2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
32 * IEEE 802.11 Station mode support.
37 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/malloc.h>
41 #include <sys/kernel.h>
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
48 #include <sys/sysctl.h>
51 #include <net/if_media.h>
52 #include <net/if_llc.h>
53 #include <net/if_dl.h>
54 #include <net/if_var.h>
55 #include <net/ethernet.h>
59 #include <net80211/ieee80211_var.h>
60 #include <net80211/ieee80211_sta.h>
61 #include <net80211/ieee80211_input.h>
62 #ifdef IEEE80211_SUPPORT_SUPERG
63 #include <net80211/ieee80211_superg.h>
65 #include <net80211/ieee80211_ratectl.h>
66 #include <net80211/ieee80211_sta.h>
68 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
70 static void sta_vattach(struct ieee80211vap *);
71 static void sta_beacon_miss(struct ieee80211vap *);
72 static int sta_newstate(struct ieee80211vap *, enum ieee80211_state, int);
73 static int sta_input(struct ieee80211_node *, struct mbuf *,
74 const struct ieee80211_rx_stats *, int, int);
75 static void sta_recv_mgmt(struct ieee80211_node *, struct mbuf *,
76 int subtype, const struct ieee80211_rx_stats *, int rssi, int nf);
77 static void sta_recv_ctl(struct ieee80211_node *, struct mbuf *, int subtype);
80 ieee80211_sta_attach(struct ieee80211com *ic)
82 ic->ic_vattach[IEEE80211_M_STA] = sta_vattach;
86 ieee80211_sta_detach(struct ieee80211com *ic)
91 sta_vdetach(struct ieee80211vap *vap)
96 sta_vattach(struct ieee80211vap *vap)
98 vap->iv_newstate = sta_newstate;
99 vap->iv_input = sta_input;
100 vap->iv_recv_mgmt = sta_recv_mgmt;
101 vap->iv_recv_ctl = sta_recv_ctl;
102 vap->iv_opdetach = sta_vdetach;
103 vap->iv_bmiss = sta_beacon_miss;
107 * Handle a beacon miss event. The common code filters out
108 * spurious events that can happen when scanning and/or before
109 * reaching RUN state.
112 sta_beacon_miss(struct ieee80211vap *vap)
114 struct ieee80211com *ic = vap->iv_ic;
116 IEEE80211_LOCK_ASSERT(ic);
118 KASSERT((ic->ic_flags & IEEE80211_F_SCAN) == 0, ("scanning"));
119 KASSERT(vap->iv_state >= IEEE80211_S_RUN,
120 ("wrong state %s", ieee80211_state_name[vap->iv_state]));
122 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG,
123 "beacon miss, mode %s state %s\n",
124 ieee80211_opmode_name[vap->iv_opmode],
125 ieee80211_state_name[vap->iv_state]);
127 if (vap->iv_state == IEEE80211_S_CSA) {
129 * A Channel Switch is pending; assume we missed the
130 * beacon that would've completed the process and just
131 * force the switch. If we made a mistake we'll not
132 * find the AP on the new channel and fall back to a
135 ieee80211_csa_completeswitch(ic);
138 if (++vap->iv_bmiss_count < vap->iv_bmiss_max) {
140 * Send a directed probe req before falling back to a
141 * scan; if we receive a response ic_bmiss_count will
142 * be reset. Some cards mistakenly report beacon miss
143 * so this avoids the expensive scan if the ap is
146 ieee80211_send_probereq(vap->iv_bss, vap->iv_myaddr,
147 vap->iv_bss->ni_bssid, vap->iv_bss->ni_bssid,
148 vap->iv_bss->ni_essid, vap->iv_bss->ni_esslen);
152 callout_stop(&vap->iv_swbmiss);
153 vap->iv_bmiss_count = 0;
154 vap->iv_stats.is_beacon_miss++;
155 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
156 #ifdef IEEE80211_SUPPORT_SUPERG
157 struct ieee80211com *ic = vap->iv_ic;
160 * If we receive a beacon miss interrupt when using
161 * dynamic turbo, attempt to switch modes before
164 if (IEEE80211_ATH_CAP(vap, vap->iv_bss, IEEE80211_NODE_TURBOP))
165 ieee80211_dturbo_switch(vap,
166 ic->ic_bsschan->ic_flags ^ IEEE80211_CHAN_TURBO);
169 * Try to reassociate before scanning for a new ap.
171 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 1);
174 * Somebody else is controlling state changes (e.g.
175 * a user-mode app) don't do anything that would
176 * confuse them; just drop into scan mode so they'll
177 * notified of the state change and given control.
179 ieee80211_new_state(vap, IEEE80211_S_SCAN, 0);
184 * Handle deauth with reason. We retry only for
185 * the cases where we might succeed. Otherwise
186 * we downgrade the ap and scan.
189 sta_authretry(struct ieee80211vap *vap, struct ieee80211_node *ni, int reason)
192 case IEEE80211_STATUS_SUCCESS: /* NB: MLME assoc */
193 case IEEE80211_STATUS_TIMEOUT:
194 case IEEE80211_REASON_ASSOC_EXPIRE:
195 case IEEE80211_REASON_NOT_AUTHED:
196 case IEEE80211_REASON_NOT_ASSOCED:
197 case IEEE80211_REASON_ASSOC_LEAVE:
198 case IEEE80211_REASON_ASSOC_NOT_AUTHED:
199 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, 1);
202 ieee80211_scan_assoc_fail(vap, vap->iv_bss->ni_macaddr, reason);
203 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
204 ieee80211_check_scan_current(vap);
210 sta_swbmiss_start(struct ieee80211vap *vap)
213 if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS) {
215 * Start s/w beacon miss timer for devices w/o
216 * hardware support. We fudge a bit here since
217 * we're doing this in software.
219 vap->iv_swbmiss_period = IEEE80211_TU_TO_TICKS(
220 2 * vap->iv_bmissthreshold * vap->iv_bss->ni_intval);
221 vap->iv_swbmiss_count = 0;
222 callout_reset(&vap->iv_swbmiss, vap->iv_swbmiss_period,
223 ieee80211_swbmiss, vap);
228 * IEEE80211_M_STA vap state machine handler.
229 * This routine handles the main states in the 802.11 protocol.
