ieee80211_sta.c revision 192468
1/*- 2 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26#include <sys/cdefs.h> 27#ifdef __FreeBSD__ 28__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_sta.c 192468 2009-05-20 20:00:40Z sam $"); 29#endif 30 31/* 32 * IEEE 802.11 Station mode support. 33 */ 34#include "opt_inet.h" 35#include "opt_wlan.h" 36 37#include <sys/param.h> 38#include <sys/systm.h> 39#include <sys/mbuf.h> 40#include <sys/malloc.h> 41#include <sys/kernel.h> 42 43#include <sys/socket.h> 44#include <sys/sockio.h> 45#include <sys/endian.h> 46#include <sys/errno.h> 47#include <sys/proc.h> 48#include <sys/sysctl.h> 49 50#include <net/if.h> 51#include <net/if_media.h> 52#include <net/if_llc.h> 53#include <net/ethernet.h> 54 55#include <net/bpf.h> 56 57#include <net80211/ieee80211_var.h> 58#include <net80211/ieee80211_sta.h> 59#include <net80211/ieee80211_input.h> 60#ifdef IEEE80211_SUPPORT_SUPERG 61#include <net80211/ieee80211_superg.h> 62#endif 63 64#define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 65 66static void sta_vattach(struct ieee80211vap *); 67static void sta_beacon_miss(struct ieee80211vap *); 68static int sta_newstate(struct ieee80211vap *, enum ieee80211_state, int); 69static int sta_input(struct ieee80211_node *, struct mbuf *, int, int); 70static void sta_recv_mgmt(struct ieee80211_node *, struct mbuf *, 71 int subtype, int rssi, int nf); 72static void sta_recv_ctl(struct ieee80211_node *, struct mbuf *, int subtype); 73 74void 75ieee80211_sta_attach(struct ieee80211com *ic) 76{ 77 ic->ic_vattach[IEEE80211_M_STA] = sta_vattach; 78} 79 80void 81ieee80211_sta_detach(struct ieee80211com *ic) 82{ 83} 84 85static void 86sta_vdetach(struct ieee80211vap *vap) 87{ 88} 89 90static void 91sta_vattach(struct ieee80211vap *vap) 92{ 93 vap->iv_newstate = sta_newstate; 94 vap->iv_input = sta_input; 95 vap->iv_recv_mgmt = sta_recv_mgmt; 96 vap->iv_recv_ctl = sta_recv_ctl; 97 vap->iv_opdetach = sta_vdetach; 98 vap->iv_bmiss = sta_beacon_miss; 99} 100 101/* 102 * Handle a beacon miss event. The common code filters out 103 * spurious events that can happen when scanning and/or before 104 * reaching RUN state. 105 */ 106static void 107sta_beacon_miss(struct ieee80211vap *vap) 108{ 109 KASSERT((vap->iv_ic->ic_flags & IEEE80211_F_SCAN) == 0, ("scanning")); 110 KASSERT(vap->iv_state == IEEE80211_S_RUN, 111 ("wrong state %d", vap->iv_state)); 112 113 IEEE80211_DPRINTF(vap, 114 IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG, 115 "beacon miss, mode %u state %s\n", 116 vap->iv_opmode, ieee80211_state_name[vap->iv_state]); 117 118 if (++vap->iv_bmiss_count < vap->iv_bmiss_max) { 119 /* 120 * Send a directed probe req before falling back to a 121 * scan; if we receive a response ic_bmiss_count will 122 * be reset. Some cards mistakenly report beacon miss 123 * so this avoids the expensive scan if the ap is 124 * still there. 125 */ 126 ieee80211_send_probereq(vap->iv_bss, vap->iv_myaddr, 127 vap->iv_bss->ni_bssid, vap->iv_bss->ni_bssid, 128 vap->iv_bss->ni_essid, vap->iv_bss->ni_esslen); 129 return; 130 } 131 vap->iv_bmiss_count = 0; 132 vap->iv_stats.is_beacon_miss++; 133 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) { 134#ifdef IEEE80211_SUPPORT_SUPERG 135 struct ieee80211com *ic = vap->iv_ic; 136 137 /* 138 * If we receive a beacon miss interrupt when using 139 * dynamic turbo, attempt to switch modes before 140 * reassociating. 141 */ 142 if (IEEE80211_ATH_CAP(vap, vap->iv_bss, IEEE80211_NODE_TURBOP)) 143 ieee80211_dturbo_switch(vap, 144 ic->ic_bsschan->ic_flags ^ IEEE80211_CHAN_TURBO); 145#endif 146 /* 147 * Try to reassociate before scanning for a new ap. 148 */ 149 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 1); 150 } else { 151 /* 152 * Somebody else is controlling state changes (e.g. 153 * a user-mode app) don't do anything that would 154 * confuse them; just drop into scan mode so they'll 155 * notified of the state change and given control. 156 */ 157 ieee80211_new_state(vap, IEEE80211_S_SCAN, 0); 158 } 159} 160 161/* 162 * Handle deauth with reason. We retry only for 163 * the cases where we might succeed. Otherwise 164 * we downgrade the ap and scan. 165 */ 166static void 167sta_authretry(struct ieee80211vap *vap, struct ieee80211_node *ni, int reason) 168{ 169 switch (reason) { 170 case IEEE80211_STATUS_SUCCESS: /* NB: MLME assoc */ 171 case IEEE80211_STATUS_TIMEOUT: 172 case IEEE80211_REASON_ASSOC_EXPIRE: 173 case IEEE80211_REASON_NOT_AUTHED: 174 case IEEE80211_REASON_NOT_ASSOCED: 175 case IEEE80211_REASON_ASSOC_LEAVE: 176 case IEEE80211_REASON_ASSOC_NOT_AUTHED: 177 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, 1); 178 break; 179 default: 180 ieee80211_scan_assoc_fail(vap, vap->iv_bss->ni_macaddr, reason); 181 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) 182 ieee80211_check_scan_current(vap); 183 break; 184 } 185} 186 187/* 188 * IEEE80211_M_STA vap state machine handler. 189 * This routine handles the main states in the 802.11 protocol. 190 */ 191static int 192sta_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 193{ 194 struct ieee80211com *ic = vap->iv_ic; 195 struct ieee80211_node *ni; 196 enum ieee80211_state ostate; 197 198 IEEE80211_LOCK_ASSERT(ic); 199 200 ostate = vap->iv_state; 201 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 202 __func__, ieee80211_state_name[ostate], 203 ieee80211_state_name[nstate], arg); 204 vap->iv_state = nstate; /* state transition */ 205 callout_stop(&vap->iv_mgtsend); /* XXX callout_drain */ 206 if (ostate != IEEE80211_S_SCAN) 207 ieee80211_cancel_scan(vap); /* background scan */ 208 ni = vap->iv_bss; /* NB: no reference held */ 209 if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS) 210 callout_stop(&vap->iv_swbmiss); 211 switch (nstate) { 212 case IEEE80211_S_INIT: 213 switch (ostate) { 214 case IEEE80211_S_SLEEP: 215 /* XXX wakeup */ 216 case IEEE80211_S_RUN: 217 IEEE80211_SEND_MGMT(ni, 218 IEEE80211_FC0_SUBTYPE_DISASSOC, 219 IEEE80211_REASON_ASSOC_LEAVE); 220 ieee80211_sta_leave(ni); 221 break; 222 case IEEE80211_S_ASSOC: 223 IEEE80211_SEND_MGMT(ni, 224 IEEE80211_FC0_SUBTYPE_DEAUTH, 225 IEEE80211_REASON_AUTH_LEAVE); 226 break; 227 case IEEE80211_S_SCAN: 228 ieee80211_cancel_scan(vap); 229 break; 230 default: 231 goto invalid; 232 } 233 if (ostate != IEEE80211_S_INIT) { 234 /* NB: optimize INIT -> INIT case */ 235 ieee80211_reset_bss(vap); 236 } 237 if (vap->iv_auth->ia_detach != NULL) 238 vap->iv_auth->ia_detach(vap); 239 break; 240 case IEEE80211_S_SCAN: 241 switch (ostate) { 242 case IEEE80211_S_INIT: 243 /* 244 * Initiate a scan. We can come here as a result 245 * of an IEEE80211_IOC_SCAN_REQ too in which case 246 * the vap will be marked with IEEE80211_FEXT_SCANREQ 247 * and the scan request parameters will be present 248 * in iv_scanreq. Otherwise we do the default. 