1/*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28/* 29 * IEEE 802.11 Station mode support. 30 */ 31#include "opt_inet.h" 32#include "opt_wlan.h" 33 34#include <sys/param.h> 35#include <sys/systm.h> 36#include <sys/mbuf.h> 37#include <sys/malloc.h> 38#include <sys/kernel.h> 39 40#include <sys/socket.h> 41#include <sys/sockio.h> 42#include <sys/endian.h> 43#include <sys/errno.h> 44#include <sys/proc.h> 45#include <sys/sysctl.h> 46 47#include <net/if.h> 48#include <net/if_media.h> 49#include <net/if_llc.h> 50#include <net/if_dl.h> 51#include <net/if_var.h> 52#include <net/if_private.h> 53#include <net/ethernet.h> 54 55#include <net/bpf.h> 56 57#include <net80211/ieee80211_var.h> 58#include <net80211/ieee80211_sta.h> 59#include <net80211/ieee80211_input.h> 60#ifdef IEEE80211_SUPPORT_SUPERG 61#include <net80211/ieee80211_superg.h> 62#endif 63#include <net80211/ieee80211_ratectl.h> 64#include <net80211/ieee80211_sta.h> 65#include <net80211/ieee80211_vht.h> 66 67#define IEEE80211_RATE2MBS(r) (((r) & IEEE80211_RATE_VAL) / 2) 68 69static void sta_vattach(struct ieee80211vap *); 70static void sta_beacon_miss(struct ieee80211vap *); 71static int sta_newstate(struct ieee80211vap *, enum ieee80211_state, int); 72static int sta_input(struct ieee80211_node *, struct mbuf *, 73 const struct ieee80211_rx_stats *, int, int); 74static void sta_recv_mgmt(struct ieee80211_node *, struct mbuf *, 75 int subtype, const struct ieee80211_rx_stats *, int rssi, int nf); 76static void sta_recv_ctl(struct ieee80211_node *, struct mbuf *, int subtype); 77 78void 79ieee80211_sta_attach(struct ieee80211com *ic) 80{ 81 ic->ic_vattach[IEEE80211_M_STA] = sta_vattach; 82} 83 84void 85ieee80211_sta_detach(struct ieee80211com *ic) 86{ 87} 88 89static void 90sta_vdetach(struct ieee80211vap *vap) 91{ 92} 93 94static void 95sta_vattach(struct ieee80211vap *vap) 96{ 97 vap->iv_newstate = sta_newstate; 98 vap->iv_input = sta_input; 99 vap->iv_recv_mgmt = sta_recv_mgmt; 100 vap->iv_recv_ctl = sta_recv_ctl; 101 vap->iv_opdetach = sta_vdetach; 102 vap->iv_bmiss = sta_beacon_miss; 103} 104 105/* 106 * Handle a beacon miss event. The common code filters out 107 * spurious events that can happen when scanning and/or before 108 * reaching RUN state. 109 */ 110static void 111sta_beacon_miss(struct ieee80211vap *vap) 112{ 113 struct ieee80211com *ic = vap->iv_ic; 114 115 IEEE80211_LOCK_ASSERT(ic); 116 117 KASSERT((ic->ic_flags & IEEE80211_F_SCAN) == 0, ("scanning")); 118 KASSERT(vap->iv_state >= IEEE80211_S_RUN, 119 ("wrong state %s", ieee80211_state_name[vap->iv_state])); 120 121 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG, 122 "beacon miss, mode %s state %s\n", 123 ieee80211_opmode_name[vap->iv_opmode], 124 ieee80211_state_name[vap->iv_state]); 125 126 if (vap->iv_state == IEEE80211_S_CSA) { 127 /* 128 * A Channel Switch is pending; assume we missed the 129 * beacon that would've completed the process and just 130 * force the switch. If we made a mistake we'll not 131 * find the AP on the new channel and fall back to a 132 * normal scan. 133 */ 134 ieee80211_csa_completeswitch(ic); 135 return; 136 } 137 if (++vap->iv_bmiss_count < vap->iv_bmiss_max) { 138 /* 139 * Send a directed probe req before falling back to a 140 * scan; if we receive a response ic_bmiss_count will 141 * be reset. Some cards mistakenly report beacon miss 142 * so this avoids the expensive scan if the ap is 143 * still there. 144 */ 145 ieee80211_send_probereq(vap->iv_bss, vap->iv_myaddr, 146 vap->iv_bss->ni_bssid, vap->iv_bss->ni_bssid, 147 vap->iv_bss->ni_essid, vap->iv_bss->ni_esslen); 148 return; 149 } 150 151 callout_stop(&vap->iv_swbmiss); 152 vap->iv_bmiss_count = 0; 153 vap->iv_stats.is_beacon_miss++; 154 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) { 155#ifdef IEEE80211_SUPPORT_SUPERG 156 157 /* 158 * If we receive a beacon miss interrupt when using 159 * dynamic turbo, attempt to switch modes before 160 * reassociating. 