232 sta_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
234 struct ieee80211com *ic = vap->iv_ic;
235 struct ieee80211_node *ni;
236 enum ieee80211_state ostate;
238 IEEE80211_LOCK_ASSERT(ic);
240 ostate = vap->iv_state;
241 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
242 __func__, ieee80211_state_name[ostate],
243 ieee80211_state_name[nstate], arg);
244 vap->iv_state = nstate; /* state transition */
245 callout_stop(&vap->iv_mgtsend); /* XXX callout_drain */
246 if (ostate != IEEE80211_S_SCAN)
247 ieee80211_cancel_scan(vap); /* background scan */
248 ni = vap->iv_bss; /* NB: no reference held */
249 if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)
250 callout_stop(&vap->iv_swbmiss);
252 case IEEE80211_S_INIT:
254 case IEEE80211_S_SLEEP:
256 /* XXX driver hook to wakeup the hardware? */
257 case IEEE80211_S_RUN:
258 IEEE80211_SEND_MGMT(ni,
259 IEEE80211_FC0_SUBTYPE_DISASSOC,
260 IEEE80211_REASON_ASSOC_LEAVE);
261 ieee80211_sta_leave(ni);
263 case IEEE80211_S_ASSOC:
264 IEEE80211_SEND_MGMT(ni,
265 IEEE80211_FC0_SUBTYPE_DEAUTH,
266 IEEE80211_REASON_AUTH_LEAVE);
268 case IEEE80211_S_SCAN:
269 ieee80211_cancel_scan(vap);
274 if (ostate != IEEE80211_S_INIT) {
275 /* NB: optimize INIT -> INIT case */
276 ieee80211_reset_bss(vap);
278 if (vap->iv_auth->ia_detach != NULL)
279 vap->iv_auth->ia_detach(vap);
281 case IEEE80211_S_SCAN:
283 case IEEE80211_S_INIT:
285 * Initiate a scan. We can come here as a result
286 * of an IEEE80211_IOC_SCAN_REQ too in which case
287 * the vap will be marked with IEEE80211_FEXT_SCANREQ
288 * and the scan request parameters will be present
289 * in iv_scanreq. Otherwise we do the default.
291 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
292 ieee80211_check_scan(vap,
293 vap->iv_scanreq_flags,
294 vap->iv_scanreq_duration,
295 vap->iv_scanreq_mindwell,
296 vap->iv_scanreq_maxdwell,
297 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
298 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
300 ieee80211_check_scan_current(vap);
302 case IEEE80211_S_SCAN:
303 case IEEE80211_S_AUTH:
304 case IEEE80211_S_ASSOC:
306 * These can happen either because of a timeout
307 * on an assoc/auth response or because of a
308 * change in state that requires a reset. For
309 * the former we're called with a non-zero arg
310 * that is the cause for the failure; pass this
311 * to the scan code so it can update state.
312 * Otherwise trigger a new scan unless we're in
313 * manual roaming mode in which case an application
314 * must issue an explicit scan request.
317 ieee80211_scan_assoc_fail(vap,
318 vap->iv_bss->ni_macaddr, arg);
319 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
320 ieee80211_check_scan_current(vap);
322 case IEEE80211_S_SLEEP: /* beacon miss */
324 * XXX if in sleep we need to wakeup the hardware.
327 case IEEE80211_S_RUN: /* beacon miss */
329 * Beacon miss. Notify user space and if not
330 * under control of a user application (roaming
331 * manual) kick off a scan to re-connect.
334 ieee80211_sta_leave(ni);
335 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
336 ieee80211_check_scan_current(vap);
342 case IEEE80211_S_AUTH:
344 case IEEE80211_S_INIT:
345 case IEEE80211_S_SCAN:
346 IEEE80211_SEND_MGMT(ni,
347 IEEE80211_FC0_SUBTYPE_AUTH, 1);
349 case IEEE80211_S_AUTH:
350 case IEEE80211_S_ASSOC:
351 switch (arg & 0xff) {
352 case IEEE80211_FC0_SUBTYPE_AUTH:
354 IEEE80211_SEND_MGMT(ni,
355 IEEE80211_FC0_SUBTYPE_AUTH, 2);
357 case IEEE80211_FC0_SUBTYPE_DEAUTH:
358 sta_authretry(vap, ni, arg>>8);
362 case IEEE80211_S_SLEEP:
363 case IEEE80211_S_RUN:
364 switch (arg & 0xff) {
365 case IEEE80211_FC0_SUBTYPE_AUTH:
366 IEEE80211_SEND_MGMT(ni,
367 IEEE80211_FC0_SUBTYPE_AUTH, 2);
368 vap->iv_state = IEEE80211_S_RUN; /* stay RUN */
370 case IEEE80211_FC0_SUBTYPE_DEAUTH:
371 ieee80211_sta_leave(ni);
372 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
374 IEEE80211_SEND_MGMT(ni,
375 IEEE80211_FC0_SUBTYPE_AUTH, 1);
384 case IEEE80211_S_ASSOC:
386 case IEEE80211_S_AUTH:
387 case IEEE80211_S_ASSOC:
388 IEEE80211_SEND_MGMT(ni,
389 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
391 case IEEE80211_S_SLEEP: /* cannot happen */
392 case IEEE80211_S_RUN:
393 ieee80211_sta_leave(ni);
394 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
395 IEEE80211_SEND_MGMT(ni, arg ?
396 IEEE80211_FC0_SUBTYPE_REASSOC_REQ :
397 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
404 case IEEE80211_S_RUN:
405 if (vap->iv_flags & IEEE80211_F_WPA) {
406 /* XXX validate prerequisites */
409 case IEEE80211_S_RUN:
410 case IEEE80211_S_CSA:
412 case IEEE80211_S_AUTH: /* when join is done in fw */
413 case IEEE80211_S_ASSOC:
414 #ifdef IEEE80211_DEBUG
415 if (ieee80211_msg_debug(vap)) {
416 ieee80211_note(vap, "%s with %s ssid ",
417 (vap->iv_opmode == IEEE80211_M_STA ?
418 "associated" : "synchronized"),
419 ether_sprintf(ni->ni_bssid));
420 ieee80211_print_essid(vap->iv_bss->ni_essid,
423 printf(" channel %d start %uMb\n",
424 ieee80211_chan2ieee(ic, ic->ic_curchan),
425 IEEE80211_RATE2MBS(ni->ni_txrate));
428 ieee80211_scan_assoc_success(vap, ni->ni_macaddr);
429 ieee80211_notify_node_join(ni,
430 arg == IEEE80211_FC0_SUBTYPE_ASSOC_RESP);
432 case IEEE80211_S_SLEEP:
433 /* Wake up from sleep */
434 vap->iv_sta_ps(vap, 0);
439 ieee80211_sync_curchan(ic);
440 if (ostate != IEEE80211_S_RUN)
441 sta_swbmiss_start(vap);
443 * When 802.1x is not in use mark the port authorized
444 * at this point so traffic can flow.
446 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
447 ieee80211_node_authorize(ni);
449 * Fake association when joining an existing bss.
451 * Don't do this if we're doing SLEEP->RUN.
453 if (ic->ic_newassoc != NULL && ostate != IEEE80211_S_SLEEP)
454 ic->ic_newassoc(vap->iv_bss, (ostate != IEEE80211_S_RUN));
456 case IEEE80211_S_CSA:
457 if (ostate != IEEE80211_S_RUN)
460 case IEEE80211_S_SLEEP:
461 sta_swbmiss_start(vap);
462 vap->iv_sta_ps(vap, 1);
466 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
467 "%s: unexpected state transition %s -> %s\n", __func__,
468 ieee80211_state_name[ostate], ieee80211_state_name[nstate]);
475 * Return non-zero if the frame is an echo of a multicast
476 * frame sent by ourself. The dir is known to be DSTODS.