249 */ 250 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 251 ieee80211_check_scan(vap, 252 vap->iv_scanreq_flags, 253 vap->iv_scanreq_duration, 254 vap->iv_scanreq_mindwell, 255 vap->iv_scanreq_maxdwell, 256 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 257 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 258 } else 259 ieee80211_check_scan_current(vap); 260 break; 261 case IEEE80211_S_SCAN: 262 case IEEE80211_S_AUTH: 263 case IEEE80211_S_ASSOC: 264 /* 265 * These can happen either because of a timeout 266 * on an assoc/auth response or because of a 267 * change in state that requires a reset. For 268 * the former we're called with a non-zero arg 269 * that is the cause for the failure; pass this 270 * to the scan code so it can update state. 271 * Otherwise trigger a new scan unless we're in 272 * manual roaming mode in which case an application 273 * must issue an explicit scan request. 274 */ 275 if (arg != 0) 276 ieee80211_scan_assoc_fail(vap, 277 vap->iv_bss->ni_macaddr, arg); 278 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) 279 ieee80211_check_scan_current(vap); 280 break; 281 case IEEE80211_S_RUN: /* beacon miss */ 282 /* 283 * Beacon miss. Notify user space and if not 284 * under control of a user application (roaming 285 * manual) kick off a scan to re-connect. 286 */ 287 ieee80211_sta_leave(ni); 288 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) 289 ieee80211_check_scan_current(vap); 290 break; 291 default: 292 goto invalid; 293 } 294 break; 295 case IEEE80211_S_AUTH: 296 switch (ostate) { 297 case IEEE80211_S_INIT: 298 case IEEE80211_S_SCAN: 299 IEEE80211_SEND_MGMT(ni, 300 IEEE80211_FC0_SUBTYPE_AUTH, 1); 301 break; 302 case IEEE80211_S_AUTH: 303 case IEEE80211_S_ASSOC: 304 switch (arg & 0xff) { 305 case IEEE80211_FC0_SUBTYPE_AUTH: 306 /* ??? */ 307 IEEE80211_SEND_MGMT(ni, 308 IEEE80211_FC0_SUBTYPE_AUTH, 2); 309 break; 310 case IEEE80211_FC0_SUBTYPE_DEAUTH: 311 sta_authretry(vap, ni, arg>>8); 312 break; 313 } 314 break; 315 case IEEE80211_S_RUN: 316 switch (arg & 0xff) { 317 case IEEE80211_FC0_SUBTYPE_AUTH: 318 IEEE80211_SEND_MGMT(ni, 319 IEEE80211_FC0_SUBTYPE_AUTH, 2); 320 vap->iv_state = ostate; /* stay RUN */ 321 break; 322 case IEEE80211_FC0_SUBTYPE_DEAUTH: 323 ieee80211_sta_leave(ni); 324 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) { 325 /* try to reauth */ 326 IEEE80211_SEND_MGMT(ni, 327 IEEE80211_FC0_SUBTYPE_AUTH, 1); 328 } 329 break; 330 } 331 break; 332 default: 333 goto invalid; 334 } 335 break; 336 case IEEE80211_S_ASSOC: 337 switch (ostate) { 338 case IEEE80211_S_AUTH: 339 case IEEE80211_S_ASSOC: 340 IEEE80211_SEND_MGMT(ni, 341 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0); 342 break; 343 case IEEE80211_S_SLEEP: /* cannot happen */ 344 case IEEE80211_S_RUN: 345 ieee80211_sta_leave(ni); 346 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) { 347 IEEE80211_SEND_MGMT(ni, arg ? 348 IEEE80211_FC0_SUBTYPE_REASSOC_REQ : 349 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0); 350 } 351 break; 352 default: 353 goto invalid; 354 } 355 break; 356 case IEEE80211_S_RUN: 357 if (vap->iv_flags & IEEE80211_F_WPA) { 358 /* XXX validate prerequisites */ 359 } 360 switch (ostate) { 361 case IEEE80211_S_RUN: 362 break; 363 case IEEE80211_S_AUTH: /* when join is done in fw */ 364 case IEEE80211_S_ASSOC: 365#ifdef IEEE80211_DEBUG 366 if (ieee80211_msg_debug(vap)) { 367 ieee80211_note(vap, "%s with %s ssid ", 368 (vap->iv_opmode == IEEE80211_M_STA ? 369 "associated" : "synchronized"), 370 ether_sprintf(ni->ni_bssid)); 371 ieee80211_print_essid(vap->iv_bss->ni_essid, 372 ni->ni_esslen); 373 /* XXX MCS/HT */ 374 printf(" channel %d start %uMb\n", 375 ieee80211_chan2ieee(ic, ic->ic_curchan), 376 IEEE80211_RATE2MBS(ni->ni_txrate)); 377 } 378#endif 379 ieee80211_scan_assoc_success(vap, ni->ni_macaddr); 380 ieee80211_notify_node_join(ni, 381 arg == IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 382 break; 383 case IEEE80211_S_SLEEP: 384 ieee80211_sta_pwrsave(vap, 0); 385 break; 386 default: 387 goto invalid; 388 } 389 ieee80211_sync_curchan(ic); 390 if (ostate != IEEE80211_S_RUN && 391 (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)) { 392 /* 393 * Start s/w beacon miss timer for devices w/o 394 * hardware support. We fudge a bit here since 395 * we're doing this in software. 396 */ 397 vap->iv_swbmiss_period = IEEE80211_TU_TO_TICKS( 398 2 * vap->iv_bmissthreshold * ni->ni_intval); 399 vap->iv_swbmiss_count = 0; 400 callout_reset(&vap->iv_swbmiss, vap->iv_swbmiss_period, 401 ieee80211_swbmiss, vap); 402 } 403 /* 404 * When 802.1x is not in use mark the port authorized 405 * at this point so traffic can flow. 406 */ 407 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 408 ieee80211_node_authorize(ni); 409 /* 410 * Fake association when joining an existing bss. 411 */ 412 if (ic->ic_newassoc != NULL) 413 ic->ic_newassoc(vap->iv_bss, ostate != IEEE80211_S_RUN); 414 break; 415 case IEEE80211_S_SLEEP: 416 ieee80211_sta_pwrsave(vap, 0); 417 break; 418 default: 419 invalid: 420 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, 421 "%s: unexpected state transition %s -> %s\n", __func__, 422 ieee80211_state_name[ostate], ieee80211_state_name[nstate]); 423 break; 424 } 425 return 0; 426} 427 428/* 429 * Return non-zero if the frame is an echo of a multicast 430 * frame sent by ourself. The dir is known to be DSTODS. 431 */ 432static __inline int 433isdstods_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh) 434{ 435#define QWH4(wh) ((const struct ieee80211_qosframe_addr4 *)wh) 436#define WH4(wh) ((const struct ieee80211_frame_addr4 *)wh) 437 const uint8_t *sa; 438 439 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode")); 440 441 if (!IEEE80211_IS_MULTICAST(wh->i_addr3)) 442 return 0; 443 sa = IEEE80211_QOS_HAS_SEQ(wh) ? QWH4(wh)->i_addr4 : WH4(wh)->i_addr4; 444 return IEEE80211_ADDR_EQ(sa, vap->iv_myaddr); 445#undef WH4 446#undef QWH4 447} 448 449/* 450 * Return non-zero if the frame is an echo of a multicast 451 * frame sent by ourself. The dir is known to be FROMDS. 