2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 * $FreeBSD: head/sys/net80211/ieee80211_sta.c 203422 2010-02-03 10:07:43Z rpaulo $
29 * IEEE 802.11 Station mode support.
34 #include <sys/param.h>
35 #include <sys/systm.h>
37 #include <sys/malloc.h>
38 #include <sys/kernel.h>
40 #include <sys/socket.h>
41 #include <sys/sockio.h>
42 #include <sys/endian.h>
43 #include <sys/errno.h>
45 #include <sys/sysctl.h>
48 #include <net/if_media.h>
49 #include <net/if_llc.h>
50 #include <net/ethernet.h>
51 #include <net/route.h>
55 #include <netproto/802_11/ieee80211_var.h>
56 #include <netproto/802_11/ieee80211_sta.h>
57 #include <netproto/802_11/ieee80211_input.h>
58 #include <netproto/802_11/ieee80211_ratectl.h>
59 #ifdef IEEE80211_SUPPORT_SUPERG
60 #include <netproto/802_11/ieee80211_superg.h>
63 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
65 static void sta_vattach(struct ieee80211vap *);
66 static void sta_beacon_miss(struct ieee80211vap *);
67 static int sta_newstate(struct ieee80211vap *, enum ieee80211_state, int);
68 static int sta_input(struct ieee80211_node *, struct mbuf *, int, int);
69 static void sta_recv_mgmt(struct ieee80211_node *, struct mbuf *,
70 int subtype, int rssi, int nf);
71 static void sta_recv_ctl(struct ieee80211_node *, struct mbuf *, int subtype);
74 ieee80211_sta_attach(struct ieee80211com *ic)
76 ic->ic_vattach[IEEE80211_M_STA] = sta_vattach;
80 ieee80211_sta_detach(struct ieee80211com *ic)
85 sta_vdetach(struct ieee80211vap *vap)
90 sta_vattach(struct ieee80211vap *vap)
92 vap->iv_newstate = sta_newstate;
93 vap->iv_input = sta_input;
94 vap->iv_recv_mgmt = sta_recv_mgmt;
95 vap->iv_recv_ctl = sta_recv_ctl;
96 vap->iv_opdetach = sta_vdetach;
97 vap->iv_bmiss = sta_beacon_miss;
101 * Handle a beacon miss event. The common code filters out
102 * spurious events that can happen when scanning and/or before
103 * reaching RUN state.
106 sta_beacon_miss(struct ieee80211vap *vap)
108 struct ieee80211com *ic = vap->iv_ic;
110 KASSERT((ic->ic_flags & IEEE80211_F_SCAN) == 0, ("scanning"));
111 KASSERT(vap->iv_state >= IEEE80211_S_RUN,
112 ("wrong state %s", ieee80211_state_name[vap->iv_state]));
114 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG,
115 "beacon miss, mode %s state %s\n",
116 ieee80211_opmode_name[vap->iv_opmode],
117 ieee80211_state_name[vap->iv_state]);
119 if (vap->iv_state == IEEE80211_S_CSA) {
121 * A Channel Switch is pending; assume we missed the
122 * beacon that would've completed the process and just
123 * force the switch. If we made a mistake we'll not
124 * find the AP on the new channel and fall back to a
127 ieee80211_csa_completeswitch(ic);
130 if (++vap->iv_bmiss_count < vap->iv_bmiss_max) {
132 * Send a directed probe req before falling back to a
133 * scan; if we receive a response ic_bmiss_count will
134 * be reset. Some cards mistakenly report beacon miss
135 * so this avoids the expensive scan if the ap is
138 ieee80211_send_probereq(vap->iv_bss, vap->iv_myaddr,
139 vap->iv_bss->ni_bssid, vap->iv_bss->ni_bssid,
140 vap->iv_bss->ni_essid, vap->iv_bss->ni_esslen);
143 vap->iv_bmiss_count = 0;
144 vap->iv_stats.is_beacon_miss++;
145 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
146 #ifdef IEEE80211_SUPPORT_SUPERG
147 struct ieee80211com *ic = vap->iv_ic;
150 * If we receive a beacon miss interrupt when using
151 * dynamic turbo, attempt to switch modes before
154 if (IEEE80211_ATH_CAP(vap, vap->iv_bss, IEEE80211_NODE_TURBOP))
155 ieee80211_dturbo_switch(vap,
156 ic->ic_bsschan->ic_flags ^ IEEE80211_CHAN_TURBO);
159 * Try to reassociate before scanning for a new ap.
161 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 1);
164 * Somebody else is controlling state changes (e.g.
165 * a user-mode app) don't do anything that would
166 * confuse them; just drop into scan mode so they'll
167 * notified of the state change and given control.
169 ieee80211_new_state(vap, IEEE80211_S_SCAN, 0);
174 * Handle deauth with reason. We retry only for
175 * the cases where we might succeed. Otherwise
176 * we downgrade the ap and scan.
179 sta_authretry(struct ieee80211vap *vap, struct ieee80211_node *ni, int reason)
182 case IEEE80211_STATUS_SUCCESS: /* NB: MLME assoc */
183 case IEEE80211_STATUS_TIMEOUT:
184 case IEEE80211_REASON_ASSOC_EXPIRE:
185 case IEEE80211_REASON_NOT_AUTHED:
186 case IEEE80211_REASON_NOT_ASSOCED:
187 case IEEE80211_REASON_ASSOC_LEAVE:
188 case IEEE80211_REASON_ASSOC_NOT_AUTHED:
189 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, 1);
192 ieee80211_scan_assoc_fail(vap, vap->iv_bss->ni_macaddr, reason);
193 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
194 ieee80211_check_scan_current(vap);
200 * IEEE80211_M_STA vap state machine handler.
201 * This routine handles the main states in the 802.11 protocol.