479 isdstods_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
481 #define QWH4(wh) ((const struct ieee80211_qosframe_addr4 *)wh)
482 #define WH4(wh) ((const struct ieee80211_frame_addr4 *)wh)
485 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
487 if (!IEEE80211_IS_MULTICAST(wh->i_addr3))
489 sa = IEEE80211_QOS_HAS_SEQ(wh) ? QWH4(wh)->i_addr4 : WH4(wh)->i_addr4;
490 return IEEE80211_ADDR_EQ(sa, vap->iv_myaddr);
496 * Return non-zero if the frame is an echo of a multicast
497 * frame sent by ourself. The dir is known to be FROMDS.
500 isfromds_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
502 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
504 if (!IEEE80211_IS_MULTICAST(wh->i_addr1))
506 return IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_myaddr);
510 * Decide if a received management frame should be
511 * printed when debugging is enabled. This filters some
512 * of the less interesting frames that come frequently
516 doprint(struct ieee80211vap *vap, int subtype)
519 case IEEE80211_FC0_SUBTYPE_BEACON:
520 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
521 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
528 * Process a received frame. The node associated with the sender
529 * should be supplied. If nothing was found in the node table then
530 * the caller is assumed to supply a reference to iv_bss instead.
531 * The RSSI and a timestamp are also supplied. The RSSI data is used
532 * during AP scanning to select a AP to associate with; it can have
533 * any units so long as values have consistent units and higher values
534 * mean ``better signal''. The receive timestamp is currently not used
535 * by the 802.11 layer.
538 sta_input(struct ieee80211_node *ni, struct mbuf *m,
539 const struct ieee80211_rx_stats *rxs, int rssi, int nf)
541 struct ieee80211vap *vap = ni->ni_vap;
542 struct ieee80211com *ic = ni->ni_ic;
543 struct ifnet *ifp = vap->iv_ifp;
544 struct ieee80211_frame *wh;
545 struct ieee80211_key *key;
546 struct ether_header *eh;
547 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
548 uint8_t dir, type, subtype, qos;
551 if (m->m_flags & M_AMPDU_MPDU) {
553 * Fastpath for A-MPDU reorder q resubmission. Frames
554 * w/ M_AMPDU_MPDU marked have already passed through
555 * here but were received out of order and been held on
556 * the reorder queue. When resubmitted they are marked
557 * with the M_AMPDU_MPDU flag and we can bypass most of
558 * the normal processing.
560 wh = mtod(m, struct ieee80211_frame *);
561 type = IEEE80211_FC0_TYPE_DATA;
562 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
563 subtype = IEEE80211_FC0_SUBTYPE_QOS;
564 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
568 KASSERT(ni != NULL, ("null node"));
569 ni->ni_inact = ni->ni_inact_reload;
571 type = -1; /* undefined */
573 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
574 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
575 ni->ni_macaddr, NULL,
576 "too short (1): len %u", m->m_pkthdr.len);
577 vap->iv_stats.is_rx_tooshort++;
581 * Bit of a cheat here, we use a pointer for a 3-address
582 * frame format but don't reference fields past outside
583 * ieee80211_frame_min w/o first validating the data is
586 wh = mtod(m, struct ieee80211_frame *);
588 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
589 IEEE80211_FC0_VERSION_0) {
590 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
591 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
592 wh->i_fc[0], wh->i_fc[1]);
593 vap->iv_stats.is_rx_badversion++;
597 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
598 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
599 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
600 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
602 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
603 /* not interested in */
604 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
605 bssid, NULL, "%s", "not to bss");
606 vap->iv_stats.is_rx_wrongbss++;
611 * Some devices may be in a promiscuous mode
612 * where they receive frames for multiple station
615 * If we receive a data frame that isn't
616 * destined to our VAP MAC, drop it.
618 * XXX TODO: This is only enforced when not scanning;
619 * XXX it assumes a software-driven scan will put the NIC
620 * XXX into a "no data frames" mode before setting this
621 * XXX flag. Otherwise it may be possible that we'll still
622 * XXX process data frames whilst scanning.
624 if ((! IEEE80211_IS_MULTICAST(wh->i_addr1))
625 && (! IEEE80211_ADDR_EQ(wh->i_addr1, IF_LLADDR(ifp)))) {
626 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
627 bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D",
628 IF_LLADDR(ifp), ":", wh->i_addr1, ":");
629 vap->iv_stats.is_rx_wrongbss++;
633 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
635 if ( IEEE80211_HAS_SEQ(type, subtype) &&
636 !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
637 uint8_t tid = ieee80211_gettid(wh);
638 if (IEEE80211_QOS_HAS_SEQ(wh) &&
639 TID_TO_WME_AC(tid) >= WME_AC_VI)
640 ic->ic_wme.wme_hipri_traffic++;
641 if (! ieee80211_check_rxseq(ni, wh, bssid))
647 case IEEE80211_FC0_TYPE_DATA:
648 hdrspace = ieee80211_hdrspace(ic, wh);
649 if (m->m_len < hdrspace &&
650 (m = m_pullup(m, hdrspace)) == NULL) {
651 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
652 ni->ni_macaddr, NULL,
653 "data too short: expecting %u", hdrspace);
654 vap->iv_stats.is_rx_tooshort++;
658 * Handle A-MPDU re-ordering. If the frame is to be
659 * processed directly then ieee80211_ampdu_reorder
660 * will return 0; otherwise it has consumed the mbuf
661 * and we should do nothing more with it.
663 if ((m->m_flags & M_AMPDU) &&
664 (dir == IEEE80211_FC1_DIR_FROMDS ||
665 dir == IEEE80211_FC1_DIR_DSTODS) &&
666 ieee80211_ampdu_reorder(ni, m) != 0) {
671 if (dir == IEEE80211_FC1_DIR_FROMDS) {
672 if ((ifp->if_flags & IFF_SIMPLEX) &&
673 isfromds_mcastecho(vap, wh)) {
675 * In IEEE802.11 network, multicast
676 * packets sent from "me" are broadcast
677 * from the AP; silently discard for
680 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
681 wh, "data", "%s", "multicast echo");
682 vap->iv_stats.is_rx_mcastecho++;
685 if ((vap->iv_flags & IEEE80211_F_DWDS) &&
686 IEEE80211_IS_MULTICAST(wh->i_addr1)) {
688 * DWDS sta's must drop 3-address mcast frames
689 * as they will be sent separately as a 4-addr
690 * frame. Accepting the 3-addr frame will
691 * confuse the bridge into thinking the sending
692 * sta is located at the end of WDS link.
