2 * Copyright (c) 2001 Atsushi Onoe
3 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. The name of the author may not be used to endorse or promote products
15 * derived from this software without specific prior written permission.
17 * Alternatively, this software may be distributed under the terms of the
18 * GNU General Public License ("GPL") version 2 as published by the Free
19 * Software Foundation.
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 * $FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.62.2.14 2006/09/02 15:16:12 sam Exp $
33 * $DragonFly: src/sys/netproto/802_11/wlan/ieee80211_input.c,v 1.22 2008/03/04 13:48:40 sephe Exp $
36 #include <sys/param.h>
37 #include <sys/systm.h>
39 #include <sys/malloc.h>
40 #include <sys/endian.h>
41 #include <sys/kernel.h>
42 #include <sys/serialize.h>
44 #include <sys/socket.h>
47 #include <net/if_arp.h>
48 #include <net/ifq_var.h>
49 #include <net/if_media.h>
50 #include <net/ethernet.h>
51 #include <net/if_llc.h>
52 #include <net/vlan/if_vlan_var.h>
54 #include <netproto/802_11/ieee80211_var.h>
58 #ifdef IEEE80211_DEBUG
59 #include <machine/stdarg.h>
62 * Decide if a received management frame should be
63 * printed when debugging is enabled. This filters some
64 * of the less interesting frames that come frequently
68 doprint(struct ieee80211com *ic, int subtype)
71 case IEEE80211_FC0_SUBTYPE_BEACON:
72 return (ic->ic_flags & IEEE80211_F_SCAN);
73 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
74 return (ic->ic_opmode == IEEE80211_M_IBSS);
80 * Emit a debug message about discarding a frame or information
81 * element. One format is for extracting the mac address from
82 * the frame header; the other is for when a header is not
83 * available or otherwise appropriate.
85 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \
86 if ((_ic)->ic_debug & (_m)) \
87 ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\
89 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \
90 if ((_ic)->ic_debug & (_m)) \
91 ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\
93 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \
94 if ((_ic)->ic_debug & (_m)) \
95 ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\
98 static const uint8_t *ieee80211_getbssid(struct ieee80211com *,
99 const struct ieee80211_frame *);
100 static void ieee80211_discard_frame(struct ieee80211com *,
101 const struct ieee80211_frame *, const char *type, const char *fmt, ...);
102 static void ieee80211_discard_ie(struct ieee80211com *,
103 const struct ieee80211_frame *, const char *type, const char *fmt, ...);
104 static void ieee80211_discard_mac(struct ieee80211com *,
105 const uint8_t mac[IEEE80211_ADDR_LEN], const char *type,
106 const char *fmt, ...);
108 #define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...)
109 #define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...)
110 #define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...)
111 #endif /* IEEE80211_DEBUG */
113 static struct mbuf *ieee80211_defrag(struct ieee80211com *,
114 struct ieee80211_node *, struct mbuf *, int);
115 static struct mbuf *ieee80211_decap(struct ieee80211com *, struct mbuf *, int);
116 static void ieee80211_send_error(struct ieee80211com *, struct ieee80211_node *,
117 const uint8_t *mac, int subtype, int arg);
118 static void ieee80211_deliver_data(struct ieee80211com *,
119 struct ieee80211_node *, struct mbuf *);
120 static void ieee80211_node_pwrsave(struct ieee80211_node *, int enable);
121 static void ieee80211_recv_pspoll(struct ieee80211com *,
122 struct ieee80211_node *, struct mbuf *);
125 * Process a received frame. The node associated with the sender
126 * should be supplied. If nothing was found in the node table then
127 * the caller is assumed to supply a reference to ic_bss instead.
128 * The RSSI and a timestamp are also supplied. The RSSI data is used
129 * during AP scanning to select a AP to associate with; it can have
130 * any units so long as values have consistent units and higher values
131 * mean ``better signal''. The receive timestamp is currently not used
132 * by the 802.11 layer.
135 ieee80211_input(struct ieee80211com *ic, struct mbuf *m,
136 struct ieee80211_node *ni, int rssi, uint32_t rstamp)
138 return ieee80211_input_withiv(ic, m, ni, rssi, rstamp, NULL);
142 ieee80211_input_withiv(struct ieee80211com *ic, struct mbuf *m,
143 struct ieee80211_node *ni, int rssi, uint32_t rstamp,
144 const struct ieee80211_crypto_iv *iv)
146 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
147 #define HAS_SEQ(type) ((type & 0x4) == 0)
148 struct ifnet *ifp = ic->ic_ifp;
149 struct ieee80211_frame *wh;
150 struct ieee80211_key *key;
151 struct ether_header *eh;
152 int hdrspace, need_tap;
153 uint8_t dir, type, subtype;
157 ASSERT_SERIALIZED(ifp->if_serializer);
159 KASSERT(ni != NULL, ("null node"));
160 ni->ni_inact = ni->ni_inact_reload;
162 need_tap = 1; /* mbuf need to be tapped */
163 type = -1; /* undefined */
165 * In monitor mode, send everything directly to bpf.
166 * XXX may want to include the CRC
168 if (ic->ic_opmode == IEEE80211_M_MONITOR)
171 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
172 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
173 ni->ni_macaddr, NULL,
174 "too short (1): len %u", m->m_pkthdr.len);
175 ic->ic_stats.is_rx_tooshort++;
179 * Bit of a cheat here, we use a pointer for a 3-address
180 * frame format but don't reference fields past outside
181 * ieee80211_frame_min w/o first validating the data is
184 wh = mtod(m, struct ieee80211_frame *);
186 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
187 IEEE80211_FC0_VERSION_0) {
188 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
189 ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]);
190 ic->ic_stats.is_rx_badversion++;
194 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
195 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
196 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
197 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
198 switch (ic->ic_opmode) {
199 case IEEE80211_M_STA:
201 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
202 /* not interested in */
203 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
204 bssid, NULL, "%s", "not to bss");
205 ic->ic_stats.is_rx_wrongbss++;
209 case IEEE80211_M_IBSS:
210 case IEEE80211_M_AHDEMO:
211 case IEEE80211_M_HOSTAP:
212 if (dir != IEEE80211_FC1_DIR_NODS)
214 else if (type == IEEE80211_FC0_TYPE_CTL)
217 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
218 IEEE80211_DISCARD_MAC(ic,
219 IEEE80211_MSG_ANY, ni->ni_macaddr,
220 NULL, "too short (2): len %u",
222 ic->ic_stats.is_rx_tooshort++;
227 if (type != IEEE80211_FC0_TYPE_DATA)
230 * Data frame, validate the bssid.
232 if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) &&
233 !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
234 /* not interested in */
235 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
236 bssid, NULL, "%s", "not to bss");
237 ic->ic_stats.is_rx_wrongbss++;
241 * For adhoc mode we cons up a node when it doesn't
242 * exist. This should probably done after an ACL check.
244 if (ni == ic->ic_bss &&
245 ic->ic_opmode != IEEE80211_M_HOSTAP &&
246 !IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
248 * Fake up a node for this newly
249 * discovered member of the IBSS.
251 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta,
254 /* NB: stat kept for alloc failure */
263 ni->ni_rstamp = rstamp;
264 if (HAS_SEQ(type) && !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
266 if (IEEE80211_QOS_HAS_SEQ(wh)) {
267 tid = ((struct ieee80211_qosframe *)wh)->
268 i_qos[0] & IEEE80211_QOS_TID;
269 if (TID_TO_WME_AC(tid) >= WME_AC_VI)
270 ic->ic_wme.wme_hipri_traffic++;
274 rxseq = le16toh(*(uint16_t *)wh->i_seq);
275 if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
276 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
277 /* duplicate, discard */
278 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
280 "seqno <%u,%u> fragno <%u,%u> tid %u",
281 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
282 ni->ni_rxseqs[tid] >>
283 IEEE80211_SEQ_SEQ_SHIFT,
284 rxseq & IEEE80211_SEQ_FRAG_MASK,
286 IEEE80211_SEQ_FRAG_MASK,
288 ic->ic_stats.is_rx_dup++;
289 IEEE80211_NODE_STAT(ni, rx_dup);
292 ni->ni_rxseqs[tid] = rxseq;
297 case IEEE80211_FC0_TYPE_DATA:
298 hdrspace = ieee80211_hdrspace(ic, wh);
299 if (m->m_len < hdrspace &&
300 (m = m_pullup(m, hdrspace)) == NULL) {
301 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
302 ni->ni_macaddr, NULL,
303 "data too short: expecting %u", hdrspace);
304 ic->ic_stats.is_rx_tooshort++;
307 switch (ic->ic_opmode) {
308 case IEEE80211_M_STA:
309 if (dir != IEEE80211_FC1_DIR_FROMDS) {
310 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
311 wh, "data", "%s", "unknown dir 0x%x", dir);
312 ic->ic_stats.is_rx_wrongdir++;
315 if ((ifp->if_flags & IFF_SIMPLEX) &&
316 IEEE80211_IS_MULTICAST(wh->i_addr1) &&
317 IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) {
319 * In IEEE802.11 network, multicast packet
320 * sent from me is broadcasted from AP.
321 * It should be silently discarded for
324 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
325 wh, NULL, "%s", "multicast echo");
326 ic->ic_stats.is_rx_mcastecho++;
330 case IEEE80211_M_IBSS:
331 case IEEE80211_M_AHDEMO:
332 if (dir != IEEE80211_FC1_DIR_NODS) {
333 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
334 wh, "data", "%s", "unknown dir 0x%x", dir);
335 ic->ic_stats.is_rx_wrongdir++;
338 /* XXX no power-save support */
340 case IEEE80211_M_HOSTAP:
341 if (dir != IEEE80211_FC1_DIR_TODS) {
342 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
343 wh, "data", "%s", "unknown dir 0x%x", dir);
344 ic->ic_stats.is_rx_wrongdir++;
347 /* check if source STA is associated */
348 if (ni == ic->ic_bss) {
349 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
350 wh, "data", "%s", "unknown src");
351 ieee80211_send_error(ic, ni, wh->i_addr2,
352 IEEE80211_FC0_SUBTYPE_DEAUTH,
353 IEEE80211_REASON_NOT_AUTHED);
354 ic->ic_stats.is_rx_notassoc++;
357 if (ni->ni_associd == 0) {
358 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
359 wh, "data", "%s", "unassoc src");
360 IEEE80211_SEND_MGMT(ic, ni,
361 IEEE80211_FC0_SUBTYPE_DISASSOC,
362 IEEE80211_REASON_NOT_ASSOCED);
363 ic->ic_stats.is_rx_notassoc++;
368 * Check for power save state change.
