search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
nvmecontrol devlist: Annotate connected Fabrics hosts
[freebsd/src.git] / sys / net80211 / ieee80211_sta.c
blob9e4e1013fd2f8d483e158e4a12be3b840aa01a02
1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28 /*
29 * IEEE 802.11 Station mode support.
30 */
31 #include "opt_inet.h"
32 #include "opt_wlan.h"
33
34 #include <sys/param.h>
35 #include <sys/systm.h>
36 #include <sys/mbuf.h>
37 #include <sys/malloc.h>
38 #include <sys/kernel.h>
39
40 #include <sys/socket.h>
41 #include <sys/sockio.h>
42 #include <sys/endian.h>
43 #include <sys/errno.h>
44 #include <sys/proc.h>
45 #include <sys/sysctl.h>
46
47 #include <net/if.h>
48 #include <net/if_media.h>
49 #include <net/if_llc.h>
50 #include <net/if_dl.h>
51 #include <net/if_var.h>
52 #include <net/if_private.h>
53 #include <net/ethernet.h>
54
55 #include <net/bpf.h>
56
57 #include <net80211/ieee80211_var.h>
58 #include <net80211/ieee80211_sta.h>
59 #include <net80211/ieee80211_input.h>
60 #ifdef IEEE80211_SUPPORT_SUPERG
61 #include <net80211/ieee80211_superg.h>
62 #endif
63 #include <net80211/ieee80211_ratectl.h>
64 #include <net80211/ieee80211_sta.h>
65 #include <net80211/ieee80211_vht.h>
66
67 #define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2)
68
69 static void sta_vattach(struct ieee80211vap *);
70 static void sta_beacon_miss(struct ieee80211vap *);
71 static int sta_newstate(struct ieee80211vap *, enum ieee80211_state, int);
72 static int sta_input(struct ieee80211_node *, struct mbuf *,
73 const struct ieee80211_rx_stats *, int, int);
74 static void sta_recv_mgmt(struct ieee80211_node *, struct mbuf *,
75 int subtype, const struct ieee80211_rx_stats *, int rssi, int nf);
76 static void sta_recv_ctl(struct ieee80211_node *, struct mbuf *, int subtype);
77
78 void
79 ieee80211_sta_attach(struct ieee80211com *ic)
80 {
81 ic->ic_vattach[IEEE80211_M_STA] = sta_vattach;
82 }
83
84 void
85 ieee80211_sta_detach(struct ieee80211com *ic)
86 {
87 }
88
89 static void
90 sta_vdetach(struct ieee80211vap *vap)
91 {
92 }
93
94 static void
95 sta_vattach(struct ieee80211vap *vap)
96 {
97 vap->iv_newstate = sta_newstate;
98 vap->iv_input = sta_input;
99 vap->iv_recv_mgmt = sta_recv_mgmt;
100 vap->iv_recv_ctl = sta_recv_ctl;
101 vap->iv_opdetach = sta_vdetach;
102 vap->iv_bmiss = sta_beacon_miss;
103 }
104
105 /*
106 * Handle a beacon miss event. The common code filters out
107 * spurious events that can happen when scanning and/or before
108 * reaching RUN state.
109 */
110 static void
111 sta_beacon_miss(struct ieee80211vap *vap)
112 {
113 struct ieee80211com *ic = vap->iv_ic;
114
115 IEEE80211_LOCK_ASSERT(ic);
116
117 KASSERT((ic->ic_flags & IEEE80211_F_SCAN) == 0, ("scanning"));
118 KASSERT(vap->iv_state >= IEEE80211_S_RUN,
119 ("wrong state %s", ieee80211_state_name[vap->iv_state]));
120
121 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG,
122 "beacon miss, mode %s state %s\n",
123 ieee80211_opmode_name[vap->iv_opmode],
124 ieee80211_state_name[vap->iv_state]);
125
126 if (vap->iv_state == IEEE80211_S_CSA) {
127 /*
128 * A Channel Switch is pending; assume we missed the
129 * beacon that would've completed the process and just
130 * force the switch. If we made a mistake we'll not
131 * find the AP on the new channel and fall back to a
132 * normal scan.
133 */
134 ieee80211_csa_completeswitch(ic);
135 return;
136 }
137 if (++vap->iv_bmiss_count < vap->iv_bmiss_max) {
138 /*
139 * Send a directed probe req before falling back to a
140 * scan; if we receive a response ic_bmiss_count will
141 * be reset. Some cards mistakenly report beacon miss
142 * so this avoids the expensive scan if the ap is
143 * still there.
144 */
145 ieee80211_send_probereq(vap->iv_bss, vap->iv_myaddr,
146 vap->iv_bss->ni_bssid, vap->iv_bss->ni_bssid,
147 vap->iv_bss->ni_essid, vap->iv_bss->ni_esslen);
148 return;
149 }
150
151 callout_stop(&vap->iv_swbmiss);
152 vap->iv_bmiss_count = 0;
153 vap->iv_stats.is_beacon_miss++;
154 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
155 #ifdef IEEE80211_SUPPORT_SUPERG
156
157 /*
158 * If we receive a beacon miss interrupt when using
159 * dynamic turbo, attempt to switch modes before
160 * reassociating.
161 */
162 if (IEEE80211_ATH_CAP(vap, vap->iv_bss, IEEE80211_NODE_TURBOP))
163 ieee80211_dturbo_switch(vap,
164 ic->ic_bsschan->ic_flags ^ IEEE80211_CHAN_TURBO);
165 #endif
166 /*
167 * Try to reassociate before scanning for a new ap.
168 */
169 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 1);
170 } else {
171 /*
172 * Somebody else is controlling state changes (e.g.
173 * a user-mode app) don't do anything that would
174 * confuse them; just drop into scan mode so they'll
175 * notified of the state change and given control.
176 */
177 ieee80211_new_state(vap, IEEE80211_S_SCAN, 0);
178 }
179 }
180
181 /*
182 * Handle deauth with reason. We retry only for
183 * the cases where we might succeed. Otherwise
184 * we downgrade the ap and scan.
185 */
186 static void
187 sta_authretry(struct ieee80211vap *vap, struct ieee80211_node *ni, int reason)
188 {
189 switch (reason) {
190 case IEEE80211_STATUS_SUCCESS: /* NB: MLME assoc */
191 case IEEE80211_STATUS_TIMEOUT:
192 case IEEE80211_REASON_ASSOC_EXPIRE:
193 case IEEE80211_REASON_NOT_AUTHED:
194 case IEEE80211_REASON_NOT_ASSOCED:
195 case IEEE80211_REASON_ASSOC_LEAVE:
196 case IEEE80211_REASON_ASSOC_NOT_AUTHED:
197 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, 1);
198 break;
199 default:
200 ieee80211_scan_assoc_fail(vap, vap->iv_bss->ni_macaddr, reason);
201 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
202 ieee80211_check_scan_current(vap);
203 break;
204 }
205 }
206
207 static void
208 sta_swbmiss_start(struct ieee80211vap *vap)
209 {
210
211 if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS) {
212 /*
213 * Start s/w beacon miss timer for devices w/o
214 * hardware support. We fudge a bit here since
215 * we're doing this in software.
216 */
217 vap->iv_swbmiss_period = IEEE80211_TU_TO_TICKS(
218 2 * vap->iv_bmissthreshold * vap->iv_bss->ni_intval);
219 vap->iv_swbmiss_count = 0;
220 callout_reset(&vap->iv_swbmiss, vap->iv_swbmiss_period,
221 ieee80211_swbmiss, vap);
222 }
223 }
224
225 /*
226 * IEEE80211_M_STA vap state machine handler.
227 * This routine handles the main states in the 802.11 protocol.
228 */
229 static int
230 sta_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
231 {
232 struct ieee80211com *ic = vap->iv_ic;
233 struct ieee80211_node *ni;
234 enum ieee80211_state ostate;
235
236 IEEE80211_LOCK_ASSERT(ic);
237
238 ostate = vap->iv_state;
239 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
240 __func__, ieee80211_state_name[ostate],
241 ieee80211_state_name[nstate], arg);
242 vap->iv_state = nstate; /* state transition */
243 callout_stop(&vap->iv_mgtsend); /* XXX callout_drain */
244 if (ostate != IEEE80211_S_SCAN)
245 ieee80211_cancel_scan(vap); /* background scan */
246 ni = vap->iv_bss; /* NB: no reference held */
247 if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS)
248 callout_stop(&vap->iv_swbmiss);
249 switch (nstate) {
250 case IEEE80211_S_INIT:
251 switch (ostate) {
252 case IEEE80211_S_SLEEP:
253 /* XXX wakeup */
254 /* XXX driver hook to wakeup the hardware? */
255 case IEEE80211_S_RUN:
256 IEEE80211_SEND_MGMT(ni,
257 IEEE80211_FC0_SUBTYPE_DISASSOC,
258 IEEE80211_REASON_ASSOC_LEAVE);
259 ieee80211_sta_leave(ni);
260 break;
261 case IEEE80211_S_ASSOC:
262 IEEE80211_SEND_MGMT(ni,
263 IEEE80211_FC0_SUBTYPE_DEAUTH,
264 IEEE80211_REASON_AUTH_LEAVE);
265 break;
266 case IEEE80211_S_SCAN:
267 ieee80211_cancel_scan(vap);
268 break;
269 default:
270 break;
271 }
272 if (ostate != IEEE80211_S_INIT) {
273 /* NB: optimize INIT -> INIT case */
274 ieee80211_reset_bss(vap);
275 }
276 if (vap->iv_auth->ia_detach != NULL)
277 vap->iv_auth->ia_detach(vap);
278 break;
279 case IEEE80211_S_SCAN:
280 switch (ostate) {
281 case IEEE80211_S_INIT:
282 /*
283 * Initiate a scan. We can come here as a result
284 * of an IEEE80211_IOC_SCAN_REQ too in which case
285 * the vap will be marked with IEEE80211_FEXT_SCANREQ
286 * and the scan request parameters will be present
287 * in iv_scanreq. Otherwise we do the default.