204 sta_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
206 struct ieee80211com *ic = vap->iv_ic;
207 struct ieee80211_node *ni;
208 enum ieee80211_state ostate;
209 #ifdef IEEE80211_DEBUG
210 char ethstr[ETHER_ADDRSTRLEN + 1];
212 ostate = vap->iv_state;
213 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
214 __func__, ieee80211_state_name[ostate],
215 ieee80211_state_name[nstate], arg);
216 vap->iv_state = nstate; /* state transition */
217 callout_stop(&vap->iv_mgtsend);
218 if (ostate != IEEE80211_S_SCAN)
219 ieee80211_cancel_scan(vap); /* background scan */
220 ni = vap->iv_bss; /* NB: no reference held */
221 if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)
222 callout_stop(&vap->iv_swbmiss);
224 case IEEE80211_S_INIT:
226 case IEEE80211_S_SLEEP:
228 /* XXX driver hook to wakeup the hardware? */
229 case IEEE80211_S_RUN:
230 IEEE80211_SEND_MGMT(ni,
231 IEEE80211_FC0_SUBTYPE_DISASSOC,
232 IEEE80211_REASON_ASSOC_LEAVE);
233 ieee80211_sta_leave(ni);
235 case IEEE80211_S_ASSOC:
236 IEEE80211_SEND_MGMT(ni,
237 IEEE80211_FC0_SUBTYPE_DEAUTH,
238 IEEE80211_REASON_AUTH_LEAVE);
240 case IEEE80211_S_SCAN:
241 ieee80211_cancel_scan(vap);
246 if (ostate != IEEE80211_S_INIT) {
247 /* NB: optimize INIT -> INIT case */
248 ieee80211_reset_bss(vap);
250 if (vap->iv_auth->ia_detach != NULL)
251 vap->iv_auth->ia_detach(vap);
253 case IEEE80211_S_SCAN:
255 case IEEE80211_S_INIT:
257 * Initiate a scan. We can come here as a result
258 * of an IEEE80211_IOC_SCAN_REQ too in which case
259 * the vap will be marked with IEEE80211_FEXT_SCANREQ
260 * and the scan request parameters will be present
261 * in iv_scanreq. Otherwise we do the default.
263 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
264 ieee80211_check_scan(vap,
265 vap->iv_scanreq_flags,
266 vap->iv_scanreq_duration,
267 vap->iv_scanreq_mindwell,
268 vap->iv_scanreq_maxdwell,
269 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
270 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
272 ieee80211_check_scan_current(vap);
274 case IEEE80211_S_SCAN:
275 case IEEE80211_S_AUTH:
276 case IEEE80211_S_ASSOC:
278 * These can happen either because of a timeout
279 * on an assoc/auth response or because of a
280 * change in state that requires a reset. For
281 * the former we're called with a non-zero arg
282 * that is the cause for the failure; pass this
283 * to the scan code so it can update state.
284 * Otherwise trigger a new scan unless we're in
285 * manual roaming mode in which case an application
286 * must issue an explicit scan request.
289 ieee80211_scan_assoc_fail(vap,
290 vap->iv_bss->ni_macaddr, arg);
291 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
292 ieee80211_check_scan_current(vap);
294 case IEEE80211_S_SLEEP: /* beacon miss */
296 * XXX if in sleep we need to wakeup the hardware.
299 case IEEE80211_S_RUN: /* beacon miss */
301 * Beacon miss. Notify user space and if not
302 * under control of a user application (roaming
303 * manual) kick off a scan to re-connect.
306 ieee80211_sta_leave(ni);
307 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
308 ieee80211_check_scan_current(vap);
314 case IEEE80211_S_AUTH:
316 case IEEE80211_S_INIT:
317 case IEEE80211_S_SCAN:
318 IEEE80211_SEND_MGMT(ni,
319 IEEE80211_FC0_SUBTYPE_AUTH, 1);
321 case IEEE80211_S_AUTH:
322 case IEEE80211_S_ASSOC:
323 switch (arg & 0xff) {
324 case IEEE80211_FC0_SUBTYPE_AUTH:
326 IEEE80211_SEND_MGMT(ni,
327 IEEE80211_FC0_SUBTYPE_AUTH, 2);
329 case IEEE80211_FC0_SUBTYPE_DEAUTH:
330 sta_authretry(vap, ni, arg>>8);
334 case IEEE80211_S_RUN:
335 switch (arg & 0xff) {
336 case IEEE80211_FC0_SUBTYPE_AUTH:
337 IEEE80211_SEND_MGMT(ni,
338 IEEE80211_FC0_SUBTYPE_AUTH, 2);
339 vap->iv_state = ostate; /* stay RUN */
341 case IEEE80211_FC0_SUBTYPE_DEAUTH:
342 ieee80211_sta_leave(ni);
343 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
345 IEEE80211_SEND_MGMT(ni,
346 IEEE80211_FC0_SUBTYPE_AUTH, 1);
355 case IEEE80211_S_ASSOC:
357 case IEEE80211_S_AUTH:
358 case IEEE80211_S_ASSOC:
359 IEEE80211_SEND_MGMT(ni,
360 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
362 case IEEE80211_S_SLEEP: /* cannot happen */
363 case IEEE80211_S_RUN:
364 ieee80211_sta_leave(ni);
365 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
366 IEEE80211_SEND_MGMT(ni, arg ?
367 IEEE80211_FC0_SUBTYPE_REASSOC_REQ :
368 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
375 case IEEE80211_S_RUN:
376 if (vap->iv_flags & IEEE80211_F_WPA) {
377 /* XXX validate prerequisites */
380 case IEEE80211_S_RUN:
381 case IEEE80211_S_CSA:
383 case IEEE80211_S_AUTH: /* when join is done in fw */
384 case IEEE80211_S_ASSOC:
385 #ifdef IEEE80211_DEBUG
386 if (ieee80211_msg_debug(vap)) {
387 ieee80211_note(vap, "%s with %s ssid ",
388 (vap->iv_opmode == IEEE80211_M_STA ?
389 "associated" : "synchronized"),
390 kether_ntoa(ni->ni_bssid, ethstr));
391 ieee80211_print_essid(vap->iv_bss->ni_essid,
394 kprintf(" channel %d start %uMb\n",
395 ieee80211_chan2ieee(ic, ic->ic_curchan),
396 IEEE80211_RATE2MBS(ni->ni_txrate));
399 ieee80211_scan_assoc_success(vap, ni->ni_macaddr);
400 ieee80211_notify_node_join(ni,
401 arg == IEEE80211_FC0_SUBTYPE_ASSOC_RESP);
403 case IEEE80211_S_SLEEP:
404 /* Wake up from sleep */
405 vap->iv_sta_ps(vap, 0);
410 ieee80211_sync_curchan(ic);
411 if (ostate != IEEE80211_S_RUN &&
412 (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)) {
414 * Start s/w beacon miss timer for devices w/o
415 * hardware support. We fudge a bit here since
416 * we're doing this in software.
418 vap->iv_swbmiss_period = IEEE80211_TU_TO_TICKS(
419 2 * vap->iv_bmissthreshold * ni->ni_intval);
420 vap->iv_swbmiss_count = 0;
421 callout_reset(&vap->iv_swbmiss, vap->iv_swbmiss_period,
422 ieee80211_swbmiss_callout, vap);
425 * When 802.1x is not in use mark the port authorized
426 * at this point so traffic can flow.
428 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
429 ieee80211_node_authorize(ni);
431 * Fake association when joining an existing bss.
433 * Don't do this if we're doing SLEEP->RUN.