161 */ 162 if (IEEE80211_ATH_CAP(vap, vap->iv_bss, IEEE80211_NODE_TURBOP)) 163 ieee80211_dturbo_switch(vap, 164 ic->ic_bsschan->ic_flags ^ IEEE80211_CHAN_TURBO); 165#endif 166 /* 167 * Try to reassociate before scanning for a new ap. 168 */ 169 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 1); 170 } else { 171 /* 172 * Somebody else is controlling state changes (e.g. 173 * a user-mode app) don't do anything that would 174 * confuse them; just drop into scan mode so they'll 175 * notified of the state change and given control. 176 */ 177 ieee80211_new_state(vap, IEEE80211_S_SCAN, 0); 178 } 179} 180 181/* 182 * Handle deauth with reason. We retry only for 183 * the cases where we might succeed. Otherwise 184 * we downgrade the ap and scan. 185 */ 186static void 187sta_authretry(struct ieee80211vap *vap, struct ieee80211_node *ni, int reason) 188{ 189 switch (reason) { 190 case IEEE80211_STATUS_SUCCESS: /* NB: MLME assoc */ 191 case IEEE80211_STATUS_TIMEOUT: 192 case IEEE80211_REASON_ASSOC_EXPIRE: 193 case IEEE80211_REASON_NOT_AUTHED: 194 case IEEE80211_REASON_NOT_ASSOCED: 195 case IEEE80211_REASON_ASSOC_LEAVE: 196 case IEEE80211_REASON_ASSOC_NOT_AUTHED: 197 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, 1); 198 break; 199 default: 200 ieee80211_scan_assoc_fail(vap, vap->iv_bss->ni_macaddr, reason); 201 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) 202 ieee80211_check_scan_current(vap); 203 break; 204 } 205} 206 207static void 208sta_swbmiss_start(struct ieee80211vap *vap) 209{ 210 211 if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS) { 212 /* 213 * Start s/w beacon miss timer for devices w/o 214 * hardware support. We fudge a bit here since 215 * we're doing this in software. 216 */ 217 vap->iv_swbmiss_period = IEEE80211_TU_TO_TICKS( 218 2 * vap->iv_bmissthreshold * vap->iv_bss->ni_intval); 219 vap->iv_swbmiss_count = 0; 220 callout_reset(&vap->iv_swbmiss, vap->iv_swbmiss_period, 221 ieee80211_swbmiss, vap); 222 } 223} 224 225/* 226 * IEEE80211_M_STA vap state machine handler. 227 * This routine handles the main states in the 802.11 protocol. 228 */ 229static int 230sta_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) 231{ 232 struct ieee80211com *ic = vap->iv_ic; 233 struct ieee80211_node *ni; 234 enum ieee80211_state ostate; 235 236 IEEE80211_LOCK_ASSERT(ic); 237 238 ostate = vap->iv_state; 239 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n", 240 __func__, ieee80211_state_name[ostate], 241 ieee80211_state_name[nstate], arg); 242 vap->iv_state = nstate; /* state transition */ 243 callout_stop(&vap->iv_mgtsend); /* XXX callout_drain */ 244 if (ostate != IEEE80211_S_SCAN) 245 ieee80211_cancel_scan(vap); /* background scan */ 246 ni = vap->iv_bss; /* NB: no reference held */ 247 if (vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS) 248 callout_stop(&vap->iv_swbmiss); 249 switch (nstate) { 250 case IEEE80211_S_INIT: 251 switch (ostate) { 252 case IEEE80211_S_SLEEP: 253 /* XXX wakeup */ 254 /* XXX driver hook to wakeup the hardware? */ 255 case IEEE80211_S_RUN: 256 IEEE80211_SEND_MGMT(ni, 257 IEEE80211_FC0_SUBTYPE_DISASSOC, 258 IEEE80211_REASON_ASSOC_LEAVE); 259 ieee80211_sta_leave(ni); 260 break; 261 case IEEE80211_S_ASSOC: 262 IEEE80211_SEND_MGMT(ni, 263 IEEE80211_FC0_SUBTYPE_DEAUTH, 264 IEEE80211_REASON_AUTH_LEAVE); 265 break; 266 case IEEE80211_S_SCAN: 267 ieee80211_cancel_scan(vap); 268 break; 269 default: 270 break; 271 } 272 if (ostate != IEEE80211_S_INIT) { 273 /* NB: optimize INIT -> INIT case */ 274 ieee80211_reset_bss(vap); 275 } 276 if (vap->iv_auth->ia_detach != NULL) 277 vap->iv_auth->ia_detach(vap); 278 break; 279 case IEEE80211_S_SCAN: 280 switch (ostate) { 281 case IEEE80211_S_INIT: 282 /* 283 * Initiate a scan. We can come here as a result 284 * of an IEEE80211_IOC_SCAN_REQ too in which case 285 * the vap will be marked with IEEE80211_FEXT_SCANREQ 286 * and the scan request parameters will be present 287 * in iv_scanreq. Otherwise we do the default. 