694 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
695 "3-address data", "%s", "DWDS enabled");
696 vap->iv_stats.is_rx_mcastecho++;
699 } else if (dir == IEEE80211_FC1_DIR_DSTODS) {
700 if ((vap->iv_flags & IEEE80211_F_DWDS) == 0) {
701 IEEE80211_DISCARD(vap,
702 IEEE80211_MSG_INPUT, wh, "4-address data",
703 "%s", "DWDS not enabled");
704 vap->iv_stats.is_rx_wrongdir++;
707 if ((ifp->if_flags & IFF_SIMPLEX) &&
708 isdstods_mcastecho(vap, wh)) {
710 * In IEEE802.11 network, multicast
711 * packets sent from "me" are broadcast
712 * from the AP; silently discard for
715 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
716 "4-address data", "%s", "multicast echo");
717 vap->iv_stats.is_rx_mcastecho++;
721 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
722 "data", "incorrect dir 0x%x", dir);
723 vap->iv_stats.is_rx_wrongdir++;
728 * Handle privacy requirements. Note that we
729 * must not be preempted from here until after
730 * we (potentially) call ieee80211_crypto_demic;
731 * otherwise we may violate assumptions in the
732 * crypto cipher modules used to do delayed update
733 * of replay sequence numbers.
735 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
736 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
738 * Discard encrypted frames when privacy is off.
740 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
741 wh, "WEP", "%s", "PRIVACY off");
742 vap->iv_stats.is_rx_noprivacy++;
743 IEEE80211_NODE_STAT(ni, rx_noprivacy);
746 key = ieee80211_crypto_decap(ni, m, hdrspace);
748 /* NB: stats+msgs handled in crypto_decap */
749 IEEE80211_NODE_STAT(ni, rx_wepfail);
752 wh = mtod(m, struct ieee80211_frame *);
753 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
755 /* XXX M_WEP and IEEE80211_F_PRIVACY */
760 * Save QoS bits for use below--before we strip the header.
762 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
763 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
764 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
765 ((struct ieee80211_qosframe *)wh)->i_qos[0];
770 * Next up, any fragmentation.
772 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
773 m = ieee80211_defrag(ni, m, hdrspace);
775 /* Fragment dropped or frame not complete yet */
779 wh = NULL; /* no longer valid, catch any uses */
782 * Next strip any MSDU crypto bits.
784 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
785 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
786 ni->ni_macaddr, "data", "%s", "demic error");
787 vap->iv_stats.is_rx_demicfail++;
788 IEEE80211_NODE_STAT(ni, rx_demicfail);
792 /* copy to listener after decrypt */
793 if (ieee80211_radiotap_active_vap(vap))
794 ieee80211_radiotap_rx(vap, m);
798 * Finally, strip the 802.11 header.
800 m = ieee80211_decap(vap, m, hdrspace);
802 /* XXX mask bit to check for both */
803 /* don't count Null data frames as errors */
804 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
805 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
807 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
808 ni->ni_macaddr, "data", "%s", "decap error");
809 vap->iv_stats.is_rx_decap++;
810 IEEE80211_NODE_STAT(ni, rx_decap);
813 eh = mtod(m, struct ether_header *);
814 if (!ieee80211_node_is_authorized(ni)) {
816 * Deny any non-PAE frames received prior to
817 * authorization. For open/shared-key
818 * authentication the port is mark authorized
819 * after authentication completes. For 802.1x
820 * the port is not marked authorized by the
821 * authenticator until the handshake has completed.
823 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
824 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
825 eh->ether_shost, "data",
826 "unauthorized port: ether type 0x%x len %u",
827 eh->ether_type, m->m_pkthdr.len);
828 vap->iv_stats.is_rx_unauth++;
829 IEEE80211_NODE_STAT(ni, rx_unauth);
834 * When denying unencrypted frames, discard
835 * any non-PAE frames received without encryption.
837 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
838 (key == NULL && (m->m_flags & M_WEP) == 0) &&
839 eh->ether_type != htons(ETHERTYPE_PAE)) {
841 * Drop unencrypted frames.
843 vap->iv_stats.is_rx_unencrypted++;
844 IEEE80211_NODE_STAT(ni, rx_unencrypted);
848 /* XXX require HT? */
849 if (qos & IEEE80211_QOS_AMSDU) {
850 m = ieee80211_decap_amsdu(ni, m);
852 return IEEE80211_FC0_TYPE_DATA;
854 #ifdef IEEE80211_SUPPORT_SUPERG
855 m = ieee80211_decap_fastframe(vap, ni, m);
857 return IEEE80211_FC0_TYPE_DATA;
860 ieee80211_deliver_data(vap, ni, m);
861 return IEEE80211_FC0_TYPE_DATA;
863 case IEEE80211_FC0_TYPE_MGT:
864 vap->iv_stats.is_rx_mgmt++;
865 IEEE80211_NODE_STAT(ni, rx_mgmt);
866 if (dir != IEEE80211_FC1_DIR_NODS) {
867 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
868 wh, "data", "incorrect dir 0x%x", dir);
869 vap->iv_stats.is_rx_wrongdir++;
872 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
873 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
874 ni->ni_macaddr, "mgt", "too short: len %u",
876 vap->iv_stats.is_rx_tooshort++;
879 #ifdef IEEE80211_DEBUG
880 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
881 ieee80211_msg_dumppkts(vap)) {
882 if_printf(ifp, "received %s from %s rssi %d\n",
883 ieee80211_mgt_subtype_name[subtype >>
884 IEEE80211_FC0_SUBTYPE_SHIFT],
885 ether_sprintf(wh->i_addr2), rssi);
888 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
889 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
891 * Only shared key auth frames with a challenge
892 * should be encrypted, discard all others.
894 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
895 wh, ieee80211_mgt_subtype_name[subtype >>
896 IEEE80211_FC0_SUBTYPE_SHIFT],
897 "%s", "WEP set but not permitted");
898 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
901 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
903 * Discard encrypted frames when privacy is off.
905 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
906 wh, "mgt", "%s", "WEP set but PRIVACY off");
907 vap->iv_stats.is_rx_noprivacy++;
910 hdrspace = ieee80211_hdrspace(ic, wh);
911 key = ieee80211_crypto_decap(ni, m, hdrspace);
913 /* NB: stats+msgs handled in crypto_decap */
916 wh = mtod(m, struct ieee80211_frame *);
917 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
919 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf);
922 case IEEE80211_FC0_TYPE_CTL:
923 vap->iv_stats.is_rx_ctl++;
924 IEEE80211_NODE_STAT(ni, rx_ctrl);
925 vap->iv_recv_ctl(ni, m, subtype);
929 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
930 wh, NULL, "bad frame type 0x%x", type);
931 /* should not come here */
935 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
938 if (need_tap && ieee80211_radiotap_active_vap(vap))
939 ieee80211_radiotap_rx(vap, m);
946 sta_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
947 int rssi, int nf, uint16_t seq, uint16_t status)
949 struct ieee80211vap *vap = ni->ni_vap;
951 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
952 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
953 ni->ni_macaddr, "open auth",
954 "bad sta auth mode %u", ni->ni_authmode);
955 vap->iv_stats.is_rx_bad_auth++; /* XXX */
958 if (vap->iv_state != IEEE80211_S_AUTH ||
959 seq != IEEE80211_AUTH_OPEN_RESPONSE) {
960 vap->iv_stats.is_rx_bad_auth++;
964 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
965 ni, "open auth failed (reason %d)", status);
966 vap->iv_stats.is_rx_auth_fail++;
967 vap->iv_stats.is_rx_authfail_code = status;
968 ieee80211_new_state(vap, IEEE80211_S_SCAN,
969 IEEE80211_SCAN_FAIL_STATUS);
971 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
975 sta_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
976 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
977 uint16_t seq, uint16_t status)
979 struct ieee80211vap *vap = ni->ni_vap;
984 * NB: this can happen as we allow pre-shared key
985 * authentication to be enabled w/o wep being turned
986 * on so that configuration of these can be done
987 * in any order. It may be better to enforce the
988 * ordering in which case this check would just be
989 * for sanity/consistency.