452 */ 453static __inline int 454isfromds_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh) 455{ 456 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode")); 457 458 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) 459 return 0; 460 return IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_myaddr); 461} 462 463/* 464 * Decide if a received management frame should be 465 * printed when debugging is enabled. This filters some 466 * of the less interesting frames that come frequently 467 * (e.g. beacons). 468 */ 469static __inline int 470doprint(struct ieee80211vap *vap, int subtype) 471{ 472 switch (subtype) { 473 case IEEE80211_FC0_SUBTYPE_BEACON: 474 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 475 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 476 return 0; 477 } 478 return 1; 479} 480 481/* 482 * Process a received frame. The node associated with the sender 483 * should be supplied. If nothing was found in the node table then 484 * the caller is assumed to supply a reference to iv_bss instead. 485 * The RSSI and a timestamp are also supplied. The RSSI data is used 486 * during AP scanning to select a AP to associate with; it can have 487 * any units so long as values have consistent units and higher values 488 * mean ``better signal''. The receive timestamp is currently not used 489 * by the 802.11 layer. 490 */ 491static int 492sta_input(struct ieee80211_node *ni, struct mbuf *m, int rssi, int nf) 493{ 494#define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0) 495#define HAS_SEQ(type) ((type & 0x4) == 0) 496 struct ieee80211vap *vap = ni->ni_vap; 497 struct ieee80211com *ic = ni->ni_ic; 498 struct ifnet *ifp = vap->iv_ifp; 499 struct ieee80211_frame *wh; 500 struct ieee80211_key *key; 501 struct ether_header *eh; 502 int hdrspace, need_tap; 503 uint8_t dir, type, subtype, qos; 504 uint8_t *bssid; 505 uint16_t rxseq; 506 507 if (m->m_flags & M_AMPDU_MPDU) { 508 /* 509 * Fastpath for A-MPDU reorder q resubmission. Frames 510 * w/ M_AMPDU_MPDU marked have already passed through 511 * here but were received out of order and been held on 512 * the reorder queue. When resubmitted they are marked 513 * with the M_AMPDU_MPDU flag and we can bypass most of 514 * the normal processing. 515 */ 516 wh = mtod(m, struct ieee80211_frame *); 517 type = IEEE80211_FC0_TYPE_DATA; 518 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 519 subtype = IEEE80211_FC0_SUBTYPE_QOS; 520 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 521 goto resubmit_ampdu; 522 } 523 524 KASSERT(ni != NULL, ("null node")); 525 ni->ni_inact = ni->ni_inact_reload; 526 527 need_tap = 1; /* mbuf need to be tapped. */ 528 type = -1; /* undefined */ 529 530 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) { 531 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 532 ni->ni_macaddr, NULL, 533 "too short (1): len %u", m->m_pkthdr.len); 534 vap->iv_stats.is_rx_tooshort++; 535 goto out; 536 } 537 /* 538 * Bit of a cheat here, we use a pointer for a 3-address 539 * frame format but don't reference fields past outside 540 * ieee80211_frame_min w/o first validating the data is 541 * present. 542 */ 543 wh = mtod(m, struct ieee80211_frame *); 544 545 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 546 IEEE80211_FC0_VERSION_0) { 547 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 548 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 549 wh->i_fc[0], wh->i_fc[1]); 550 vap->iv_stats.is_rx_badversion++; 551 goto err; 552 } 553 554 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 555 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 556 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 557 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) { 558 bssid = wh->i_addr2; 559 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 560 /* not interested in */ 561 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 562 bssid, NULL, "%s", "not to bss"); 563 vap->iv_stats.is_rx_wrongbss++; 564 goto out; 565 } 566 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 567 ni->ni_noise = nf; 568 if (HAS_SEQ(type)) { 569 uint8_t tid = ieee80211_gettid(wh); 570 if (IEEE80211_QOS_HAS_SEQ(wh) && 571 TID_TO_WME_AC(tid) >= WME_AC_VI) 572 ic->ic_wme.wme_hipri_traffic++; 573 rxseq = le16toh(*(uint16_t *)wh->i_seq); 574 if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 && 575 (wh->i_fc[1] & IEEE80211_FC1_RETRY) && 576 SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) { 577 /* duplicate, discard */ 578 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 579 bssid, "duplicate", 580 "seqno <%u,%u> fragno <%u,%u> tid %u", 581 rxseq >> IEEE80211_SEQ_SEQ_SHIFT, 582 ni->ni_rxseqs[tid] >> 583 IEEE80211_SEQ_SEQ_SHIFT, 584 rxseq & IEEE80211_SEQ_FRAG_MASK, 585 ni->ni_rxseqs[tid] & 586 IEEE80211_SEQ_FRAG_MASK, 587 tid); 588 vap->iv_stats.is_rx_dup++; 589 IEEE80211_NODE_STAT(ni, rx_dup); 590 goto out; 591 } 592 ni->ni_rxseqs[tid] = rxseq; 593 } 594 } 595 596 switch (type) { 597 case IEEE80211_FC0_TYPE_DATA: 598 hdrspace = ieee80211_hdrspace(ic, wh); 599 if (m->m_len < hdrspace && 600 (m = m_pullup(m, hdrspace)) == NULL) { 601 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 602 ni->ni_macaddr, NULL, 603 "data too short: expecting %u", hdrspace); 604 vap->iv_stats.is_rx_tooshort++; 605 goto out; /* XXX */ 606 } 607 /* 608 * Handle A-MPDU re-ordering. If the frame is to be 609 * processed directly then ieee80211_ampdu_reorder 610 * will return 0; otherwise it has consumed the mbuf 611 * and we should do nothing more with it. 612 */ 613 if ((m->m_flags & M_AMPDU) && 614 (dir == IEEE80211_FC1_DIR_FROMDS || 615 dir == IEEE80211_FC1_DIR_DSTODS) && 616 ieee80211_ampdu_reorder(ni, m) != 0) { 617 m = NULL; 618 goto out; 619 } 620 resubmit_ampdu: 621 if (dir == IEEE80211_FC1_DIR_FROMDS) { 622 if ((ifp->if_flags & IFF_SIMPLEX) && 623 isfromds_mcastecho(vap, wh)) { 624 /* 625 * In IEEE802.11 network, multicast 626 * packets sent from "me" are broadcast 627 * from the AP; silently discard for 628 * SIMPLEX interface. 