370 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
371 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
372 ieee80211_node_pwrsave(ni,
373 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
376 /* XXX here to keep compiler happy */
381 * Handle privacy requirements. Note that we
382 * must not be preempted from here until after
383 * we (potentially) call ieee80211_crypto_demic;
384 * otherwise we may violate assumptions in the
385 * crypto cipher modules used to do delayed update
386 * of replay sequence numbers.
388 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
389 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
391 * Discard encrypted frames when privacy is off.
393 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
394 wh, "WEP", "%s", "PRIVACY off");
395 ic->ic_stats.is_rx_noprivacy++;
396 IEEE80211_NODE_STAT(ni, rx_noprivacy);
400 key = ieee80211_crypto_decap(ic, ni, m,
403 key = ieee80211_crypto_update(ic, ni, iv, wh);
406 /* NB: stats+msgs handled in crypto_decap */
407 IEEE80211_NODE_STAT(ni, rx_wepfail);
410 wh = mtod(m, struct ieee80211_frame *);
411 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
417 * Next up, any fragmentation.
419 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
420 m = ieee80211_defrag(ic, ni, m, hdrspace);
422 /* Fragment dropped or frame not complete yet */
426 wh = NULL; /* no longer valid, catch any uses */
429 * Next strip any MSDU crypto bits.
431 if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) {
432 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
433 ni->ni_macaddr, "data", "%s", "demic error");
434 ic->ic_stats.is_rx_demicfail++;
435 IEEE80211_NODE_STAT(ni, rx_demicfail);
439 /* copy to listener after decrypt */
441 bpf_mtap(ic->ic_rawbpf, m);
445 * Finally, strip the 802.11 header.
447 m = ieee80211_decap(ic, m, hdrspace);
449 /* don't count Null data frames as errors */
450 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA)
452 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
453 ni->ni_macaddr, "data", "%s", "decap error");
454 ic->ic_stats.is_rx_decap++;
455 IEEE80211_NODE_STAT(ni, rx_decap);
458 eh = mtod(m, struct ether_header *);
459 if (!ieee80211_node_is_authorized(ni)) {
461 * Deny any non-PAE frames received prior to
462 * authorization. For open/shared-key
463 * authentication the port is mark authorized
464 * after authentication completes. For 802.1x
465 * the port is not marked authorized by the
466 * authenticator until the handshake has completed.
468 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
469 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
470 eh->ether_shost, "data",
471 "unauthorized port: ether type 0x%x len %u",
472 eh->ether_type, m->m_pkthdr.len);
473 ic->ic_stats.is_rx_unauth++;
474 IEEE80211_NODE_STAT(ni, rx_unauth);
479 * When denying unencrypted frames, discard
480 * any non-PAE frames received without encryption.
482 if ((ic->ic_flags & IEEE80211_F_DROPUNENC) &&
484 eh->ether_type != htons(ETHERTYPE_PAE)) {
486 * Drop unencrypted frames.
488 ic->ic_stats.is_rx_unencrypted++;
489 IEEE80211_NODE_STAT(ni, rx_unencrypted);
493 ieee80211_deliver_data(ic, ni, m);
494 return IEEE80211_FC0_TYPE_DATA;
496 case IEEE80211_FC0_TYPE_MGT:
497 ic->ic_stats.is_rx_mgmt++;
498 IEEE80211_NODE_STAT(ni, rx_mgmt);
499 if (dir != IEEE80211_FC1_DIR_NODS) {
500 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
501 wh, "data", "%s", "unknown dir 0x%x", dir);
502 ic->ic_stats.is_rx_wrongdir++;
505 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
506 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
507 ni->ni_macaddr, "mgt", "too short: len %u",
509 ic->ic_stats.is_rx_tooshort++;
512 #ifdef IEEE80211_DEBUG
513 if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) ||
514 ieee80211_msg_dumppkts(ic)) {
515 if_printf(ic->ic_ifp, "received %s from %6D rssi %d\n",
516 ieee80211_mgt_subtype_name[subtype >>
517 IEEE80211_FC0_SUBTYPE_SHIFT],
518 wh->i_addr2, ":", rssi);
521 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
522 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
524 * Only shared key auth frames with a challenge
525 * should be encrypted, discard all others.
527 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
528 wh, ieee80211_mgt_subtype_name[subtype >>
529 IEEE80211_FC0_SUBTYPE_SHIFT],
530 "%s", "WEP set but not permitted");
531 ic->ic_stats.is_rx_mgtdiscard++; /* XXX */
534 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
536 * Discard encrypted frames when privacy is off.
538 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
539 wh, "mgt", "%s", "WEP set but PRIVACY off");
540 ic->ic_stats.is_rx_noprivacy++;
544 hdrspace = ieee80211_hdrspace(ic, wh);
545 key = ieee80211_crypto_decap(ic, ni, m,
548 key = ieee80211_crypto_update(ic, ni, iv, wh);
551 /* NB: stats+msgs handled in crypto_decap */
554 wh = mtod(m, struct ieee80211_frame *);
555 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
558 bpf_mtap(ic->ic_rawbpf, m);
559 (*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp);
563 case IEEE80211_FC0_TYPE_CTL:
564 IEEE80211_NODE_STAT(ni, rx_ctrl);
565 ic->ic_stats.is_rx_ctl++;
566 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
568 case IEEE80211_FC0_SUBTYPE_PS_POLL:
569 ieee80211_recv_pspoll(ic, ni, m);
575 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
576 wh, NULL, "bad frame type 0x%x", type);
577 /* should not come here */
584 if (ic->ic_rawbpf && need_tap)
585 bpf_mtap(ic->ic_rawbpf, m);
593 * This function reassemble fragments.
596 ieee80211_defrag(struct ieee80211com *ic, struct ieee80211_node *ni,
597 struct mbuf *m, int hdrspace)
599 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
600 struct ieee80211_frame *lwh;
603 uint8_t more_frag = wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG;
606 KASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?"));
608 rxseq = le16toh(*(uint16_t *)wh->i_seq);
609 fragno = rxseq & IEEE80211_SEQ_FRAG_MASK;
611 /* Quick way out, if there's nothing to defragment */
612 if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL)
616 * Remove frag to insure it doesn't get reaped by timer.
618 if (ni->ni_table == NULL) {
620 * Should never happen. If the node is orphaned (not in
621 * the table) then input packets should not reach here.
622 * Otherwise, a concurrent request that yanks the table
623 * should be blocked by other interlocking and/or by first
624 * shutting the driver down. Regardless, be defensive
627 /* XXX need msg+stat */
631 mfrag = ni->ni_rxfrag[0];
632 ni->ni_rxfrag[0] = NULL;
635 * Validate new fragment is in order and
636 * related to the previous ones.
641 lwh = mtod(mfrag, struct ieee80211_frame *);
642 last_rxseq = le16toh(*(uint16_t *)lwh->i_seq);
643 /* NB: check seq # and frag together */
644 if (rxseq != last_rxseq+1 ||
645 !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) ||
646 !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) {
648 * Unrelated fragment or no space for it,
649 * clear current fragments.
657 if (fragno != 0) { /* !first fragment, discard */
658 ic->ic_stats.is_rx_defrag++;
659 IEEE80211_NODE_STAT(ni, rx_defrag);
664 } else { /* concatenate */
665 m_adj(m, hdrspace); /* strip header */
667 /* NB: m_cat doesn't update the packet header */
668 mfrag->m_pkthdr.len += m->m_pkthdr.len;
669 /* track last seqnum and fragno */
670 lwh = mtod(mfrag, struct ieee80211_frame *);
671 *(uint16_t *) lwh->i_seq = *(uint16_t *) wh->i_seq;
673 if (more_frag) { /* more to come, save */
674 ni->ni_rxfragstamp = ticks;
675 ni->ni_rxfrag[0] = mfrag;
682 ieee80211_deliver_data(struct ieee80211com *ic,
683 struct ieee80211_node *ni, struct mbuf *m)
685 struct ether_header *eh = mtod(m, struct ether_header *);
686 struct ifnet *ifp = ic->ic_ifp;
692 IEEE80211_NODE_STAT(ni, rx_data);
693 IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
694 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
695 m->m_flags |= M_MCAST; /* XXX M_BCAST? */
696 IEEE80211_NODE_STAT(ni, rx_mcast);
698 IEEE80211_NODE_STAT(ni, rx_ucast);
701 /* perform as a bridge within the AP */
702 if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
703 (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0) {
704 struct mbuf *m1 = NULL;
706 if (m->m_flags & M_MCAST) {
707 m1 = m_dup(m, MB_DONTWAIT);
711 m1->m_flags |= M_MCAST;
714 * Check if the destination is known; if so
715 * and the port is authorized dispatch directly.
717 struct ieee80211_node *sta =
718 ieee80211_find_node(&ic->ic_sta, eh->ether_dhost);
720 if (ieee80211_node_is_authorized(sta)) {
722 * Beware of sending to ourself; this
723 * needs to happen via the normal
726 if (sta != ic->ic_bss) {
731 ic->ic_stats.is_rx_unauth++;
732 IEEE80211_NODE_STAT(sta, rx_unauth);
734 ieee80211_free_node(sta);
738 /* XXX bypasses ALTQ */
739 ifq_handoff(ifp, m1, NULL);
744 if (ni->ni_vlan != 0) {
745 /* attach vlan tag */
746 VLAN_INPUT_TAG_NEW(ifp, m, ni->ni_vlan);
748 goto out; /* XXX goto err? */
751 m->m_flags &= ~M_IEEE80211;
752 ifp->if_input(ifp, m);
760 bpf_mtap(ic->ic_rawbpf, m);
767 ieee80211_decap(struct ieee80211com *ic, struct mbuf *m, int hdrlen)
769 struct ieee80211_qosframe_addr4 wh; /* Max size address frames */
770 struct ether_header *eh;
773 if (m->m_len < hdrlen + sizeof(*llc) &&
774 (m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) {
778 memcpy(&wh, mtod(m, caddr_t), hdrlen);
779 llc = (struct llc *)(mtod(m, caddr_t) + hdrlen);
780 if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP &&
781 llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 &&
782 llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) {
783 m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh));
786 m_adj(m, hdrlen - sizeof(*eh));
788 eh = mtod(m, struct ether_header *);
789 switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) {
790 case IEEE80211_FC1_DIR_NODS:
791 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
792 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
794 case IEEE80211_FC1_DIR_TODS:
795 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
796 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
798 case IEEE80211_FC1_DIR_FROMDS:
799 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
800 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3);
802 case IEEE80211_FC1_DIR_DSTODS:
803 IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
804 IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4);
807 #ifdef ALIGNED_POINTER
808 if (!ALIGNED_POINTER(mtod(m, caddr_t) + sizeof(*eh), uint32_t)) {
809 struct mbuf *n, *n0, **np;
816 pktlen = m->m_pkthdr.len;
817 while (pktlen > off) {
819 MGETHDR(n, M_DONTWAIT, MT_DATA);
827 MGET(n, M_DONTWAIT, MT_DATA);
835 if (pktlen - off >= MINCLSIZE) {
836 MCLGET(n, M_DONTWAIT);
837 if (n->m_flags & M_EXT)
838 n->m_len = n->m_ext.ext_size;
842 (caddr_t)ALIGN(n->m_data + sizeof(*eh)) -
844 n->m_len -= newdata - n->m_data;
847 if (n->m_len > pktlen - off)
848 n->m_len = pktlen - off;
849 m_copydata(m, off, n->m_len, mtod(n, caddr_t));
857 #endif /* ALIGNED_POINTER */
859 eh = mtod(m, struct ether_header *);
860 eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh));
866 * Install received rate set information in the node's state block.