991 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
992 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
993 ni->ni_macaddr, "shared key auth",
994 "%s", " PRIVACY is disabled");
995 estatus = IEEE80211_STATUS_ALG;
999 * Pre-shared key authentication is evil; accept
1000 * it only if explicitly configured (it is supported
1001 * mainly for compatibility with clients like OS X).
1003 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1004 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1005 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1006 ni->ni_macaddr, "shared key auth",
1007 "bad sta auth mode %u", ni->ni_authmode);
1008 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1009 estatus = IEEE80211_STATUS_ALG;
1014 if (frm + 1 < efrm) {
1015 if ((frm[1] + 2) > (efrm - frm)) {
1016 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1017 ni->ni_macaddr, "shared key auth",
1018 "ie %d/%d too long",
1019 frm[0], (frm[1] + 2) - (efrm - frm));
1020 vap->iv_stats.is_rx_bad_auth++;
1021 estatus = IEEE80211_STATUS_CHALLENGE;
1024 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1029 case IEEE80211_AUTH_SHARED_CHALLENGE:
1030 case IEEE80211_AUTH_SHARED_RESPONSE:
1031 if (challenge == NULL) {
1032 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1033 ni->ni_macaddr, "shared key auth",
1034 "%s", "no challenge");
1035 vap->iv_stats.is_rx_bad_auth++;
1036 estatus = IEEE80211_STATUS_CHALLENGE;
1039 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1040 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1041 ni->ni_macaddr, "shared key auth",
1042 "bad challenge len %d", challenge[1]);
1043 vap->iv_stats.is_rx_bad_auth++;
1044 estatus = IEEE80211_STATUS_CHALLENGE;
1050 if (vap->iv_state != IEEE80211_S_AUTH)
1053 case IEEE80211_AUTH_SHARED_PASS:
1054 if (ni->ni_challenge != NULL) {
1055 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
1056 ni->ni_challenge = NULL;
1059 IEEE80211_NOTE_FRAME(vap,
1060 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, wh,
1061 "shared key auth failed (reason %d)", status);
1062 vap->iv_stats.is_rx_auth_fail++;
1063 vap->iv_stats.is_rx_authfail_code = status;
1066 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1068 case IEEE80211_AUTH_SHARED_CHALLENGE:
1069 if (!ieee80211_alloc_challenge(ni))
1071 /* XXX could optimize by passing recvd challenge */
1072 memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1073 IEEE80211_SEND_MGMT(ni,
1074 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1077 IEEE80211_DISCARD(vap, IEEE80211_MSG_AUTH,
1078 wh, "shared key auth", "bad seq %d", seq);
1079 vap->iv_stats.is_rx_bad_auth++;
1085 * Kick the state machine. This short-circuits
1086 * using the mgt frame timeout to trigger the
1089 if (vap->iv_state == IEEE80211_S_AUTH)
1090 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1091 IEEE80211_SCAN_FAIL_STATUS);
1095 ieee80211_parse_wmeparams(struct ieee80211vap *vap, uint8_t *frm,
1096 const struct ieee80211_frame *wh)
1098 #define MS(_v, _f) (((_v) & _f) >> _f##_S)
1099 struct ieee80211_wme_state *wme = &vap->iv_ic->ic_wme;
1100 u_int len = frm[1], qosinfo;
1103 if (len < sizeof(struct ieee80211_wme_param)-2) {
1104 IEEE80211_DISCARD_IE(vap,
1105 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1106 wh, "WME", "too short, len %u", len);
1109 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)];
1110 qosinfo &= WME_QOSINFO_COUNT;
1111 /* XXX do proper check for wraparound */
1112 if (qosinfo == wme->wme_wmeChanParams.cap_info)
1114 frm += __offsetof(struct ieee80211_wme_param, params_acParams);
1115 for (i = 0; i < WME_NUM_AC; i++) {
1116 struct wmeParams *wmep =
1117 &wme->wme_wmeChanParams.cap_wmeParams[i];
1118 /* NB: ACI not used */
1119 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM);
1120 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN);
1121 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN);
1122 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX);
1123 wmep->wmep_txopLimit = LE_READ_2(frm+2);
1126 wme->wme_wmeChanParams.cap_info = qosinfo;
1132 * Process 11h Channel Switch Announcement (CSA) ie. If this
1133 * is the first CSA then initiate the switch. Otherwise we
1134 * track state and trigger completion and/or cancel of the switch.
1135 * XXX should be public for IBSS use
1138 ieee80211_parse_csaparams(struct ieee80211vap *vap, uint8_t *frm,
1139 const struct ieee80211_frame *wh)
1141 struct ieee80211com *ic = vap->iv_ic;
1142 const struct ieee80211_csa_ie *csa =
1143 (const struct ieee80211_csa_ie *) frm;
1145 KASSERT(vap->iv_state >= IEEE80211_S_RUN,
1146 ("state %s", ieee80211_state_name[vap->iv_state]));
1148 if (csa->csa_mode > 1) {
1149 IEEE80211_DISCARD_IE(vap,
1150 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1151 wh, "CSA", "invalid mode %u", csa->csa_mode);
1155 if ((ic->ic_flags & IEEE80211_F_CSAPENDING) == 0) {
1157 * Convert the channel number to a channel reference. We
1158 * try first to preserve turbo attribute of the current
1159 * channel then fallback. Note this will not work if the
1160 * CSA specifies a channel that requires a band switch (e.g.
1161 * 11a => 11g). This is intentional as 11h is defined only
1162 * for 5GHz/11a and because the switch does not involve a
1163 * reassociation, protocol state (capabilities, negotated
1164 * rates, etc) may/will be wrong.
1166 struct ieee80211_channel *c =
1167 ieee80211_find_channel_byieee(ic, csa->csa_newchan,
1168 (ic->ic_bsschan->ic_flags & IEEE80211_CHAN_ALLTURBO));
1170 c = ieee80211_find_channel_byieee(ic,
1172 (ic->ic_bsschan->ic_flags & IEEE80211_CHAN_ALL));
1174 IEEE80211_DISCARD_IE(vap,
1175 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1176 wh, "CSA", "invalid channel %u",
1181 #if IEEE80211_CSA_COUNT_MIN > 0
1182 if (csa->csa_count < IEEE80211_CSA_COUNT_MIN) {
1184 * Require at least IEEE80211_CSA_COUNT_MIN count to
1185 * reduce the risk of being redirected by a fabricated
1186 * CSA. If a valid CSA is dropped we'll still get a
1187 * beacon miss when the AP leaves the channel so we'll
1188 * eventually follow to the new channel.
