEAUTH:
370 ieee80211_sta_leave(ni);
371 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
373 IEEE80211_SEND_MGMT(ni,
374 IEEE80211_FC0_SUBTYPE_AUTH, 1);
383 case IEEE80211_S_ASSOC:
385 case IEEE80211_S_AUTH:
386 case IEEE80211_S_ASSOC:
387 IEEE80211_SEND_MGMT(ni,
388 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
390 case IEEE80211_S_SLEEP: /* cannot happen */
391 case IEEE80211_S_RUN:
392 ieee80211_sta_leave(ni);
393 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
394 IEEE80211_SEND_MGMT(ni, arg ?
395 IEEE80211_FC0_SUBTYPE_REASSOC_REQ :
396 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
403 case IEEE80211_S_RUN:
404 if (vap->iv_flags & IEEE80211_F_WPA) {
405 /* XXX validate prerequisites */
408 case IEEE80211_S_RUN:
409 case IEEE80211_S_CSA:
411 case IEEE80211_S_AUTH: /* when join is done in fw */
412 case IEEE80211_S_ASSOC:
413 #ifdef IEEE80211_DEBUG
414 if (ieee80211_msg_debug(vap)) {
415 ieee80211_note(vap, "%s with %s ssid ",
416 (vap->iv_opmode == IEEE80211_M_STA ?
417 "associated" : "synchronized"),
418 ether_sprintf(ni->ni_bssid));
419 ieee80211_print_essid(vap->iv_bss->ni_essid,
422 printf(" channel %d start %uMb\n",
423 ieee80211_chan2ieee(ic, ic->ic_curchan),
424 IEEE80211_RATE2MBS(ni->ni_txrate));
427 ieee80211_scan_assoc_success(vap, ni->ni_macaddr);
428 ieee80211_notify_node_join(ni,
429 arg == IEEE80211_FC0_SUBTYPE_ASSOC_RESP);
431 case IEEE80211_S_SLEEP:
432 /* Wake up from sleep */
433 vap->iv_sta_ps(vap, 0);
438 ieee80211_sync_curchan(ic);
439 if (ostate != IEEE80211_S_RUN)
440 sta_swbmiss_start(vap);
442 * When 802.1x is not in use mark the port authorized
443 * at this point so traffic can flow.
445 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
446 ieee80211_node_authorize(ni);
448 * Fake association when joining an existing bss.
450 * Don't do this if we're doing SLEEP->RUN.
452 if (ic->ic_newassoc != NULL && ostate != IEEE80211_S_SLEEP)
453 ic->ic_newassoc(vap->iv_bss, (ostate != IEEE80211_S_RUN));
455 case IEEE80211_S_CSA:
456 if (ostate != IEEE80211_S_RUN)
459 case IEEE80211_S_SLEEP:
460 sta_swbmiss_start(vap);
461 vap->iv_sta_ps(vap, 1);
465 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
466 "%s: unexpected state transition %s -> %s\n", __func__,
467 ieee80211_state_name[ostate], ieee80211_state_name[nstate]);
474 * Return non-zero if the frame is an echo of a multicast
475 * frame sent by ourself. The dir is known to be DSTODS.
478 isdstods_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
480 #define QWH4(wh) ((const struct ieee80211_qosframe_addr4 *)wh)
481 #define WH4(wh) ((const struct ieee80211_frame_addr4 *)wh)
484 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
486 if (!IEEE80211_IS_MULTICAST(wh->i_addr3))
488 sa = IEEE80211_QOS_HAS_SEQ(wh) ? QWH4(wh)->i_addr4 : WH4(wh)->i_addr4;
489 return IEEE80211_ADDR_EQ(sa, vap->iv_myaddr);
495 * Return non-zero if the frame is an echo of a multicast
496 * frame sent by ourself. The dir is known to be FROMDS.
499 isfromds_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
501 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
503 if (!IEEE80211_IS_MULTICAST(wh->i_addr1))
505 return IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_myaddr);
509 * Decide if a received management frame should be
510 * printed when debugging is enabled. This filters some
511 * of the less interesting frames that come frequently
515 doprint(struct ieee80211vap *vap, int subtype)
518 case IEEE80211_FC0_SUBTYPE_BEACON:
519 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
520 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
527 * Process a received frame. The node associated with the sender
528 * should be supplied. If nothing was found in the node table then
529 * the caller is assumed to supply a reference to iv_bss instead.
530 * The RSSI and a timestamp are also supplied. The RSSI data is used
531 * during AP scanning to select a AP to associate with; it can have
532 * any units so long as values have consistent units and higher values
533 * mean ``better signal''. The receive timestamp is currently not used
534 * by the 802.11 layer.
537 sta_input(struct ieee80211_node *ni, struct mbuf *m,
538 const struct ieee80211_rx_stats *rxs, int rssi, int nf)
540 struct ieee80211vap *vap = ni->ni_vap;
541 struct ieee80211com *ic = ni->ni_ic;
542 struct ifnet *ifp = vap->iv_ifp;
543 struct ieee80211_frame *wh;
544 struct ieee80211_key *key;
545 struct ether_header *eh;
546 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
547 uint8_t dir, type, subtype, qos;
549 int is_hw_decrypted = 0;
550 int has_decrypted = 0;
553 * Some devices do hardware decryption all the way through
554 * to pretending the frame wasn't encrypted in the first place.
555 * So, tag it appropriately so it isn't discarded inappropriately.
557 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED))
560 if (m->m_flags & M_AMPDU_MPDU) {
562 * Fastpath for A-MPDU reorder q resubmission. Frames
563 * w/ M_AMPDU_MPDU marked have already passed through
564 * here but were received out of order and been held on
565 * the reorder queue. When resubmitted they are marked
566 * with the M_AMPDU_MPDU flag and we can bypass most of
567 * the normal processing.