869 ieee80211_setup_rates(struct ieee80211_node *ni,
870 const uint8_t *rates, const uint8_t *xrates, int flags, int join)
872 struct ieee80211com *ic = ni->ni_ic;
873 struct ieee80211_rateset *rs = &ni->ni_rates;
875 memset(rs, 0, sizeof(*rs));
876 rs->rs_nrates = rates[1];
877 memcpy(rs->rs_rates, rates + 2, rs->rs_nrates);
878 if (xrates != NULL) {
881 * Tack on 11g extended supported rate element.
884 if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) {
885 nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates;
886 IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE,
887 "[%6D] extended rate set too large;"
888 " only using %u of %u rates\n",
889 ni->ni_macaddr, ":", nxrates, xrates[1]);
890 ic->ic_stats.is_rx_rstoobig++;
892 memcpy(rs->rs_rates + rs->rs_nrates, xrates+2, nxrates);
893 rs->rs_nrates += nxrates;
895 return ieee80211_fix_rate(ni, flags, join);
899 ieee80211_auth_open(struct ieee80211com *ic, struct ieee80211_frame *wh,
900 struct ieee80211_node *ni, int rssi, uint32_t rstamp, uint16_t seq,
903 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
904 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
905 ni->ni_macaddr, "open auth",
906 "bad sta auth mode %u", ni->ni_authmode);
907 ic->ic_stats.is_rx_bad_auth++; /* XXX */
908 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
910 * Clear any challenge text that may be there if
911 * a previous shared key auth failed and then an
912 * open auth is attempted.
914 if (ni->ni_challenge != NULL) {
915 FREE(ni->ni_challenge, M_DEVBUF);
916 ni->ni_challenge = NULL;
918 /* XXX hack to workaround calling convention */
919 ieee80211_send_error(ic, ni, wh->i_addr2,
920 IEEE80211_FC0_SUBTYPE_AUTH,
921 (seq + 1) | (IEEE80211_STATUS_ALG<<16));
925 switch (ic->ic_opmode) {
926 case IEEE80211_M_IBSS:
927 case IEEE80211_M_AHDEMO:
928 case IEEE80211_M_MONITOR:
929 /* should not come here */
930 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
931 ni->ni_macaddr, "open auth",
932 "bad operating mode %u", ic->ic_opmode);
935 case IEEE80211_M_HOSTAP:
936 if (ic->ic_state != IEEE80211_S_RUN ||
937 seq != IEEE80211_AUTH_OPEN_REQUEST) {
938 ic->ic_stats.is_rx_bad_auth++;
941 /* always accept open authentication requests */
942 if (ni == ic->ic_bss) {
943 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
946 } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
947 (void) ieee80211_ref_node(ni);
949 * Mark the node as referenced to reflect that it's
950 * reference count has been bumped to insure it remains
951 * after the transaction completes.
953 ni->ni_flags |= IEEE80211_NODE_AREF;
955 IEEE80211_SEND_MGMT(ic, ni,
956 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
957 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
958 "[%6D] station authenticated (open)\n",
959 ni->ni_macaddr, ":");
961 * When 802.1x is not in use mark the port
962 * authorized at this point so traffic can flow.
964 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
965 ieee80211_node_authorize(ni);
968 case IEEE80211_M_STA:
969 if (ic->ic_state != IEEE80211_S_AUTH ||
970 seq != IEEE80211_AUTH_OPEN_RESPONSE) {
971 ic->ic_stats.is_rx_bad_auth++;
975 IEEE80211_DPRINTF(ic,
976 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
977 "[%6D] open auth failed (reason %d)\n",
978 ni->ni_macaddr, ":", status);
979 /* XXX can this happen? */
980 if (ni != ic->ic_bss)
982 ic->ic_stats.is_rx_auth_fail++;
983 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
985 ieee80211_new_state(ic, IEEE80211_S_ASSOC,
986 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
992 * Send a management frame error response to the specified
993 * station. If ni is associated with the station then use
994 * it; otherwise allocate a temporary node suitable for
995 * transmitting the frame and then free the reference so
996 * it will go away as soon as the frame has been transmitted.
999 ieee80211_send_error(struct ieee80211com *ic, struct ieee80211_node *ni,
1000 const uint8_t *mac, int subtype, int arg)
1004 if (ni == ic->ic_bss) {
1005 ni = ieee80211_tmp_node(ic, mac);
1013 IEEE80211_SEND_MGMT(ic, ni, subtype, arg);
1015 ieee80211_free_node(ni);
1019 alloc_challenge(struct ieee80211com *ic, struct ieee80211_node *ni)
1021 if (ni->ni_challenge == NULL)
1022 MALLOC(ni->ni_challenge, uint32_t*, IEEE80211_CHALLENGE_LEN,
1023 M_DEVBUF, M_NOWAIT);
1024 if (ni->ni_challenge == NULL) {
1025 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1026 "[%6D] shared key challenge alloc failed\n",
1027 ni->ni_macaddr, ":");
1030 return (ni->ni_challenge != NULL);
1033 /* XXX TODO: add statistics */
1035 ieee80211_auth_shared(struct ieee80211com *ic, struct ieee80211_frame *wh,
1036 uint8_t *frm, uint8_t *efrm, struct ieee80211_node *ni, int rssi,
1037 uint32_t rstamp, uint16_t seq, uint16_t status)
1040 int allocbs, estatus;
1043 * NB: this can happen as we allow pre-shared key
1044 * authentication to be enabled w/o wep being turned
1045 * on so that configuration of these can be done
1046 * in any order. It may be better to enforce the
1047 * ordering in which case this check would just be
1048 * for sanity/consistency.
1050 if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
1051 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1052 ni->ni_macaddr, "shared key auth",
1053 "%s", " PRIVACY is disabled");
1054 estatus = IEEE80211_STATUS_ALG;
1058 * Pre-shared key authentication is evil; accept
1059 * it only if explicitly configured (it is supported
1060 * mainly for compatibility with clients like OS X).
1062 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1063 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1064 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1065 ni->ni_macaddr, "shared key auth",
1066 "bad sta auth mode %u", ni->ni_authmode);
1067 ic->ic_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1068 estatus = IEEE80211_STATUS_ALG;
1073 if (frm + 1 < efrm) {
1074 if ((frm[1] + 2) > (efrm - frm)) {
1075 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1076 ni->ni_macaddr, "shared key auth",
1077 "ie %d/%d too long",
1078 frm[0], (frm[1] + 2) - (efrm - frm));
1079 ic->ic_stats.is_rx_bad_auth++;
1080 estatus = IEEE80211_STATUS_CHALLENGE;
1083 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1088 case IEEE80211_AUTH_SHARED_CHALLENGE:
1089 case IEEE80211_AUTH_SHARED_RESPONSE:
1090 if (challenge == NULL) {
1091 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1092 ni->ni_macaddr, "shared key auth",
1093 "%s", "no challenge");
1094 ic->ic_stats.is_rx_bad_auth++;
1095 estatus = IEEE80211_STATUS_CHALLENGE;
1098 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1099 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1100 ni->ni_macaddr, "shared key auth",
1101 "bad challenge len %d", challenge[1]);
1102 ic->ic_stats.is_rx_bad_auth++;
1103 estatus = IEEE80211_STATUS_CHALLENGE;
1109 switch (ic->ic_opmode) {
1110 case IEEE80211_M_MONITOR:
1111 case IEEE80211_M_AHDEMO:
1112 case IEEE80211_M_IBSS:
1113 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1114 ni->ni_macaddr, "shared key auth",
1115 "bad operating mode %u", ic->ic_opmode);
1117 case IEEE80211_M_HOSTAP:
1118 if (ic->ic_state != IEEE80211_S_RUN) {
1119 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1120 ni->ni_macaddr, "shared key auth",
1121 "bad state %u", ic->ic_state);
1122 estatus = IEEE80211_STATUS_ALG; /* XXX */
1126 case IEEE80211_AUTH_SHARED_REQUEST:
1127 if (ni == ic->ic_bss) {
1128 ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
1130 /* NB: no way to return an error */
1135 if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1136 (void) ieee80211_ref_node(ni);
1140 * Mark the node as referenced to reflect that it's
1141 * reference count has been bumped to insure it remains
1142 * after the transaction completes.