435 if (ic->ic_newassoc != NULL && ostate != IEEE80211_S_SLEEP)
436 ic->ic_newassoc(vap->iv_bss, (ostate != IEEE80211_S_RUN));
438 case IEEE80211_S_CSA:
439 if (ostate != IEEE80211_S_RUN)
442 case IEEE80211_S_SLEEP:
443 ieee80211_sta_pwrsave(vap, 1);
447 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
448 "%s: unexpected state transition %s -> %s\n", __func__,
449 ieee80211_state_name[ostate], ieee80211_state_name[nstate]);
456 * Return non-zero if the frame is an echo of a multicast
457 * frame sent by ourself. The dir is known to be DSTODS.
460 isdstods_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
462 #define QWH4(wh) ((const struct ieee80211_qosframe_addr4 *)wh)
463 #define WH4(wh) ((const struct ieee80211_frame_addr4 *)wh)
466 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
468 if (!IEEE80211_IS_MULTICAST(wh->i_addr3))
470 sa = IEEE80211_QOS_HAS_SEQ(wh) ? QWH4(wh)->i_addr4 : WH4(wh)->i_addr4;
471 return IEEE80211_ADDR_EQ(sa, vap->iv_myaddr);
477 * Return non-zero if the frame is an echo of a multicast
478 * frame sent by ourself. The dir is known to be FROMDS.
481 isfromds_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
483 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
485 if (!IEEE80211_IS_MULTICAST(wh->i_addr1))
487 return IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_myaddr);
491 * Decide if a received management frame should be
492 * printed when debugging is enabled. This filters some
493 * of the less interesting frames that come frequently
497 doprint(struct ieee80211vap *vap, int subtype)
500 case IEEE80211_FC0_SUBTYPE_BEACON:
501 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
502 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
509 * Process a received frame. The node associated with the sender
510 * should be supplied. If nothing was found in the node table then
511 * the caller is assumed to supply a reference to iv_bss instead.
512 * The RSSI and a timestamp are also supplied. The RSSI data is used
513 * during AP scanning to select a AP to associate with; it can have
514 * any units so long as values have consistent units and higher values
515 * mean ``better signal''. The receive timestamp is currently not used
516 * by the 802.11 layer.
519 sta_input(struct ieee80211_node *ni, struct mbuf *m, int rssi, int nf)
521 #define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
522 #define HAS_SEQ(type) ((type & 0x4) == 0)
523 struct ieee80211vap *vap = ni->ni_vap;
524 struct ieee80211com *ic = ni->ni_ic;
525 struct ifnet *ifp = vap->iv_ifp;
526 struct ieee80211_frame *wh;
527 struct ieee80211_key *key;
528 struct ether_header *eh;
529 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
530 uint8_t dir, type, subtype, qos;
533 #ifdef IEEE80211_DEBUG
534 char ethstr[ETHER_ADDRSTRLEN + 1];
537 if (m->m_flags & M_AMPDU_MPDU) {
539 * Fastpath for A-MPDU reorder q resubmission. Frames
540 * w/ M_AMPDU_MPDU marked have already passed through
541 * here but were received out of order and been held on
542 * the reorder queue. When resubmitted they are marked
543 * with the M_AMPDU_MPDU flag and we can bypass most of
544 * the normal processing.
546 wh = mtod(m, struct ieee80211_frame *);
547 type = IEEE80211_FC0_TYPE_DATA;
548 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
549 subtype = IEEE80211_FC0_SUBTYPE_QOS;
550 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
554 KASSERT(ni != NULL, ("null node"));
555 ni->ni_inact = ni->ni_inact_reload;
557 type = -1; /* undefined */
559 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
560 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
561 ni->ni_macaddr, NULL,
562 "too short (1): len %u", m->m_pkthdr.len);
563 vap->iv_stats.is_rx_tooshort++;
567 * Bit of a cheat here, we use a pointer for a 3-address
568 * frame format but don't reference fields past outside
569 * ieee80211_frame_min w/o first validating the data is
572 wh = mtod(m, struct ieee80211_frame *);
574 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
575 IEEE80211_FC0_VERSION_0) {
576 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
577 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
578 wh->i_fc[0], wh->i_fc[1]);
579 vap->iv_stats.is_rx_badversion++;
583 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
584 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
585 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
586 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
588 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
589 /* not interested in */
590 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
591 bssid, NULL, "%s", "not to bss");
592 vap->iv_stats.is_rx_wrongbss++;
595 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
597 if (HAS_SEQ(type) && !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
598 uint8_t tid = ieee80211_gettid(wh);
599 if (IEEE80211_QOS_HAS_SEQ(wh) &&
600 TID_TO_WME_AC(tid) >= WME_AC_VI)
601 ic->ic_wme.wme_hipri_traffic++;
602 rxseq = le16toh(*(uint16_t *)wh->i_seq);
603 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
604 (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
605 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
606 /* duplicate, discard */
607 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
609 "seqno <%u,%u> fragno <%u,%u> tid %u",
610 rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
611 ni->ni_rxseqs[tid] >>
612 IEEE80211_SEQ_SEQ_SHIFT,
613 rxseq & IEEE80211_SEQ_FRAG_MASK,
615 IEEE80211_SEQ_FRAG_MASK,
617 vap->iv_stats.is_rx_dup++;
618 IEEE80211_NODE_STAT(ni, rx_dup);
621 ni->ni_rxseqs[tid] = rxseq;
626 case IEEE80211_FC0_TYPE_DATA:
627 hdrspace = ieee80211_hdrspace(ic, wh);
628 if (m->m_len < hdrspace &&
629 (m = m_pullup(m, hdrspace)) == NULL) {
630 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
631 ni->ni_macaddr, NULL,
632 "data too short: expecting %u", hdrspace);
633 vap->iv_stats.is_rx_tooshort++;
637 * Handle A-MPDU re-ordering. If the frame is to be
638 * processed directly then ieee80211_ampdu_reorder
639 * will return 0; otherwise it has consumed the mbuf
640 * and we should do nothing more with it.
642 if ((m->m_flags & M_AMPDU) &&
643 (dir == IEEE80211_FC1_DIR_FROMDS ||
644 dir == IEEE80211_FC1_DIR_DSTODS) &&
645 ieee80211_ampdu_reorder(ni, m) != 0) {
650 if (dir == IEEE80211_FC1_DIR_FROMDS) {
651 if ((ifp->if_flags & IFF_SIMPLEX) &&
652 isfromds_mcastecho(vap, wh)) {
654 * In IEEE802.11 network, multicast
655 * packets sent from "me" are broadcast
656 * from the AP; silently discard for
659 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
660 wh, "data", "%s", "multicast echo");
661 vap->iv_stats.is_rx_mcastecho++;
664 if ((vap->iv_flags & IEEE80211_F_DWDS) &&
665 IEEE80211_IS_MULTICAST(wh->i_addr1)) {
667 * DWDS sta's must drop 3-address mcast frames
668 * as they will be sent separately as a 4-addr
669 * frame. Accepting the 3-addr frame will
670 * confuse the bridge into thinking the sending
671 * sta is located at the end of WDS link.