288 */
289 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
290 ieee80211_check_scan(vap,
291 vap->iv_scanreq_flags,
292 vap->iv_scanreq_duration,
293 vap->iv_scanreq_mindwell,
294 vap->iv_scanreq_maxdwell,
295 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
296 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
297 } else
298 ieee80211_check_scan_current(vap);
299 break;
300 case IEEE80211_S_SCAN:
301 case IEEE80211_S_AUTH:
302 case IEEE80211_S_ASSOC:
303 /*
304 * These can happen either because of a timeout
305 * on an assoc/auth response or because of a
306 * change in state that requires a reset. For
307 * the former we're called with a non-zero arg
308 * that is the cause for the failure; pass this
309 * to the scan code so it can update state.
310 * Otherwise trigger a new scan unless we're in
311 * manual roaming mode in which case an application
312 * must issue an explicit scan request.
313 */
314 if (arg != 0)
315 ieee80211_scan_assoc_fail(vap,
316 vap->iv_bss->ni_macaddr, arg);
317 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
318 ieee80211_check_scan_current(vap);
319 break;
320 case IEEE80211_S_SLEEP: /* beacon miss */
321 /*
322 * XXX if in sleep we need to wakeup the hardware.
323 */
324 /* FALLTHROUGH */
325 case IEEE80211_S_RUN: /* beacon miss */
326 /*
327 * Beacon miss. Notify user space and if not
328 * under control of a user application (roaming
329 * manual) kick off a scan to re-connect.
330 */
331
332 ieee80211_sta_leave(ni);
333 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO)
334 ieee80211_check_scan_current(vap);
335 break;
336 default:
337 goto invalid;
338 }
339 break;
340 case IEEE80211_S_AUTH:
341 switch (ostate) {
342 case IEEE80211_S_INIT:
343 case IEEE80211_S_SCAN:
344 IEEE80211_SEND_MGMT(ni,
345 IEEE80211_FC0_SUBTYPE_AUTH, 1);
346 break;
347 case IEEE80211_S_AUTH:
348 case IEEE80211_S_ASSOC:
349 switch (arg & 0xff) {
350 case IEEE80211_FC0_SUBTYPE_AUTH:
351 /* ??? */
352 IEEE80211_SEND_MGMT(ni,
353 IEEE80211_FC0_SUBTYPE_AUTH, 2);
354 break;
355 case IEEE80211_FC0_SUBTYPE_DEAUTH:
356 sta_authretry(vap, ni, arg>>8);
357 break;
358 }
359 break;
360 case IEEE80211_S_SLEEP:
361 case IEEE80211_S_RUN:
362 switch (arg & 0xff) {
363 case IEEE80211_FC0_SUBTYPE_AUTH:
364 IEEE80211_SEND_MGMT(ni,
365 IEEE80211_FC0_SUBTYPE_AUTH, 2);
366 vap->iv_state = IEEE80211_S_RUN; /* stay RUN */
367 break;
368 case IEEE80211_FC0_SUBTYPE_DEAUTH:
369 ieee80211_sta_leave(ni);
370 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
371 /* try to reauth */
372 IEEE80211_SEND_MGMT(ni,
373 IEEE80211_FC0_SUBTYPE_AUTH, 1);
374 }
375 break;
376 }
377 break;
378 default:
379 goto invalid;
380 }
381 break;
382 case IEEE80211_S_ASSOC:
383 switch (ostate) {
384 case IEEE80211_S_AUTH:
385 case IEEE80211_S_ASSOC:
386 IEEE80211_SEND_MGMT(ni,
387 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
388 break;
389 case IEEE80211_S_SLEEP: /* cannot happen */
390 case IEEE80211_S_RUN:
391 ieee80211_sta_leave(ni);
392 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) {
393 IEEE80211_SEND_MGMT(ni, arg ?
394 IEEE80211_FC0_SUBTYPE_REASSOC_REQ :
395 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
396 }
397 break;
398 default:
399 goto invalid;
400 }
401 break;
402 case IEEE80211_S_RUN:
403 if (vap->iv_flags & IEEE80211_F_WPA) {
404 /* XXX validate prerequisites */
405 }
406 switch (ostate) {
407 case IEEE80211_S_RUN:
408 case IEEE80211_S_CSA:
409 break;
410 case IEEE80211_S_AUTH: /* when join is done in fw */
411 case IEEE80211_S_ASSOC:
412 #ifdef IEEE80211_DEBUG
413 if (ieee80211_msg_debug(vap)) {
414 ieee80211_note(vap, "%s with %s ssid ",
415 (vap->iv_opmode == IEEE80211_M_STA ?
416 "associated" : "synchronized"),
417 ether_sprintf(ni->ni_bssid));
418 ieee80211_print_essid(vap->iv_bss->ni_essid,
419 ni->ni_esslen);
420 /* XXX MCS/HT */
421 printf(" channel %d start %uMb\n",
422 ieee80211_chan2ieee(ic, ic->ic_curchan),
423 IEEE80211_RATE2MBS(ni->ni_txrate));
424 }
425 #endif
426 ieee80211_scan_assoc_success(vap, ni->ni_macaddr);
427 ieee80211_notify_node_join(ni,
428 arg == IEEE80211_FC0_SUBTYPE_ASSOC_RESP);
429 break;
430 case IEEE80211_S_SLEEP:
431 /* Wake up from sleep */
432 vap->iv_sta_ps(vap, 0);
433 break;
434 default:
435 goto invalid;
436 }
437 ieee80211_sync_curchan(ic);
438 if (ostate != IEEE80211_S_RUN)
439 sta_swbmiss_start(vap);
440 /*
441 * When 802.1x is not in use mark the port authorized
442 * at this point so traffic can flow.
443 */
444 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
445 ieee80211_node_authorize(ni);
446 /*
447 * Fake association when joining an existing bss.
448 *
449 * Don't do this if we're doing SLEEP->RUN.
450 */
451 if (ic->ic_newassoc != NULL && ostate != IEEE80211_S_SLEEP)
452 ic->ic_newassoc(vap->iv_bss, (ostate != IEEE80211_S_RUN));
453 break;
454 case IEEE80211_S_CSA:
455 if (ostate != IEEE80211_S_RUN)
456 goto invalid;
457 break;
458 case IEEE80211_S_SLEEP:
459 sta_swbmiss_start(vap);
460 vap->iv_sta_ps(vap, 1);
461 break;
462 default:
463 invalid:
464 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
465 "%s: unexpected state transition %s -> %s\n", __func__,
466 ieee80211_state_name[ostate], ieee80211_state_name[nstate]);
467 break;
468 }
469 return 0;
470 }
471
472 /*
473 * Return non-zero if the frame is an echo of a multicast
474 * frame sent by ourself. The dir is known to be DSTODS.
475 */
476 static __inline int
477 isdstods_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
478 {
479 #define QWH4(wh) ((const struct ieee80211_qosframe_addr4 *)wh)
480 #define WH4(wh) ((const struct ieee80211_frame_addr4 *)wh)
481 const uint8_t *sa;
482
483 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
484
485 if (!IEEE80211_IS_MULTICAST(wh->i_addr3))
486 return 0;
487 sa = IEEE80211_QOS_HAS_SEQ(wh) ? QWH4(wh)->i_addr4 : WH4(wh)->i_addr4;
488 return IEEE80211_ADDR_EQ(sa, vap->iv_myaddr);
489 #undef WH4
490 #undef QWH4
491 }
492
493 /*
494 * Return non-zero if the frame is an echo of a multicast
495 * frame sent by ourself. The dir is known to be FROMDS.
496 */
497 static __inline int
498 isfromds_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh)
499 {
500 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode"));
501
502 if (!IEEE80211_IS_MULTICAST(wh->i_addr1))
503 return 0;
504 return IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_myaddr);
505 }
506
507 /*
508 * Decide if a received management frame should be
509 * printed when debugging is enabled. This filters some
510 * of the less interesting frames that come frequently
511 * (e.g. beacons).
512 */
513 static __inline int
514 doprint(struct ieee80211vap *vap, int subtype)
515 {
516 switch (subtype) {
517 case IEEE80211_FC0_SUBTYPE_BEACON:
518 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
519 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
520 return 0;
521 }
522 return 1;
523 }
524
525 /*
526 * Process a received frame. The node associated with the sender
527 * should be supplied. If nothing was found in the node table then
528 * the caller is assumed to supply a reference to iv_bss instead.
529 * The RSSI and a timestamp are also supplied. The RSSI data is used
530 * during AP scanning to select a AP to associate with; it can have
531 * any units so long as values have consistent units and higher values
532 * mean ``better signal''. The receive timestamp is currently not used
533 * by the 802.11 layer.