569 wh = mtod(m, struct ieee80211_frame *);
570 type = IEEE80211_FC0_TYPE_DATA;
571 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
572 subtype = IEEE80211_FC0_SUBTYPE_QOS;
573 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
577 KASSERT(ni != NULL, ("null node"));
578 ni->ni_inact = ni->ni_inact_reload;
580 type = -1; /* undefined */
582 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
583 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
584 ni->ni_macaddr, NULL,
585 "too short (1): len %u", m->m_pkthdr.len);
586 vap->iv_stats.is_rx_tooshort++;
590 * Bit of a cheat here, we use a pointer for a 3-address
591 * frame format but don't reference fields past outside
592 * ieee80211_frame_min w/o first validating the data is
595 wh = mtod(m, struct ieee80211_frame *);
597 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
598 IEEE80211_FC0_VERSION_0) {
599 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
600 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
601 wh->i_fc[0], wh->i_fc[1]);
602 vap->iv_stats.is_rx_badversion++;
606 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
607 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
608 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
609 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
611 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
612 /* not interested in */
613 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
614 bssid, NULL, "%s", "not to bss");
615 vap->iv_stats.is_rx_wrongbss++;
620 * Some devices may be in a promiscuous mode
621 * where they receive frames for multiple station
624 * If we receive a data frame that isn't
625 * destined to our VAP MAC, drop it.
627 * XXX TODO: This is only enforced when not scanning;
628 * XXX it assumes a software-driven scan will put the NIC
629 * XXX into a "no data frames" mode before setting this
630 * XXX flag. Otherwise it may be possible that we'll still
631 * XXX process data frames whilst scanning.
633 if ((! IEEE80211_IS_MULTICAST(wh->i_addr1))
634 && (! IEEE80211_ADDR_EQ(wh->i_addr1, IF_LLADDR(ifp)))) {
635 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
636 bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D",
637 IF_LLADDR(ifp), ":", wh->i_addr1, ":");
638 vap->iv_stats.is_rx_wrongbss++;
642 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
644 if ( IEEE80211_HAS_SEQ(type, subtype) &&
645 !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
646 uint8_t tid = ieee80211_gettid(wh);
647 if (IEEE80211_QOS_HAS_SEQ(wh) &&
648 TID_TO_WME_AC(tid) >= WME_AC_VI)
649 ic->ic_wme.wme_hipri_traffic++;
650 if (! ieee80211_check_rxseq(ni, wh, bssid))
656 case IEEE80211_FC0_TYPE_DATA:
657 hdrspace = ieee80211_hdrspace(ic, wh);
658 if (m->m_len < hdrspace &&
659 (m = m_pullup(m, hdrspace)) == NULL) {
660 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
661 ni->ni_macaddr, NULL,
662 "data too short: expecting %u", hdrspace);
663 vap->iv_stats.is_rx_tooshort++;
667 * Handle A-MPDU re-ordering. If the frame is to be
668 * processed directly then ieee80211_ampdu_reorder
669 * will return 0; otherwise it has consumed the mbuf
670 * and we should do nothing more with it.
672 if ((m->m_flags & M_AMPDU) &&
673 (dir == IEEE80211_FC1_DIR_FROMDS ||
674 dir == IEEE80211_FC1_DIR_DSTODS) &&
675 ieee80211_ampdu_reorder(ni, m) != 0) {
680 if (dir == IEEE80211_FC1_DIR_FROMDS) {
681 if ((ifp->if_flags & IFF_SIMPLEX) &&
682 isfromds_mcastecho(vap, wh)) {
684 * In IEEE802.11 network, multicast
685 * packets sent from "me" are broadcast
686 * from the AP; silently discard for
689 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
690 wh, "data", "%s", "multicast echo");
691 vap->iv_stats.is_rx_mcastecho++;
694 if ((vap->iv_flags & IEEE80211_F_DWDS) &&
695 IEEE80211_IS_MULTICAST(wh->i_addr1)) {
697 * DWDS sta's must drop 3-address mcast frames
698 * as they will be sent separately as a 4-addr
699 * frame. Accepting the 3-addr frame will
700 * confuse the bridge into thinking the sending
701 * sta is located at the end of WDS link.
703 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
704 "3-address data", "%s", "DWDS enabled");
705 vap->iv_stats.is_rx_mcastecho++;
708 } else if (dir == IEEE80211_FC1_DIR_DSTODS) {
709 if ((vap->iv_flags & IEEE80211_F_DWDS) == 0) {
710 IEEE80211_DISCARD(vap,
711 IEEE80211_MSG_INPUT, wh, "4-address data",
712 "%s", "DWDS not enabled");
713 vap->iv_stats.is_rx_wrongdir++;
716 if ((ifp->if_flags & IFF_SIMPLEX) &&
717 isdstods_mcastecho(vap, wh)) {
719 * In IEEE802.11 network, multicast
720 * packets sent from "me" are broadcast
721 * from the AP; silently discard for
724 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
725 "4-address data", "%s", "multicast echo");
726 vap->iv_stats.is_rx_mcastecho++;
730 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
731 "data", "incorrect dir 0x%x", dir);
732 vap->iv_stats.is_rx_wrongdir++;
737 * Handle privacy requirements for hardware decryption
740 * For those devices, a handful of things happen.
742 * + If IV has been stripped, then we can't run
743 * ieee80211_crypto_decap() - none of the key
744 * + If MIC has been stripped, we can't validate
746 * + If MIC fails, then we need to communicate a
747 * MIC failure up to the stack - but we don't know
748 * which key was used.
752 * Handle privacy requirements. Note that we
753 * must not be preempted from here until after
754 * we (potentially) call ieee80211_crypto_demic;
755 * otherwise we may violate assumptions in the
756 * crypto cipher modules used to do delayed update
757 * of replay sequence numbers.
759 if (is_hw_decrypted || wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
760 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
762 * Discard encrypted frames when privacy is off.