1144 ni->ni_flags |= IEEE80211_NODE_AREF;
1146 ni->ni_rstamp = rstamp;
1147 if (!alloc_challenge(ic, ni)) {
1148 /* NB: don't return error so they rexmit */
1151 get_random_bytes(ni->ni_challenge,
1152 IEEE80211_CHALLENGE_LEN);
1153 IEEE80211_DPRINTF(ic,
1154 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1155 "[%6D] shared key %sauth request\n",
1156 ni->ni_macaddr, ":",
1157 allocbs ? "" : "re");
1159 case IEEE80211_AUTH_SHARED_RESPONSE:
1160 if (ni == ic->ic_bss) {
1161 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1162 ni->ni_macaddr, "shared key response",
1163 "%s", "unknown station");
1164 /* NB: don't send a response */
1167 if (ni->ni_challenge == NULL) {
1168 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1169 ni->ni_macaddr, "shared key response",
1170 "%s", "no challenge recorded");
1171 ic->ic_stats.is_rx_bad_auth++;
1172 estatus = IEEE80211_STATUS_CHALLENGE;
1175 if (memcmp(ni->ni_challenge, &challenge[2],
1176 challenge[1]) != 0) {
1177 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1178 ni->ni_macaddr, "shared key response",
1179 "%s", "challenge mismatch");
1180 ic->ic_stats.is_rx_auth_fail++;
1181 estatus = IEEE80211_STATUS_CHALLENGE;
1184 IEEE80211_DPRINTF(ic,
1185 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1186 "[%6D] station authenticated (shared key)\n",
1187 ni->ni_macaddr, ":");
1188 ieee80211_node_authorize(ni);
1191 IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1192 ni->ni_macaddr, "shared key auth",
1194 ic->ic_stats.is_rx_bad_auth++;
1195 estatus = IEEE80211_STATUS_SEQUENCE;
1198 IEEE80211_SEND_MGMT(ic, ni,
1199 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1202 case IEEE80211_M_STA:
1203 if (ic->ic_state != IEEE80211_S_AUTH)
1206 case IEEE80211_AUTH_SHARED_PASS:
1207 if (ni->ni_challenge != NULL) {
1208 FREE(ni->ni_challenge, M_DEVBUF);
1209 ni->ni_challenge = NULL;
1212 IEEE80211_DPRINTF(ic,
1213 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1214 "[%6D] shared key auth failed (reason %d)\n",
1215 ieee80211_getbssid(ic, wh), ":", status);
1216 /* XXX can this happen? */
1217 if (ni != ic->ic_bss)
1219 ic->ic_stats.is_rx_auth_fail++;
1222 ieee80211_new_state(ic, IEEE80211_S_ASSOC,
1223 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
1225 case IEEE80211_AUTH_SHARED_CHALLENGE:
1226 if (!alloc_challenge(ic, ni))
1228 /* XXX could optimize by passing recvd challenge */
1229 memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1230 IEEE80211_SEND_MGMT(ic, ni,
1231 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1234 IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH,
1235 wh, "shared key auth", "bad seq %d", seq);
1236 ic->ic_stats.is_rx_bad_auth++;
1244 * Send an error response; but only when operating as an AP.
1246 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
1247 /* XXX hack to workaround calling convention */
1248 ieee80211_send_error(ic, ni, wh->i_addr2,
1249 IEEE80211_FC0_SUBTYPE_AUTH,
1250 (seq + 1) | (estatus<<16));
1251 } else if (ic->ic_opmode == IEEE80211_M_STA) {
1253 * Kick the state machine. This short-circuits
1254 * using the mgt frame timeout to trigger the
1257 if (ic->ic_state == IEEE80211_S_AUTH)
1258 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
1262 /* Verify the existence and length of __elem or get out. */
1263 #define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \
1264 if ((__elem) == NULL) { \
1265 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
1266 wh, ieee80211_mgt_subtype_name[subtype >> \
1267 IEEE80211_FC0_SUBTYPE_SHIFT], \
1268 "%s", "no " #__elem ); \
1269 ic->ic_stats.is_rx_elem_missing++; \
1272 if ((__elem)[1] > (__maxlen)) { \
1273 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
1274 wh, ieee80211_mgt_subtype_name[subtype >> \
1275 IEEE80211_FC0_SUBTYPE_SHIFT], \
1276 "bad " #__elem " len %d", (__elem)[1]); \
1277 ic->ic_stats.is_rx_elem_toobig++; \
1282 #define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \
1283 if ((_len) < (_minlen)) { \
1284 IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
1285 wh, ieee80211_mgt_subtype_name[subtype >> \
1286 IEEE80211_FC0_SUBTYPE_SHIFT], \
1287 "%s", "ie too short"); \
1288 ic->ic_stats.is_rx_elem_toosmall++; \
1293 #ifdef IEEE80211_DEBUG
1295 ieee80211_ssid_mismatch(struct ieee80211com *ic, const char *tag,
1296 uint8_t mac[IEEE80211_ADDR_LEN], uint8_t *ssid)
1298 kprintf("[%6D] discard %s frame, ssid mismatch: ", mac, ":", tag);
1299 ieee80211_print_essid(ssid + 2, ssid[1]);
1303 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \
1304 if ((_ssid)[1] != 0 && \
1305 ((_ssid)[1] != (_ni)->ni_esslen || \
1306 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \
1307 if (ieee80211_msg_input(ic)) \
1308 ieee80211_ssid_mismatch(ic, \
1309 ieee80211_mgt_subtype_name[subtype >> \
1310 IEEE80211_FC0_SUBTYPE_SHIFT], \
1311 wh->i_addr2, _ssid); \
1312 ic->ic_stats.is_rx_ssidmismatch++; \
1316 #else /* !IEEE80211_DEBUG */
1317 #define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \
1318 if ((_ssid)[1] != 0 && \
1319 ((_ssid)[1] != (_ni)->ni_esslen || \
1320 memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \
1321 ic->ic_stats.is_rx_ssidmismatch++; \
1325 #endif /* !IEEE80211_DEBUG */
1327 /* unalligned little endian access */
1328 #define LE_READ_2(p) \
1330 ((((const uint8_t *)(p))[0] ) | \
1331 (((const uint8_t *)(p))[1] << 8)))
1332 #define LE_READ_4(p) \
1334 ((((const uint8_t *)(p))[0] ) | \
1335 (((const uint8_t *)(p))[1] << 8) | \
1336 (((const uint8_t *)(p))[2] << 16) | \
1337 (((const uint8_t *)(p))[3] << 24)))
1340 iswpaoui(const uint8_t *frm)
1342 return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI);
1346 iswmeoui(const uint8_t *frm)
1348 return frm[1] > 3 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI);
1352 iswmeparam(const uint8_t *frm)
1354 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) &&
1355 frm[6] == WME_PARAM_OUI_SUBTYPE;
1359 iswmeinfo(const uint8_t *frm)
1361 return frm[1] > 5 && LE_READ_4(frm+2) == ((WME_OUI_TYPE<<24)|WME_OUI) &&
1362 frm[6] == WME_INFO_OUI_SUBTYPE;
1366 isatherosoui(const uint8_t *frm)
1368 return frm[1] > 3 && LE_READ_4(frm+2) == ((ATH_OUI_TYPE<<24)|ATH_OUI);
1372 * Convert a WPA cipher selector OUI to an internal
1373 * cipher algorithm. Where appropriate we also
1374 * record any key length.
1377 wpa_cipher(uint8_t *sel, uint8_t *keylen)
1379 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1380 uint32_t w = LE_READ_4(sel);
1383 case WPA_SEL(WPA_CSE_NULL):
1384 return IEEE80211_CIPHER_NONE;
1385 case WPA_SEL(WPA_CSE_WEP40):
1387 *keylen = 40 / NBBY;
1388 return IEEE80211_CIPHER_WEP;
1389 case WPA_SEL(WPA_CSE_WEP104):
1391 *keylen = 104 / NBBY;
1392 return IEEE80211_CIPHER_WEP;
1393 case WPA_SEL(WPA_CSE_TKIP):
1394 return IEEE80211_CIPHER_TKIP;
1395 case WPA_SEL(WPA_CSE_CCMP):
1396 return IEEE80211_CIPHER_AES_CCM;
1398 return 32; /* NB: so 1<< is discarded */
1403 * Convert a WPA key management/authentication algorithm
1404 * to an internal code.
1407 wpa_keymgmt(uint8_t *sel)
1409 #define WPA_SEL(x) (((x)<<24)|WPA_OUI)
1410 uint32_t w = LE_READ_4(sel);
1413 case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1414 return WPA_ASE_8021X_UNSPEC;
1415 case WPA_SEL(WPA_ASE_8021X_PSK):
1416 return WPA_ASE_8021X_PSK;
1417 case WPA_SEL(WPA_ASE_NONE):
1418 return WPA_ASE_NONE;
1420 return 0; /* NB: so is discarded */
1425 * Parse a WPA information element to collect parameters
1426 * and validate the parameters against what has been
1427 * configured for the system.
1430 ieee80211_parse_wpa(struct ieee80211com *ic, uint8_t *frm,
1431 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1433 uint8_t len = frm[1];
1438 * Check the length once for fixed parts: OUI, type,
1439 * version, mcast cipher, and 2 selector counts.
1440 * Other, variable-length data, must be checked separately.
1442 if ((ic->ic_flags & IEEE80211_F_WPA1) == 0) {
1443 IEEE80211_DISCARD_IE(ic,
1444 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1445 wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags);
1446 return IEEE80211_REASON_IE_INVALID;
1449 IEEE80211_DISCARD_IE(ic,
1450 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1451 wh, "WPA", "too short, len %u", len);
1452 return IEEE80211_REASON_IE_INVALID;
1454 frm += 6, len -= 4; /* NB: len is payload only */
1455 /* NB: iswapoui already validated the OUI and type */
1457 if (w != WPA_VERSION) {
1458 IEEE80211_DISCARD_IE(ic,
1459 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1460 wh, "WPA", "bad version %u", w);
1461 return IEEE80211_REASON_IE_INVALID;
1465 /* multicast/group cipher */
1466 w = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1467 if (w != rsn->rsn_mcastcipher) {
1468 IEEE80211_DISCARD_IE(ic,
1469 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1470 wh, "WPA", "mcast cipher mismatch; got %u, expected %u",
1471 w, rsn->rsn_mcastcipher);
1472 return IEEE80211_REASON_IE_INVALID;
1476 /* unicast ciphers */
1480 IEEE80211_DISCARD_IE(ic,
1481 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1482 wh, "WPA", "ucast cipher data too short; len %u, n %u",
1484 return IEEE80211_REASON_IE_INVALID;
1487 for (; n > 0; n--) {
1488 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1491 w &= rsn->rsn_ucastcipherset;
1493 IEEE80211_DISCARD_IE(ic,
1494 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1495 wh, "WPA", "%s", "ucast cipher set empty");
1496 return IEEE80211_REASON_IE_INVALID;
1498 if (w & (1<<IEEE80211_CIPHER_TKIP))
1499 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1501 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1503 /* key management algorithms */
1507 IEEE80211_DISCARD_IE(ic,
1508 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1509 wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1511 return IEEE80211_REASON_IE_INVALID;
1514 for (; n > 0; n--) {
1515 w |= wpa_keymgmt(frm);
1518 w &= rsn->rsn_keymgmtset;
1520 IEEE80211_DISCARD_IE(ic,
1521 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1522 wh, "WPA", "%s", "no acceptable key mgmt alg");
1523 return IEEE80211_REASON_IE_INVALID;
1525 if (w & WPA_ASE_8021X_UNSPEC)
1526 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1528 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1530 if (len > 2) /* optional capabilities */
1531 rsn->rsn_caps = LE_READ_2(frm);
1537 * Convert an RSN cipher selector OUI to an internal
1538 * cipher algorithm. Where appropriate we also
1539 * record any key length.