288 */ 289 if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) { 290 ieee80211_check_scan(vap, 291 vap->iv_scanreq_flags, 292 vap->iv_scanreq_duration, 293 vap->iv_scanreq_mindwell, 294 vap->iv_scanreq_maxdwell, 295 vap->iv_scanreq_nssid, vap->iv_scanreq_ssid); 296 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ; 297 } else 298 ieee80211_check_scan_current(vap); 299 break; 300 case IEEE80211_S_SCAN: 301 case IEEE80211_S_AUTH: 302 case IEEE80211_S_ASSOC: 303 /* 304 * These can happen either because of a timeout 305 * on an assoc/auth response or because of a 306 * change in state that requires a reset. For 307 * the former we're called with a non-zero arg 308 * that is the cause for the failure; pass this 309 * to the scan code so it can update state. 310 * Otherwise trigger a new scan unless we're in 311 * manual roaming mode in which case an application 312 * must issue an explicit scan request. 313 */ 314 if (arg != 0) 315 ieee80211_scan_assoc_fail(vap, 316 vap->iv_bss->ni_macaddr, arg); 317 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) 318 ieee80211_check_scan_current(vap); 319 break; 320 case IEEE80211_S_SLEEP: /* beacon miss */ 321 /* 322 * XXX if in sleep we need to wakeup the hardware. 323 */ 324 /* FALLTHROUGH */ 325 case IEEE80211_S_RUN: /* beacon miss */ 326 /* 327 * Beacon miss. Notify user space and if not 328 * under control of a user application (roaming 329 * manual) kick off a scan to re-connect. 330 */ 331 332 ieee80211_sta_leave(ni); 333 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) 334 ieee80211_check_scan_current(vap); 335 break; 336 default: 337 goto invalid; 338 } 339 break; 340 case IEEE80211_S_AUTH: 341 switch (ostate) { 342 case IEEE80211_S_INIT: 343 case IEEE80211_S_SCAN: 344 IEEE80211_SEND_MGMT(ni, 345 IEEE80211_FC0_SUBTYPE_AUTH, 1); 346 break; 347 case IEEE80211_S_AUTH: 348 case IEEE80211_S_ASSOC: 349 switch (arg & 0xff) { 350 case IEEE80211_FC0_SUBTYPE_AUTH: 351 /* ??? */ 352 IEEE80211_SEND_MGMT(ni, 353 IEEE80211_FC0_SUBTYPE_AUTH, 2); 354 break; 355 case IEEE80211_FC0_SUBTYPE_DEAUTH: 356 sta_authretry(vap, ni, arg>>8); 357 break; 358 } 359 break; 360 case IEEE80211_S_SLEEP: 361 case IEEE80211_S_RUN: 362 switch (arg & 0xff) { 363 case IEEE80211_FC0_SUBTYPE_AUTH: 364 IEEE80211_SEND_MGMT(ni, 365 IEEE80211_FC0_SUBTYPE_AUTH, 2); 366 vap->iv_state = IEEE80211_S_RUN; /* stay RUN */ 367 break; 368 case IEEE80211_FC0_SUBTYPE_DEAUTH: 369 ieee80211_sta_leave(ni); 370 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) { 371 /* try to reauth */ 372 IEEE80211_SEND_MGMT(ni, 373 IEEE80211_FC0_SUBTYPE_AUTH, 1); 374 } 375 break; 376 } 377 break; 378 default: 379 goto invalid; 380 } 381 break; 382 case IEEE80211_S_ASSOC: 383 switch (ostate) { 384 case IEEE80211_S_AUTH: 385 case IEEE80211_S_ASSOC: 386 IEEE80211_SEND_MGMT(ni, 387 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0); 388 break; 389 case IEEE80211_S_SLEEP: /* cannot happen */ 390 case IEEE80211_S_RUN: 391 ieee80211_sta_leave(ni); 392 if (vap->iv_roaming == IEEE80211_ROAMING_AUTO) { 393 IEEE80211_SEND_MGMT(ni, arg ? 