764 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
765 wh, "WEP", "%s", "PRIVACY off");
766 vap->iv_stats.is_rx_noprivacy++;
767 IEEE80211_NODE_STAT(ni, rx_noprivacy);
770 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
771 /* NB: stats+msgs handled in crypto_decap */
772 IEEE80211_NODE_STAT(ni, rx_wepfail);
775 wh = mtod(m, struct ieee80211_frame *);
776 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
779 /* XXX M_WEP and IEEE80211_F_PRIVACY */
784 * Save QoS bits for use below--before we strip the header.
786 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
787 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
788 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
789 ((struct ieee80211_qosframe *)wh)->i_qos[0];
794 * Next up, any fragmentation.
796 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
797 m = ieee80211_defrag(ni, m, hdrspace);
799 /* Fragment dropped or frame not complete yet */
803 wh = NULL; /* no longer valid, catch any uses */
806 * Next strip any MSDU crypto bits.
808 * Note: we can't do MIC stripping/verification if the
809 * upper layer has stripped it. We have to check MIC
810 * ourselves. So, key may be NULL, but we have to check
813 if (!ieee80211_crypto_demic(vap, key, m, 0)) {
814 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
815 ni->ni_macaddr, "data", "%s", "demic error");
816 vap->iv_stats.is_rx_demicfail++;
817 IEEE80211_NODE_STAT(ni, rx_demicfail);
821 /* copy to listener after decrypt */
822 if (ieee80211_radiotap_active_vap(vap))
823 ieee80211_radiotap_rx(vap, m);
827 * Finally, strip the 802.11 header.
829 m = ieee80211_decap(vap, m, hdrspace);
831 /* XXX mask bit to check for both */
832 /* don't count Null data frames as errors */
833 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
834 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
836 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
837 ni->ni_macaddr, "data", "%s", "decap error");
838 vap->iv_stats.is_rx_decap++;
839 IEEE80211_NODE_STAT(ni, rx_decap);
842 eh = mtod(m, struct ether_header *);
843 if (!ieee80211_node_is_authorized(ni)) {
845 * Deny any non-PAE frames received prior to
846 * authorization. For open/shared-key
847 * authentication the port is mark authorized
848 * after authentication completes. For 802.1x
849 * the port is not marked authorized by the
850 * authenticator until the handshake has completed.
852 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
853 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
854 eh->ether_shost, "data",
855 "unauthorized port: ether type 0x%x len %u",
856 eh->ether_type, m->m_pkthdr.len);
857 vap->iv_stats.is_rx_unauth++;
858 IEEE80211_NODE_STAT(ni, rx_unauth);
863 * When denying unencrypted frames, discard
864 * any non-PAE frames received without encryption.
866 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
867 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
868 (is_hw_decrypted == 0) &&
869 eh->ether_type != htons(ETHERTYPE_PAE)) {
871 * Drop unencrypted frames.
873 vap->iv_stats.is_rx_unencrypted++;
874 IEEE80211_NODE_STAT(ni, rx_unencrypted);
878 /* XXX require HT? */
879 if (qos & IEEE80211_QOS_AMSDU) {
880 m = ieee80211_decap_amsdu(ni, m);
882 return IEEE80211_FC0_TYPE_DATA;
884 #ifdef IEEE80211_SUPPORT_SUPERG
885 m = ieee80211_decap_fastframe(vap, ni, m);
887 return IEEE80211_FC0_TYPE_DATA;
890 ieee80211_deliver_data(vap, ni, m);
891 return IEEE80211_FC0_TYPE_DATA;
893 case IEEE80211_FC0_TYPE_MGT:
894 vap->iv_stats.is_rx_mgmt++;
895 IEEE80211_NODE_STAT(ni, rx_mgmt);
896 if (dir != IEEE80211_FC1_DIR_NODS) {
897 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
898 wh, "data", "incorrect dir 0x%x", dir);
899 vap->iv_stats.is_rx_wrongdir++;
902 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
903 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
904 ni->ni_macaddr, "mgt", "too short: len %u",
906 vap->iv_stats.is_rx_tooshort++;
909 #ifdef IEEE80211_DEBUG
910 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
911 ieee80211_msg_dumppkts(vap)) {
912 if_printf(ifp, "received %s from %s rssi %d\n",
913 ieee80211_mgt_subtype_name(subtype),
914 ether_sprintf(wh->i_addr2), rssi);
919 * Note: See above for hardware offload privacy requirements.
920 * It also applies here.
924 * Again, having encrypted flag set check would be good, but
925 * then we have to also handle crypto_decap() like above.
927 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
928 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
930 * Only shared key auth frames with a challenge
931 * should be encrypted, discard all others.
933 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
934 wh, ieee80211_mgt_subtype_name(subtype),
935 "%s", "WEP set but not permitted");
936 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
939 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
941 * Discard encrypted frames when privacy is off.
943 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
944 wh, "mgt", "%s", "WEP set but PRIVACY off");
945 vap->iv_stats.is_rx_noprivacy++;
948 hdrspace = ieee80211_hdrspace(ic, wh);
951 * Again, if IV/MIC was stripped, then this whole
952 * setup will fail. That's going to need some poking.