534 */
535 static int
536 sta_input(struct ieee80211_node *ni, struct mbuf *m,
537 const struct ieee80211_rx_stats *rxs, int rssi, int nf)
538 {
539 struct ieee80211vap *vap = ni->ni_vap;
540 struct ieee80211com *ic = ni->ni_ic;
541 struct ifnet *ifp = vap->iv_ifp;
542 struct ieee80211_frame *wh;
543 struct ieee80211_key *key;
544 struct ether_header *eh;
545 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */
546 uint8_t dir, type, subtype, qos;
547 uint8_t *bssid;
548 int is_hw_decrypted = 0;
549 int has_decrypted = 0;
550
551 KASSERT(ni != NULL, ("%s: null node, mbuf %p", __func__, m));
552
553 /* Early init in case of early error case. */
554 type = -1;
555
556 /*
557 * Bit of a cheat here, we use a pointer for a 3-address
558 * frame format but don't reference fields past outside
559 * ieee80211_frame_min (or other shorter frames) w/o first
560 * validating the data is present.
561 */
562 wh = mtod(m, struct ieee80211_frame *);
563
564 if (m->m_pkthdr.len < 2 || m->m_pkthdr.len < ieee80211_anyhdrsize(wh)) {
565 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
566 ni->ni_macaddr, NULL,
567 "too short (1): len %u", m->m_pkthdr.len);
568 vap->iv_stats.is_rx_tooshort++;
569 goto err;
570 }
571 if (!IEEE80211_IS_FC0_CHECK_VER(wh, IEEE80211_FC0_VERSION_0)) {
572 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
573 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
574 wh->i_fc[0], wh->i_fc[1]);
575 vap->iv_stats.is_rx_badversion++;
576 goto err;
577 }
578
579 /*
580 * Some devices do hardware decryption all the way through
581 * to pretending the frame wasn't encrypted in the first place.
582 * So, tag it appropriately so it isn't discarded inappropriately.
583 */
584 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED))
585 is_hw_decrypted = 1;
586
587 if (m->m_flags & M_AMPDU_MPDU) {
588 /*
589 * Fastpath for A-MPDU reorder q resubmission. Frames
590 * w/ M_AMPDU_MPDU marked have already passed through
591 * here but were received out of order and been held on
592 * the reorder queue. When resubmitted they are marked
593 * with the M_AMPDU_MPDU flag and we can bypass most of
594 * the normal processing.
595 */
596 type = IEEE80211_FC0_TYPE_DATA;
597 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
598 subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA;
599 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */
600 goto resubmit_ampdu;
601 }
602
603 ni->ni_inact = ni->ni_inact_reload;
604
605 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
606 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
607 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
608 /*
609 * Control frames are not folowing the header scheme of data and mgmt
610 * frames so we do not apply extra checks here.
611 * We probably should do checks on RA (+TA) where available for those
612 * too, but for now do not drop them.
613 */
614 if (type != IEEE80211_FC0_TYPE_CTL &&
615 (ic->ic_flags & IEEE80211_F_SCAN) == 0) {
616 bssid = wh->i_addr2;
617 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
618 /* not interested in */
619 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
620 bssid, NULL, "%s", "not to bss");
621 vap->iv_stats.is_rx_wrongbss++;
622 goto out;
623 }
624
625 /*
626 * Some devices may be in a promiscuous mode
627 * where they receive frames for multiple station
628 * addresses.
629 *
630 * If we receive a data frame that isn't
631 * destined to our VAP MAC, drop it.
632 *
633 * XXX TODO: This is only enforced when not scanning;
634 * XXX it assumes a software-driven scan will put the NIC
635 * XXX into a "no data frames" mode before setting this
636 * XXX flag. Otherwise it may be possible that we'll still
637 * XXX process data frames whilst scanning.
638 */
639 if ((! IEEE80211_IS_MULTICAST(wh->i_addr1))
640 && (! IEEE80211_ADDR_EQ(wh->i_addr1, IF_LLADDR(ifp)))) {
641 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
642 bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D",
643 IF_LLADDR(ifp), ":", wh->i_addr1, ":");
644 vap->iv_stats.is_rx_wrongbss++;
645 goto out;
646 }
647
648 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
649 ni->ni_noise = nf;
650 if ( IEEE80211_HAS_SEQ(type, subtype) &&
651 !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
652 uint8_t tid = ieee80211_gettid(wh);
653 if (IEEE80211_QOS_HAS_SEQ(wh) &&
654 TID_TO_WME_AC(tid) >= WME_AC_VI)
655 ic->ic_wme.wme_hipri_traffic++;
656 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs))
657 goto out;
658 }
659 }
660
661 switch (type) {
662 case IEEE80211_FC0_TYPE_DATA:
663 hdrspace = ieee80211_hdrspace(ic, wh);
664 if (m->m_len < hdrspace &&
665 (m = m_pullup(m, hdrspace)) == NULL) {
666 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
667 ni->ni_macaddr, NULL,
668 "data too short: expecting %u", hdrspace);
669 vap->iv_stats.is_rx_tooshort++;
670 goto out; /* XXX */
671 }
672 /*
673 * Handle A-MPDU re-ordering. If the frame is to be
674 * processed directly then ieee80211_ampdu_reorder
675 * will return 0; otherwise it has consumed the mbuf
676 * and we should do nothing more with it.
677 */
678 if ((m->m_flags & M_AMPDU) &&
679 (dir == IEEE80211_FC1_DIR_FROMDS ||
680 dir == IEEE80211_FC1_DIR_DSTODS) &&
681 ieee80211_ampdu_reorder(ni, m, rxs) != 0) {
682 m = NULL;
683 goto out;
684 }
685 resubmit_ampdu:
686 if (dir == IEEE80211_FC1_DIR_FROMDS) {
687 if ((ifp->if_flags & IFF_SIMPLEX) &&
688 isfromds_mcastecho(vap, wh)) {
689 /*
690 * In IEEE802.11 network, multicast
691 * packets sent from "me" are broadcast
692 * from the AP; silently discard for
693 * SIMPLEX interface.
694 */
695 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
696 wh, "data", "%s", "multicast echo");
697 vap->iv_stats.is_rx_mcastecho++;
698 goto out;
699 }
700 if ((vap->iv_flags & IEEE80211_F_DWDS) &&
701 IEEE80211_IS_MULTICAST(wh->i_addr1)) {
702 /*
703 * DWDS sta's must drop 3-address mcast frames
704 * as they will be sent separately as a 4-addr
705 * frame. Accepting the 3-addr frame will
706 * confuse the bridge into thinking the sending
707 * sta is located at the end of WDS link.
708 */
709 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
710 "3-address data", "%s", "DWDS enabled");
711 vap->iv_stats.is_rx_mcastecho++;
712 goto out;
713 }
714 } else if (dir == IEEE80211_FC1_DIR_DSTODS) {
715 if ((vap->iv_flags & IEEE80211_F_DWDS) == 0) {
716 IEEE80211_DISCARD(vap,
717 IEEE80211_MSG_INPUT, wh, "4-address data",
718 "%s", "DWDS not enabled");
719 vap->iv_stats.is_rx_wrongdir++;
720 goto out;
721 }
722 if ((ifp->if_flags & IFF_SIMPLEX) &&
723 isdstods_mcastecho(vap, wh)) {
724 /*
725 * In IEEE802.11 network, multicast
726 * packets sent from "me" are broadcast
727 * from the AP; silently discard for
728 * SIMPLEX interface.
729 */
730 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
731 "4-address data", "%s", "multicast echo");
732 vap->iv_stats.is_rx_mcastecho++;
733 goto out;
734 }
735 } else {
736 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh,
737 "data", "incorrect dir 0x%x", dir);
738 vap->iv_stats.is_rx_wrongdir++;
739 goto out;
740 }
741
742 /*
743 * Handle privacy requirements for hardware decryption
744 * devices.
745 *
746 * For those devices, a handful of things happen.
747 *
748 * + If IV has been stripped, then we can't run
749 * ieee80211_crypto_decap() - none of the key
750 * + If MIC has been stripped, we can't validate
751 * MIC here.
752 * + If MIC fails, then we need to communicate a
753 * MIC failure up to the stack - but we don't know
754 * which key was used.
755 */
756
757 /*
758 * Handle privacy requirements. Note that we
759 * must not be preempted from here until after
760 * we (potentially) call ieee80211_crypto_demic;
761 * otherwise we may violate assumptions in the
762 * crypto cipher modules used to do delayed update
763 * of replay sequence numbers.
764 */
765 if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) {
766 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
767 /*
768 * Discard encrypted frames when privacy is off.
769 */
770 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
771 wh, "WEP", "%s", "PRIVACY off");
772 vap->iv_stats.is_rx_noprivacy++;
773 IEEE80211_NODE_STAT(ni, rx_noprivacy);
774 goto out;
775 }
776 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
777 /* NB: stats+msgs handled in crypto_decap */
778 IEEE80211_NODE_STAT(ni, rx_wepfail);
779 goto out;
780 }
781 wh = mtod(m, struct ieee80211_frame *);
782 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
783 has_decrypted = 1;
784 } else {
785 /* XXX M_WEP and IEEE80211_F_PRIVACY */
786 key = NULL;
787 }
788
789 /*
790 * Save QoS bits for use below--before we strip the header.
791 */
792 if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA)
793 qos = ieee80211_getqos(wh)[0];
794 else
795 qos = 0;
796
797 /*
798 * Next up, any fragmentation.
799 */
800 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
801 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted);
802 if (m == NULL) {
803 /* Fragment dropped or frame not complete yet */
804 goto out;
805 }
806 }
807 wh = NULL; /* no longer valid, catch any uses */
808
809 /*
810 * Next strip any MSDU crypto bits.
811 *
812 * Note: we can't do MIC stripping/verification if the
813 * upper layer has stripped it. We have to check MIC
814 * ourselves. So, key may be NULL, but we have to check
815 * the RX status.