1542 rsn_cipher(uint8_t *sel, uint8_t *keylen)
1544 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1545 uint32_t w = LE_READ_4(sel);
1548 case RSN_SEL(RSN_CSE_NULL):
1549 return IEEE80211_CIPHER_NONE;
1550 case RSN_SEL(RSN_CSE_WEP40):
1552 *keylen = 40 / NBBY;
1553 return IEEE80211_CIPHER_WEP;
1554 case RSN_SEL(RSN_CSE_WEP104):
1556 *keylen = 104 / NBBY;
1557 return IEEE80211_CIPHER_WEP;
1558 case RSN_SEL(RSN_CSE_TKIP):
1559 return IEEE80211_CIPHER_TKIP;
1560 case RSN_SEL(RSN_CSE_CCMP):
1561 return IEEE80211_CIPHER_AES_CCM;
1562 case RSN_SEL(RSN_CSE_WRAP):
1563 return IEEE80211_CIPHER_AES_OCB;
1565 return 32; /* NB: so 1<< is discarded */
1570 * Convert an RSN key management/authentication algorithm
1571 * to an internal code.
1574 rsn_keymgmt(uint8_t *sel)
1576 #define RSN_SEL(x) (((x)<<24)|RSN_OUI)
1577 uint32_t w = LE_READ_4(sel);
1580 case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1581 return RSN_ASE_8021X_UNSPEC;
1582 case RSN_SEL(RSN_ASE_8021X_PSK):
1583 return RSN_ASE_8021X_PSK;
1584 case RSN_SEL(RSN_ASE_NONE):
1585 return RSN_ASE_NONE;
1587 return 0; /* NB: so is discarded */
1592 * Parse a WPA/RSN information element to collect parameters
1593 * and validate the parameters against what has been
1594 * configured for the system.
1597 ieee80211_parse_rsn(struct ieee80211com *ic, uint8_t *frm,
1598 struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1600 uint8_t len = frm[1];
1605 * Check the length once for fixed parts:
1606 * version, mcast cipher, and 2 selector counts.
1607 * Other, variable-length data, must be checked separately.
1609 if ((ic->ic_flags & IEEE80211_F_WPA2) == 0) {
1610 IEEE80211_DISCARD_IE(ic,
1611 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1612 wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags);
1613 return IEEE80211_REASON_IE_INVALID;
1616 IEEE80211_DISCARD_IE(ic,
1617 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1618 wh, "RSN", "too short, len %u", len);
1619 return IEEE80211_REASON_IE_INVALID;
1623 if (w != RSN_VERSION) {
1624 IEEE80211_DISCARD_IE(ic,
1625 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1626 wh, "RSN", "bad version %u", w);
1627 return IEEE80211_REASON_IE_INVALID;
1631 /* multicast/group cipher */
1632 w = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1633 if (w != rsn->rsn_mcastcipher) {
1634 IEEE80211_DISCARD_IE(ic,
1635 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1636 wh, "RSN", "mcast cipher mismatch; got %u, expected %u",
1637 w, rsn->rsn_mcastcipher);
1638 return IEEE80211_REASON_IE_INVALID;
1642 /* unicast ciphers */
1646 IEEE80211_DISCARD_IE(ic,
1647 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1648 wh, "RSN", "ucast cipher data too short; len %u, n %u",
1650 return IEEE80211_REASON_IE_INVALID;
1653 for (; n > 0; n--) {
1654 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1657 w &= rsn->rsn_ucastcipherset;
1659 IEEE80211_DISCARD_IE(ic,
1660 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1661 wh, "RSN", "%s", "ucast cipher set empty");
1662 return IEEE80211_REASON_IE_INVALID;
1664 if (w & (1<<IEEE80211_CIPHER_TKIP))
1665 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1667 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1669 /* key management algorithms */
1673 IEEE80211_DISCARD_IE(ic,
1674 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1675 wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1677 return IEEE80211_REASON_IE_INVALID;
1680 for (; n > 0; n--) {
1681 w |= rsn_keymgmt(frm);
1684 w &= rsn->rsn_keymgmtset;
1686 IEEE80211_DISCARD_IE(ic,
1687 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1688 wh, "RSN", "%s", "no acceptable key mgmt alg");
1689 return IEEE80211_REASON_IE_INVALID;
1691 if (w & RSN_ASE_8021X_UNSPEC)
1692 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1694 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1696 /* optional RSN capabilities */
1698 rsn->rsn_caps = LE_READ_2(frm);
1705 ieee80211_parse_wmeparams(struct ieee80211com *ic, uint8_t *frm,
1706 const struct ieee80211_frame *wh)
1708 #define MS(_v, _f) (((_v) & _f) >> _f##_S)
1709 struct ieee80211_wme_state *wme = &ic->ic_wme;
1710 u_int len = frm[1], qosinfo;
1713 if (len < sizeof(struct ieee80211_wme_param)-2) {
1714 IEEE80211_DISCARD_IE(ic,
1715 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1716 wh, "WME", "too short, len %u", len);
1719 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)];
1720 qosinfo &= WME_QOSINFO_COUNT;
1721 /* XXX do proper check for wraparound */
1722 if (qosinfo == wme->wme_wmeChanParams.cap_info)
1724 frm += __offsetof(struct ieee80211_wme_param, params_acParams);
1725 for (i = 0; i < WME_NUM_AC; i++) {
1726 struct wmeParams *wmep =
1727 &wme->wme_wmeChanParams.cap_wmeParams[i];
1728 /* NB: ACI not used */
1729 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM);
1730 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN);
1731 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN);
1732 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX);
1733 wmep->wmep_txopLimit = LE_READ_2(frm+2);
1736 wme->wme_wmeChanParams.cap_info = qosinfo;
1742 ieee80211_saveie(uint8_t **iep, const uint8_t *ie)
1744 u_int ielen = ie[1]+2;
1746 * Record information element for later use.
1748 if (*iep == NULL || (*iep)[1] != ie[1]) {
1750 FREE(*iep, M_DEVBUF);
1751 MALLOC(*iep, void*, ielen, M_DEVBUF, M_NOWAIT);
1754 memcpy(*iep, ie, ielen);
1755 /* XXX note failure */
1758 /* XXX find a better place for definition */
1759 struct l2_update_frame {
1760 struct ether_header eh;
1768 * Deliver a TGf L2UF frame on behalf of a station.
1769 * This primes any bridge when the station is roaming
1770 * between ap's on the same wired network.
1773 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1775 struct ieee80211com *ic = ni->ni_ic;
1776 struct ifnet *ifp = ic->ic_ifp;
1778 struct l2_update_frame *l2uf;
1779 struct ether_header *eh;
1781 m = m_gethdr(MB_DONTWAIT, MT_DATA);
1783 IEEE80211_NOTE(ic, IEEE80211_MSG_ASSOC, ni,
1784 "%s", "no mbuf for l2uf frame");
1785 ic->ic_stats.is_rx_nobuf++; /* XXX not right */
1788 l2uf = mtod(m, struct l2_update_frame *);
1790 /* dst: Broadcast address */
1791 IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1792 /* src: associated STA */
1793 IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1794 eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1798 l2uf->control = 0xf5;
1799 l2uf->xid[0] = 0x81;
1800 l2uf->xid[1] = 0x80;
1801 l2uf->xid[2] = 0x00;
1803 m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1804 m->m_pkthdr.rcvif = ifp;
1805 ieee80211_deliver_data(ic, ni, m);
1809 ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
1810 struct ieee80211_node *ni,
1811 int subtype, int rssi, uint32_t rstamp)
1813 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
1814 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
1815 struct ieee80211_frame *wh;
1816 uint8_t *frm, *efrm;
1817 uint8_t *ssid, *rates, *xrates, *wpa, *wme;
1821 wh = mtod(m0, struct ieee80211_frame *);
1822 frm = (uint8_t *)&wh[1];
1823 efrm = mtod(m0, uint8_t *) + m0->m_len;
1825 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1826 case IEEE80211_FC0_SUBTYPE_BEACON: {
1827 struct ieee80211_scanparams scan;
1830 * We process beacon/probe response frames:
1831 * o when scanning, or
1832 * o station mode when associated (to collect state
1833 * updates such as 802.11g slot time), or
1834 * o adhoc mode (to discover neighbors)
1835 * Frames otherwise received are discarded.
1837 if (!((ic->ic_flags & IEEE80211_F_SCAN) ||
1838 (ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) ||
1839 ic->ic_opmode == IEEE80211_M_IBSS)) {
1840 ic->ic_stats.is_rx_mgtdiscard++;
1844 * beacon/probe response frame format
1846 * [2] beacon interval
1847 * [2] capability information
1849 * [tlv] supported rates
1850 * [tlv] country information
1851 * [tlv] parameter set (FH/DS)
1852 * [tlv] erp information
1853 * [tlv] extended supported rates
1857 IEEE80211_VERIFY_LENGTH(efrm - frm, 12);
1858 memset(&scan, 0, sizeof(scan));
1859 scan.tstamp = frm; frm += 8;
1860 scan.bintval = le16toh(*(uint16_t *)frm); frm += 2;
1861 scan.capinfo = le16toh(*(uint16_t *)frm); frm += 2;
1862 scan.bchan = ieee80211_chan2ieee(ic, ic->ic_curchan);
1863 scan.chan = scan.bchan;
1865 while (efrm - frm > 1) {
1866 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2);
1868 case IEEE80211_ELEMID_SSID:
1871 case IEEE80211_ELEMID_RATES:
1874 case IEEE80211_ELEMID_COUNTRY:
1877 case IEEE80211_ELEMID_FHPARMS:
1878 if (ic->ic_phytype == IEEE80211_T_FH) {
1879 scan.fhdwell = LE_READ_2(&frm[2]);
1880 scan.chan = IEEE80211_FH_CHAN(frm[4], frm[5]);
1881 scan.fhindex = frm[6];
1884 case IEEE80211_ELEMID_DSPARMS:
1886 * XXX hack this since depending on phytype
1887 * is problematic for multi-mode devices.