954 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
955 /* NB: stats+msgs handled in crypto_decap */
959 wh = mtod(m, struct ieee80211_frame *);
960 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
962 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf);
965 case IEEE80211_FC0_TYPE_CTL:
966 vap->iv_stats.is_rx_ctl++;
967 IEEE80211_NODE_STAT(ni, rx_ctrl);
968 vap->iv_recv_ctl(ni, m, subtype);
972 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
973 wh, NULL, "bad frame type 0x%x", type);
974 /* should not come here */
978 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
981 if (need_tap && ieee80211_radiotap_active_vap(vap))
982 ieee80211_radiotap_rx(vap, m);
989 sta_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
990 int rssi, int nf, uint16_t seq, uint16_t status)
992 struct ieee80211vap *vap = ni->ni_vap;
994 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
995 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
996 ni->ni_macaddr, "open auth",
997 "bad sta auth mode %u", ni->ni_authmode);
998 vap->iv_stats.is_rx_bad_auth++; /* XXX */
1001 if (vap->iv_state != IEEE80211_S_AUTH ||
1002 seq != IEEE80211_AUTH_OPEN_RESPONSE) {
1003 vap->iv_stats.is_rx_bad_auth++;
1007 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1008 ni, "open auth failed (reason %d)", status);
1009 vap->iv_stats.is_rx_auth_fail++;
1010 vap->iv_stats.is_rx_authfail_code = status;
1011 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1012 IEEE80211_SCAN_FAIL_STATUS);
1014 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1018 sta_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
1019 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
1020 uint16_t seq, uint16_t status)
1022 struct ieee80211vap *vap = ni->ni_vap;
1026 * NB: this can happen as we allow pre-shared key
1027 * authentication to be enabled w/o wep being turned
1028 * on so that configuration of these can be done
1029 * in any order. It may be better to enforce the
1030 * ordering in which case this check would just be
1031 * for sanity/consistency.
1033 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1034 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1035 ni->ni_macaddr, "shared key auth",
1036 "%s", " PRIVACY is disabled");
1040 * Pre-shared key authentication is evil; accept
1041 * it only if explicitly configured (it is supported
1042 * mainly for compatibility with clients like OS X).
1044 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1045 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1046 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1047 ni->ni_macaddr, "shared key auth",
1048 "bad sta auth mode %u", ni->ni_authmode);
1049 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1054 if (frm + 1 < efrm) {
1055 if ((frm[1] + 2) > (efrm - frm)) {
1056 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1057 ni->ni_macaddr, "shared key auth",
1058 "ie %d/%d too long",
1059 frm[0], (frm[1] + 2) - (efrm - frm));
1060 vap->iv_stats.is_rx_bad_auth++;
1063 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1068 case IEEE80211_AUTH_SHARED_CHALLENGE:
1069 case IEEE80211_AUTH_SHARED_RESPONSE:
1070 if (challenge == NULL) {
1071 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1072 ni->ni_macaddr, "shared key auth",
1073 "%s", "no challenge");
1074 vap->iv_stats.is_rx_bad_auth++;
1077 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1078 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1079 ni->ni_macaddr, "shared key auth",
1080 "bad challenge len %d", challenge[1]);
1081 vap->iv_stats.is_rx_bad_auth++;
1087 if (vap->iv_state != IEEE80211_S_AUTH)
1090 case IEEE80211_AUTH_SHARED_PASS:
1091 if (ni->ni_challenge != NULL) {
1092 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
1093 ni->ni_challenge = NULL;
1096 IEEE80211_NOTE_FRAME(vap,
1097 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, wh,
1098 "shared key auth failed (reason %d)", status);
1099 vap->iv_stats.is_rx_auth_fail++;
1100 vap->iv_stats.is_rx_authfail_code = status;
1103 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1105 case IEEE80211_AUTH_SHARED_CHALLENGE:
1106 if (!ieee80211_alloc_challenge(ni))
1108 /* XXX could optimize by passing recvd challenge */
1109 memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1110 IEEE80211_SEND_MGMT(ni,
1111 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1114 IEEE80211_DISCARD(vap, IEEE80211_MSG_AUTH,
1115 wh, "shared key auth", "bad seq %d", seq);
1116 vap->iv_stats.is_rx_bad_auth++;
1122 * Kick the state machine. This short-circuits
1123 * using the mgt frame timeout to trigger the
1126 if (vap->iv_state == IEEE80211_S_AUTH)
1127 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1128 IEEE80211_SCAN_FAIL_STATUS);
1132 ieee80211_parse_wmeparams(struct ieee80211vap *vap, uint8_t *frm,
1133 const struct ieee80211_frame *wh)
1135 #define MS(_v, _f) (((_v) & _f) >> _f##_S)
1136 struct ieee80211_wme_state *wme = &vap->iv_ic->ic_wme;
1137 u_int len = frm[1], qosinfo;
1140 if (len < sizeof(struct ieee80211_wme_param)-2) {
1141 IEEE80211_DISCARD_IE(vap,
1142 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1143 wh, "WME", "too short, len %u", len);
1146 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)];
1147 qosinfo &= WME_QOSINFO_COUNT;
1148 /* XXX do proper check for wraparound */
1149 if (qosinfo == wme->wme_wmeChanParams.cap_info)
1151 frm += __offsetof(struct ieee80211_wme_param, params_acParams);
1152 for (i = 0; i < WME_NUM_AC; i++) {
1153 struct wmeParams *wmep =
1154 &wme->wme_wmeChanParams.cap_wmeParams[i];
1155 /* NB: ACI not used */
1156 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM);
1157 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN);
1158 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN);
1159 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX);
1160 wmep->wmep_txopLimit = le16dec(frm+2);
1163 wme->wme_wmeChanParams.cap_info = qosinfo;
1169 * Process 11h Channel Switch Announcement (CSA) ie. If this
1170 * is the first CSA then initiate the switch. Otherwise we
1171 * track state and trigger completion and/or cancel of the switch.
1172 * XXX should be public for IBSS use
1175 ieee80211_parse_csaparams(struct ieee80211vap *vap, uint8_t *frm,
1176 const struct ieee80211_frame *wh)
1178 struct ieee80211com *ic = vap->iv_ic;
1179 const struct ieee80211_csa_ie *csa =
1180 (const struct ieee80211_csa_ie *) frm;
1182 KASSERT(vap->iv_state >= IEEE80211_S_RUN,
1183 ("state %s", ieee80211_state_name[vap->iv_state]));
1185 if (csa->csa_mode > 1) {
1186 IEEE80211_DISCARD_IE(vap,
1187 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1188 wh, "CSA", "invalid mode %u", csa->csa_mode);
1192 if ((ic->ic_flags & IEEE80211_F_CSAPENDING) == 0) {
1194 * Convert the channel number to a channel reference. We
1195 * try first to preserve turbo attribute of the current
1196 * channel then fallback. Note this will not work if the
1197 * CSA specifies a channel that requires a band switch (e.g.