816 */
817 if (!ieee80211_crypto_demic(vap, key, m, 0)) {
818 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
819 ni->ni_macaddr, "data", "%s", "demic error");
820 vap->iv_stats.is_rx_demicfail++;
821 IEEE80211_NODE_STAT(ni, rx_demicfail);
822 goto out;
823 }
824
825 /* copy to listener after decrypt */
826 if (ieee80211_radiotap_active_vap(vap))
827 ieee80211_radiotap_rx(vap, m);
828 need_tap = 0;
829
830 /*
831 * Finally, strip the 802.11 header.
832 */
833 m = ieee80211_decap(vap, m, hdrspace, qos);
834 if (m == NULL) {
835 /* XXX mask bit to check for both */
836 /* don't count Null data frames as errors */
837 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
838 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
839 goto out;
840 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
841 ni->ni_macaddr, "data", "%s", "decap error");
842 vap->iv_stats.is_rx_decap++;
843 IEEE80211_NODE_STAT(ni, rx_decap);
844 goto err;
845 }
846 if (!(qos & IEEE80211_QOS_AMSDU))
847 eh = mtod(m, struct ether_header *);
848 else
849 eh = NULL;
850 if (!ieee80211_node_is_authorized(ni)) {
851 /*
852 * Deny any non-PAE frames received prior to
853 * authorization. For open/shared-key
854 * authentication the port is mark authorized
855 * after authentication completes. For 802.1x
856 * the port is not marked authorized by the
857 * authenticator until the handshake has completed.
858 */
859 if (eh == NULL ||
860 eh->ether_type != htons(ETHERTYPE_PAE)) {
861 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
862 ni->ni_macaddr, "data", "unauthorized or "
863 "unknown port: ether type 0x%x len %u",
864 eh == NULL ? -1 : eh->ether_type,
865 m->m_pkthdr.len);
866 vap->iv_stats.is_rx_unauth++;
867 IEEE80211_NODE_STAT(ni, rx_unauth);
868 goto err;
869 }
870 } else {
871 /*
872 * When denying unencrypted frames, discard
873 * any non-PAE frames received without encryption.
874 */
875 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
876 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
877 (is_hw_decrypted == 0) &&
878 (eh == NULL ||
879 eh->ether_type != htons(ETHERTYPE_PAE))) {
880 /*
881 * Drop unencrypted frames.
882 */
883 vap->iv_stats.is_rx_unencrypted++;
884 IEEE80211_NODE_STAT(ni, rx_unencrypted);
885 goto out;
886 }
887 }
888 /* XXX require HT? */
889 if (qos & IEEE80211_QOS_AMSDU) {
890 m = ieee80211_decap_amsdu(ni, m);
891 if (m == NULL)
892 return IEEE80211_FC0_TYPE_DATA;
893 } else {
894 #ifdef IEEE80211_SUPPORT_SUPERG
895 m = ieee80211_decap_fastframe(vap, ni, m);
896 if (m == NULL)
897 return IEEE80211_FC0_TYPE_DATA;
898 #endif
899 }
900 ieee80211_deliver_data(vap, ni, m);
901 return IEEE80211_FC0_TYPE_DATA;
902
903 case IEEE80211_FC0_TYPE_MGT:
904 vap->iv_stats.is_rx_mgmt++;
905 IEEE80211_NODE_STAT(ni, rx_mgmt);
906 if (dir != IEEE80211_FC1_DIR_NODS) {
907 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
908 wh, "data", "incorrect dir 0x%x", dir);
909 vap->iv_stats.is_rx_wrongdir++;
910 goto err;
911 }
912 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
913 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
914 ni->ni_macaddr, "mgt", "too short: len %u",
915 m->m_pkthdr.len);
916 vap->iv_stats.is_rx_tooshort++;
917 goto out;
918 }
919 #ifdef IEEE80211_DEBUG
920 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
921 ieee80211_msg_dumppkts(vap)) {
922 if_printf(ifp, "received %s from %s rssi %d\n",
923 ieee80211_mgt_subtype_name(subtype),
924 ether_sprintf(wh->i_addr2), rssi);
925 }
926 #endif
927
928 /*
929 * Note: See above for hardware offload privacy requirements.
930 * It also applies here.
931 */
932
933 /*
934 * Again, having encrypted flag set check would be good, but
935 * then we have to also handle crypto_decap() like above.
936 */
937 if (IEEE80211_IS_PROTECTED(wh)) {
938 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
939 /*
940 * Only shared key auth frames with a challenge
941 * should be encrypted, discard all others.
942 */
943 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
944 wh, ieee80211_mgt_subtype_name(subtype),
945 "%s", "WEP set but not permitted");
946 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
947 goto out;
948 }
949 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
950 /*
951 * Discard encrypted frames when privacy is off.
952 */
953 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
954 wh, "mgt", "%s", "WEP set but PRIVACY off");
955 vap->iv_stats.is_rx_noprivacy++;
956 goto out;
957 }
958 hdrspace = ieee80211_hdrspace(ic, wh);
959
960 /*
961 * Again, if IV/MIC was stripped, then this whole
962 * setup will fail. That's going to need some poking.
963 */
964 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) {
965 /* NB: stats+msgs handled in crypto_decap */
966 goto out;
967 }
968 has_decrypted = 1;
969 wh = mtod(m, struct ieee80211_frame *);
970 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
971 }
972 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf);
973 goto out;
974
975 case IEEE80211_FC0_TYPE_CTL:
976 vap->iv_stats.is_rx_ctl++;
977 IEEE80211_NODE_STAT(ni, rx_ctrl);
978 vap->iv_recv_ctl(ni, m, subtype);
979 goto out;
980
981 default:
982 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
983 wh, NULL, "bad frame type 0x%x", type);
984 /* should not come here */
985 break;
986 }
987 err:
988 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
989 out:
990 if (m != NULL) {
991 if (need_tap && ieee80211_radiotap_active_vap(vap))
992 ieee80211_radiotap_rx(vap, m);
993 m_freem(m);
994 }
995 return type;
996 }
997
998 static void
999 sta_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
1000 int rssi, int nf, uint16_t seq, uint16_t status)
1001 {
1002 struct ieee80211vap *vap = ni->ni_vap;
1003
1004 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
1005 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1006 ni->ni_macaddr, "open auth",
1007 "bad sta auth mode %u", ni->ni_authmode);
1008 vap->iv_stats.is_rx_bad_auth++; /* XXX */
1009 return;
1010 }
1011 if (vap->iv_state != IEEE80211_S_AUTH ||
1012 seq != IEEE80211_AUTH_OPEN_RESPONSE) {
1013 vap->iv_stats.is_rx_bad_auth++;
1014 return;
1015 }
1016 if (status != 0) {
1017 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1018 ni, "open auth failed (reason %d)", status);
1019 vap->iv_stats.is_rx_auth_fail++;
1020 vap->iv_stats.is_rx_authfail_code = status;
1021 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1022 IEEE80211_SCAN_FAIL_STATUS);
1023 } else
1024 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1025 }
1026
1027 static void
1028 sta_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
1029 uint8_t *frm, uint8_t *efrm, int rssi, int nf,
1030 uint16_t seq, uint16_t status)
1031 {
1032 struct ieee80211vap *vap = ni->ni_vap;
1033 uint8_t *challenge;
1034
1035 /*
1036 * NB: this can happen as we allow pre-shared key
1037 * authentication to be enabled w/o wep being turned
1038 * on so that configuration of these can be done
1039 * in any order. It may be better to enforce the
1040 * ordering in which case this check would just be
1041 * for sanity/consistency.
1042 */
1043 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1044 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1045 ni->ni_macaddr, "shared key auth",
1046 "%s", " PRIVACY is disabled");
1047 goto bad;
1048 }
1049 /*
1050 * Pre-shared key authentication is evil; accept
1051 * it only if explicitly configured (it is supported
1052 * mainly for compatibility with clients like OS X).
1053 */
1054 if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1055 ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1056 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1057 ni->ni_macaddr, "shared key auth",
1058 "bad sta auth mode %u", ni->ni_authmode);
1059 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1060 goto bad;
1061 }
1062
1063 challenge = NULL;
1064 if (frm + 1 < efrm) {
1065 if ((frm[1] + 2) > (efrm - frm)) {
1066 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1067 ni->ni_macaddr, "shared key auth",
1068 "ie %d/%d too long",
1069 frm[0], (frm[1] + 2) - (efrm - frm));
1070 vap->iv_stats.is_rx_bad_auth++;
1071 goto bad;
1072 }
1073 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1074 challenge = frm;
1075 frm += frm[1] + 2;
1076 }
1077 switch (seq) {
1078 case IEEE80211_AUTH_SHARED_CHALLENGE:
1079 case IEEE80211_AUTH_SHARED_RESPONSE:
1080 if (challenge == NULL) {
1081 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1082 ni->ni_macaddr, "shared key auth",
1083 "%s", "no challenge");
1084 vap->iv_stats.is_rx_bad_auth++;
1085 goto bad;
1086 }
1087 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1088 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1089 ni->ni_macaddr, "shared key auth",
1090 "bad challenge len %d", challenge[1]);
1091 vap->iv_stats.is_rx_bad_auth++;
1092 goto bad;
1093 }
1094 default:
1095 break;
1096 }
1097 if (vap->iv_state != IEEE80211_S_AUTH)
1098 return;
1099 switch (seq) {
1100 case IEEE80211_AUTH_SHARED_PASS:
1101 if (ni->ni_challenge != NULL) {
1102 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
1103 ni->ni_challenge = NULL;
1104 }
1105 if (status != 0) {
1106 IEEE80211_NOTE_FRAME(vap,
1107 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, wh,
1108 "shared key auth failed (reason %d)", status);
1109 vap->iv_stats.is_rx_auth_fail++;
1110 vap->iv_stats.is_rx_authfail_code = status;
1111 return;
1112 }
1113 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
1114 break;
1115 case IEEE80211_AUTH_SHARED_CHALLENGE:
1116 if (!ieee80211_alloc_challenge(ni))
1117 return;
1118 /* XXX could optimize by passing recvd challenge */
1119 memcpy(ni->ni_challenge, &challenge[2], challenge[1]);
1120 IEEE80211_SEND_MGMT(ni,
1121 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1122 break;
1123 default:
1124 IEEE80211_DISCARD(vap, IEEE80211_MSG_AUTH,
1125 wh, "shared key auth", "bad seq %d", seq);
1126 vap->iv_stats.is_rx_bad_auth++;
1127 return;
1128 }
1129 return;
1130 bad:
1131 /*
1132 * Kick the state machine. This short-circuits
1133 * using the mgt frame timeout to trigger the
1134 * state transition.