673 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
674 "3-address data", "%s", "DWDS enabled");
675 vap->iv_stats.is_rx_mcastecho++;
678 } else if (dir == IEEE80211_FC1_DIR_DSTODS) {
679 if ((vap->iv_flags & IEEE80211_F_DWDS) == 0) {
680 IEEE80211_DISCARD(vap,
681 IEEE80211_MSG_INPUT, wh, "4-address data",
682 "%s", "DWDS not enabled");
683 vap->iv_stats.is_rx_wrongdir++;
686 if ((ifp->if_flags & IFF_SIMPLEX) &&
687 isdstods_mcastecho(vap, wh)) {
689 * In IEEE802.11 network, multicast
690 * packets sent from "me" are broadcast
691 * from the AP; silently discard for
694 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
695 "4-address data", "%s", "multicast echo");
696 vap->iv_stats.is_rx_mcastecho++;
700 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
701 "data", "incorrect dir 0x%x", dir);
702 vap->iv_stats.is_rx_wrongdir++;
707 * Handle privacy requirements. Note that we
708 * must not be preempted from here until after
709 * we (potentially) call ieee80211_crypto_demic;
710 * otherwise we may violate assumptions in the
711 * crypto cipher modules used to do delayed update
712 * of replay sequence numbers.
714 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
715 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
717 * Discard encrypted frames when privacy is off.
719 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
720 wh, "WEP", "%s", "PRIVACY off");
721 vap->iv_stats.is_rx_noprivacy++;
722 IEEE80211_NODE_STAT(ni, rx_noprivacy);
725 key = ieee80211_crypto_decap(ni, m, hdrspace);
727 /* NB: stats+msgs handled in crypto_decap */
728 IEEE80211_NODE_STAT(ni, rx_wepfail);
731 wh = mtod(m, struct ieee80211_frame *);
732 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
734 /* XXX M_WEP and IEEE80211_F_PRIVACY */
739 * Save QoS bits for use below--before we strip the header.
741 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
742 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
743 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
744 ((struct ieee80211_qosframe *)wh)->i_qos[0];
749 * Next up, any fragmentation.
751 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
752 m = ieee80211_defrag(ni, m, hdrspace);
754 /* Fragment dropped or frame not complete yet */
758 wh = NULL; /* no longer valid, catch any uses */
761 * Next strip any MSDU crypto bits.
763 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
764 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
765 ni->ni_macaddr, "data", "%s", "demic error");
766 vap->iv_stats.is_rx_demicfail++;
767 IEEE80211_NODE_STAT(ni, rx_demicfail);
771 /* copy to listener after decrypt */
772 if (ieee80211_radiotap_active_vap(vap))
773 ieee80211_radiotap_rx(vap, m);
777 * Finally, strip the 802.11 header.
779 m = ieee80211_decap(vap, m, hdrspace);
781 /* XXX mask bit to check for both */
782 /* don't count Null data frames as errors */
783 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
784 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
786 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
787 ni->ni_macaddr, "data", "%s", "decap error");
788 vap->iv_stats.is_rx_decap++;
789 IEEE80211_NODE_STAT(ni, rx_decap);
792 eh = mtod(m, struct ether_header *);
793 if (!ieee80211_node_is_authorized(ni)) {
795 * Deny any non-PAE frames received prior to
796 * authorization. For open/shared-key
797 * authentication the port is mark authorized
798 * after authentication completes. For 802.1x
799 * the port is not marked authorized by the
800 * authenticator until the handshake has completed.
802 if (eh->ether_type != htons(ETHERTYPE_PAE)) {
803 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
804 eh->ether_shost, "data",
805 "unauthorized port: ether type 0x%x len %u",
806 eh->ether_type, m->m_pkthdr.len);
807 vap->iv_stats.is_rx_unauth++;
808 IEEE80211_NODE_STAT(ni, rx_unauth);
813 * When denying unencrypted frames, discard
814 * any non-PAE frames received without encryption.
816 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
817 (key == NULL && (m->m_flags & M_WEP) == 0) &&
818 eh->ether_type != htons(ETHERTYPE_PAE)) {
820 * Drop unencrypted frames.
822 vap->iv_stats.is_rx_unencrypted++;
823 IEEE80211_NODE_STAT(ni, rx_unencrypted);
827 /* XXX require HT? */
828 if (qos & IEEE80211_QOS_AMSDU) {
829 m = ieee80211_decap_amsdu(ni, m);
831 return IEEE80211_FC0_TYPE_DATA;
833 #ifdef IEEE80211_SUPPORT_SUPERG
834 m = ieee80211_decap_fastframe(vap, ni, m);
836 return IEEE80211_FC0_TYPE_DATA;
839 ieee80211_deliver_data(vap, ni, m);
840 return IEEE80211_FC0_TYPE_DATA;
842 case IEEE80211_FC0_TYPE_MGT:
843 vap->iv_stats.is_rx_mgmt++;
844 IEEE80211_NODE_STAT(ni, rx_mgmt);
845 if (dir != IEEE80211_FC1_DIR_NODS) {
846 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
847 wh, "data", "incorrect dir 0x%x", dir);
848 vap->iv_stats.is_rx_wrongdir++;
851 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
852 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
853 ni->ni_macaddr, "mgt", "too short: len %u",
855 vap->iv_stats.is_rx_tooshort++;
858 #ifdef IEEE80211_DEBUG
859 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
860 ieee80211_msg_dumppkts(vap)) {
861 if_printf(ifp, "received %s from %s rssi %d\n",
862 ieee80211_mgt_subtype_name[subtype >>
863 IEEE80211_FC0_SUBTYPE_SHIFT],
864 kether_ntoa(wh->i_addr2, ethstr), rssi);
867 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
868 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
870 * Only shared key auth frames with a challenge
871 * should be encrypted, discard all others.
873 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
874 wh, ieee80211_mgt_subtype_name[subtype >>
875 IEEE80211_FC0_SUBTYPE_SHIFT],
876 "%s", "WEP set but not permitted");
877 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
880 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
882 * Discard encrypted frames when privacy is off.