1198 * 11a => 11g). This is intentional as 11h is defined only
1199 * for 5GHz/11a and because the switch does not involve a
1200 * reassociation, protocol state (capabilities, negotated
1201 * rates, etc) may/will be wrong.
1203 struct ieee80211_channel *c =
1204 ieee80211_find_channel_byieee(ic, csa->csa_newchan,
1205 (ic->ic_bsschan->ic_flags & IEEE80211_CHAN_ALLTURBO));
1207 c = ieee80211_find_channel_byieee(ic,
1209 (ic->ic_bsschan->ic_flags & IEEE80211_CHAN_ALL));
1211 IEEE80211_DISCARD_IE(vap,
1212 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1213 wh, "CSA", "invalid channel %u",
1218 #if IEEE80211_CSA_COUNT_MIN > 0
1219 if (csa->csa_count < IEEE80211_CSA_COUNT_MIN) {
1221 * Require at least IEEE80211_CSA_COUNT_MIN count to
1222 * reduce the risk of being redirected by a fabricated
1223 * CSA. If a valid CSA is dropped we'll still get a
1224 * beacon miss when the AP leaves the channel so we'll
1225 * eventually follow to the new channel.
1227 * NOTE: this violates the 11h spec that states that
1228 * count may be any value and if 0 then a switch
1229 * should happen asap.
1231 IEEE80211_DISCARD_IE(vap,
1232 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1233 wh, "CSA", "count %u too small, must be >= %u",
1234 csa->csa_count, IEEE80211_CSA_COUNT_MIN);
1238 ieee80211_csa_startswitch(ic, c, csa->csa_mode, csa->csa_count);
1241 * Validate this ie against the initial CSA. We require
1242 * mode and channel not change and the count must be
1243 * monotonically decreasing. This may be pointless and
1244 * canceling the switch as a result may be too paranoid but
1245 * in the worst case if we drop out of CSA because of this
1246 * and the AP does move then we'll just end up taking a
1247 * beacon miss and scan to find the AP.
1249 * XXX may want <= on count as we also process ProbeResp
1250 * frames and those may come in w/ the same count as the
1251 * previous beacon; but doing so leaves us open to a stuck
1252 * count until we add a dead-man timer
1254 if (!(csa->csa_count < ic->ic_csa_count &&
1255 csa->csa_mode == ic->ic_csa_mode &&
1256 csa->csa_newchan == ieee80211_chan2ieee(ic, ic->ic_csa_newchan))) {
1257 IEEE80211_NOTE_FRAME(vap, IEEE80211_MSG_DOTH, wh,
1258 "CSA ie mismatch, initial ie <%d,%d,%d>, "
1259 "this ie <%d,%d,%d>", ic->ic_csa_mode,
1260 ic->ic_csa_newchan, ic->ic_csa_count,
1261 csa->csa_mode, csa->csa_newchan, csa->csa_count);
1262 ieee80211_csa_cancelswitch(ic);
1264 if (csa->csa_count <= 1)
1265 ieee80211_csa_completeswitch(ic);
1267 ic->ic_csa_count = csa->csa_count;
1271 IEEE80211_UNLOCK(ic);
1275 * Return non-zero if a background scan may be continued:
1276 * o bg scan is active
1277 * o no channel switch is pending
1278 * o there has not been any traffic recently
1279 * o no full-offload scan support (no need for explicitly continuing scan then)
1281 * Note we do not check if there is an administrative enable;
1282 * this is only done to start the scan. We assume that any
1283 * change in state will be accompanied by a request to cancel
1284 * active scans which will otherwise cause this test to fail.
1287 contbgscan(struct ieee80211vap *vap)
1289 struct ieee80211com *ic = vap->iv_ic;
1291 return ((ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN) &&
1292 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1293 !(vap->iv_flags_ext & IEEE80211_FEXT_SCAN_OFFLOAD) &&
1294 vap->iv_state == IEEE80211_S_RUN && /* XXX? */
1295 ieee80211_time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle));
1299 * Return non-zero if a backgrond scan may be started:
1300 * o bg scanning is administratively enabled
1301 * o no channel switch is pending
1302 * o we are not boosted on a dynamic turbo channel
1303 * o there has not been a scan recently
1304 * o there has not been any traffic recently (don't check if full-offload scan)
1307 startbgscan(struct ieee80211vap *vap)
1309 struct ieee80211com *ic = vap->iv_ic;
1311 return ((vap->iv_flags & IEEE80211_F_BGSCAN) &&
1312 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1313 #ifdef IEEE80211_SUPPORT_SUPERG
1314 !IEEE80211_IS_CHAN_DTURBO(ic->ic_curchan) &&
1316 ieee80211_time_after(ticks, ic->ic_lastscan + vap->iv_bgscanintvl) &&
1317 ((vap->iv_flags_ext & IEEE80211_FEXT_SCAN_OFFLOAD) ||
1318 ieee80211_time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle)));
1322 sta_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, int subtype,
1323 const struct ieee80211_rx_stats *rxs,
1326 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
1327 struct ieee80211vap *vap = ni->ni_vap;
1328 struct ieee80211com *ic = ni->ni_ic;
1329 struct ieee80211_channel *rxchan = ic->ic_curchan;
1330 struct ieee80211_frame *wh;
1331 uint8_t *frm, *efrm;
1332 uint8_t *rates, *xrates, *wme, *htcap, *htinfo;
1334 int ht_state_change = 0;
1336 wh = mtod(m0, struct ieee80211_frame *);
1337 frm = (uint8_t *)&wh[1];
1338 efrm = mtod(m0, uint8_t *) + m0->m_len;
1340 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1341 case IEEE80211_FC0_SUBTYPE_BEACON: {
1342 struct ieee80211_scanparams scan;
1343 struct ieee80211_channel *c;
1345 * We process beacon/probe response frames:
1346 * o when scanning, or
1347 * o station mode when associated (to collect state
1348 * updates such as 802.11g slot time)
1349 * Frames otherwise received are discarded.