1135 */
1136 if (vap->iv_state == IEEE80211_S_AUTH)
1137 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1138 IEEE80211_SCAN_FAIL_STATUS);
1139 }
1140
1141 /*
1142 * Parse the WME IE for QoS and U-APSD information.
1143 *
1144 * Returns -1 if the IE isn't found, 1 if it's found.
1145 */
1146 int
1147 ieee80211_parse_wmeie(uint8_t *frm, const struct ieee80211_frame *wh,
1148 struct ieee80211_node *ni)
1149 {
1150 u_int len = frm[1];
1151
1152 ni->ni_uapsd = 0;
1153
1154 if (len < sizeof(struct ieee80211_wme_param)-2) {
1155 IEEE80211_DISCARD_IE(ni->ni_vap,
1156 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1157 wh, "WME", "too short, len %u", len);
1158 return -1;
1159 }
1160
1161 ni->ni_uapsd = frm[WME_CAPINFO_IE_OFFSET];
1162
1163 IEEE80211_NOTE(ni->ni_vap, IEEE80211_MSG_POWER | IEEE80211_MSG_ASSOC,
1164 ni, "U-APSD settings from STA: 0x%02x", ni->ni_uapsd);
1165
1166 return 1;
1167 }
1168
1169 int
1170 ieee80211_parse_wmeparams(struct ieee80211vap *vap, uint8_t *frm,
1171 const struct ieee80211_frame *wh, uint8_t *qosinfo)
1172 {
1173 struct ieee80211_wme_state *wme = &vap->iv_ic->ic_wme;
1174 u_int len = frm[1], qosinfo_count;
1175 int i;
1176
1177 *qosinfo = 0;
1178
1179 if (len < sizeof(struct ieee80211_wme_param)-2) {
1180 IEEE80211_DISCARD_IE(vap,
1181 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME,
1182 wh, "WME", "too short, len %u", len);
1183 return -1;
1184 }
1185 *qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)];
1186 qosinfo_count = *qosinfo & WME_QOSINFO_COUNT;
1187
1188 /* XXX do proper check for wraparound */
1189 if (qosinfo_count == wme->wme_wmeChanParams.cap_info)
1190 return 0;
1191 frm += __offsetof(struct ieee80211_wme_param, params_acParams);
1192 for (i = 0; i < WME_NUM_AC; i++) {
1193 struct wmeParams *wmep =
1194 &wme->wme_wmeChanParams.cap_wmeParams[i];
1195 /* NB: ACI not used */
1196 wmep->wmep_acm = _IEEE80211_MASKSHIFT(frm[0], WME_PARAM_ACM);
1197 wmep->wmep_aifsn =
1198 _IEEE80211_MASKSHIFT(frm[0], WME_PARAM_AIFSN);
1199 wmep->wmep_logcwmin =
1200 _IEEE80211_MASKSHIFT(frm[1], WME_PARAM_LOGCWMIN);
1201 wmep->wmep_logcwmax =
1202 _IEEE80211_MASKSHIFT(frm[1], WME_PARAM_LOGCWMAX);
1203 wmep->wmep_txopLimit = le16dec(frm+2);
1204 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME,
1205 "%s: WME: %d: acm=%d aifsn=%d logcwmin=%d logcwmax=%d txopLimit=%d\n",
1206 __func__,
1207 i,
1208 wmep->wmep_acm,
1209 wmep->wmep_aifsn,
1210 wmep->wmep_logcwmin,
1211 wmep->wmep_logcwmax,
1212 wmep->wmep_txopLimit);
1213 frm += 4;
1214 }
1215 wme->wme_wmeChanParams.cap_info = qosinfo_count;
1216 return 1;
1217 }
1218
1219 /*
1220 * Process 11h Channel Switch Announcement (CSA) ie. If this
1221 * is the first CSA then initiate the switch. Otherwise we
1222 * track state and trigger completion and/or cancel of the switch.
1223 * XXX should be public for IBSS use
1224 */
1225 static void
1226 ieee80211_parse_csaparams(struct ieee80211vap *vap, uint8_t *frm,
1227 const struct ieee80211_frame *wh)
1228 {
1229 struct ieee80211com *ic = vap->iv_ic;
1230 const struct ieee80211_csa_ie *csa =
1231 (const struct ieee80211_csa_ie *) frm;
1232
1233 KASSERT(vap->iv_state >= IEEE80211_S_RUN,
1234 ("state %s", ieee80211_state_name[vap->iv_state]));
1235
1236 if (csa->csa_mode > 1) {
1237 IEEE80211_DISCARD_IE(vap,
1238 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1239 wh, "CSA", "invalid mode %u", csa->csa_mode);
1240 return;
1241 }
1242 IEEE80211_LOCK(ic);
1243 if ((ic->ic_flags & IEEE80211_F_CSAPENDING) == 0) {
1244 /*
1245 * Convert the channel number to a channel reference. We
1246 * try first to preserve turbo attribute of the current
1247 * channel then fallback. Note this will not work if the
1248 * CSA specifies a channel that requires a band switch (e.g.
1249 * 11a => 11g). This is intentional as 11h is defined only
1250 * for 5GHz/11a and because the switch does not involve a
1251 * reassociation, protocol state (capabilities, negotated
1252 * rates, etc) may/will be wrong.
1253 */
1254 struct ieee80211_channel *c =
1255 ieee80211_find_channel_byieee(ic, csa->csa_newchan,
1256 (ic->ic_bsschan->ic_flags & IEEE80211_CHAN_ALLTURBO));
1257 if (c == NULL) {
1258 c = ieee80211_find_channel_byieee(ic,
1259 csa->csa_newchan,
1260 (ic->ic_bsschan->ic_flags & IEEE80211_CHAN_ALL));
1261 if (c == NULL) {
1262 IEEE80211_DISCARD_IE(vap,
1263 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1264 wh, "CSA", "invalid channel %u",
1265 csa->csa_newchan);
1266 goto done;
1267 }
1268 }
1269 #if IEEE80211_CSA_COUNT_MIN > 0
1270 if (csa->csa_count < IEEE80211_CSA_COUNT_MIN) {
1271 /*
1272 * Require at least IEEE80211_CSA_COUNT_MIN count to
1273 * reduce the risk of being redirected by a fabricated
1274 * CSA. If a valid CSA is dropped we'll still get a
1275 * beacon miss when the AP leaves the channel so we'll
1276 * eventually follow to the new channel.
1277 *
1278 * NOTE: this violates the 11h spec that states that
1279 * count may be any value and if 0 then a switch
1280 * should happen asap.
1281 */
1282 IEEE80211_DISCARD_IE(vap,
1283 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
1284 wh, "CSA", "count %u too small, must be >= %u",
1285 csa->csa_count, IEEE80211_CSA_COUNT_MIN);
1286 goto done;
1287 }
1288 #endif
1289 ieee80211_csa_startswitch(ic, c, csa->csa_mode, csa->csa_count);
1290 } else {
1291 /*
1292 * Validate this ie against the initial CSA. We require
1293 * mode and channel not change and the count must be
1294 * monotonically decreasing. This may be pointless and
1295 * canceling the switch as a result may be too paranoid but
1296 * in the worst case if we drop out of CSA because of this
1297 * and the AP does move then we'll just end up taking a
1298 * beacon miss and scan to find the AP.
1299 *
1300 * XXX may want <= on count as we also process ProbeResp
1301 * frames and those may come in w/ the same count as the
1302 * previous beacon; but doing so leaves us open to a stuck
1303 * count until we add a dead-man timer
1304 */
1305 if (!(csa->csa_count < ic->ic_csa_count &&
1306 csa->csa_mode == ic->ic_csa_mode &&
1307 csa->csa_newchan == ieee80211_chan2ieee(ic, ic->ic_csa_newchan))) {
1308 IEEE80211_NOTE_FRAME(vap, IEEE80211_MSG_DOTH, wh,
1309 "CSA ie mismatch, initial ie <%d,%d,%d>, "
1310 "this ie <%d,%d,%d>", ic->ic_csa_mode,
1311 ic->ic_csa_newchan, ic->ic_csa_count,
1312 csa->csa_mode, csa->csa_newchan, csa->csa_count);
1313 ieee80211_csa_cancelswitch(ic);
1314 } else {
1315 if (csa->csa_count <= 1)
1316 ieee80211_csa_completeswitch(ic);
1317 else
1318 ic->ic_csa_count = csa->csa_count;
1319 }
1320 }
1321 done:
1322 IEEE80211_UNLOCK(ic);
1323 }
1324
1325 /*
1326 * Return non-zero if a background scan may be continued:
1327 * o bg scan is active
1328 * o no channel switch is pending
1329 * o there has not been any traffic recently
1330 * o no full-offload scan support (no need for explicitly continuing scan then)
1331 *
1332 * Note we do not check if there is an administrative enable;
1333 * this is only done to start the scan. We assume that any
1334 * change in state will be accompanied by a request to cancel
1335 * active scans which will otherwise cause this test to fail.