884 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
885 wh, "mgt", "%s", "WEP set but PRIVACY off");
886 vap->iv_stats.is_rx_noprivacy++;
889 hdrspace = ieee80211_hdrspace(ic, wh);
890 key = ieee80211_crypto_decap(ni, m, hdrspace);
892 /* NB: stats+msgs handled in crypto_decap */
895 wh = mtod(m, struct ieee80211_frame *);
896 wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
898 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf);
901 case IEEE80211_FC0_TYPE_CTL:
902 vap->iv_stats.is_rx_ctl++;
903 IEEE80211_NODE_STAT(ni, rx_ctrl);
904 vap->iv_recv_ctl(ni, m, subtype);
908 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
909 wh, NULL, "bad frame type 0x%x", type);
910 /* should not come here */
914 IFNET_STAT_INC(ifp, ierrors, 1);
917 if (need_tap && ieee80211_radiotap_active_vap(vap))
918 ieee80211_radiotap_rx(vap, m);
926 sta_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
927 int rssi, int nf, uint16_t seq, uint16_t status)
929 struct ieee80211vap *vap = ni->ni_vap;
931 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
932 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
933 ni->ni_macaddr, "open auth",
934 "bad sta auth mode %u", ni->ni_authmode);
935 vap->iv_stats.is_rx_bad_auth++; /* XXX */
938 if (vap->iv_state != IEEE80211_S_AUTH ||
939 seq != IEEE80211_AUTH_OPEN_RESPONSE) {
940 vap->iv_stats.is_rx_bad_auth++;
944 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
945 ni, "open auth failed (reason %d)", status);
946 vap->iv_stats.is_rx_auth_fail++;
947 vap->iv_stats.is_rx_authfail_code = status;
948 ieee80211_new_state(vap, IEEE80211_S_SCAN,
949 IEEE80211_SCAN_FAIL_STATUS);
951 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
955 sta_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
956 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
957 uint16_t seq, uint16_t status)
959 struct ieee80211vap *vap = ni->ni_vap;
963 * NB: this can happen as we allow pre-shared key
964 * authentication to be enabled w/o wep being turned
965 * on so that configuration of these can be done
966 * in any order. It may be better to enforce the
967 * ordering in which case this check would just be
968 * for sanity/consistency.
970 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
971 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
972 ni->ni_macaddr, "shared key auth",
973 "%s", " PRIVACY is disabled");
977 * Pre-shared key authentication is evil; accept
978 * it only if explicitly configured (it is supported
979 * mainly for compatibility with clients like OS X).
981 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
982 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
983 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
984 ni->ni_macaddr, "shared key auth",
985 "bad sta auth mode %u", ni->ni_authmode);
986 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
991 if (frm + 1 < efrm) {
992 if ((frm[1] + 2) > (efrm - frm)) {
993 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
994 ni->ni_macaddr, "shared key auth",
996 frm[0], (int)((frm[1] + 2) - (efrm - frm)));
997 vap->iv_stats.is_rx_bad_auth++;
1000 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1005 case IEEE80211_AUTH_SHARED_CHALLENGE:
1006 case IEEE80211_AUTH_SHARED_RESPONSE:
1007 if (challenge == NULL) {
1008 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1009 ni->ni_macaddr, "shared key auth",
1010 "%s", "no challenge");
1011 vap->iv_stats.is_rx_bad_auth++;
1014 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1015 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1016 ni->ni_macaddr, "shared key auth",
1017 "bad challenge len %d", challenge[1]);
1018 vap->iv_stats.is_rx_bad_auth++;
1024 if (vap->iv_state != IEEE80211_S_AUTH)
1027 case IEEE80211_AUTH_SHARED_PASS:
1028 if (ni->ni_challenge != NULL) {
1029 kfree(ni->ni_challenge, M_80211_NODE);
1030 ni->ni_challenge = NULL;
1033 IEEE80211_NOTE_FRAME(vap,
1034 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, wh,
1035 "shared key auth failed (reason %d)", status);
1036 vap->iv_stats.is_rx_auth_fail++;
1037 vap->iv_stats.is_rx_authfail_code = status;
1040 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1042 case IEEE80211_AUTH_SHARED_CHALLENGE:
1043 if (!ieee80211_alloc_challenge(ni))
1045 /* XXX could optimize by passing recvd challenge */
1046 memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1047 IEEE80211_SEND_MGMT(ni,
1048 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1051 IEEE80211_DISCARD(vap, IEEE80211_MSG_AUTH,
1052 wh, "shared key auth", "bad seq %d", seq);
1053 vap->iv_stats.is_rx_bad_auth++;
1059 * Kick the state machine. This short-circuits
1060 * using the mgt frame timeout to trigger the
1063 if (vap->iv_state == IEEE80211_S_AUTH)
1064 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1065 IEEE80211_SCAN_FAIL_STATUS);
1069 ieee80211_parse_wmeparams(struct ieee80211vap *vap, uint8_t *frm,
1070 const struct ieee80211_frame *wh)
1072 #define MS(_v, _f) (((_v) & _f) >> _f##_S)
1073 struct ieee80211_wme_state *wme = &vap->iv_ic->ic_wme;
1074 u_int len = frm[1], qosinfo;
1077 if (len < sizeof(struct ieee80211_wme_param)-2) {
1078 IEEE80211_DISCARD_IE(vap,
1079 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1080 wh, "WME", "too short, len %u", len);
1083 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)];
1084 qosinfo &= WME_QOSINFO_COUNT;
1085 /* XXX do proper check for wraparound */
1086 if (qosinfo == wme->wme_wmeChanParams.cap_info)
1088 frm += __offsetof(struct ieee80211_wme_param, params_acParams);
1089 for (i = 0; i < WME_NUM_AC; i++) {
1090 struct wmeParams *wmep =
1091 &wme->wme_wmeChanParams.cap_wmeParams[i];
1092 /* NB: ACI not used */
1093 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM);
1094 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN);
1095 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN);
1096 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX);
1097 wmep->wmep_txopLimit = LE_READ_2(frm+2);
1100 wme->wme_wmeChanParams.cap_info = qosinfo;
1106 * Process 11h Channel Switch Announcement (CSA) ie. If this
1107 * is the first CSA then initiate the switch. Otherwise we
1108 * track state and trigger completion and/or cancel of the switch.
1109 * XXX should be public for IBSS use
1112 ieee80211_parse_csaparams(struct ieee80211vap *vap, uint8_t *frm,
1113 const struct ieee80211_frame *wh)
1115 struct ieee80211com *ic = vap->iv_ic;
1116 const struct ieee80211_csa_ie *csa =
1117 (const struct ieee80211_csa_ie *) frm;
1119 KASSERT(vap->iv_state >= IEEE80211_S_RUN,
1120 ("state %s", ieee80211_state_name[vap->iv_state]));
1122 if (csa->csa_mode > 1) {
1123 IEEE80211_DISCARD_IE(vap,
1124 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1125 wh, "CSA", "invalid mode %u", csa->csa_mode);
1128 if ((ic->ic_flags & IEEE80211_F_CSAPENDING) == 0) {
1130 * Convert the channel number to a channel reference. We
1131 * try first to preserve turbo attribute of the current
1132 * channel then fallback. Note this will not work if the
1133 * CSA specifies a channel that requires a band switch (e.g.