629 */ 630 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 631 wh, "data", "%s", "multicast echo"); 632 vap->iv_stats.is_rx_mcastecho++; 633 goto out; 634 } 635 if ((vap->iv_flags & IEEE80211_F_DWDS) && 636 IEEE80211_IS_MULTICAST(wh->i_addr1)) { 637 /* 638 * DWDS sta's must drop 3-address mcast frames 639 * as they will be sent separately as a 4-addr 640 * frame. Accepting the 3-addr frame will 641 * confuse the bridge into thinking the sending 642 * sta is located at the end of WDS link. 643 */ 644 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh, 645 "3-address data", "%s", "DWDS enabled"); 646 vap->iv_stats.is_rx_mcastecho++; 647 goto out; 648 } 649 } else if (dir == IEEE80211_FC1_DIR_DSTODS) { 650 if ((vap->iv_flags & IEEE80211_F_DWDS) == 0) { 651 IEEE80211_DISCARD(vap, 652 IEEE80211_MSG_INPUT, wh, "4-address data", 653 "%s", "DWDS not enabled"); 654 vap->iv_stats.is_rx_wrongdir++; 655 goto out; 656 } 657 if ((ifp->if_flags & IFF_SIMPLEX) && 658 isdstods_mcastecho(vap, wh)) { 659 /* 660 * In IEEE802.11 network, multicast 661 * packets sent from "me" are broadcast 662 * from the AP; silently discard for 663 * SIMPLEX interface. 664 */ 665 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh, 666 "4-address data", "%s", "multicast echo"); 667 vap->iv_stats.is_rx_mcastecho++; 668 goto out; 669 } 670 } else { 671 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh, 672 "data", "incorrect dir 0x%x", dir); 673 vap->iv_stats.is_rx_wrongdir++; 674 goto out; 675 } 676 677 /* 678 * Handle privacy requirements. Note that we 679 * must not be preempted from here until after 680 * we (potentially) call ieee80211_crypto_demic; 681 * otherwise we may violate assumptions in the 682 * crypto cipher modules used to do delayed update 683 * of replay sequence numbers. 684 */ 685 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 686 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 687 /* 688 * Discard encrypted frames when privacy is off. 689 */ 690 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 691 wh, "WEP", "%s", "PRIVACY off"); 692 vap->iv_stats.is_rx_noprivacy++; 693 IEEE80211_NODE_STAT(ni, rx_noprivacy); 694 goto out; 695 } 696 key = ieee80211_crypto_decap(ni, m, hdrspace); 697 if (key == NULL) { 698 /* NB: stats+msgs handled in crypto_decap */ 699 IEEE80211_NODE_STAT(ni, rx_wepfail); 700 goto out; 701 } 702 wh = mtod(m, struct ieee80211_frame *); 703 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 704 } else { 705 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 706 key = NULL; 707 } 708 709 /* 710 * Save QoS bits for use below--before we strip the header. 711 */ 712 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) { 713 qos = (dir == IEEE80211_FC1_DIR_DSTODS) ? 714 ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] : 715 ((struct ieee80211_qosframe *)wh)->i_qos[0]; 716 } else 717 qos = 0; 718 719 /* 720 * Next up, any fragmentation. 721 */ 722 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 723 m = ieee80211_defrag(ni, m, hdrspace); 724 if (m == NULL) { 725 /* Fragment dropped or frame not complete yet */ 726 goto out; 727 } 728 } 729 wh = NULL; /* no longer valid, catch any uses */ 730 731 /* 732 * Next strip any MSDU crypto bits. 733 */ 734 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { 735 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 736 ni->ni_macaddr, "data", "%s", "demic error"); 737 vap->iv_stats.is_rx_demicfail++; 738 IEEE80211_NODE_STAT(ni, rx_demicfail); 739 goto out; 740 } 741 742 /* copy to listener after decrypt */ 743 if (ieee80211_radiotap_active_vap(vap)) 744 ieee80211_radiotap_tx(vap, m); 745 need_tap = 0; 746 747 /* 748 * Finally, strip the 802.11 header. 749 */ 750 m = ieee80211_decap(vap, m, hdrspace); 751 if (m == NULL) { 752 /* XXX mask bit to check for both */ 753 /* don't count Null data frames as errors */ 754 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 755 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 756 goto out; 757 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 758 ni->ni_macaddr, "data", "%s", "decap error"); 759 vap->iv_stats.is_rx_decap++; 760 IEEE80211_NODE_STAT(ni, rx_decap); 761 goto err; 762 } 763 eh = mtod(m, struct ether_header *); 764 if (!ieee80211_node_is_authorized(ni)) { 765 /* 766 * Deny any non-PAE frames received prior to 767 * authorization. For open/shared-key 768 * authentication the port is mark authorized 769 * after authentication completes. For 802.1x 770 * the port is not marked authorized by the 771 * authenticator until the handshake has completed. 772 */ 773 if (eh->ether_type != htons(ETHERTYPE_PAE)) { 774 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 775 eh->ether_shost, "data", 776 "unauthorized port: ether type 0x%x len %u", 777 eh->ether_type, m->m_pkthdr.len); 778 vap->iv_stats.is_rx_unauth++; 779 IEEE80211_NODE_STAT(ni, rx_unauth); 780 goto err; 781 } 782 } else { 783 /* 784 * When denying unencrypted frames, discard 785 * any non-PAE frames received without encryption. 786 */ 787 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 788 (key == NULL && (m->m_flags & M_WEP) == 0) && 789 eh->ether_type != htons(ETHERTYPE_PAE)) { 790 /* 791 * Drop unencrypted frames. 792 */ 793 vap->iv_stats.is_rx_unencrypted++; 794 IEEE80211_NODE_STAT(ni, rx_unencrypted); 795 goto out; 796 } 797 } 798 /* XXX require HT? */ 799 if (qos & IEEE80211_QOS_AMSDU) { 800 m = ieee80211_decap_amsdu(ni, m); 801 if (m == NULL) 802 return IEEE80211_FC0_TYPE_DATA; 803 } else { 804#ifdef IEEE80211_SUPPORT_SUPERG 805 m = ieee80211_decap_fastframe(vap, ni, m); 806 if (m == NULL) 807 return IEEE80211_FC0_TYPE_DATA; 808#endif 809 } 810 ieee80211_deliver_data(vap, ni, m); 811 return IEEE80211_FC0_TYPE_DATA; 812 813 case IEEE80211_FC0_TYPE_MGT: 814 vap->iv_stats.is_rx_mgmt++; 815 IEEE80211_NODE_STAT(ni, rx_mgmt); 816 if (dir != IEEE80211_FC1_DIR_NODS) { 817 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 818 wh, "data", "incorrect dir 0x%x", dir); 819 vap->iv_stats.is_rx_wrongdir++; 820 goto err; 821 } 822 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 823 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 824 ni->ni_macaddr, "mgt", "too short: len %u", 825 m->m_pkthdr.len); 826 vap->iv_stats.is_rx_tooshort++; 827 goto out; 828 } 829#ifdef IEEE80211_DEBUG 830 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 831 ieee80211_msg_dumppkts(vap)) { 832 if_printf(ifp, "received %s from %s rssi %d\n", 833 ieee80211_mgt_subtype_name[subtype >> 834 IEEE80211_FC0_SUBTYPE_SHIFT], 835 ether_sprintf(wh->i_addr2), rssi); 836 } 837#endif 838 if (wh->i_fc[1] & IEEE80211_FC1_WEP) { 839 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 840 /* 841 * Only shared key auth frames with a challenge 842 * should be encrypted, discard all others. 