1190 * NOTE: this violates the 11h spec that states that
1191 * count may be any value and if 0 then a switch
1192 * should happen asap.
1194 IEEE80211_DISCARD_IE(vap,
1195 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1196 wh, "CSA", "count %u too small, must be >= %u",
1197 csa->csa_count, IEEE80211_CSA_COUNT_MIN);
1201 ieee80211_csa_startswitch(ic, c, csa->csa_mode, csa->csa_count);
1204 * Validate this ie against the initial CSA. We require
1205 * mode and channel not change and the count must be
1206 * monotonically decreasing. This may be pointless and
1207 * canceling the switch as a result may be too paranoid but
1208 * in the worst case if we drop out of CSA because of this
1209 * and the AP does move then we'll just end up taking a
1210 * beacon miss and scan to find the AP.
1212 * XXX may want <= on count as we also process ProbeResp
1213 * frames and those may come in w/ the same count as the
1214 * previous beacon; but doing so leaves us open to a stuck
1215 * count until we add a dead-man timer
1217 if (!(csa->csa_count < ic->ic_csa_count &&
1218 csa->csa_mode == ic->ic_csa_mode &&
1219 csa->csa_newchan == ieee80211_chan2ieee(ic, ic->ic_csa_newchan))) {
1220 IEEE80211_NOTE_FRAME(vap, IEEE80211_MSG_DOTH, wh,
1221 "CSA ie mismatch, initial ie <%d,%d,%d>, "
1222 "this ie <%d,%d,%d>", ic->ic_csa_mode,
1223 ic->ic_csa_newchan, ic->ic_csa_count,
1224 csa->csa_mode, csa->csa_newchan, csa->csa_count);
1225 ieee80211_csa_cancelswitch(ic);
1227 if (csa->csa_count <= 1)
1228 ieee80211_csa_completeswitch(ic);
1230 ic->ic_csa_count = csa->csa_count;
1234 IEEE80211_UNLOCK(ic);
1238 * Return non-zero if a background scan may be continued:
1239 * o bg scan is active
1240 * o no channel switch is pending
1241 * o there has not been any traffic recently
1243 * Note we do not check if there is an administrative enable;
1244 * this is only done to start the scan. We assume that any
1245 * change in state will be accompanied by a request to cancel
1246 * active scans which will otherwise cause this test to fail.
1249 contbgscan(struct ieee80211vap *vap)
1251 struct ieee80211com *ic = vap->iv_ic;
1253 return ((ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN) &&
1254 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1255 vap->iv_state == IEEE80211_S_RUN && /* XXX? */
1256 time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle));
1260 * Return non-zero if a backgrond scan may be started:
1261 * o bg scanning is administratively enabled
1262 * o no channel switch is pending
1263 * o we are not boosted on a dynamic turbo channel
1264 * o there has not been a scan recently
1265 * o there has not been any traffic recently
1268 startbgscan(struct ieee80211vap *vap)
1270 struct ieee80211com *ic = vap->iv_ic;
1272 return ((vap->iv_flags & IEEE80211_F_BGSCAN) &&
1273 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1274 #ifdef IEEE80211_SUPPORT_SUPERG
1275 !IEEE80211_IS_CHAN_DTURBO(ic->ic_curchan) &&
1277 time_after(ticks, ic->ic_lastscan + vap->iv_bgscanintvl) &&
1278 time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle));
1282 sta_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, int subtype,
1283 const struct ieee80211_rx_stats *rxs,
1286 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
1287 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
1288 struct ieee80211vap *vap = ni->ni_vap;
1289 struct ieee80211com *ic = ni->ni_ic;
1290 struct ieee80211_channel *rxchan = ic->ic_curchan;
1291 struct ieee80211_frame *wh;
1292 uint8_t *frm, *efrm;
1293 uint8_t *rates, *xrates, *wme, *htcap, *htinfo;
1295 int ht_state_change = 0;
1297 wh = mtod(m0, struct ieee80211_frame *);
1298 frm = (uint8_t *)&wh[1];
1299 efrm = mtod(m0, uint8_t *) + m0->m_len;
1301 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1302 case IEEE80211_FC0_SUBTYPE_BEACON: {
1303 struct ieee80211_scanparams scan;
1304 struct ieee80211_channel *c;
1306 * We process beacon/probe response frames:
1307 * o when scanning, or
1308 * o station mode when associated (to collect state
1309 * updates such as 802.11g slot time)
1310 * Frames otherwise received are discarded.
1312 if (!((ic->ic_flags & IEEE80211_F_SCAN) || ni->ni_associd)) {
1313 vap->iv_stats.is_rx_mgtdiscard++;
1317 /* Override RX channel as appropriate */
1319 c = ieee80211_lookup_channel_rxstatus(vap, rxs);
1324 /* XXX probe response in sta mode when !scanning? */
1325 if (ieee80211_parse_beacon(ni, m0, rxchan, &scan) != 0) {
1326 if (! (ic->ic_flags & IEEE80211_F_SCAN))
1327 vap->iv_stats.is_beacon_bad++;
1332 * Count frame now that we know it's to be processed.
1334 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1335 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1336 IEEE80211_NODE_STAT(ni, rx_beacons);
1338 IEEE80211_NODE_STAT(ni, rx_proberesp);
1340 * When operating in station mode, check for state updates.
1341 * Be careful to ignore beacons received while doing a
1342 * background scan. We consider only 11g/WMM stuff right now.
1344 if (ni->ni_associd != 0 &&
1345 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
1346 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
1347 /* record tsf of last beacon */
1348 memcpy(ni->ni_tstamp.data, scan.tstamp,
1349 sizeof(ni->ni_tstamp));
1350 /* count beacon frame for s/w bmiss handling */
1351 vap->iv_swbmiss_count++;
1352 vap->iv_bmiss_count = 0;
1353 if (ni->ni_erp != scan.erp) {
1354 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1356 "erp change: was 0x%x, now 0x%x",
1357 ni->ni_erp, scan.erp);
1358 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1359 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1360 ic->ic_flags |= IEEE80211_F_USEPROT;
1362 ic->ic_flags &= ~IEEE80211_F_USEPROT;
1363 ni->ni_erp = scan.erp;
1365 /* XXX driver notification */
1367 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) {
1368 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1370 "capabilities change: was 0x%x, now 0x%x",
1371 ni->ni_capinfo, scan.capinfo);
1373 * NB: we assume short preamble doesn't
1374 * change dynamically
1376 ieee80211_set_shortslottime(ic,
1377 IEEE80211_IS_CHAN_A(ic->ic_bsschan) ||
1378 (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1379 ni->ni_capinfo = (ni->ni_capinfo &~ IEEE80211_CAPINFO_SHORT_SLOTTIME)
1380 | (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME);
1383 if (scan.wme != NULL &&
1384 (ni->ni_flags & IEEE80211_NODE_QOS) &&
1385 ieee80211_parse_wmeparams(vap, scan.wme, wh) > 0)
1386 ieee80211_wme_updateparams(vap);
1387 #ifdef IEEE80211_SUPPORT_SUPERG
1388 if (scan.ath != NULL)
1389 ieee80211_parse_athparams(ni, scan.ath, wh);
1391 if (scan.htcap != NULL && scan.htinfo != NULL &&
1392 (vap->iv_flags_ht & IEEE80211_FHT_HT)) {
1393 /* XXX state changes? */
1394 if (ieee80211_ht_updateparams(ni,
1395 scan.htcap, scan.htinfo))
1396 ht_state_change = 1;
1399 ic->ic_set_quiet(ni, scan.quiet);
1401 if (scan.tim != NULL) {
1402 struct ieee80211_tim_ie *tim =
1403 (struct ieee80211_tim_ie *) scan.tim;
1405 * XXX Check/debug this code; see if it's about
1406 * the right time to force the VAP awake if we
1407 * receive a frame destined for us?