1134 * 11a => 11g). This is intentional as 11h is defined only
1135 * for 5GHz/11a and because the switch does not involve a
1136 * reassociation, protocol state (capabilities, negotated
1137 * rates, etc) may/will be wrong.
1139 struct ieee80211_channel *c =
1140 ieee80211_find_channel_byieee(ic, csa->csa_newchan,
1141 (ic->ic_bsschan->ic_flags & IEEE80211_CHAN_ALLTURBO));
1143 c = ieee80211_find_channel_byieee(ic,
1145 (ic->ic_bsschan->ic_flags & IEEE80211_CHAN_ALL));
1147 IEEE80211_DISCARD_IE(vap,
1148 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1149 wh, "CSA", "invalid channel %u",
1154 #if IEEE80211_CSA_COUNT_MIN > 0
1155 if (csa->csa_count < IEEE80211_CSA_COUNT_MIN) {
1157 * Require at least IEEE80211_CSA_COUNT_MIN count to
1158 * reduce the risk of being redirected by a fabricated
1159 * CSA. If a valid CSA is dropped we'll still get a
1160 * beacon miss when the AP leaves the channel so we'll
1161 * eventually follow to the new channel.
1163 * NOTE: this violates the 11h spec that states that
1164 * count may be any value and if 0 then a switch
1165 * should happen asap.
1167 IEEE80211_DISCARD_IE(vap,
1168 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1169 wh, "CSA", "count %u too small, must be >= %u",
1170 csa->csa_count, IEEE80211_CSA_COUNT_MIN);
1174 ieee80211_csa_startswitch(ic, c, csa->csa_mode, csa->csa_count);
1177 * Validate this ie against the initial CSA. We require
1178 * mode and channel not change and the count must be
1179 * monotonically decreasing. This may be pointless and
1180 * canceling the switch as a result may be too paranoid but
1181 * in the worst case if we drop out of CSA because of this
1182 * and the AP does move then we'll just end up taking a
1183 * beacon miss and scan to find the AP.
1185 * XXX may want <= on count as we also process ProbeResp
1186 * frames and those may come in w/ the same count as the
1187 * previous beacon; but doing so leaves us open to a stuck
1188 * count until we add a dead-man timer
1190 if (!(csa->csa_count < ic->ic_csa_count &&
1191 csa->csa_mode == ic->ic_csa_mode &&
1192 csa->csa_newchan == ieee80211_chan2ieee(ic, ic->ic_csa_newchan))) {
1193 IEEE80211_NOTE_FRAME(vap, IEEE80211_MSG_DOTH, wh,
1194 "CSA ie mismatch, initial ie <%d,%d,%d>, "
1195 "this ie <%d,%d,%d>", ic->ic_csa_mode,
1196 ic->ic_csa_newchan->ic_ieee, ic->ic_csa_count,
1197 csa->csa_mode, csa->csa_newchan, csa->csa_count);
1198 ieee80211_csa_cancelswitch(ic);
1200 if (csa->csa_count <= 1)
1201 ieee80211_csa_completeswitch(ic);
1203 ic->ic_csa_count = csa->csa_count;
1211 * Return non-zero if a background scan may be continued:
1212 * o bg scan is active
1213 * o no channel switch is pending
1214 * o there has not been any traffic recently
1216 * Note we do not check if there is an administrative enable;
1217 * this is only done to start the scan. We assume that any
1218 * change in state will be accompanied by a request to cancel
1219 * active scans which will otherwise cause this test to fail.
1222 contbgscan(struct ieee80211vap *vap)
1224 struct ieee80211com *ic = vap->iv_ic;
1226 return ((ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN) &&
1227 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1228 vap->iv_state == IEEE80211_S_RUN && /* XXX? */
1229 time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle));
1233 * Return non-zero if a backgrond scan may be started:
1234 * o bg scanning is administratively enabled
1235 * o no channel switch is pending
1236 * o we are not boosted on a dynamic turbo channel
1237 * o there has not been a scan recently
1238 * o there has not been any traffic recently
1241 startbgscan(struct ieee80211vap *vap)
1243 struct ieee80211com *ic = vap->iv_ic;
1245 return ((vap->iv_flags & IEEE80211_F_BGSCAN) &&
1246 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1247 #ifdef IEEE80211_SUPPORT_SUPERG
1248 !IEEE80211_IS_CHAN_DTURBO(ic->ic_curchan) &&
1250 time_after(ticks, ic->ic_lastscan + vap->iv_bgscanintvl) &&
1251 time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle));
1255 sta_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1256 int subtype, int rssi, int nf)
1258 #define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
1259 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
1260 struct ieee80211vap *vap = ni->ni_vap;
1261 struct ieee80211com *ic = ni->ni_ic;
1262 struct ieee80211_frame *wh;
1263 uint8_t *frm, *efrm;
1264 uint8_t *rates, *xrates, *wme, *htcap, *htinfo;
1267 wh = mtod(m0, struct ieee80211_frame *);
1268 frm = (uint8_t *)&wh[1];
1269 efrm = mtod(m0, uint8_t *) + m0->m_len;
1271 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1272 case IEEE80211_FC0_SUBTYPE_BEACON: {
1273 struct ieee80211_scanparams scan;
1275 * We process beacon/probe response frames:
1276 * o when scanning, or
1277 * o station mode when associated (to collect state
1278 * updates such as 802.11g slot time)
1279 * Frames otherwise received are discarded.
1281 if (!((ic->ic_flags & IEEE80211_F_SCAN) || ni->ni_associd)) {
1282 vap->iv_stats.is_rx_mgtdiscard++;
1285 /* XXX probe response in sta mode when !scanning? */
1286 if (ieee80211_parse_beacon(ni, m0, &scan) != 0)
1289 * Count frame now that we know it's to be processed.
1291 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1292 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1293 IEEE80211_NODE_STAT(ni, rx_beacons);
1295 IEEE80211_NODE_STAT(ni, rx_proberesp);
1297 * When operating in station mode, check for state updates.
1298 * Be careful to ignore beacons received while doing a
1299 * background scan. We consider only 11g/WMM stuff right now.