843 */ 844 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 845 wh, ieee80211_mgt_subtype_name[subtype >> 846 IEEE80211_FC0_SUBTYPE_SHIFT], 847 "%s", "WEP set but not permitted"); 848 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 849 goto out; 850 } 851 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 852 /* 853 * Discard encrypted frames when privacy is off. 854 */ 855 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 856 wh, "mgt", "%s", "WEP set but PRIVACY off"); 857 vap->iv_stats.is_rx_noprivacy++; 858 goto out; 859 } 860 hdrspace = ieee80211_hdrspace(ic, wh); 861 key = ieee80211_crypto_decap(ni, m, hdrspace); 862 if (key == NULL) { 863 /* NB: stats+msgs handled in crypto_decap */ 864 goto out; 865 } 866 wh = mtod(m, struct ieee80211_frame *); 867 wh->i_fc[1] &= ~IEEE80211_FC1_WEP; 868 } 869 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf); 870 goto out; 871 872 case IEEE80211_FC0_TYPE_CTL: 873 vap->iv_stats.is_rx_ctl++; 874 IEEE80211_NODE_STAT(ni, rx_ctrl); 875 vap->iv_recv_ctl(ni, m, subtype); 876 goto out; 877 878 default: 879 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 880 wh, NULL, "bad frame type 0x%x", type); 881 /* should not come here */ 882 break; 883 } 884err: 885 ifp->if_ierrors++; 886out: 887 if (m != NULL) { 888 if (need_tap) 889 ieee80211_radiotap_rx(vap, m); 890 m_freem(m); 891 } 892 return type; 893#undef SEQ_LEQ 894} 895 896static void 897sta_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 898 int rssi, int nf, uint16_t seq, uint16_t status) 899{ 900 struct ieee80211vap *vap = ni->ni_vap; 901 902 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 903 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 904 ni->ni_macaddr, "open auth", 905 "bad sta auth mode %u", ni->ni_authmode); 906 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 907 return; 908 } 909 if (vap->iv_state != IEEE80211_S_AUTH || 910 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 911 vap->iv_stats.is_rx_bad_auth++; 912 return; 913 } 914 if (status != 0) { 915 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 916 ni, "open auth failed (reason %d)", status); 917 vap->iv_stats.is_rx_auth_fail++; 918 vap->iv_stats.is_rx_authfail_code = status; 919 ieee80211_new_state(vap, IEEE80211_S_SCAN, 920 IEEE80211_SCAN_FAIL_STATUS); 921 } else 922 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0); 923} 924 925static void 926sta_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 927 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 928 uint16_t seq, uint16_t status) 929{ 930 struct ieee80211vap *vap = ni->ni_vap; 931 uint8_t *challenge; 932 int estatus; 933 934 /* 935 * NB: this can happen as we allow pre-shared key 936 * authentication to be enabled w/o wep being turned 937 * on so that configuration of these can be done 938 * in any order. It may be better to enforce the 939 * ordering in which case this check would just be 940 * for sanity/consistency. 941 */ 942 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 943 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 944 ni->ni_macaddr, "shared key auth", 945 "%s", " PRIVACY is disabled"); 946 estatus = IEEE80211_STATUS_ALG; 947 goto bad; 948 } 949 /* 950 * Pre-shared key authentication is evil; accept 951 * it only if explicitly configured (it is supported 952 * mainly for compatibility with clients like OS X). 953 */ 954 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 955 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 956 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 957 ni->ni_macaddr, "shared key auth", 958 "bad sta auth mode %u", ni->ni_authmode); 959 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 960 estatus = IEEE80211_STATUS_ALG; 961 goto bad; 962 } 963 964 challenge = NULL; 965 if (frm + 1 < efrm) { 966 if ((frm[1] + 2) > (efrm - frm)) { 967 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 968 ni->ni_macaddr, "shared key auth", 969 "ie %d/%d too long", 970 frm[0], (frm[1] + 2) - (efrm - frm)); 971 vap->iv_stats.is_rx_bad_auth++; 972 estatus = IEEE80211_STATUS_CHALLENGE; 973 goto bad; 974 } 975 if (*frm == IEEE80211_ELEMID_CHALLENGE) 976 challenge = frm; 977 frm += frm[1] + 2; 978 } 979 switch (seq) { 980 case IEEE80211_AUTH_SHARED_CHALLENGE: 981 case IEEE80211_AUTH_SHARED_RESPONSE: 982 if (challenge == NULL) { 983 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 984 ni->ni_macaddr, "shared key auth", 985 "%s", "no challenge"); 986 vap->iv_stats.is_rx_bad_auth++; 987 estatus = IEEE80211_STATUS_CHALLENGE; 988 goto bad; 989 } 990 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 991 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 992 ni->ni_macaddr, "shared key auth", 993 "bad challenge len %d", challenge[1]); 994 vap->iv_stats.is_rx_bad_auth++; 995 estatus = IEEE80211_STATUS_CHALLENGE; 996 goto bad; 997 } 998 default: 999 break; 1000 } 1001 if (vap->iv_state != IEEE80211_S_AUTH) 1002 return; 1003 switch (seq) { 1004 case IEEE80211_AUTH_SHARED_PASS: 1005 if (ni->ni_challenge != NULL) { 1006 free(ni->ni_challenge, M_80211_NODE); 1007 ni->ni_challenge = NULL; 1008 } 1009 if (status != 0) { 1010 IEEE80211_NOTE_FRAME(vap, 1011 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, wh, 1012 "shared key auth failed (reason %d)", status); 1013 vap->iv_stats.is_rx_auth_fail++; 1014 vap->iv_stats.is_rx_authfail_code = status; 1015 return; 1016 } 1017 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0); 1018 break; 1019 case IEEE80211_AUTH_SHARED_CHALLENGE: 1020 if (!ieee80211_alloc_challenge(ni)) 1021 return; 1022 /* XXX could optimize by passing recvd challenge */ 1023 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1024 IEEE80211_SEND_MGMT(ni, 1025 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1026 break; 1027 default: 1028 IEEE80211_DISCARD(vap, IEEE80211_MSG_AUTH, 1029 wh, "shared key auth", "bad seq %d", seq); 1030 vap->iv_stats.is_rx_bad_auth++; 1031 return; 1032 } 1033 return; 1034bad: 1035 /* 1036 * Kick the state machine. This short-circuits 1037 * using the mgt frame timeout to trigger the 1038 * state transition. 