1409 int aid = IEEE80211_AID(ni->ni_associd);
1410 int ix = aid / NBBY;
1411 int min = tim->tim_bitctl &~ 1;
1412 int max = tim->tim_len + min - 4;
1413 int tim_ucast = 0, tim_mcast = 0;
1416 * Only do this for unicast traffic in the TIM
1417 * The multicast traffic notification for
1418 * the scan notification stuff should occur
1421 if (min <= ix && ix <= max &&
1422 isset(tim->tim_bitmap - min, aid)) {
1427 * Do a separate notification
1428 * for the multicast bit being set.
1430 if (tim->tim_bitctl & 1) {
1435 * If the TIM indicates there's traffic for
1436 * us then get us out of STA mode powersave.
1438 if (tim_ucast == 1) {
1441 * Wake us out of SLEEP state if we're
1442 * in it; and if we're doing bgscan
1443 * then wake us out of STA powersave.
1445 ieee80211_sta_tim_notify(vap, 1);
1448 * This is preventing us from
1449 * continuing a bgscan; because it
1450 * tricks the contbgscan()
1451 * routine to think there's always
1454 * I think we need both an RX and
1455 * TX ic_lastdata field.
1457 ic->ic_lastdata = ticks;
1460 ni->ni_dtim_count = tim->tim_count;
1461 ni->ni_dtim_period = tim->tim_period;
1463 if (scan.csa != NULL &&
1464 (vap->iv_flags & IEEE80211_F_DOTH))
1465 ieee80211_parse_csaparams(vap, scan.csa, wh);
1466 else if (ic->ic_flags & IEEE80211_F_CSAPENDING) {
1468 * No CSA ie or 11h disabled, but a channel
1469 * switch is pending; drop out so we aren't
1470 * stuck in CSA state. If the AP really is
1471 * moving we'll get a beacon miss and scan.
1474 ieee80211_csa_cancelswitch(ic);
1475 IEEE80211_UNLOCK(ic);
1478 * If scanning, pass the info to the scan module.
1479 * Otherwise, check if it's the right time to do
1480 * a background scan. Background scanning must
1481 * be enabled and we must not be operating in the
1482 * turbo phase of dynamic turbo mode. Then,
1483 * it's been a while since the last background
1484 * scan and if no data frames have come through
1485 * recently, kick off a scan. Note that this
1486 * is the mechanism by which a background scan
1487 * is started _and_ continued each time we
1488 * return on-channel to receive a beacon from
1491 if (ic->ic_flags & IEEE80211_F_SCAN) {
1492 ieee80211_add_scan(vap, rxchan,
1493 &scan, wh, subtype, rssi, nf);
1494 } else if (contbgscan(vap)) {
1495 ieee80211_bg_scan(vap, 0);
1496 } else if (startbgscan(vap)) {
1497 vap->iv_stats.is_scan_bg++;
1499 /* wakeup if we are sleeing */
1500 ieee80211_set_pwrsave(vap, 0);
1502 ieee80211_bg_scan(vap, 0);
1506 * Put the station to sleep if we haven't seen
1507 * traffic in a while.
1510 ieee80211_sta_ps_timer_check(vap);
1511 IEEE80211_UNLOCK(ic);
1514 * If we've had a channel width change (eg HT20<->HT40)
1515 * then schedule a delayed driver notification.
1517 if (ht_state_change)
1518 ieee80211_update_chw(ic);
1522 * If scanning, just pass information to the scan module.
1524 if (ic->ic_flags & IEEE80211_F_SCAN) {
1525 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
1527 * Actively scanning a channel marked passive;
1528 * send a probe request now that we know there
1529 * is 802.11 traffic present.
1531 * XXX check if the beacon we recv'd gives
1532 * us what we need and suppress the probe req
1534 ieee80211_probe_curchan(vap, 1);
1535 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1537 ieee80211_add_scan(vap, rxchan, &scan, wh,
1544 case IEEE80211_FC0_SUBTYPE_AUTH: {
1545 uint16_t algo, seq, status;
1553 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1554 algo = le16toh(*(uint16_t *)frm);
1555 seq = le16toh(*(uint16_t *)(frm + 2));
1556 status = le16toh(*(uint16_t *)(frm + 4));
1557 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1558 "recv auth frame with algorithm %d seq %d", algo, seq);
1560 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1561 IEEE80211_DISCARD(vap,
1562 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1563 wh, "auth", "%s", "TKIP countermeasures enabled");
1564 vap->iv_stats.is_rx_auth_countermeasures++;
1565 if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
1566 ieee80211_send_error(ni, wh->i_addr2,
1567 IEEE80211_FC0_SUBTYPE_AUTH,
1568 IEEE80211_REASON_MIC_FAILURE);
1572 if (algo == IEEE80211_AUTH_ALG_SHARED)
1573 sta_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1575 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1576 sta_auth_open(ni, wh, rssi, nf, seq, status);
1578 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1579 wh, "auth", "unsupported alg %d", algo);
1580 vap->iv_stats.is_rx_auth_unsupported++;
1586 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
1587 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
1588 uint16_t capinfo, associd;
1591 if (vap->iv_state != IEEE80211_S_ASSOC) {
1592 vap->iv_stats.is_rx_mgtdiscard++;
1597 * asresp frame format
1598 * [2] capability information
1600 * [2] association ID
1601 * [tlv] supported rates
1602 * [tlv] extended supported rates
1604 * [tlv] HT capabilities
1607 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1609 capinfo = le16toh(*(uint16_t *)frm);
1611 status = le16toh(*(uint16_t *)frm);
1614 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1615 wh->i_addr2, "%sassoc failed (reason %d)",
1616 ISREASSOC(subtype) ? "re" : "", status);
1617 vap->iv_stats.is_rx_auth_fail++; /* XXX */
1620 associd = le16toh(*(uint16_t *)frm);
1623 rates = xrates = wme = htcap = htinfo = NULL;
1624 while (efrm - frm > 1) {
1625 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1627 case IEEE80211_ELEMID_RATES:
1630 case IEEE80211_ELEMID_XRATES:
1633 case IEEE80211_ELEMID_HTCAP:
1636 case IEEE80211_ELEMID_HTINFO:
1639 case IEEE80211_ELEMID_VENDOR:
1642 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
1644 * Accept pre-draft HT ie's if the
1645 * standard ones have not been seen.