1889 if (ic->ic_phytype != IEEE80211_T_FH)
1892 case IEEE80211_ELEMID_TIM:
1895 scan.timoff = frm - mtod(m0, uint8_t *);
1897 case IEEE80211_ELEMID_IBSSPARMS:
1899 case IEEE80211_ELEMID_XRATES:
1902 case IEEE80211_ELEMID_ERP:
1904 IEEE80211_DISCARD_IE(ic,
1905 IEEE80211_MSG_ELEMID, wh, "ERP",
1906 "bad len %u", frm[1]);
1907 ic->ic_stats.is_rx_elem_toobig++;
1912 case IEEE80211_ELEMID_RSN:
1915 case IEEE80211_ELEMID_VENDOR:
1918 else if (iswmeparam(frm) || iswmeinfo(frm))
1920 /* XXX Atheros OUI support */
1923 IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID,
1925 "id %u, len %u", *frm, frm[1]);
1926 ic->ic_stats.is_rx_elem_unknown++;
1931 IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE);
1932 if (scan.xrates != NULL) {
1933 IEEE80211_VERIFY_ELEMENT(scan.xrates,
1934 IEEE80211_RATE_MAXSIZE - scan.rates[1]);
1936 IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN);
1938 #if IEEE80211_CHAN_MAX < 255
1939 scan.chan > IEEE80211_CHAN_MAX ||
1941 isclr(ic->ic_chan_active, scan.chan)) {
1942 IEEE80211_DISCARD(ic,
1943 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
1944 wh, ieee80211_mgt_subtype_name[subtype >>
1945 IEEE80211_FC0_SUBTYPE_SHIFT],
1946 "invalid channel %u", scan.chan);
1947 ic->ic_stats.is_rx_badchan++;
1950 if (scan.chan != scan.bchan &&
1951 ic->ic_phytype != IEEE80211_T_FH) {
1952 if ((ic->ic_caps_ext & IEEE80211_CEXT_AUTOSCAN) &&
1953 (ic->ic_flags & IEEE80211_F_SCAN) &&
1954 isset(ic->ic_chan_active, scan.chan)) {
1955 ieee80211_set_scanchan(ic,
1956 &ic->ic_channels[scan.chan]);
1957 scan.bchan = scan.chan;
1960 * Frame was received on a channel different
1961 * from the one indicated in the DS params
1962 * element id; silently discard it.
1964 * NB: this can happen due to signal leakage.
1965 * But we should take it for FH phy because
1966 * the rssi value should be correct even for
1967 * different hop pattern in FH.
1969 IEEE80211_DISCARD(ic,
1970 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
1971 wh, ieee80211_mgt_subtype_name[subtype >>
1972 IEEE80211_FC0_SUBTYPE_SHIFT],
1973 "for off-channel %u", scan.chan);
1974 ic->ic_stats.is_rx_chanmismatch++;
1978 if (!(IEEE80211_BINTVAL_MIN <= scan.bintval &&
1979 scan.bintval <= IEEE80211_BINTVAL_MAX)) {
1980 IEEE80211_DISCARD(ic,
1981 IEEE80211_MSG_ELEMID | IEEE80211_MSG_INPUT,
1982 wh, ieee80211_mgt_subtype_name[subtype >>
1983 IEEE80211_FC0_SUBTYPE_SHIFT],
1984 "bogus beacon interval", scan.bintval);
1985 ic->ic_stats.is_rx_badbintval++;
1990 * Count frame now that we know it's to be processed.
1992 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1993 ic->ic_stats.is_rx_beacon++; /* XXX remove */
1994 IEEE80211_NODE_STAT(ni, rx_beacons);
1996 IEEE80211_NODE_STAT(ni, rx_proberesp);
1999 * When operating in station mode, check for state updates.
2000 * Be careful to ignore beacons received while doing a
2001 * background scan. We consider only 11g/WMM stuff right now.
2003 if (ic->ic_opmode == IEEE80211_M_STA &&
2004 ni->ni_associd != 0 &&
2005 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
2006 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
2007 int update_shpreamble = 0;
2009 /* record tsf of last beacon */
2010 memcpy(ni->ni_tstamp.data, scan.tstamp,
2011 sizeof(ni->ni_tstamp));
2012 /* count beacon frame for s/w bmiss handling */
2013 ic->ic_swbmiss_count++;
2014 ic->ic_bmiss_count = 0;
2015 if (ni->ni_erp != scan.erp) {
2016 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2017 "[%6D] erp change: was 0x%x, now 0x%x\n",
2018 wh->i_addr2, ":", ni->ni_erp, scan.erp);
2019 if (ic->ic_curmode == IEEE80211_MODE_11G &&
2020 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
2021 ic->ic_flags |= IEEE80211_F_USEPROT;
2023 ic->ic_flags &= ~IEEE80211_F_USEPROT;
2025 if ((ni->ni_erp ^ scan.erp) & IEEE80211_ERP_LONG_PREAMBLE)
2026 update_shpreamble = 1;
2028 ni->ni_erp = scan.erp;
2031 if (ni->ni_capinfo != scan.capinfo) {
2032 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2033 "[%6D] capabilities change: before 0x%x,"
2036 ni->ni_capinfo, scan.capinfo);
2038 if ((ni->ni_capinfo ^ scan.capinfo) &
2039 IEEE80211_CAPINFO_SHORT_SLOTTIME) {
2040 ieee80211_set_shortslottime(ic,
2041 ic->ic_curmode == IEEE80211_MODE_11A ||
2042 (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
2045 if ((ni->ni_capinfo ^ scan.capinfo) &
2046 IEEE80211_CAPINFO_SHORT_PREAMBLE)
2047 update_shpreamble = 1;
2049 ni->ni_capinfo = scan.capinfo;
2053 if (update_shpreamble)
2054 ieee80211_update_shpreamble(ic, ni);
2056 if (scan.wme != NULL &&
2057 (ni->ni_flags & IEEE80211_NODE_QOS) &&
2058 ieee80211_parse_wmeparams(ic, scan.wme, wh) > 0)
2059 ieee80211_wme_updateparams(ic);
2060 if (scan.tim != NULL) {
2061 struct ieee80211_tim_ie *ie =
2062 (struct ieee80211_tim_ie *) scan.tim;
2064 ni->ni_dtim_count = ie->tim_count;
2065 ni->ni_dtim_period = ie->tim_period;
2067 if (ic->ic_flags & IEEE80211_F_SCAN)
2068 ieee80211_add_scan(ic, &scan, wh,
2069 subtype, rssi, rstamp);
2073 * If scanning, just pass information to the scan module.
2075 if (ic->ic_flags & IEEE80211_F_SCAN) {
2076 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
2078 * Actively scanning a channel marked passive;
2079 * send a probe request now that we know there
2080 * is 802.11 traffic present.
2082 * XXX check if the beacon we recv'd gives
2083 * us what we need and suppress the probe req
2085 ieee80211_probe_curchan(ic, 1);
2086 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
2088 ieee80211_add_scan(ic, &scan, wh,
2089 subtype, rssi, rstamp);
2092 if (scan.capinfo & IEEE80211_CAPINFO_IBSS) {
2093 if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
2095 * Create a new entry in the neighbor table.
2097 ni = ieee80211_add_neighbor(ic, wh, &scan);
2098 } else if (ni->ni_capinfo == 0) {
2100 * Update faked node created on transmit.
2101 * Note this also updates the tsf.
2103 ieee80211_init_neighbor(ni, wh, &scan);
2106 * Record tsf for potential resync.
2108 memcpy(ni->ni_tstamp.data, scan.tstamp,
2109 sizeof(ni->ni_tstamp));
2113 ni->ni_rstamp = rstamp;
2119 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: {
2122 if (ic->ic_opmode == IEEE80211_M_STA ||
2123 ic->ic_state != IEEE80211_S_RUN) {
2124 ic->ic_stats.is_rx_mgtdiscard++;
2127 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
2128 /* frame must be directed */
2129 ic->ic_stats.is_rx_mgtdiscard++; /* XXX stat */
2134 * prreq frame format
2136 * [tlv] supported rates
2137 * [tlv] extended supported rates
2139 ssid = rates = xrates = NULL;
2140 while (efrm - frm > 1) {
2141 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2);
2143 case IEEE80211_ELEMID_SSID:
2146 case IEEE80211_ELEMID_RATES:
2149 case IEEE80211_ELEMID_XRATES:
2155 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2156 if (xrates != NULL) {
2157 IEEE80211_VERIFY_ELEMENT(xrates,
2158 IEEE80211_RATE_MAXSIZE - rates[1]);
2160 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
2161 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
2162 if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
2163 IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
2164 wh, ieee80211_mgt_subtype_name[subtype >>
2165 IEEE80211_FC0_SUBTYPE_SHIFT],
2166 "%s", "no ssid with ssid suppression enabled");
2167 ic->ic_stats.is_rx_ssidmismatch++; /*XXX*/
2172 if (ni == ic->ic_bss) {
2173 if (ic->ic_opmode != IEEE80211_M_IBSS) {
2174 ni = ieee80211_tmp_node(ic, wh->i_addr2);
2176 } else if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
2178 * XXX Cannot tell if the sender is operating
2179 * in ibss mode. But we need a new node to
2180 * send the response so blindly add them to the
2183 ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta,
2189 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2190 "[%6D] recv probe req\n", wh->i_addr2, ":");
2192 ni->ni_rstamp = rstamp;
2195 * Since temporary node's rate set will not be used,
2196 * there is no need to do rate negotiation for it.
2199 ieee80211_setup_rates(ni, rates, xrates,
2200 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2201 IEEE80211_F_DONEGO | IEEE80211_F_DODEL, 0);
2204 IEEE80211_SEND_MGMT(ic, ni,
2205 IEEE80211_FC0_SUBTYPE_PROBE_RESP, 0);
2208 * Temporary node created just to send a
2209 * response, reclaim immediately.
2211 ieee80211_free_node(ni);
2216 case IEEE80211_FC0_SUBTYPE_AUTH: {
2217 uint16_t algo, seq, status;
2225 IEEE80211_VERIFY_LENGTH(efrm - frm, 6);
2226 algo = le16toh(*(uint16_t *)frm);
2227 seq = le16toh(*(uint16_t *)(frm + 2));
2228 status = le16toh(*(uint16_t *)(frm + 4));
2229 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
2230 "[%6D] recv auth frame with algorithm %d seq %d\n",
2231 wh->i_addr2, ":", algo, seq);
2233 * Consult the ACL policy module if setup.