1039 */ 1040 if (vap->iv_state == IEEE80211_S_AUTH) 1041 ieee80211_new_state(vap, IEEE80211_S_SCAN, 1042 IEEE80211_SCAN_FAIL_STATUS); 1043} 1044 1045static int 1046ieee80211_parse_wmeparams(struct ieee80211vap *vap, uint8_t *frm, 1047 const struct ieee80211_frame *wh) 1048{ 1049#define MS(_v, _f) (((_v) & _f) >> _f##_S) 1050 struct ieee80211_wme_state *wme = &vap->iv_ic->ic_wme; 1051 u_int len = frm[1], qosinfo; 1052 int i; 1053 1054 if (len < sizeof(struct ieee80211_wme_param)-2) { 1055 IEEE80211_DISCARD_IE(vap, 1056 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1057 wh, "WME", "too short, len %u", len); 1058 return -1; 1059 } 1060 qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1061 qosinfo &= WME_QOSINFO_COUNT; 1062 /* XXX do proper check for wraparound */ 1063 if (qosinfo == wme->wme_wmeChanParams.cap_info) 1064 return 0; 1065 frm += __offsetof(struct ieee80211_wme_param, params_acParams); 1066 for (i = 0; i < WME_NUM_AC; i++) { 1067 struct wmeParams *wmep = 1068 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1069 /* NB: ACI not used */ 1070 wmep->wmep_acm = MS(frm[0], WME_PARAM_ACM); 1071 wmep->wmep_aifsn = MS(frm[0], WME_PARAM_AIFSN); 1072 wmep->wmep_logcwmin = MS(frm[1], WME_PARAM_LOGCWMIN); 1073 wmep->wmep_logcwmax = MS(frm[1], WME_PARAM_LOGCWMAX); 1074 wmep->wmep_txopLimit = LE_READ_2(frm+2); 1075 frm += 4; 1076 } 1077 wme->wme_wmeChanParams.cap_info = qosinfo; 1078 return 1; 1079#undef MS 1080} 1081 1082/* 1083 * Return non-zero if a background scan may be continued: 1084 * o bg scan is active 1085 * o no channel switch is pending 1086 * o there has not been any traffic recently 1087 * 1088 * Note we do not check if there is an administrative enable; 1089 * this is only done to start the scan. We assume that any 1090 * change in state will be accompanied by a request to cancel 1091 * active scans which will otherwise cause this test to fail. 1092 */ 1093static __inline int 1094contbgscan(struct ieee80211vap *vap) 1095{ 1096 struct ieee80211com *ic = vap->iv_ic; 1097 1098 return ((ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN) && 1099 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 && 1100 vap->iv_state == IEEE80211_S_RUN && /* XXX? */ 1101 time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle)); 1102} 1103 1104/* 1105 * Return non-zero if a backgrond scan may be started: 1106 * o bg scanning is administratively enabled 1107 * o no channel switch is pending 1108 * o we are not boosted on a dynamic turbo channel 1109 * o there has not been a scan recently 1110 * o there has not been any traffic recently 1111 */ 1112static __inline int 1113startbgscan(struct ieee80211vap *vap) 1114{ 1115 struct ieee80211com *ic = vap->iv_ic; 1116 1117 return ((vap->iv_flags & IEEE80211_F_BGSCAN) && 1118 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 && 1119#ifdef IEEE80211_SUPPORT_SUPERG 1120 !IEEE80211_IS_CHAN_DTURBO(ic->ic_curchan) && 1121#endif 1122 time_after(ticks, ic->ic_lastscan + vap->iv_bgscanintvl) && 1123 time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle)); 1124} 1125 1126static void 1127sta_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, 1128 int subtype, int rssi, int nf) 1129{ 1130#define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP) 1131#define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 1132 struct ieee80211vap *vap = ni->ni_vap; 1133 struct ieee80211com *ic = ni->ni_ic; 1134 struct ieee80211_frame *wh; 1135 uint8_t *frm, *efrm; 1136 uint8_t *rates, *xrates, *wme, *htcap, *htinfo; 1137 uint8_t rate; 1138 1139 wh = mtod(m0, struct ieee80211_frame *); 1140 frm = (uint8_t *)&wh[1]; 1141 efrm = mtod(m0, uint8_t *) + m0->m_len; 1142 switch (subtype) { 1143 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1144 case IEEE80211_FC0_SUBTYPE_BEACON: { 1145 struct ieee80211_scanparams scan; 1146 /* 1147 * We process beacon/probe response frames: 1148 * o when scanning, or 1149 * o station mode when associated (to collect state 1150 * updates such as 802.11g slot time) 1151 * Frames otherwise received are discarded. 1152 */ 1153 if (!((ic->ic_flags & IEEE80211_F_SCAN) || ni->ni_associd)) { 1154 vap->iv_stats.is_rx_mgtdiscard++; 1155 return; 1156 } 1157 /* XXX probe response in sta mode when !scanning? */ 1158 if (ieee80211_parse_beacon(ni, m0, &scan) != 0) 1159 return; 1160 /* 1161 * Count frame now that we know it's to be processed. 1162 */ 1163 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1164 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1165 IEEE80211_NODE_STAT(ni, rx_beacons); 1166 } else 1167 IEEE80211_NODE_STAT(ni, rx_proberesp); 1168 /* 1169 * When operating in station mode, check for state updates. 1170 * Be careful to ignore beacons received while doing a 1171 * background scan. We consider only 11g/WMM stuff right now. 1172 */ 1173 if (ni->ni_associd != 0 && 1174 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 1175 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 1176 /* record tsf of last beacon */ 1177 memcpy(ni->ni_tstamp.data, scan.tstamp, 1178 sizeof(ni->ni_tstamp)); 1179 /* count beacon frame for s/w bmiss handling */ 1180 vap->iv_swbmiss_count++; 1181 vap->iv_bmiss_count = 0; 1182 if (ni->ni_erp != scan.erp) { 1183 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC, 1184 wh->i_addr2, 1185 "erp change: was 0x%x, now 0x%x", 1186 ni->ni_erp, scan.erp); 1187 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1188 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 1189 ic->ic_flags |= IEEE80211_F_USEPROT; 1190 else 1191 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1192 ni->ni_erp = scan.erp; 1193 /* XXX statistic */ 1194 /* XXX driver notification */ 1195 } 1196 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1197 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC, 1198 wh->i_addr2, 1199 "capabilities change: was 0x%x, now 0x%x", 1200 ni->ni_capinfo, scan.capinfo); 1201 /* 1202 * NB: we assume short preamble doesn't 1203 * change dynamically 1204 */ 1205 ieee80211_set_shortslottime(ic, 1206 IEEE80211_IS_CHAN_A(ic->ic_bsschan) || 1207 (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1208 ni->ni_capinfo = (ni->ni_capinfo &~ IEEE80211_CAPINFO_SHORT_SLOTTIME) 1209 | (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME); 1210 /* XXX statistic */ 1211 } 1212 if (scan.wme != NULL && 1213 (ni->ni_flags & IEEE80211_NODE_QOS) && 1214 ieee80211_parse_wmeparams(vap, scan.wme, wh) > 0) 1215 ieee80211_wme_updateparams(vap); 1216#ifdef IEEE80211_SUPPORT_SUPERG 1217 if (scan.ath != NULL) 1218 ieee80211_parse_athparams(ni, scan.ath, wh); 1219#endif 1220 if (scan.htcap != NULL && scan.htinfo != NULL && 1221 (vap->iv_flags_ext & IEEE80211_FEXT_HT)) { 1222 ieee80211_ht_updateparams(ni, 1223 scan.htcap, scan.htinfo); 1224 /* XXX state changes? */ 1225 } 1226 if (scan.tim != NULL) { 1227 struct ieee80211_tim_ie *tim = 1228 (struct ieee80211_tim_ie *) scan.tim; 1229#if 0 1230 int aid = IEEE80211_AID(ni->ni_associd); 1231 int ix = aid / NBBY; 1232 int min = tim->tim_bitctl &~ 1; 1233 int max = tim->tim_len + min - 4; 1234 if ((tim->tim_bitctl&1) || 1235 (min <= ix && ix <= max && 1236 isset(tim->tim_bitmap - min, aid))) { 1237 /* 1238 * XXX Do not let bg scan kick off 1239 * we are expecting data. 1240 */ 1241 ic->ic_lastdata = ticks; 1242 ieee80211_sta_pwrsave(vap, 0); 1243 } 1244#endif 1245 ni->ni_dtim_count = tim->tim_count; 1246 ni->ni_dtim_period = tim->tim_period; 1247 } 1248 /* 1249 * If scanning, pass the info to the scan module. 1250 * Otherwise, check if it's the right time to do 1251 * a background scan. Background scanning must 1252 * be enabled and we must not be operating in the 1253 * turbo phase of dynamic turbo mode. Then, 1254 * it's been a while since the last background 1255 * scan and if no data frames have come through 1256 * recently, kick off a scan. Note that this 1257 * is the mechanism by which a background scan 1258 * is started _and_ continued each time we 1259 * return on-channel to receive a beacon from 1260 * our ap. 1261 */ 1262 if (ic->ic_flags & IEEE80211_F_SCAN) { 1263 ieee80211_add_scan(vap, &scan, wh, 1264 subtype, rssi, nf); 1265 } else if (contbgscan(vap)) { 1266 ieee80211_bg_scan(vap, 0); 1267 } else if (startbgscan(vap)) { 1268 vap->iv_stats.is_scan_bg++; 1269#if 0 1270 /* wakeup if we are sleeing */ 1271 ieee80211_set_pwrsave(vap, 0); 1272#endif 1273 ieee80211_bg_scan(vap, 0); 1274 } 1275 return; 1276 } 1277 /* 1278 * If scanning, just pass information to the scan module. 1279 */ 1280 if (ic->ic_flags & IEEE80211_F_SCAN) { 1281 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 1282 /* 1283 * Actively scanning a channel marked passive; 1284 * send a probe request now that we know there 1285 * is 802.11 traffic present. 1286 * 1287 * XXX check if the beacon we recv'd gives 1288 * us what we need and suppress the probe req 1289 */ 1290 ieee80211_probe_curchan(vap, 1); 1291 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1292 } 1293 ieee80211_add_scan(vap, &scan, wh, subtype, rssi, nf); 1294 return; 1295 } 1296 break; 1297 } 1298 1299 case IEEE80211_FC0_SUBTYPE_AUTH: { 1300 uint16_t algo, seq, status; 1301 /* 1302 * auth frame format 1303 * [2] algorithm 1304 * [2] sequence 1305 * [2] status 1306 * [tlv*] challenge 1307 */ 1308 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1309 algo = le16toh(*(uint16_t *)frm); 1310 seq = le16toh(*(uint16_t *)(frm + 2)); 1311 status = le16toh(*(uint16_t *)(frm + 4)); 1312 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1313 "recv auth frame with algorithm %d seq %d", algo, seq); 1314 1315 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1316 IEEE80211_DISCARD(vap, 1317 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1318 wh, "auth", "%s", "TKIP countermeasures enabled"); 1319 vap->iv_stats.is_rx_auth_countermeasures++; 1320 if (vap->iv_opmode == IEEE80211_M_HOSTAP) { 1321 ieee80211_send_error(ni, wh->i_addr2, 1322 IEEE80211_FC0_SUBTYPE_AUTH, 1323 IEEE80211_REASON_MIC_FAILURE); 1324 } 1325 return; 1326 } 1327 if (algo == IEEE80211_AUTH_ALG_SHARED) 1328 sta_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1329 seq, status); 1330 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1331 sta_auth_open(ni, wh, rssi, nf, seq, status); 1332 else { 1333 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1334 wh, "auth", "unsupported alg %d", algo); 1335 vap->iv_stats.is_rx_auth_unsupported++; 1336 return; 1337 } 1338 break; 1339 } 1340 1341 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 1342 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 1343 uint16_t capinfo, associd; 1344 uint16_t status; 1345 1346 if (vap->iv_state != IEEE80211_S_ASSOC) { 1347 vap->iv_stats.is_rx_mgtdiscard++; 1348 return; 1349 } 1350 1351 /* 1352 * asresp frame format 1353 * [2] capability information 1354 * [2] status 1355 * [2] association ID 1356 * [tlv] supported rates 1357 * [tlv] extended supported rates 1358 * [tlv] WME 1359 * [tlv] HT capabilities 1360 * [tlv] HT info 1361 */ 1362 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1363 ni = vap->iv_bss; 1364 capinfo = le16toh(*(uint16_t *)frm); 1365 frm += 2; 1366 status = le16toh(*(uint16_t *)frm); 1367 frm += 2; 1368 if (status != 0) { 1369 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC, 1370 wh->i_addr2, "%sassoc failed (reason %d)", 1371 ISREASSOC(subtype) ? "re" : "", status); 1372 vap->iv_stats.is_rx_auth_fail++; /* XXX */ 1373 return; 1374 } 1375 associd = le16toh(*(uint16_t *)frm); 1376 frm += 2; 1377 1378 rates = xrates = wme = htcap = htinfo = NULL; 1379 while (efrm - frm > 1) { 1380 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1381 switch (*frm) { 1382 case IEEE80211_ELEMID_RATES: 1383 rates = frm; 1384 break; 1385 case IEEE80211_ELEMID_XRATES: 1386 xrates = frm; 1387 break; 1388 case IEEE80211_ELEMID_HTCAP: 1389 htcap = frm; 1390 break; 1391 case IEEE80211_ELEMID_HTINFO: 1392 htinfo = frm; 1393 break; 1394 case IEEE80211_ELEMID_VENDOR: 1395 if (iswmeoui(frm)) 1396 wme = frm; 1397 else if (vap->iv_flags_ext & IEEE80211_FEXT_HTCOMPAT) { 1398 /* 1399 * Accept pre-draft HT ie's if the 1400 * standard ones have not been seen. 1401 */ 1402 if (ishtcapoui(frm)) { 1403 if (htcap == NULL) 1404 htcap = frm; 1405 } else if (ishtinfooui(frm)) { 1406 if (htinfo == NULL) 1407 htcap = frm; 1408 } 1409 } 1410 /* XXX Atheros OUI support */ 1411 break; 1412 } 1413 frm += frm[1] + 2; 1414 } 1415 1416 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1417 if (xrates != NULL) 