1301 if (ni->ni_associd != 0 &&
1302 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
1303 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
1304 /* record tsf of last beacon */
1305 memcpy(ni->ni_tstamp.data, scan.tstamp,
1306 sizeof(ni->ni_tstamp));
1307 /* count beacon frame for s/w bmiss handling */
1308 vap->iv_swbmiss_count++;
1309 vap->iv_bmiss_count = 0;
1310 if (ni->ni_erp != scan.erp) {
1311 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1313 "erp change: was 0x%x, now 0x%x",
1314 ni->ni_erp, scan.erp);
1315 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1316 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1317 ic->ic_flags |= IEEE80211_F_USEPROT;
1319 ic->ic_flags &= ~IEEE80211_F_USEPROT;
1320 ni->ni_erp = scan.erp;
1322 /* XXX driver notification */
1324 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) {
1325 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1327 "capabilities change: was 0x%x, now 0x%x",
1328 ni->ni_capinfo, scan.capinfo);
1330 * NB: we assume short preamble doesn't
1331 * change dynamically
1333 ieee80211_set_shortslottime(ic,
1334 IEEE80211_IS_CHAN_A(ic->ic_bsschan) ||
1335 (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1336 ni->ni_capinfo = (ni->ni_capinfo &~ IEEE80211_CAPINFO_SHORT_SLOTTIME)
1337 | (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME);
1340 if (scan.wme != NULL &&
1341 (ni->ni_flags & IEEE80211_NODE_QOS) &&
1342 ieee80211_parse_wmeparams(vap, scan.wme, wh) > 0)
1343 ieee80211_wme_updateparams(vap);
1344 #ifdef IEEE80211_SUPPORT_SUPERG
1345 if (scan.ath != NULL)
1346 ieee80211_parse_athparams(ni, scan.ath, wh);
1348 if (scan.htcap != NULL && scan.htinfo != NULL &&
1349 (vap->iv_flags_ht & IEEE80211_FHT_HT)) {
1350 ieee80211_ht_updateparams(ni,
1351 scan.htcap, scan.htinfo);
1352 /* XXX state changes? */
1355 if (scan.tim != NULL) {
1356 struct ieee80211_tim_ie *tim =
1357 (struct ieee80211_tim_ie *) scan.tim;
1359 * XXX Check/debug this code; see if it's about
1360 * the right time to force the VAP awake if we
1361 * receive a frame destined for us?
1363 int aid = IEEE80211_AID(ni->ni_associd);
1364 int ix = aid / NBBY;
1365 int min = tim->tim_bitctl &~ 1;
1366 int max = tim->tim_len + min - 4;
1369 * Only do this for unicast traffic in the TIM
1370 * The multicast traffic notification for
1371 * the scan notification stuff should occur
1374 if (min <= ix && ix <= max &&
1375 isset(tim->tim_bitmap - min, aid)) {
1376 ieee80211_sta_tim_notify(vap, 1);
1377 ic->ic_lastdata = ticks;
1381 * XXX TODO: do a separate notification
1382 * for the multicast bit being set.
1385 if (tim->tim_bitctl & 1) {
1386 ieee80211_sta_tim_notify(vap, 1);
1387 ic->ic_lastdata = ticks;
1390 ni->ni_dtim_count = tim->tim_count;
1391 ni->ni_dtim_period = tim->tim_period;
1393 if (scan.csa != NULL &&
1394 (vap->iv_flags & IEEE80211_F_DOTH))
1395 ieee80211_parse_csaparams(vap, scan.csa, wh);
1396 else if (ic->ic_flags & IEEE80211_F_CSAPENDING) {
1398 * No CSA ie or 11h disabled, but a channel
1399 * switch is pending; drop out so we aren't
1400 * stuck in CSA state. If the AP really is
1401 * moving we'll get a beacon miss and scan.
1403 ieee80211_csa_cancelswitch(ic);
1406 * If scanning, pass the info to the scan module.
1407 * Otherwise, check if it's the right time to do
1408 * a background scan. Background scanning must
1409 * be enabled and we must not be operating in the
1410 * turbo phase of dynamic turbo mode. Then,
1411 * it's been a while since the last background
1412 * scan and if no data frames have come through
1413 * recently, kick off a scan. Note that this
1414 * is the mechanism by which a background scan
1415 * is started _and_ continued each time we
1416 * return on-channel to receive a beacon from
1419 if (ic->ic_flags & IEEE80211_F_SCAN) {
1420 ieee80211_add_scan(vap, &scan, wh,
1422 } else if (contbgscan(vap)) {
1423 ieee80211_bg_scan(vap, 0);
1424 } else if (startbgscan(vap)) {
1425 vap->iv_stats.is_scan_bg++;
1427 /* wakeup if we are sleeing */
1428 ieee80211_set_pwrsave(vap, 0);
1430 ieee80211_bg_scan(vap, 0);
1434 * Put the station to sleep if we haven't seen
1435 * traffic in a while.
1437 ieee80211_sta_ps_timer_check(vap);
1443 * If scanning, just pass information to the scan module.
1445 if (ic->ic_flags & IEEE80211_F_SCAN) {
1446 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
1448 * Actively scanning a channel marked passive;
1449 * send a probe request now that we know there
1450 * is 802.11 traffic present.
1452 * XXX check if the beacon we recv'd gives
1453 * us what we need and suppress the probe req
1455 ieee80211_probe_curchan(vap, 1);
1456 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1458 ieee80211_add_scan(vap, &scan, wh, subtype, rssi, nf);
1464 case IEEE80211_FC0_SUBTYPE_AUTH: {
1465 uint16_t algo, seq, status;
1473 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1474 algo = le16toh(*(uint16_t *)frm);
1475 seq = le16toh(*(uint16_t *)(frm + 2));
1476 status = le16toh(*(uint16_t *)(frm + 4));
1477 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1478 "recv auth frame with algorithm %d seq %d", algo, seq);
1480 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1481 IEEE80211_DISCARD(vap,
1482 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1483 wh, "auth", "%s", "TKIP countermeasures enabled");
1484 vap->iv_stats.is_rx_auth_countermeasures++;
1485 if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
1486 ieee80211_send_error(ni, wh->i_addr2,
1487 IEEE80211_FC0_SUBTYPE_AUTH,
1488 IEEE80211_REASON_MIC_FAILURE);
1492 if (algo == IEEE80211_AUTH_ALG_SHARED)
1493 sta_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1495 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1496 sta_auth_open(ni, wh, rssi, nf, seq, status);
1498 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1499 wh, "auth", "unsupported alg %d", algo);
1500 vap->iv_stats.is_rx_auth_unsupported++;
1506 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
1507 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
1508 uint16_t capinfo, associd;
1511 if (vap->iv_state != IEEE80211_S_ASSOC) {
1512 vap->iv_stats.is_rx_mgtdiscard++;
1517 * asresp frame format
1518 * [2] capability information
1520 * [2] association ID
1521 * [tlv] supported rates
1522 * [tlv] extended supported rates
1524 * [tlv] HT capabilities
1527 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1529 capinfo = le16toh(*(uint16_t *)frm);
1531 status = le16toh(*(uint16_t *)frm);
1534 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1535 wh->i_addr2, "%sassoc failed (reason %d)",
1536 ISREASSOC(subtype) ? "re" : "", status);
1537 vap->iv_stats.is_rx_auth_fail++; /* XXX */
1540 associd = le16toh(*(uint16_t *)frm);
1543 rates = xrates = wme = htcap = htinfo = NULL;
1544 while (efrm - frm > 1) {
1545 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1547 case IEEE80211_ELEMID_RATES:
1550 case IEEE80211_ELEMID_XRATES:
1553 case IEEE80211_ELEMID_HTCAP:
1556 case IEEE80211_ELEMID_HTINFO:
1559 case IEEE80211_ELEMID_VENDOR:
1562 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
1564 * Accept pre-draft HT ie's if the
1565 * standard ones have not been seen.