1336 */
1337 static __inline int
1338 contbgscan(struct ieee80211vap *vap)
1339 {
1340 struct ieee80211com *ic = vap->iv_ic;
1341
1342 return ((ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN) &&
1343 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1344 !(vap->iv_flags_ext & IEEE80211_FEXT_SCAN_OFFLOAD) &&
1345 vap->iv_state == IEEE80211_S_RUN && /* XXX? */
1346 ieee80211_time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle));
1347 }
1348
1349 /*
1350 * Return non-zero if a backgrond scan may be started:
1351 * o bg scanning is administratively enabled
1352 * o no channel switch is pending
1353 * o we are not boosted on a dynamic turbo channel
1354 * o there has not been a scan recently
1355 * o there has not been any traffic recently (don't check if full-offload scan)
1356 */
1357 static __inline int
1358 startbgscan(struct ieee80211vap *vap)
1359 {
1360 struct ieee80211com *ic = vap->iv_ic;
1361
1362 return ((vap->iv_flags & IEEE80211_F_BGSCAN) &&
1363 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 &&
1364 #ifdef IEEE80211_SUPPORT_SUPERG
1365 !IEEE80211_IS_CHAN_DTURBO(ic->ic_curchan) &&
1366 #endif
1367 ieee80211_time_after(ticks, ic->ic_lastscan + vap->iv_bgscanintvl) &&
1368 ((vap->iv_flags_ext & IEEE80211_FEXT_SCAN_OFFLOAD) ||
1369 ieee80211_time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle)));
1370 }
1371
1372 #ifdef notyet
1373 /*
1374 * Compare two quiet IEs and return if they are equivalent.
1375 *
1376 * The tbttcount isn't checked - that's not part of the configuration.
1377 */
1378 static int
1379 compare_quiet_ie(const struct ieee80211_quiet_ie *q1,
1380 const struct ieee80211_quiet_ie *q2)
1381 {
1382
1383 if (q1->period != q2->period)
1384 return (0);
1385 if (le16dec(&q1->duration) != le16dec(&q2->duration))
1386 return (0);
1387 if (le16dec(&q1->offset) != le16dec(&q2->offset))
1388 return (0);
1389 return (1);
1390 }
1391 #endif
1392
1393 static void
1394 sta_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, int subtype,
1395 const struct ieee80211_rx_stats *rxs,
1396 int rssi, int nf)
1397 {
1398 #define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
1399 struct ieee80211vap *vap = ni->ni_vap;
1400 struct ieee80211com *ic = ni->ni_ic;
1401 struct ieee80211_channel *rxchan = ic->ic_curchan;
1402 struct ieee80211_frame *wh;
1403 int ht_state_change = 0, do_ht = 0;
1404 uint8_t *frm, *efrm;
1405 uint8_t *rates, *xrates, *wme, *htcap, *htinfo;
1406 uint8_t *vhtcap, *vhtopmode;
1407 uint8_t rate;
1408 uint8_t qosinfo;
1409
1410 wh = mtod(m0, struct ieee80211_frame *);
1411 frm = (uint8_t *)&wh[1];
1412 efrm = mtod(m0, uint8_t *) + m0->m_len;
1413 switch (subtype) {
1414 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1415 case IEEE80211_FC0_SUBTYPE_BEACON: {
1416 struct ieee80211_scanparams scan;
1417 struct ieee80211_channel *c;
1418 /*
1419 * We process beacon/probe response frames:
1420 * o when scanning, or
1421 * o station mode when associated (to collect state
1422 * updates such as 802.11g slot time)
1423 * Frames otherwise received are discarded.
1424 */
1425 if (!((ic->ic_flags & IEEE80211_F_SCAN) || ni->ni_associd)) {
1426 vap->iv_stats.is_rx_mgtdiscard++;
1427 return;
1428 }
1429
1430 /* Override RX channel as appropriate */
1431 if (rxs != NULL) {
1432 c = ieee80211_lookup_channel_rxstatus(vap, rxs);
1433 if (c != NULL)
1434 rxchan = c;
1435 }
1436
1437 /* XXX probe response in sta mode when !scanning? */
1438 if (ieee80211_parse_beacon(ni, m0, rxchan, &scan) != 0) {
1439 if (! (ic->ic_flags & IEEE80211_F_SCAN))
1440 vap->iv_stats.is_beacon_bad++;
1441 return;
1442 }
1443
1444 /*
1445 * Count frame now that we know it's to be processed.
1446 */
1447 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1448 vap->iv_stats.is_rx_beacon++; /* XXX remove */
1449 IEEE80211_NODE_STAT(ni, rx_beacons);
1450 } else
1451 IEEE80211_NODE_STAT(ni, rx_proberesp);
1452 /*
1453 * When operating in station mode, check for state updates.
1454 * Be careful to ignore beacons received while doing a
1455 * background scan. We consider only 11g/WMM stuff right now.
1456 */
1457 if (ni->ni_associd != 0 &&
1458 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
1459 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
1460 /* record tsf of last beacon */
1461 memcpy(ni->ni_tstamp.data, scan.tstamp,
1462 sizeof(ni->ni_tstamp));
1463 /* count beacon frame for s/w bmiss handling */
1464 vap->iv_swbmiss_count++;
1465 vap->iv_bmiss_count = 0;
1466 if (ni->ni_erp != scan.erp) {
1467 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1468 wh->i_addr2,
1469 "erp change: was 0x%x, now 0x%x",
1470 ni->ni_erp, scan.erp);
1471 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1472 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1473 vap->iv_flags |= IEEE80211_F_USEPROT;
1474 else
1475 vap->iv_flags &= ~IEEE80211_F_USEPROT;
1476 ni->ni_erp = scan.erp;
1477 /* XXX statistic */
1478 /* driver notification */
1479 ieee80211_vap_update_erp_protmode(vap);
1480 }
1481 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) {
1482 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1483 wh->i_addr2,
1484 "capabilities change: was 0x%x, now 0x%x",
1485 ni->ni_capinfo, scan.capinfo);
1486 /*
1487 * NB: we assume short preamble doesn't
1488 * change dynamically
1489 */
1490 ieee80211_vap_set_shortslottime(vap,
1491 IEEE80211_IS_CHAN_A(ic->ic_bsschan) ||
1492 (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1493 ni->ni_capinfo = (ni->ni_capinfo &~ IEEE80211_CAPINFO_SHORT_SLOTTIME)
1494 | (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME);
1495 /* XXX statistic */
1496 }
1497 if (scan.wme != NULL &&
1498 (ni->ni_flags & IEEE80211_NODE_QOS)) {
1499 int _retval;
1500 if ((_retval = ieee80211_parse_wmeparams(vap,
1501 scan.wme, wh, &qosinfo)) >= 0) {
1502 if (qosinfo & WME_CAPINFO_UAPSD_EN)
1503 ni->ni_flags |=
1504 IEEE80211_NODE_UAPSD;
1505 if (_retval > 0)
1506 ieee80211_wme_updateparams(vap);
1507 }
1508 } else
1509 ni->ni_flags &= ~IEEE80211_NODE_UAPSD;
1510 #ifdef IEEE80211_SUPPORT_SUPERG
1511 if (scan.ath != NULL)
1512 ieee80211_parse_athparams(ni, scan.ath, wh);
1513 #endif
1514 if (scan.htcap != NULL && scan.htinfo != NULL &&
1515 (vap->iv_flags_ht & IEEE80211_FHT_HT)) {
1516 /* XXX state changes? */
1517 ieee80211_ht_updateparams(ni,
1518 scan.htcap, scan.htinfo);
1519 do_ht = 1;
1520 }
1521 if (scan.vhtcap != NULL && scan.vhtopmode != NULL &&
1522 (vap->iv_vht_flags & IEEE80211_FVHT_VHT)) {
1523 /* XXX state changes? */
1524 ieee80211_vht_updateparams(ni,
1525 scan.vhtcap, scan.vhtopmode);
1526 do_ht = 1;
1527 }
1528 if (do_ht) {
1529 if (ieee80211_ht_updateparams_final(ni,
1530 scan.htcap, scan.htinfo))
1531 ht_state_change = 1;
1532 }
1533
1534 /*
1535 * If we have a quiet time IE then report it up to
1536 * the driver.
1537 *
1538 * Otherwise, inform the driver that the quiet time
1539 * IE has disappeared - only do that once rather than
1540 * spamming it each time.
1541 */
1542 if (scan.quiet) {
1543 ic->ic_set_quiet(ni, scan.quiet);
1544 ni->ni_quiet_ie_set = 1;
1545 memcpy(&ni->ni_quiet_ie, scan.quiet,
1546 sizeof(struct ieee80211_quiet_ie));
1547 } else {
1548 if (ni->ni_quiet_ie_set == 1)
1549 ic->ic_set_quiet(ni, NULL);
1550 ni->ni_quiet_ie_set = 0;
1551 bzero(&ni->ni_quiet_ie,
1552 sizeof(struct ieee80211_quiet_ie));
1553 }
1554
1555 if (scan.tim != NULL) {
1556 struct ieee80211_tim_ie *tim =
1557 (struct ieee80211_tim_ie *) scan.tim;
1558 /*
1559 * XXX Check/debug this code; see if it's about
1560 * the right time to force the VAP awake if we
1561 * receive a frame destined for us?