1351 if (!((ic->ic_flags & IEEE80211_F_SCAN) || ni->ni_associd)) {
1352 vap->iv_stats.is_rx_mgtdiscard++;
1356 /* Override RX channel as appropriate */
1358 c = ieee80211_lookup_channel_rxstatus(vap, rxs);
1363 /* XXX probe response in sta mode when !scanning? */
1364 if (ieee80211_parse_beacon(ni, m0, rxchan, &scan) != 0) {
1365 if (! (ic->ic_flags & IEEE80211_F_SCAN))
1366 vap->iv_stats.is_beacon_bad++;
1371 * Count frame now that we know it's to be processed.
1373 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1374 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1375 IEEE80211_NODE_STAT(ni, rx_beacons);
1377 IEEE80211_NODE_STAT(ni, rx_proberesp);
1379 * When operating in station mode, check for state updates.
1380 * Be careful to ignore beacons received while doing a
1381 * background scan. We consider only 11g/WMM stuff right now.
1383 if (ni->ni_associd != 0 &&
1384 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
1385 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
1386 /* record tsf of last beacon */
1387 memcpy(ni->ni_tstamp.data, scan.tstamp,
1388 sizeof(ni->ni_tstamp));
1389 /* count beacon frame for s/w bmiss handling */
1390 vap->iv_swbmiss_count++;
1391 vap->iv_bmiss_count = 0;
1392 if (ni->ni_erp != scan.erp) {
1393 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1395 "erp change: was 0x%x, now 0x%x",
1396 ni->ni_erp, scan.erp);
1397 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1398 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1399 ic->ic_flags |= IEEE80211_F_USEPROT;
1401 ic->ic_flags &= ~IEEE80211_F_USEPROT;
1402 ni->ni_erp = scan.erp;
1404 /* XXX driver notification */
1406 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) {
1407 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1409 "capabilities change: was 0x%x, now 0x%x",
1410 ni->ni_capinfo, scan.capinfo);
1412 * NB: we assume short preamble doesn't
1413 * change dynamically
1415 ieee80211_set_shortslottime(ic,
1416 IEEE80211_IS_CHAN_A(ic->ic_bsschan) ||
1417 (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1418 ni->ni_capinfo = (ni->ni_capinfo &~ IEEE80211_CAPINFO_SHORT_SLOTTIME)
1419 | (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME);
1422 if (scan.wme != NULL &&
1423 (ni->ni_flags & IEEE80211_NODE_QOS) &&
1424 ieee80211_parse_wmeparams(vap, scan.wme, wh) > 0)
1425 ieee80211_wme_updateparams(vap);
1426 #ifdef IEEE80211_SUPPORT_SUPERG
1427 if (scan.ath != NULL)
1428 ieee80211_parse_athparams(ni, scan.ath, wh);
1430 if (scan.htcap != NULL && scan.htinfo != NULL &&
1431 (vap->iv_flags_ht & IEEE80211_FHT_HT)) {
1432 /* XXX state changes? */
1433 if (ieee80211_ht_updateparams(ni,
1434 scan.htcap, scan.htinfo))
1435 ht_state_change = 1;
1438 ic->ic_set_quiet(ni, scan.quiet);
1440 if (scan.tim != NULL) {
1441 struct ieee80211_tim_ie *tim =
1442 (struct ieee80211_tim_ie *) scan.tim;
1444 * XXX Check/debug this code; see if it's about
1445 * the right time to force the VAP awake if we
1446 * receive a frame destined for us?
1448 int aid = IEEE80211_AID(ni->ni_associd);
1449 int ix = aid / NBBY;
1450 int min = tim->tim_bitctl &~ 1;
1451 int max = tim->tim_len + min - 4;
1452 int tim_ucast = 0, tim_mcast = 0;
1455 * Only do this for unicast traffic in the TIM
1456 * The multicast traffic notification for
1457 * the scan notification stuff should occur
1460 if (min <= ix && ix <= max &&
1461 isset(tim->tim_bitmap - min, aid)) {
1466 * Do a separate notification
1467 * for the multicast bit being set.
1469 if (tim->tim_bitctl & 1) {
1474 * If the TIM indicates there's traffic for
1475 * us then get us out of STA mode powersave.
1477 if (tim_ucast == 1) {
1480 * Wake us out of SLEEP state if we're
1481 * in it; and if we're doing bgscan
1482 * then wake us out of STA powersave.
1484 ieee80211_sta_tim_notify(vap, 1);
1487 * This is preventing us from
1488 * continuing a bgscan; because it
1489 * tricks the contbgscan()
1490 * routine to think there's always
1493 * I think we need both an RX and
1494 * TX ic_lastdata field.
1496 ic->ic_lastdata = ticks;
1499 ni->ni_dtim_count = tim->tim_count;
1500 ni->ni_dtim_period = tim->tim_period;
1502 if (scan.csa != NULL &&
1503 (vap->iv_flags & IEEE80211_F_DOTH))
1504 ieee80211_parse_csaparams(vap, scan.csa, wh);
1505 else if (ic->ic_flags & IEEE80211_F_CSAPENDING) {
1507 * No CSA ie or 11h disabled, but a channel
1508 * switch is pending; drop out so we aren't
1509 * stuck in CSA state. If the AP really is
1510 * moving we'll get a beacon miss and scan.