2235 if (ic->ic_acl != NULL &&
2236 !ic->ic_acl->iac_check(ic, wh->i_addr2)) {
2237 IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL,
2238 wh, "auth", "%s", "disallowed by ACL");
2239 ic->ic_stats.is_rx_acl++;
2240 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2241 IEEE80211_SEND_MGMT(ic, ni,
2242 IEEE80211_FC0_SUBTYPE_AUTH,
2243 (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
2247 if (ic->ic_flags & IEEE80211_F_COUNTERM) {
2248 IEEE80211_DISCARD(ic,
2249 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
2250 wh, "auth", "%s", "TKIP countermeasures enabled");
2251 ic->ic_stats.is_rx_auth_countermeasures++;
2252 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2253 IEEE80211_SEND_MGMT(ic, ni,
2254 IEEE80211_FC0_SUBTYPE_AUTH,
2255 IEEE80211_REASON_MIC_FAILURE);
2259 if (algo == IEEE80211_AUTH_ALG_SHARED)
2260 ieee80211_auth_shared(ic, wh, frm + 6, efrm, ni, rssi,
2261 rstamp, seq, status);
2262 else if (algo == IEEE80211_AUTH_ALG_OPEN)
2263 ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq,
2266 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2267 wh, "auth", "unsupported alg %d", algo);
2268 ic->ic_stats.is_rx_auth_unsupported++;
2269 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2271 IEEE80211_SEND_MGMT(ic, ni,
2272 IEEE80211_FC0_SUBTYPE_AUTH,
2273 (seq+1) | (IEEE80211_STATUS_ALG<<16));
2280 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
2281 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
2282 uint16_t capinfo, lintval;
2283 struct ieee80211_rsnparms rsn;
2286 if (ic->ic_opmode != IEEE80211_M_HOSTAP ||
2287 ic->ic_state != IEEE80211_S_RUN) {
2288 ic->ic_stats.is_rx_mgtdiscard++;
2292 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2294 resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2297 resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2300 * asreq frame format
2301 * [2] capability information
2302 * [2] listen interval
2303 * [6*] current AP address (reassoc only)
2305 * [tlv] supported rates
2306 * [tlv] extended supported rates
2309 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4));
2310 if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) {
2311 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2312 wh, ieee80211_mgt_subtype_name[subtype >>
2313 IEEE80211_FC0_SUBTYPE_SHIFT],
2314 "%s", "wrong bssid");
2315 ic->ic_stats.is_rx_assoc_bss++;
2318 capinfo = le16toh(*(uint16_t *)frm); frm += 2;
2319 lintval = le16toh(*(uint16_t *)frm); frm += 2;
2321 frm += 6; /* ignore current AP info */
2322 ssid = rates = xrates = wpa = wme = NULL;
2323 while (efrm - frm > 1) {
2324 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2);
2326 case IEEE80211_ELEMID_SSID:
2329 case IEEE80211_ELEMID_RATES:
2332 case IEEE80211_ELEMID_XRATES:
2335 /* XXX verify only one of RSN and WPA ie's? */
2336 case IEEE80211_ELEMID_RSN:
2339 case IEEE80211_ELEMID_VENDOR:
2342 else if (iswmeinfo(frm))
2344 /* XXX Atheros OUI support */
2349 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2350 if (xrates != NULL) {
2351 IEEE80211_VERIFY_ELEMENT(xrates,
2352 IEEE80211_RATE_MAXSIZE - rates[1]);
2354 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
2355 IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
2357 if (ni == ic->ic_bss) {
2358 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2359 "[%6D] deny %s request, sta not authenticated\n",
2360 wh->i_addr2, ":", reassoc ? "reassoc" : "assoc");
2361 ieee80211_send_error(ic, ni, wh->i_addr2,
2362 IEEE80211_FC0_SUBTYPE_DEAUTH,
2363 IEEE80211_REASON_ASSOC_NOT_AUTHED);
2364 ic->ic_stats.is_rx_assoc_notauth++;
2367 /* assert right associstion security credentials */
2368 if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) {
2369 IEEE80211_DPRINTF(ic,
2370 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
2371 "[%6D] no WPA/RSN IE in association request\n",
2373 IEEE80211_SEND_MGMT(ic, ni,
2374 IEEE80211_FC0_SUBTYPE_DEAUTH,
2375 IEEE80211_REASON_RSN_REQUIRED);
2376 ieee80211_node_leave(ic, ni);
2377 /* XXX distinguish WPA/RSN? */
2378 ic->ic_stats.is_rx_assoc_badwpaie++;
2383 * Parse WPA information element. Note that
2384 * we initialize the param block from the node
2385 * state so that information in the IE overrides
2386 * our defaults. The resulting parameters are
2387 * installed below after the association is assured.
2390 if (wpa[0] != IEEE80211_ELEMID_RSN)
2391 reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh);
2393 reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh);
2395 IEEE80211_SEND_MGMT(ic, ni,
2396 IEEE80211_FC0_SUBTYPE_DEAUTH, reason);
2397 ieee80211_node_leave(ic, ni);
2398 /* XXX distinguish WPA/RSN? */
2399 ic->ic_stats.is_rx_assoc_badwpaie++;
2402 IEEE80211_DPRINTF(ic,
2403 IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
2404 "[%6D] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n",
2406 wpa[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN",
2407 rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen,
2408 rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen,
2409 rsn.rsn_keymgmt, rsn.rsn_caps);
2411 /* discard challenge after association */
2412 if (ni->ni_challenge != NULL) {
2413 FREE(ni->ni_challenge, M_DEVBUF);
2414 ni->ni_challenge = NULL;
2416 /* NB: 802.11 spec says to ignore station's privacy bit */
2417 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2418 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2419 "[%6D] deny %s request, capability mismatch 0x%x\n",
2421 reassoc ? "reassoc" : "assoc", capinfo);
2422 IEEE80211_SEND_MGMT(ic, ni, resp,
2423 IEEE80211_STATUS_CAPINFO);
2424 ieee80211_node_leave(ic, ni);
2425 ic->ic_stats.is_rx_assoc_capmismatch++;
2428 rate = ieee80211_setup_rates(ni, rates, xrates,
2429 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2430 IEEE80211_F_DONEGO | IEEE80211_F_DODEL, 0);
2431 if (rate & IEEE80211_RATE_BASIC) {
2432 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2433 "[%6D] deny %s request, rate set mismatch\n",
2435 reassoc ? "reassoc" : "assoc");
2436 IEEE80211_SEND_MGMT(ic, ni, resp,
2437 IEEE80211_STATUS_BASIC_RATE);
2438 ieee80211_node_leave(ic, ni);
2439 ic->ic_stats.is_rx_assoc_norate++;
2443 ni->ni_rstamp = rstamp;
2444 ni->ni_intval = lintval;
2445 ni->ni_capinfo = capinfo;
2446 ni->ni_chan = ic->ic_bss->ni_chan;
2447 ni->ni_fhdwell = ic->ic_bss->ni_fhdwell;
2448 ni->ni_fhindex = ic->ic_bss->ni_fhindex;
2451 * Record WPA/RSN parameters for station, mark
2452 * node as using WPA and record information element
2453 * for applications that require it.
2456 ieee80211_saveie(&ni->ni_wpa_ie, wpa);
2457 } else if (ni->ni_wpa_ie != NULL) {
2459 * Flush any state from a previous association.
2461 FREE(ni->ni_wpa_ie, M_DEVBUF);
2462 ni->ni_wpa_ie = NULL;
2466 * Record WME parameters for station, mark node
2467 * as capable of QoS and record information
2468 * element for applications that require it.
2470 ieee80211_saveie(&ni->ni_wme_ie, wme);
2471 ni->ni_flags |= IEEE80211_NODE_QOS;
2472 } else if (ni->ni_wme_ie != NULL) {
2474 * Flush any state from a previous association.
2476 FREE(ni->ni_wme_ie, M_DEVBUF);
2477 ni->ni_wme_ie = NULL;
2478 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2480 ieee80211_deliver_l2uf(ni);
2481 ieee80211_node_join(ic, ni, resp);
2485 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2486 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
2487 uint16_t capinfo, associd;
2490 if (ic->ic_opmode != IEEE80211_M_STA ||
2491 ic->ic_state != IEEE80211_S_ASSOC) {
2492 ic->ic_stats.is_rx_mgtdiscard++;
2497 * asresp frame format
2498 * [2] capability information
2500 * [2] association ID
2501 * [tlv] supported rates
2502 * [tlv] extended supported rates
2505 IEEE80211_VERIFY_LENGTH(efrm - frm, 6);
2507 capinfo = le16toh(*(uint16_t *)frm);
2509 status = le16toh(*(uint16_t *)frm);
2512 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2513 "[%6D] %sassoc failed (reason %d)\n",
2515 ISREASSOC(subtype) ? "re" : "", status);
2516 if (ni != ic->ic_bss) /* XXX never true? */
2518 ic->ic_stats.is_rx_auth_fail++; /* XXX */
2521 associd = le16toh(*(uint16_t *)frm);
2524 rates = xrates = wpa = wme = NULL;
2525 while (efrm - frm > 1) {
2526 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2);
2528 case IEEE80211_ELEMID_RATES:
2531 case IEEE80211_ELEMID_XRATES:
2534 case IEEE80211_ELEMID_VENDOR:
2537 /* XXX Atheros OUI support */
2542 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2543 if (xrates != NULL) {
2544 IEEE80211_VERIFY_ELEMENT(xrates,
2545 IEEE80211_RATE_MAXSIZE - rates[1]);
2548 rate = ieee80211_setup_rates(ni, rates, xrates,
2549 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2550 IEEE80211_F_DONEGO | IEEE80211_F_DODEL, 1);
2551 if (rate & IEEE80211_RATE_BASIC) {
2552 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2553 "[%6D] %sassoc failed (rate set mismatch)\n",
2555 ISREASSOC(subtype) ? "re" : "");
2556 if (ni != ic->ic_bss) /* XXX never true? */
2558 ic->ic_stats.is_rx_assoc_norate++;
2559 ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
2563 ni->ni_capinfo = capinfo;
2564 ni->ni_associd = associd;
2566 ieee80211_parse_wmeparams(ic, wme, wh) >= 0) {
2567 ni->ni_flags |= IEEE80211_NODE_QOS;
2568 ieee80211_wme_updateparams(ic);
2570 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2572 * Configure state now that we are associated.
2574 * XXX may need different/additional driver callbacks?