1647 if (ishtcapoui(frm)) {
1650 } else if (ishtinfooui(frm)) {
1655 /* XXX Atheros OUI support */
1661 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1663 IEEE80211_VERIFY_ELEMENT(xrates,
1664 IEEE80211_RATE_MAXSIZE - rates[1], return);
1665 rate = ieee80211_setup_rates(ni, rates, xrates,
1667 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
1668 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
1669 if (rate & IEEE80211_RATE_BASIC) {
1670 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1672 "%sassoc failed (rate set mismatch)",
1673 ISREASSOC(subtype) ? "re" : "");
1674 vap->iv_stats.is_rx_assoc_norate++;
1675 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1676 IEEE80211_SCAN_FAIL_STATUS);
1680 ni->ni_capinfo = capinfo;
1681 ni->ni_associd = associd;
1682 if (ni->ni_jointime == 0)
1683 ni->ni_jointime = time_uptime;
1685 ieee80211_parse_wmeparams(vap, wme, wh) >= 0) {
1686 ni->ni_flags |= IEEE80211_NODE_QOS;
1687 ieee80211_wme_updateparams(vap);
1689 ni->ni_flags &= ~IEEE80211_NODE_QOS;
1691 * Setup HT state according to the negotiation.
1693 * NB: shouldn't need to check if HT use is enabled but some
1694 * ap's send back HT ie's even when we don't indicate we
1695 * are HT capable in our AssocReq.
1697 if (htcap != NULL && htinfo != NULL &&
1698 (vap->iv_flags_ht & IEEE80211_FHT_HT)) {
1699 ieee80211_ht_node_init(ni);
1700 ieee80211_ht_updateparams(ni, htcap, htinfo);
1701 ieee80211_setup_htrates(ni, htcap,
1702 IEEE80211_F_JOIN | IEEE80211_F_DOBRS);
1703 ieee80211_setup_basic_htrates(ni, htinfo);
1704 ieee80211_node_setuptxparms(ni);
1705 ieee80211_ratectl_node_init(ni);
1707 #ifdef IEEE80211_SUPPORT_SUPERG
1708 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_ATH))
1709 ieee80211_ff_node_init(ni);
1713 * Configure state now that we are associated.
1715 * XXX may need different/additional driver callbacks?
1717 if (IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1718 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
1719 ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
1720 ic->ic_flags &= ~IEEE80211_F_USEBARKER;
1722 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
1723 ic->ic_flags |= IEEE80211_F_USEBARKER;
1725 ieee80211_set_shortslottime(ic,
1726 IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1727 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1729 * Honor ERP protection.
1731 * NB: ni_erp should zero for non-11g operation.
1733 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1734 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1735 ic->ic_flags |= IEEE80211_F_USEPROT;
1737 ic->ic_flags &= ~IEEE80211_F_USEPROT;
1738 IEEE80211_NOTE_MAC(vap,
1739 IEEE80211_MSG_ASSOC | IEEE80211_MSG_DEBUG, wh->i_addr2,
1740 "%sassoc success at aid %d: %s preamble, %s slot time%s%s%s%s%s%s%s%s",
1741 ISREASSOC(subtype) ? "re" : "",
1742 IEEE80211_NODE_AID(ni),
1743 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
1744 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
1745 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
1746 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "",
1747 ni->ni_flags & IEEE80211_NODE_HT ?
1748 (ni->ni_chw == 40 ? ", HT40" : ", HT20") : "",
1749 ni->ni_flags & IEEE80211_NODE_AMPDU ? " (+AMPDU)" : "",
1750 ni->ni_flags & IEEE80211_NODE_MIMO_RTS ? " (+SMPS-DYN)" :
1751 ni->ni_flags & IEEE80211_NODE_MIMO_PS ? " (+SMPS)" : "",
1752 ni->ni_flags & IEEE80211_NODE_RIFS ? " (+RIFS)" : "",
1753 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) ?
1754 ", fast-frames" : "",
1755 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_TURBOP) ?
1758 ieee80211_new_state(vap, IEEE80211_S_RUN, subtype);
1762 case IEEE80211_FC0_SUBTYPE_DEAUTH: {
1765 if (vap->iv_state == IEEE80211_S_SCAN) {
1766 vap->iv_stats.is_rx_mgtdiscard++;
1769 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1770 /* NB: can happen when in promiscuous mode */
1771 vap->iv_stats.is_rx_mgtdiscard++;
1776 * deauth frame format
1779 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1780 reason = le16toh(*(uint16_t *)frm);
1782 vap->iv_stats.is_rx_deauth++;
1783 vap->iv_stats.is_rx_deauth_code = reason;
1784 IEEE80211_NODE_STAT(ni, rx_deauth);
1786 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
1787 "recv deauthenticate (reason %d)", reason);
1788 ieee80211_new_state(vap, IEEE80211_S_AUTH,
1789 (reason << 8) | IEEE80211_FC0_SUBTYPE_DEAUTH);
1793 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
1796 if (vap->iv_state != IEEE80211_S_RUN &&
1797 vap->iv_state != IEEE80211_S_ASSOC &&
1798 vap->iv_state != IEEE80211_S_AUTH) {
1799 vap->iv_stats.is_rx_mgtdiscard++;
1802 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1803 /* NB: can happen when in promiscuous mode */
1804 vap->iv_stats.is_rx_mgtdiscard++;
1809 * disassoc frame format
1812 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1813 reason = le16toh(*(uint16_t *)frm);
1815 vap->iv_stats.is_rx_disassoc++;
1816 vap->iv_stats.is_rx_disassoc_code = reason;
1817 IEEE80211_NODE_STAT(ni, rx_disassoc);
1819 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1820 "recv disassociate (reason %d)", reason);
1821 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1825 case IEEE80211_FC0_SUBTYPE_ACTION:
1826 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
1827 if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
1828 !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
1829 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1830 wh, NULL, "%s", "not for us");
1831 vap->iv_stats.is_rx_mgtdiscard++;
1832 } else if (vap->iv_state != IEEE80211_S_RUN) {
1833 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1834 wh, NULL, "wrong state %s",
1835 ieee80211_state_name[vap->iv_state]);
1836 vap->iv_stats.is_rx_mgtdiscard++;
1838 if (ieee80211_parse_action(ni, m0) == 0)
1839 (void)ic->ic_recv_action(ni, wh, frm, efrm);
1843 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1844 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
1845 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1846 case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
1847 case IEEE80211_FC0_SUBTYPE_ATIM:
1848 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1849 wh, NULL, "%s", "not handled");
1850 vap->iv_stats.is_rx_mgtdiscard++;
1854 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1855 wh, "mgt", "subtype 0x%x not handled", subtype);
1856 vap->iv_stats.is_rx_badsubtype++;
1864 sta_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
1867 case IEEE80211_FC0_SUBTYPE_BAR:
1868 ieee80211_recv_bar(ni, m);