1513 ieee80211_csa_cancelswitch(ic);
1514 IEEE80211_UNLOCK(ic);
1517 * If scanning, pass the info to the scan module.
1518 * Otherwise, check if it's the right time to do
1519 * a background scan. Background scanning must
1520 * be enabled and we must not be operating in the
1521 * turbo phase of dynamic turbo mode. Then,
1522 * it's been a while since the last background
1523 * scan and if no data frames have come through
1524 * recently, kick off a scan. Note that this
1525 * is the mechanism by which a background scan
1526 * is started _and_ continued each time we
1527 * return on-channel to receive a beacon from
1530 if (ic->ic_flags & IEEE80211_F_SCAN) {
1531 ieee80211_add_scan(vap, rxchan,
1532 &scan, wh, subtype, rssi, nf);
1533 } else if (contbgscan(vap)) {
1534 ieee80211_bg_scan(vap, 0);
1535 } else if (startbgscan(vap)) {
1536 vap->iv_stats.is_scan_bg++;
1538 /* wakeup if we are sleeing */
1539 ieee80211_set_pwrsave(vap, 0);
1541 ieee80211_bg_scan(vap, 0);
1545 * Put the station to sleep if we haven't seen
1546 * traffic in a while.
1549 ieee80211_sta_ps_timer_check(vap);
1550 IEEE80211_UNLOCK(ic);
1553 * If we've had a channel width change (eg HT20<->HT40)
1554 * then schedule a delayed driver notification.
1556 if (ht_state_change)
1557 ieee80211_update_chw(ic);
1561 * If scanning, just pass information to the scan module.
1563 if (ic->ic_flags & IEEE80211_F_SCAN) {
1564 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
1566 * Actively scanning a channel marked passive;
1567 * send a probe request now that we know there
1568 * is 802.11 traffic present.
1570 * XXX check if the beacon we recv'd gives
1571 * us what we need and suppress the probe req
1573 ieee80211_probe_curchan(vap, 1);
1574 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1576 ieee80211_add_scan(vap, rxchan, &scan, wh,
1583 case IEEE80211_FC0_SUBTYPE_AUTH: {
1584 uint16_t algo, seq, status;
1592 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1593 algo = le16toh(*(uint16_t *)frm);
1594 seq = le16toh(*(uint16_t *)(frm + 2));
1595 status = le16toh(*(uint16_t *)(frm + 4));
1596 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1597 "recv auth frame with algorithm %d seq %d", algo, seq);
1599 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1600 IEEE80211_DISCARD(vap,
1601 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1602 wh, "auth", "%s", "TKIP countermeasures enabled");
1603 vap->iv_stats.is_rx_auth_countermeasures++;
1604 if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
1605 ieee80211_send_error(ni, wh->i_addr2,
1606 IEEE80211_FC0_SUBTYPE_AUTH,
1607 IEEE80211_REASON_MIC_FAILURE);
1611 if (algo == IEEE80211_AUTH_ALG_SHARED)
1612 sta_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1614 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1615 sta_auth_open(ni, wh, rssi, nf, seq, status);
1617 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1618 wh, "auth", "unsupported alg %d", algo);
1619 vap->iv_stats.is_rx_auth_unsupported++;
1625 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
1626 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
1627 uint16_t capinfo, associd;
1630 if (vap->iv_state != IEEE80211_S_ASSOC) {
1631 vap->iv_stats.is_rx_mgtdiscard++;
1636 * asresp frame format
1637 * [2] capability information
1639 * [2] association ID
1640 * [tlv] supported rates
1641 * [tlv] extended supported rates
1643 * [tlv] HT capabilities
1646 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1648 capinfo = le16toh(*(uint16_t *)frm);
1650 status = le16toh(*(uint16_t *)frm);
1653 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1654 wh->i_addr2, "%sassoc failed (reason %d)",
1655 ISREASSOC(subtype) ? "re" : "", status);
1656 vap->iv_stats.is_rx_auth_fail++; /* XXX */
1659 associd = le16toh(*(uint16_t *)frm);
1662 rates = xrates = wme = htcap = htinfo = NULL;
1663 while (efrm - frm > 1) {
1664 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1666 case IEEE80211_ELEMID_RATES:
1669 case IEEE80211_ELEMID_XRATES:
1672 case IEEE80211_ELEMID_HTCAP:
1675 case IEEE80211_ELEMID_HTINFO:
1678 case IEEE80211_ELEMID_VENDOR:
1681 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
1683 * Accept pre-draft HT ie's if the
1684 * standard ones have not been seen.
1686 if (ishtcapoui(frm)) {
1689 } else if (ishtinfooui(frm)) {
1694 /* XXX Atheros OUI support */
1700 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1702 IEEE80211_VERIFY_ELEMENT(xrates,
1703 IEEE80211_RATE_MAXSIZE - rates[1], return);
1704 rate = ieee80211_setup_rates(ni, rates, xrates,
1706 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
1707 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
1708 if (rate & IEEE80211_RATE_BASIC) {
1709 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1711 "%sassoc failed (rate set mismatch)",
1712 ISREASSOC(subtype) ? "re" : "");
1713 vap->iv_stats.is_rx_assoc_norate++;
1714 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1715 IEEE80211_SCAN_FAIL_STATUS);
1719 ni->ni_capinfo = capinfo;
1720 ni->ni_associd = associd;
1721 if (ni->ni_jointime == 0)
1722 ni->ni_jointime = time_uptime;
1724 ieee80211_parse_wmeparams(vap, wme, wh) >= 0) {
1725 ni->ni_flags |= IEEE80211_NODE_QOS;
1726 ieee80211_wme_updateparams(vap);
1728 ni->ni_flags &= ~IEEE80211_NODE_QOS;
1730 * Setup HT state according to the negotiation.