2576 ieee80211_update_shpreamble(ic, ni);
2577 ieee80211_set_shortslottime(ic,
2578 ic->ic_curmode == IEEE80211_MODE_11A ||
2579 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
2581 * Honor ERP protection.
2583 * NB: ni_erp should zero for non-11g operation.
2584 * XXX check ic_curmode anyway?
2586 if (ic->ic_curmode == IEEE80211_MODE_11G &&
2587 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
2588 ic->ic_flags |= IEEE80211_F_USEPROT;
2590 ic->ic_flags &= ~IEEE80211_F_USEPROT;
2591 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2592 "[%6D] %sassoc success: %s preamble, %s slot time%s%s\n",
2594 ISREASSOC(subtype) ? "re" : "",
2595 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
2596 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
2597 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
2598 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : ""
2600 IEEE80211_PRINT_NODERATES(ic, ni, IEEE80211_MSG_ASSOC);
2601 ieee80211_new_state(ic, IEEE80211_S_RUN, subtype);
2605 case IEEE80211_FC0_SUBTYPE_DEAUTH: {
2608 if (ic->ic_state == IEEE80211_S_SCAN) {
2609 ic->ic_stats.is_rx_mgtdiscard++;
2613 * deauth frame format
2616 IEEE80211_VERIFY_LENGTH(efrm - frm, 2);
2617 reason = le16toh(*(uint16_t *)frm);
2618 ic->ic_stats.is_rx_deauth++;
2619 IEEE80211_NODE_STAT(ni, rx_deauth);
2621 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
2622 /* NB: can happen when in promiscuous mode */
2623 ic->ic_stats.is_rx_mgtdiscard++;
2627 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
2628 "[%6D] recv deauthenticate (reason %d)\n",
2629 ni->ni_macaddr, ":", reason);
2630 switch (ic->ic_opmode) {
2631 case IEEE80211_M_STA:
2632 ieee80211_new_state(ic, IEEE80211_S_AUTH,
2633 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
2635 case IEEE80211_M_HOSTAP:
2636 if (ni != ic->ic_bss)
2637 ieee80211_node_leave(ic, ni);
2640 ic->ic_stats.is_rx_mgtdiscard++;
2646 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2649 if (ic->ic_state != IEEE80211_S_RUN &&
2650 ic->ic_state != IEEE80211_S_ASSOC &&
2651 ic->ic_state != IEEE80211_S_AUTH) {
2652 ic->ic_stats.is_rx_mgtdiscard++;
2656 * disassoc frame format
2659 IEEE80211_VERIFY_LENGTH(efrm - frm, 2);
2660 reason = le16toh(*(uint16_t *)frm);
2661 ic->ic_stats.is_rx_disassoc++;
2662 IEEE80211_NODE_STAT(ni, rx_disassoc);
2664 if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
2665 /* NB: can happen when in promiscuous mode */
2666 ic->ic_stats.is_rx_mgtdiscard++;
2670 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2671 "[%6D] recv disassociate (reason %d)\n",
2672 ni->ni_macaddr, ":", reason);
2673 switch (ic->ic_opmode) {
2674 case IEEE80211_M_STA:
2675 ieee80211_new_state(ic, IEEE80211_S_ASSOC,
2676 wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
2678 case IEEE80211_M_HOSTAP:
2679 if (ni != ic->ic_bss)
2680 ieee80211_node_leave(ic, ni);
2683 ic->ic_stats.is_rx_mgtdiscard++;
2689 IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2690 wh, "mgt", "subtype 0x%x not handled", subtype);
2691 ic->ic_stats.is_rx_badsubtype++;
2697 #undef IEEE80211_VERIFY_LENGTH
2698 #undef IEEE80211_VERIFY_ELEMENT
2701 * Handle station power-save state change.
2704 ieee80211_node_pwrsave(struct ieee80211_node *ni, int enable)
2706 struct ieee80211com *ic = ni->ni_ic;
2709 ASSERT_SERIALIZED(ic->ic_ifp->if_serializer);
2712 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == 0)
2714 ni->ni_flags |= IEEE80211_NODE_PWR_MGT;
2715 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2716 "[%6D] power save mode on, %u sta's in ps mode\n",
2717 ni->ni_macaddr, ":", ic->ic_ps_sta);
2721 if (ni->ni_flags & IEEE80211_NODE_PWR_MGT)
2723 ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT;
2724 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2725 "[%6D] power save mode off, %u sta's in ps mode\n",
2726 ni->ni_macaddr, ":", ic->ic_ps_sta);
2727 /* XXX if no stations in ps mode, flush mc frames */
2730 * Flush queued unicast frames.
2732 if (IEEE80211_NODE_SAVEQ_QLEN(ni) == 0) {
2733 if (ic->ic_set_tim != NULL)
2734 ic->ic_set_tim(ni, 0); /* just in case */
2737 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2738 "[%6D] flush ps queue, %u packets queued\n",
2739 ni->ni_macaddr, ":", IEEE80211_NODE_SAVEQ_QLEN(ni));
2743 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen);
2747 * If this is the last packet, turn off the TIM bit.
2748 * If there are more packets, set the more packets bit
2749 * in the mbuf so ieee80211_encap will mark the 802.11
2750 * head to indicate more data frames will follow.
2753 m->m_flags |= M_MORE_DATA;
2754 /* XXX need different driver interface */
2755 /* XXX bypasses q max */
2756 /* XXX bypasses ALTQ */
2757 ifq_enqueue(&ic->ic_ifp->if_snd, m, NULL);
2759 if (ic->ic_set_tim != NULL)
2760 ic->ic_set_tim(ni, 0);
2764 * Process a received ps-poll frame.
2767 ieee80211_recv_pspoll(struct ieee80211com *ic,
2768 struct ieee80211_node *ni, struct mbuf *m0)
2770 struct ieee80211_frame_min *wh;
2775 ASSERT_SERIALIZED(ic->ic_ifp->if_serializer);
2777 wh = mtod(m0, struct ieee80211_frame_min *);
2778 if (ni->ni_associd == 0) {
2779 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2780 (struct ieee80211_frame *) wh, "ps-poll",
2781 "%s", "unassociated station");
2782 ic->ic_stats.is_ps_unassoc++;
2783 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2784 IEEE80211_REASON_NOT_ASSOCED);
2788 aid = le16toh(*(uint16_t *)wh->i_dur);
2789 if (aid != ni->ni_associd) {
2790 IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2791 (struct ieee80211_frame *) wh, "ps-poll",
2792 "aid mismatch: sta aid 0x%x poll aid 0x%x",
2793 ni->ni_associd, aid);
2794 ic->ic_stats.is_ps_badaid++;
2795 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2796 IEEE80211_REASON_NOT_ASSOCED);
2800 /* Okay, take the first queued packet and put it out... */
2801 IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen);
2803 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2804 "[%6D] recv ps-poll, but queue empty\n",
2806 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2807 ic->ic_stats.is_ps_qempty++; /* XXX node stat */
2808 if (ic->ic_set_tim != NULL)
2809 ic->ic_set_tim(ni, 0); /* just in case */
2813 * If there are more packets, set the more packets bit
2814 * in the packet dispatched to the station; otherwise
2815 * turn off the TIM bit.
2818 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2819 "[%6D] recv ps-poll, send packet, %u still queued\n",
2820 ni->ni_macaddr, ":", qlen);
2821 m->m_flags |= M_MORE_DATA;
2823 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2824 "[%6D] recv ps-poll, send packet, queue empty\n",
2825 ni->ni_macaddr, ":");
2826 if (ic->ic_set_tim != NULL)
2827 ic->ic_set_tim(ni, 0);
2829 m->m_flags |= M_PWR_SAV; /* bypass PS handling */
2830 ifq_enqueue(&ic->ic_ifp->if_snd, m, NULL); /* XXX bypasses ALTQ */
2833 #ifdef IEEE80211_DEBUG
2835 * Debugging support.
2839 * Return the bssid of a frame.
2841 static const uint8_t *
2842 ieee80211_getbssid(struct ieee80211com *ic, const struct ieee80211_frame *wh)
2844 if (ic->ic_opmode == IEEE80211_M_STA)
2846 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS)
2848 if ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL)
2854 ieee80211_note(struct ieee80211com *ic, const char *fmt, ...)
2856 char buf[128]; /* XXX */
2859 __va_start(ap, fmt);
2860 kvsnprintf(buf, sizeof(buf), fmt, ap);
2863 if_printf(ic->ic_ifp, "%s", buf); /* NB: no \n */
2867 ieee80211_note_frame(struct ieee80211com *ic,
2868 const struct ieee80211_frame *wh,
2869 const char *fmt, ...)
2871 char buf[128]; /* XXX */
2874 __va_start(ap, fmt);
2875 kvsnprintf(buf, sizeof(buf), fmt, ap);
2877 if_printf(ic->ic_ifp, "[%6D] %s\n",
2878 ieee80211_getbssid(ic, wh), ":", buf);
2882 ieee80211_note_mac(struct ieee80211com *ic,
2883 const uint8_t mac[IEEE80211_ADDR_LEN],
2884 const char *fmt, ...)
2886 char buf[128]; /* XXX */
2889 __va_start(ap, fmt);
2890 kvsnprintf(buf, sizeof(buf), fmt, ap);
2892 if_printf(ic->ic_ifp, "[%6D] %s\n", mac, ":", buf);
2896 ieee80211_discard_frame(struct ieee80211com *ic,
2897 const struct ieee80211_frame *wh,
2898 const char *type, const char *fmt, ...)
2902 kprintf("[%s:%6D] discard ", ic->ic_ifp->if_xname,
2903 ieee80211_getbssid(ic, wh), ":");
2905 kprintf("%s frame, ", type);
2908 __va_start(ap, fmt);
2915 ieee80211_discard_ie(struct ieee80211com *ic,
2916 const struct ieee80211_frame *wh,
2917 const char *type, const char *fmt, ...)
2921 kprintf("[%s:%6D] discard ", ic->ic_ifp->if_xname,
2922 ieee80211_getbssid(ic, wh), ":");
2924 kprintf("%s information element, ", type);
2926 kprintf("information element, ");
2927 __va_start(ap, fmt);
2934 ieee80211_discard_mac(struct ieee80211com *ic,
2935 const uint8_t mac[IEEE80211_ADDR_LEN],
2936 const char *type, const char *fmt, ...)
2940 kprintf("[%s:%6D] discard ", ic->ic_ifp->if_xname, mac, ":");
2942 kprintf("%s frame, ", type);
2945 __va_start(ap, fmt);
2950 #endif /* IEEE80211_DEBUG */