1562 */
1563 int aid = IEEE80211_AID(ni->ni_associd);
1564 int ix = aid / NBBY;
1565 int min = tim->tim_bitctl &~ 1;
1566 int max = tim->tim_len + min - 4;
1567 int tim_ucast = 0;
1568 #ifdef __notyet__
1569 int tim_mcast = 0;
1570 #endif
1571
1572 /*
1573 * Only do this for unicast traffic in the TIM
1574 * The multicast traffic notification for
1575 * the scan notification stuff should occur
1576 * differently.
1577 */
1578 if (min <= ix && ix <= max &&
1579 isset(tim->tim_bitmap - min, aid)) {
1580 tim_ucast = 1;
1581 }
1582
1583 #ifdef __notyet__
1584 /*
1585 * Do a separate notification
1586 * for the multicast bit being set.
1587 */
1588 if (tim->tim_bitctl & 1) {
1589 tim_mcast = 1;
1590 }
1591 #endif
1592
1593 /*
1594 * If the TIM indicates there's traffic for
1595 * us then get us out of STA mode powersave.
1596 */
1597 if (tim_ucast == 1) {
1598 /*
1599 * Wake us out of SLEEP state if we're
1600 * in it; and if we're doing bgscan
1601 * then wake us out of STA powersave.
1602 */
1603 ieee80211_sta_tim_notify(vap, 1);
1604
1605 /*
1606 * This is preventing us from
1607 * continuing a bgscan; because it
1608 * tricks the contbgscan()
1609 * routine to think there's always
1610 * traffic for us.
1611 *
1612 * I think we need both an RX and
1613 * TX ic_lastdata field.
1614 */
1615 ic->ic_lastdata = ticks;
1616 }
1617
1618 ni->ni_dtim_count = tim->tim_count;
1619 ni->ni_dtim_period = tim->tim_period;
1620 }
1621 if (scan.csa != NULL &&
1622 (vap->iv_flags & IEEE80211_F_DOTH))
1623 ieee80211_parse_csaparams(vap, scan.csa, wh);
1624 else if (ic->ic_flags & IEEE80211_F_CSAPENDING) {
1625 /*
1626 * No CSA ie or 11h disabled, but a channel
1627 * switch is pending; drop out so we aren't
1628 * stuck in CSA state. If the AP really is
1629 * moving we'll get a beacon miss and scan.
1630 */
1631 IEEE80211_LOCK(ic);
1632 ieee80211_csa_cancelswitch(ic);
1633 IEEE80211_UNLOCK(ic);
1634 }
1635 /*
1636 * If scanning, pass the info to the scan module.
1637 * Otherwise, check if it's the right time to do
1638 * a background scan. Background scanning must
1639 * be enabled and we must not be operating in the
1640 * turbo phase of dynamic turbo mode. Then,
1641 * it's been a while since the last background
1642 * scan and if no data frames have come through
1643 * recently, kick off a scan. Note that this
1644 * is the mechanism by which a background scan
1645 * is started _and_ continued each time we
1646 * return on-channel to receive a beacon from
1647 * our ap.
1648 */
1649 if (ic->ic_flags & IEEE80211_F_SCAN) {
1650 ieee80211_add_scan(vap, rxchan,
1651 &scan, wh, subtype, rssi, nf);
1652 } else if (contbgscan(vap)) {
1653 ieee80211_bg_scan(vap, 0);
1654 } else if (startbgscan(vap)) {
1655 vap->iv_stats.is_scan_bg++;
1656 #if 0
1657 /* wakeup if we are sleeing */
1658 ieee80211_set_pwrsave(vap, 0);
1659 #endif
1660 ieee80211_bg_scan(vap, 0);
1661 }
1662
1663 /*
1664 * Put the station to sleep if we haven't seen
1665 * traffic in a while.
1666 */
1667 IEEE80211_LOCK(ic);
1668 ieee80211_sta_ps_timer_check(vap);
1669 IEEE80211_UNLOCK(ic);
1670
1671 /*
1672 * If we've had a channel width change (eg HT20<->HT40)
1673 * then schedule a delayed driver notification.
1674 */
1675 if (ht_state_change)
1676 ieee80211_update_chw(ic);
1677 return;
1678 }
1679 /*
1680 * If scanning, just pass information to the scan module.
1681 */
1682 if (ic->ic_flags & IEEE80211_F_SCAN) {
1683 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
1684 /*
1685 * Actively scanning a channel marked passive;
1686 * send a probe request now that we know there
1687 * is 802.11 traffic present.
1688 *
1689 * XXX check if the beacon we recv'd gives
1690 * us what we need and suppress the probe req
1691 */
1692 ieee80211_probe_curchan(vap, true);
1693 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1694 }
1695 ieee80211_add_scan(vap, rxchan, &scan, wh,
1696 subtype, rssi, nf);
1697 return;
1698 }
1699 break;
1700 }
1701
1702 case IEEE80211_FC0_SUBTYPE_AUTH: {
1703 uint16_t algo, seq, status;
1704 /*
1705 * auth frame format
1706 * [2] algorithm
1707 * [2] sequence
1708 * [2] status
1709 * [tlv*] challenge
1710 */
1711 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1712 algo = le16toh(*(uint16_t *)frm);
1713 seq = le16toh(*(uint16_t *)(frm + 2));
1714 status = le16toh(*(uint16_t *)(frm + 4));
1715 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1716 "recv auth frame with algorithm %d seq %d", algo, seq);
1717
1718 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1719 IEEE80211_DISCARD(vap,
1720 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1721 wh, "auth", "%s", "TKIP countermeasures enabled");
1722 vap->iv_stats.is_rx_auth_countermeasures++;
1723 if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
1724 ieee80211_send_error(ni, wh->i_addr2,
1725 IEEE80211_FC0_SUBTYPE_AUTH,
1726 IEEE80211_REASON_MIC_FAILURE);
1727 }
1728 return;
1729 }
1730 if (algo == IEEE80211_AUTH_ALG_SHARED)
1731 sta_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1732 seq, status);
1733 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1734 sta_auth_open(ni, wh, rssi, nf, seq, status);
1735 else {
1736 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1737 wh, "auth", "unsupported alg %d", algo);
1738 vap->iv_stats.is_rx_auth_unsupported++;
1739 return;
1740 }
1741 break;
1742 }
1743
1744 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
1745 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
1746 uint16_t capinfo, associd;
1747 uint16_t status;
1748
1749 if (vap->iv_state != IEEE80211_S_ASSOC) {
1750 vap->iv_stats.is_rx_mgtdiscard++;
1751 return;
1752 }
1753
1754 /*
1755 * asresp frame format
1756 * [2] capability information
1757 * [2] status
1758 * [2] association ID
1759 * [tlv] supported rates
1760 * [tlv] extended supported rates
1761 * [tlv] WME
1762 * [tlv] HT capabilities
1763 * [tlv] HT info
1764 */
1765 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1766 ni = vap->iv_bss;
1767 capinfo = le16toh(*(uint16_t *)frm);
1768 frm += 2;
1769 status = le16toh(*(uint16_t *)frm);
1770 frm += 2;
1771 if (status != 0) {
1772 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1773 wh->i_addr2, "%sassoc failed (reason %d)",
1774 ISREASSOC(subtype) ? "re" : "", status);
1775 vap->iv_stats.is_rx_auth_fail++; /* XXX */
1776 return;
1777 }
1778 associd = le16toh(*(uint16_t *)frm);
1779 frm += 2;
1780
1781 rates = xrates = wme = htcap = htinfo = NULL;
1782 vhtcap = vhtopmode = NULL;
1783 while (efrm - frm > 1) {
1784 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1785 switch (*frm) {
1786 case IEEE80211_ELEMID_RATES:
1787 rates = frm;
1788 break;
1789 case IEEE80211_ELEMID_XRATES:
1790 xrates = frm;
1791 break;
1792 case IEEE80211_ELEMID_HTCAP:
1793 htcap = frm;
1794 break;
1795 case IEEE80211_ELEMID_HTINFO:
1796 htinfo = frm;
1797 break;
1798 case IEEE80211_ELEMID_VENDOR:
1799 if (iswmeoui(frm))
1800 wme = frm;
1801 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
1802 /*
1803 * Accept pre-draft HT ie's if the
1804 * standard ones have not been seen.