1732 * NB: shouldn't need to check if HT use is enabled but some
1733 * ap's send back HT ie's even when we don't indicate we
1734 * are HT capable in our AssocReq.
1736 if (htcap != NULL && htinfo != NULL &&
1737 (vap->iv_flags_ht & IEEE80211_FHT_HT)) {
1738 ieee80211_ht_node_init(ni);
1739 ieee80211_ht_updateparams(ni, htcap, htinfo);
1740 ieee80211_setup_htrates(ni, htcap,
1741 IEEE80211_F_JOIN | IEEE80211_F_DOBRS);
1742 ieee80211_setup_basic_htrates(ni, htinfo);
1743 ieee80211_node_setuptxparms(ni);
1744 ieee80211_ratectl_node_init(ni);
1748 * Always initialise FF/superg state; we can use this
1749 * for doing A-MSDU encapsulation as well.
1751 #ifdef IEEE80211_SUPPORT_SUPERG
1752 ieee80211_ff_node_init(ni);
1756 * Configure state now that we are associated.
1758 * XXX may need different/additional driver callbacks?
1760 if (IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1761 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
1762 ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
1763 ic->ic_flags &= ~IEEE80211_F_USEBARKER;
1765 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
1766 ic->ic_flags |= IEEE80211_F_USEBARKER;
1768 ieee80211_set_shortslottime(ic,
1769 IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1770 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1772 * Honor ERP protection.
1774 * NB: ni_erp should zero for non-11g operation.
1776 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1777 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1778 ic->ic_flags |= IEEE80211_F_USEPROT;
1780 ic->ic_flags &= ~IEEE80211_F_USEPROT;
1781 IEEE80211_NOTE_MAC(vap,
1782 IEEE80211_MSG_ASSOC | IEEE80211_MSG_DEBUG, wh->i_addr2,
1783 "%sassoc success at aid %d: %s preamble, %s slot time%s%s%s%s%s%s%s%s",
1784 ISREASSOC(subtype) ? "re" : "",
1785 IEEE80211_NODE_AID(ni),
1786 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
1787 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
1788 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
1789 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "",
1790 ni->ni_flags & IEEE80211_NODE_HT ?
1791 (ni->ni_chw == 40 ? ", HT40" : ", HT20") : "",
1792 ni->ni_flags & IEEE80211_NODE_AMPDU ? " (+AMPDU)" : "",
1793 ni->ni_flags & IEEE80211_NODE_MIMO_RTS ? " (+SMPS-DYN)" :
1794 ni->ni_flags & IEEE80211_NODE_MIMO_PS ? " (+SMPS)" : "",
1795 ni->ni_flags & IEEE80211_NODE_RIFS ? " (+RIFS)" : "",
1796 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) ?
1797 ", fast-frames" : "",
1798 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_TURBOP) ?
1801 ieee80211_new_state(vap, IEEE80211_S_RUN, subtype);
1805 case IEEE80211_FC0_SUBTYPE_DEAUTH: {
1808 if (vap->iv_state == IEEE80211_S_SCAN) {
1809 vap->iv_stats.is_rx_mgtdiscard++;
1812 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1813 /* NB: can happen when in promiscuous mode */
1814 vap->iv_stats.is_rx_mgtdiscard++;
1819 * deauth frame format
1822 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1823 reason = le16toh(*(uint16_t *)frm);
1825 vap->iv_stats.is_rx_deauth++;
1826 vap->iv_stats.is_rx_deauth_code = reason;
1827 IEEE80211_NODE_STAT(ni, rx_deauth);
1829 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
1830 "recv deauthenticate (reason: %d (%s))", reason,
1831 ieee80211_reason_to_string(reason));
1832 ieee80211_new_state(vap, IEEE80211_S_AUTH,
1833 (reason << 8) | IEEE80211_FC0_SUBTYPE_DEAUTH);
1837 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
1840 if (vap->iv_state != IEEE80211_S_RUN &&
1841 vap->iv_state != IEEE80211_S_ASSOC &&
1842 vap->iv_state != IEEE80211_S_AUTH) {
1843 vap->iv_stats.is_rx_mgtdiscard++;
1846 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1847 /* NB: can happen when in promiscuous mode */
1848 vap->iv_stats.is_rx_mgtdiscard++;
1853 * disassoc frame format
1856 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1857 reason = le16toh(*(uint16_t *)frm);
1859 vap->iv_stats.is_rx_disassoc++;
1860 vap->iv_stats.is_rx_disassoc_code = reason;
1861 IEEE80211_NODE_STAT(ni, rx_disassoc);
1863 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1864 "recv disassociate (reason: %d (%s))", reason,
1865 ieee80211_reason_to_string(reason));
1866 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1870 case IEEE80211_FC0_SUBTYPE_ACTION:
1871 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
1872 if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
1873 !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
1874 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1875 wh, NULL, "%s", "not for us");
1876 vap->iv_stats.is_rx_mgtdiscard++;
1877 } else if (vap->iv_state != IEEE80211_S_RUN) {
1878 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1879 wh, NULL, "wrong state %s",
1880 ieee80211_state_name[vap->iv_state]);
1881 vap->iv_stats.is_rx_mgtdiscard++;
1883 if (ieee80211_parse_action(ni, m0) == 0)
1884 (void)ic->ic_recv_action(ni, wh, frm, efrm);
1888 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1889 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
1890 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1891 case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
1892 case IEEE80211_FC0_SUBTYPE_ATIM:
1893 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1894 wh, NULL, "%s", "not handled");
1895 vap->iv_stats.is_rx_mgtdiscard++;
1899 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1900 wh, "mgt", "subtype 0x%x not handled", subtype);
1901 vap->iv_stats.is_rx_badsubtype++;
1908 sta_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
1911 case IEEE80211_FC0_SUBTYPE_BAR:
1912 ieee80211_recv_bar(ni, m);