1418 IEEE80211_VERIFY_ELEMENT(xrates, 1419 IEEE80211_RATE_MAXSIZE - rates[1], return); 1420 rate = ieee80211_setup_rates(ni, rates, xrates, 1421 IEEE80211_F_JOIN | 1422 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 1423 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1424 if (rate & IEEE80211_RATE_BASIC) { 1425 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC, 1426 wh->i_addr2, 1427 "%sassoc failed (rate set mismatch)", 1428 ISREASSOC(subtype) ? "re" : ""); 1429 vap->iv_stats.is_rx_assoc_norate++; 1430 ieee80211_new_state(vap, IEEE80211_S_SCAN, 1431 IEEE80211_SCAN_FAIL_STATUS); 1432 return; 1433 } 1434 1435 ni->ni_capinfo = capinfo; 1436 ni->ni_associd = associd; 1437 if (ni->ni_jointime == 0) 1438 ni->ni_jointime = time_uptime; 1439 if (wme != NULL && 1440 ieee80211_parse_wmeparams(vap, wme, wh) >= 0) { 1441 ni->ni_flags |= IEEE80211_NODE_QOS; 1442 ieee80211_wme_updateparams(vap); 1443 } else 1444 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1445 /* 1446 * Setup HT state according to the negotiation. 1447 * 1448 * NB: shouldn't need to check if HT use is enabled but some 1449 * ap's send back HT ie's even when we don't indicate we 1450 * are HT capable in our AssocReq. 1451 */ 1452 if (htcap != NULL && htinfo != NULL && 1453 (vap->iv_flags_ext & IEEE80211_FEXT_HT)) { 1454 ieee80211_ht_node_init(ni); 1455 ieee80211_ht_updateparams(ni, htcap, htinfo); 1456 ieee80211_setup_htrates(ni, htcap, 1457 IEEE80211_F_JOIN | IEEE80211_F_DOBRS); 1458 ieee80211_setup_basic_htrates(ni, htinfo); 1459 } else { 1460#ifdef IEEE80211_SUPPORT_SUPERG 1461 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_ATH)) 1462 ieee80211_ff_node_init(ni); 1463#endif 1464 } 1465 /* 1466 * Configure state now that we are associated. 1467 * 1468 * XXX may need different/additional driver callbacks? 1469 */ 1470 if (IEEE80211_IS_CHAN_A(ic->ic_curchan) || 1471 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { 1472 ic->ic_flags |= IEEE80211_F_SHPREAMBLE; 1473 ic->ic_flags &= ~IEEE80211_F_USEBARKER; 1474 } else { 1475 ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE; 1476 ic->ic_flags |= IEEE80211_F_USEBARKER; 1477 } 1478 ieee80211_set_shortslottime(ic, 1479 IEEE80211_IS_CHAN_A(ic->ic_curchan) || 1480 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1481 /* 1482 * Honor ERP protection. 1483 * 1484 * NB: ni_erp should zero for non-11g operation. 1485 */ 1486 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1487 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 1488 ic->ic_flags |= IEEE80211_F_USEPROT; 1489 else 1490 ic->ic_flags &= ~IEEE80211_F_USEPROT; 1491 IEEE80211_NOTE_MAC(vap, 1492 IEEE80211_MSG_ASSOC | IEEE80211_MSG_DEBUG, wh->i_addr2, 1493 "%sassoc success at aid %d: %s preamble, %s slot time%s%s%s%s%s%s%s%s", 1494 ISREASSOC(subtype) ? "re" : "", 1495 IEEE80211_NODE_AID(ni), 1496 ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 1497 ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long", 1498 ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "", 1499 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "", 1500 ni->ni_flags & IEEE80211_NODE_HT ? 1501 (ni->ni_chw == 40 ? ", HT40" : ", HT20") : "", 1502 ni->ni_flags & IEEE80211_NODE_AMPDU ? " (+AMPDU)" : "", 1503 ni->ni_flags & IEEE80211_NODE_MIMO_RTS ? " (+SMPS-DYN)" : 1504 ni->ni_flags & IEEE80211_NODE_MIMO_PS ? " (+SMPS)" : "", 1505 ni->ni_flags & IEEE80211_NODE_RIFS ? " (+RIFS)" : "", 1506 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) ? 1507 ", fast-frames" : "", 1508 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_TURBOP) ? 1509 ", turbo" : "" 1510 ); 1511 ieee80211_new_state(vap, IEEE80211_S_RUN, subtype); 1512 break; 1513 } 1514 1515 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 1516 uint16_t reason; 1517 1518 if (vap->iv_state == IEEE80211_S_SCAN) { 1519 vap->iv_stats.is_rx_mgtdiscard++; 1520 return; 1521 } 1522 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 1523 /* NB: can happen when in promiscuous mode */ 1524 vap->iv_stats.is_rx_mgtdiscard++; 1525 break; 1526 } 1527 1528 /* 1529 * deauth frame format 1530 * [2] reason 1531 */ 1532 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 1533 reason = le16toh(*(uint16_t *)frm); 1534 1535 vap->iv_stats.is_rx_deauth++; 1536 vap->iv_stats.is_rx_deauth_code = reason; 1537 IEEE80211_NODE_STAT(ni, rx_deauth); 1538 1539 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 1540 "recv deauthenticate (reason %d)", reason); 1541 ieee80211_new_state(vap, IEEE80211_S_AUTH, 1542 (reason << 8) | IEEE80211_FC0_SUBTYPE_DEAUTH); 1543 break; 1544 } 1545 1546 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 1547 uint16_t reason; 1548 1549 if (vap->iv_state != IEEE80211_S_RUN && 1550 vap->iv_state != IEEE80211_S_ASSOC && 1551 vap->iv_state != IEEE80211_S_AUTH) { 1552 vap->iv_stats.is_rx_mgtdiscard++; 1553 return; 1554 } 1555 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 1556 /* NB: can happen when in promiscuous mode */ 1557 vap->iv_stats.is_rx_mgtdiscard++; 1558 break; 1559 } 1560 1561 /* 1562 * disassoc frame format 1563 * [2] reason 1564 */ 1565 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 1566 reason = le16toh(*(uint16_t *)frm); 1567 1568 vap->iv_stats.is_rx_disassoc++; 1569 vap->iv_stats.is_rx_disassoc_code = reason; 1570 IEEE80211_NODE_STAT(ni, rx_disassoc); 1571 1572 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 1573 "recv disassociate (reason %d)", reason); 1574 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0); 1575 break; 1576 } 1577 1578 case IEEE80211_FC0_SUBTYPE_ACTION: 1579 if (vap->iv_state == IEEE80211_S_RUN) { 1580 if (ieee80211_parse_action(ni, m0) == 0) 1581 ic->ic_recv_action(ni, frm, efrm); 1582 } else 1583 vap->iv_stats.is_rx_mgtdiscard++; 1584 break; 1585 1586 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1587 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1588 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 1589 vap->iv_stats.is_rx_mgtdiscard++; 1590 return; 1591 default: 1592 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1593 wh, "mgt", "subtype 0x%x not handled", subtype); 1594 vap->iv_stats.is_rx_badsubtype++; 1595 break; 1596 } 1597#undef ISREASSOC 1598#undef ISPROBE 1599} 1600 1601static void 1602sta_recv_ctl(struct ieee80211_node *ni, struct mbuf *m0, int subtype) 1603{ 1604} 1605