1805 */
1806 if (ishtcapoui(frm)) {
1807 if (htcap == NULL)
1808 htcap = frm;
1809 } else if (ishtinfooui(frm)) {
1810 if (htinfo == NULL)
1811 htinfo = frm;
1812 }
1813 }
1814 /* XXX Atheros OUI support */
1815 break;
1816 case IEEE80211_ELEMID_VHT_CAP:
1817 vhtcap = frm;
1818 break;
1819 case IEEE80211_ELEMID_VHT_OPMODE:
1820 vhtopmode = frm;
1821 break;
1822 }
1823 frm += frm[1] + 2;
1824 }
1825
1826 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1827 if (xrates != NULL)
1828 IEEE80211_VERIFY_ELEMENT(xrates,
1829 IEEE80211_RATE_MAXSIZE - rates[1], return);
1830 rate = ieee80211_setup_rates(ni, rates, xrates,
1831 IEEE80211_F_JOIN |
1832 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
1833 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
1834 if (rate & IEEE80211_RATE_BASIC) {
1835 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC,
1836 wh->i_addr2,
1837 "%sassoc failed (rate set mismatch)",
1838 ISREASSOC(subtype) ? "re" : "");
1839 vap->iv_stats.is_rx_assoc_norate++;
1840 ieee80211_new_state(vap, IEEE80211_S_SCAN,
1841 IEEE80211_SCAN_FAIL_STATUS);
1842 return;
1843 }
1844
1845 ni->ni_capinfo = capinfo;
1846 ni->ni_associd = associd;
1847 if (ni->ni_jointime == 0)
1848 ni->ni_jointime = time_uptime;
1849 if (wme != NULL &&
1850 ieee80211_parse_wmeparams(vap, wme, wh, &qosinfo) >= 0) {
1851 ni->ni_flags |= IEEE80211_NODE_QOS;
1852 ieee80211_wme_updateparams(vap);
1853 } else
1854 ni->ni_flags &= ~IEEE80211_NODE_QOS;
1855 /*
1856 * Setup HT state according to the negotiation.
1857 *
1858 * NB: shouldn't need to check if HT use is enabled but some
1859 * ap's send back HT ie's even when we don't indicate we
1860 * are HT capable in our AssocReq.
1861 */
1862 if (htcap != NULL && htinfo != NULL &&
1863 (vap->iv_flags_ht & IEEE80211_FHT_HT)) {
1864 ieee80211_ht_node_init(ni);
1865 ieee80211_ht_updateparams(ni, htcap, htinfo);
1866
1867 if ((vhtcap != NULL) && (vhtopmode != NULL) &
1868 (vap->iv_vht_flags & IEEE80211_FVHT_VHT)) {
1869 /*
1870 * Log if we get a VHT assoc/reassoc response.
1871 * We aren't ready for 2GHz VHT support.
1872 */
1873 if (IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) {
1874 printf("%s: peer %6D: VHT on 2GHz, ignoring\n",
1875 __func__,
1876 ni->ni_macaddr,
1877 ":");
1878 } else {
1879 ieee80211_vht_node_init(ni);
1880 ieee80211_vht_updateparams(ni, vhtcap, vhtopmode);
1881 ieee80211_setup_vht_rates(ni, vhtcap, vhtopmode);
1882 }
1883 }
1884
1885 ieee80211_ht_updateparams_final(ni, htcap, htinfo);
1886 ieee80211_setup_htrates(ni, htcap,
1887 IEEE80211_F_JOIN | IEEE80211_F_DOBRS);
1888 ieee80211_setup_basic_htrates(ni, htinfo);
1889
1890 ieee80211_node_setuptxparms(ni);
1891 ieee80211_ratectl_node_init(ni);
1892 }
1893
1894 /*
1895 * Always initialise FF/superg state; we can use this
1896 * for doing A-MSDU encapsulation as well.
1897 */
1898 #ifdef IEEE80211_SUPPORT_SUPERG
1899 ieee80211_ff_node_init(ni);
1900 #endif
1901
1902 /*
1903 * Configure state now that we are associated.
1904 *
1905 * XXX may need different/additional driver callbacks?
1906 */
1907 if (IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1908 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
1909 vap->iv_flags |= IEEE80211_F_SHPREAMBLE;
1910 vap->iv_flags &= ~IEEE80211_F_USEBARKER;
1911 } else {
1912 vap->iv_flags &= ~IEEE80211_F_SHPREAMBLE;
1913 vap->iv_flags |= IEEE80211_F_USEBARKER;
1914 }
1915 ieee80211_vap_set_shortslottime(vap,
1916 IEEE80211_IS_CHAN_A(ic->ic_curchan) ||
1917 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
1918 ieee80211_vap_update_preamble(vap);
1919 /*
1920 * Honor ERP protection.
1921 *
1922 * NB: ni_erp should zero for non-11g operation.
1923 */
1924 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1925 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
1926 vap->iv_flags |= IEEE80211_F_USEPROT;
1927 else
1928 vap->iv_flags &= ~IEEE80211_F_USEPROT;
1929 ieee80211_vap_update_erp_protmode(vap);
1930 IEEE80211_NOTE_MAC(vap,
1931 IEEE80211_MSG_ASSOC | IEEE80211_MSG_DEBUG, wh->i_addr2,
1932 "%sassoc success at aid %d: %s preamble, %s slot time%s%s%s%s%s%s%s%s%s",
1933 ISREASSOC(subtype) ? "re" : "",
1934 IEEE80211_NODE_AID(ni),
1935 vap->iv_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
1936 vap->iv_flags&IEEE80211_F_SHSLOT ? "short" : "long",
1937 vap->iv_flags&IEEE80211_F_USEPROT ? ", protection" : "",
1938 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "",
1939 ni->ni_flags & IEEE80211_NODE_HT ?
1940 (ni->ni_chw == IEEE80211_STA_RX_BW_40 ? ", HT40" : ", HT20") : "",
1941 ni->ni_flags & IEEE80211_NODE_AMPDU ? " (+AMPDU)" : "",
1942 ni->ni_flags & IEEE80211_NODE_AMSDU ? " (+AMSDU)" : "",
1943 ni->ni_flags & IEEE80211_NODE_MIMO_RTS ? " (+SMPS-DYN)" :
1944 ni->ni_flags & IEEE80211_NODE_MIMO_PS ? " (+SMPS)" : "",
1945 ni->ni_flags & IEEE80211_NODE_RIFS ? " (+RIFS)" : "",
1946 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) ?
1947 ", fast-frames" : "",
1948 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_TURBOP) ?
1949 ", turbo" : ""
1950 );
1951 ieee80211_new_state(vap, IEEE80211_S_RUN, subtype);
1952 break;
1953 }
1954
1955 case IEEE80211_FC0_SUBTYPE_DEAUTH: {
1956 uint16_t reason;
1957
1958 if (vap->iv_state == IEEE80211_S_SCAN) {
1959 vap->iv_stats.is_rx_mgtdiscard++;
1960 return;
1961 }
1962 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1963 /* NB: can happen when in promiscuous mode */
1964 vap->iv_stats.is_rx_mgtdiscard++;
1965 break;
1966 }
1967
1968 /*
1969 * deauth frame format
1970 * [2] reason
1971 */
1972 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
1973 reason = le16toh(*(uint16_t *)frm);
1974
1975 vap->iv_stats.is_rx_deauth++;
1976 vap->iv_stats.is_rx_deauth_code = reason;
1977 IEEE80211_NODE_STAT(ni, rx_deauth);
1978
1979 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
1980 "recv deauthenticate (reason: %d (%s))", reason,
1981 ieee80211_reason_to_string(reason));
1982 ieee80211_new_state(vap, IEEE80211_S_AUTH,
1983 (reason << 8) | IEEE80211_FC0_SUBTYPE_DEAUTH);
1984 break;
1985 }
1986
1987 case IEEE80211_FC0_SUBTYPE_DISASSOC: {
1988 uint16_t reason;
1989
1990 if (vap->iv_state != IEEE80211_S_RUN &&
1991 vap->iv_state != IEEE80211_S_ASSOC &&
1992 vap->iv_state != IEEE80211_S_AUTH) {
1993 vap->iv_stats.is_rx_mgtdiscard++;
1994 return;
1995 }
1996 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
1997 /* NB: can happen when in promiscuous mode */
1998 vap->iv_stats.is_rx_mgtdiscard++;
1999 break;
2000 }
2001
2002 /*
2003 * disassoc frame format
2004 * [2] reason
2005 */
2006 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2007 reason = le16toh(*(uint16_t *)frm);
2008
2009 vap->iv_stats.is_rx_disassoc++;
2010 vap->iv_stats.is_rx_disassoc_code = reason;
2011 IEEE80211_NODE_STAT(ni, rx_disassoc);
2012
2013 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
2014 "recv disassociate (reason: %d (%s))", reason,
2015 ieee80211_reason_to_string(reason));
2016 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0);
2017 break;
2018 }
2019
2020 case IEEE80211_FC0_SUBTYPE_ACTION:
2021 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
2022 if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
2023 !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
2024 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2025 wh, NULL, "%s", "not for us");
2026 vap->iv_stats.is_rx_mgtdiscard++;
2027 } else if (vap->iv_state != IEEE80211_S_RUN) {
2028 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2029 wh, NULL, "wrong state %s",
2030 ieee80211_state_name[vap->iv_state]);
2031 vap->iv_stats.is_rx_mgtdiscard++;
2032 } else {
2033 if (ieee80211_parse_action(ni, m0) == 0)
2034 (void)ic->ic_recv_action(ni, wh, frm, efrm);
2035 }
2036 break;
2037
2038 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
2039 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
2040 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
2041 case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
2042 case IEEE80211_FC0_SUBTYPE_ATIM:
2043 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2044 wh, NULL, "%s", "not handled");
2045 vap->iv_stats.is_rx_mgtdiscard++;
2046 break;
2047
2048 default:
2049 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2050 wh, "mgt", "subtype 0x%x not handled", subtype);
2051 vap->iv_stats.is_rx_badsubtype++;
2052 break;
2053 }
2054 #undef ISREASSOC
2055 }
2056
2057 static void
2058 sta_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2059 {
2060 switch (subtype) {
2061 case IEEE80211_FC0_SUBTYPE_BAR:
2062 ieee80211_recv_bar(ni, m);
2063 break;
2064 }
2065 }
The FreeBSD Project