1567 if (ishtcapoui(frm)) {
1570 } else if (ishtinfooui(frm)) {
1575 /* XXX Atheros OUI support */
1581 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1583 IEEE80211_VERIFY_ELEMENT(xrates,
1584 IEEE80211_RATE_MAXSIZE - rates[1], return);
1585 rate = ieee80211_setup_rates(ni, rates, xrates,
1587 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
1588 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
1589 if (rate & IEEE80211_RATE_BASIC) {
1590 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1592 "%sassoc failed (rate set mismatch)",
1593 ISREASSOC(subtype) ? "re" : "");
1594 vap->iv_stats.is_rx_assoc_norate++;
1595 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1596 IEEE80211_SCAN_FAIL_STATUS);
1600 ni->ni_capinfo = capinfo;
1601 ni->ni_associd = associd;
1602 if (ni->ni_jointime == 0)
1603 ni->ni_jointime = time_uptime;
1605 ieee80211_parse_wmeparams(vap, wme, wh) >= 0) {
1606 ni->ni_flags |= IEEE80211_NODE_QOS;
1607 ieee80211_wme_updateparams(vap);
1609 ni->ni_flags &= ~IEEE80211_NODE_QOS;
1611 * Setup HT state according to the negotiation.
1613 * NB: shouldn't need to check if HT use is enabled but some
1614 * ap's send back HT ie's even when we don't indicate we
1615 * are HT capable in our AssocReq.
1617 if (htcap != NULL && htinfo != NULL &&
1618 (vap->iv_flags_ht & IEEE80211_FHT_HT)) {
1619 ieee80211_ht_node_init(ni);
1620 ieee80211_ht_updateparams(ni, htcap, htinfo);
1621 ieee80211_setup_htrates(ni, htcap,
1622 IEEE80211_F_JOIN | IEEE80211_F_DOBRS);
1623 ieee80211_setup_basic_htrates(ni, htinfo);
1624 ieee80211_node_setuptxparms(ni);
1625 ieee80211_ratectl_node_init(ni);
1627 #ifdef IEEE80211_SUPPORT_SUPERG
1628 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_ATH))
1629 ieee80211_ff_node_init(ni);
1633 * Configure state now that we are associated.
1635 * XXX may need different/additional driver callbacks?
1637 if (IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1638 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
1639 ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
1640 ic->ic_flags &= ~IEEE80211_F_USEBARKER;
1642 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
1643 ic->ic_flags |= IEEE80211_F_USEBARKER;
1645 ieee80211_set_shortslottime(ic,
1646 IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1647 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1649 * Honor ERP protection.
1651 * NB: ni_erp should zero for non-11g operation.
1653 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1654 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1655 ic->ic_flags |= IEEE80211_F_USEPROT;
1657 ic->ic_flags &= ~IEEE80211_F_USEPROT;
1658 IEEE80211_NOTE_MAC(vap,
1659 IEEE80211_MSG_ASSOC | IEEE80211_MSG_DEBUG, wh->i_addr2,
1660 "%sassoc success at aid %d: %s preamble, %s slot time%s%s%s%s%s%s%s%s",
1661 ISREASSOC(subtype) ? "re" : "",
1662 IEEE80211_NODE_AID(ni),
1663 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
1664 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
1665 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
1666 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "",
1667 ni->ni_flags & IEEE80211_NODE_HT ?
1668 (ni->ni_chw == 40 ? ", HT40" : ", HT20") : "",
1669 ni->ni_flags & IEEE80211_NODE_AMPDU ? " (+AMPDU)" : "",
1670 ni->ni_flags & IEEE80211_NODE_MIMO_RTS ? " (+SMPS-DYN)" :
1671 ni->ni_flags & IEEE80211_NODE_MIMO_PS ? " (+SMPS)" : "",
1672 ni->ni_flags & IEEE80211_NODE_RIFS ? " (+RIFS)" : "",
1673 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) ?
1674 ", fast-frames" : "",
1675 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_TURBOP) ?
1678 ieee80211_new_state(vap, IEEE80211_S_RUN, subtype);
1682 case IEEE80211_FC0_SUBTYPE_DEAUTH: {
1685 if (vap->iv_state == IEEE80211_S_SCAN) {
1686 vap->iv_stats.is_rx_mgtdiscard++;
1689 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1690 /* NB: can happen when in promiscuous mode */
1691 vap->iv_stats.is_rx_mgtdiscard++;
1696 * deauth frame format
1699 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1700 reason = le16toh(*(uint16_t *)frm);
1702 vap->iv_stats.is_rx_deauth++;
1703 vap->iv_stats.is_rx_deauth_code = reason;
1704 IEEE80211_NODE_STAT(ni, rx_deauth);
1706 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
1707 "recv deauthenticate (reason %d)", reason);
1708 ieee80211_new_state(vap, IEEE80211_S_AUTH,
1709 (reason << 8) | IEEE80211_FC0_SUBTYPE_DEAUTH);
1713 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
1716 if (vap->iv_state != IEEE80211_S_RUN &&
1717 vap->iv_state != IEEE80211_S_ASSOC &&
1718 vap->iv_state != IEEE80211_S_AUTH) {
1719 vap->iv_stats.is_rx_mgtdiscard++;
1722 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1723 /* NB: can happen when in promiscuous mode */
1724 vap->iv_stats.is_rx_mgtdiscard++;
1729 * disassoc frame format
1732 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1733 reason = le16toh(*(uint16_t *)frm);
1735 vap->iv_stats.is_rx_disassoc++;
1736 vap->iv_stats.is_rx_disassoc_code = reason;
1737 IEEE80211_NODE_STAT(ni, rx_disassoc);
1739 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1740 "recv disassociate (reason %d)", reason);
1741 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1745 case IEEE80211_FC0_SUBTYPE_ACTION:
1746 if (vap->iv_state == IEEE80211_S_RUN) {
1747 if (ieee80211_parse_action(ni, m0) == 0)
1748 ic->ic_recv_action(ni, wh, frm, efrm);
1750 vap->iv_stats.is_rx_mgtdiscard++;
1753 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1754 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1755 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
1756 vap->iv_stats.is_rx_mgtdiscard++;
1759 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1760 wh, "mgt", "subtype 0x%x not handled", subtype);
1761 vap->iv_stats.is_rx_badsubtype++;
1769 sta_recv_ctl(struct ieee80211_node *ni, struct mbuf *m0, int subtype)