394 IEEE80211_FC0_SUBTYPE_REASSOC_REQ : 395 IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0); 396 } 397 break; 398 default: 399 goto invalid; 400 } 401 break; 402 case IEEE80211_S_RUN: 403 if (vap->iv_flags & IEEE80211_F_WPA) { 404 /* XXX validate prerequisites */ 405 } 406 switch (ostate) { 407 case IEEE80211_S_RUN: 408 case IEEE80211_S_CSA: 409 break; 410 case IEEE80211_S_AUTH: /* when join is done in fw */ 411 case IEEE80211_S_ASSOC: 412#ifdef IEEE80211_DEBUG 413 if (ieee80211_msg_debug(vap)) { 414 ieee80211_note(vap, "%s with %s ssid ", 415 (vap->iv_opmode == IEEE80211_M_STA ? 416 "associated" : "synchronized"), 417 ether_sprintf(ni->ni_bssid)); 418 ieee80211_print_essid(vap->iv_bss->ni_essid, 419 ni->ni_esslen); 420 /* XXX MCS/HT */ 421 printf(" channel %d start %uMb\n", 422 ieee80211_chan2ieee(ic, ic->ic_curchan), 423 IEEE80211_RATE2MBS(ni->ni_txrate)); 424 } 425#endif 426 ieee80211_scan_assoc_success(vap, ni->ni_macaddr); 427 ieee80211_notify_node_join(ni, 428 arg == IEEE80211_FC0_SUBTYPE_ASSOC_RESP); 429 break; 430 case IEEE80211_S_SLEEP: 431 /* Wake up from sleep */ 432 vap->iv_sta_ps(vap, 0); 433 break; 434 default: 435 goto invalid; 436 } 437 ieee80211_sync_curchan(ic); 438 if (ostate != IEEE80211_S_RUN) 439 sta_swbmiss_start(vap); 440 /* 441 * When 802.1x is not in use mark the port authorized 442 * at this point so traffic can flow. 443 */ 444 if (ni->ni_authmode != IEEE80211_AUTH_8021X) 445 ieee80211_node_authorize(ni); 446 /* 447 * Fake association when joining an existing bss. 448 * 449 * Don't do this if we're doing SLEEP->RUN. 450 */ 451 if (ic->ic_newassoc != NULL && ostate != IEEE80211_S_SLEEP) 452 ic->ic_newassoc(vap->iv_bss, (ostate != IEEE80211_S_RUN)); 453 break; 454 case IEEE80211_S_CSA: 455 if (ostate != IEEE80211_S_RUN) 456 goto invalid; 457 break; 458 case IEEE80211_S_SLEEP: 459 sta_swbmiss_start(vap); 460 vap->iv_sta_ps(vap, 1); 461 break; 462 default: 463 invalid: 464 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, 465 "%s: unexpected state transition %s -> %s\n", __func__, 466 ieee80211_state_name[ostate], ieee80211_state_name[nstate]); 467 break; 468 } 469 return 0; 470} 471 472/* 473 * Return non-zero if the frame is an echo of a multicast 474 * frame sent by ourself. The dir is known to be DSTODS. 475 */ 476static __inline int 477isdstods_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh) 478{ 479#define QWH4(wh) ((const struct ieee80211_qosframe_addr4 *)wh) 480#define WH4(wh) ((const struct ieee80211_frame_addr4 *)wh) 481 const uint8_t *sa; 482 483 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode")); 484 485 if (!IEEE80211_IS_MULTICAST(wh->i_addr3)) 486 return 0; 487 sa = IEEE80211_QOS_HAS_SEQ(wh) ? QWH4(wh)->i_addr4 : WH4(wh)->i_addr4; 488 return IEEE80211_ADDR_EQ(sa, vap->iv_myaddr); 489#undef WH4 490#undef QWH4 491} 492 493/* 494 * Return non-zero if the frame is an echo of a multicast 495 * frame sent by ourself. The dir is known to be FROMDS. 496 */ 497static __inline int 498isfromds_mcastecho(struct ieee80211vap *vap, const struct ieee80211_frame *wh) 499{ 500 KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("wrong mode")); 501 502 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) 503 return 0; 504 return IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_myaddr); 505} 506 507/* 508 * Decide if a received management frame should be 509 * printed when debugging is enabled. This filters some 510 * of the less interesting frames that come frequently 511 * (e.g. beacons). 512 */ 513static __inline int 514doprint(struct ieee80211vap *vap, int subtype) 515{ 516 switch (subtype) { 517 case IEEE80211_FC0_SUBTYPE_BEACON: 518 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN); 519 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 520 return 0; 521 } 522 return 1; 523} 524 525/* 526 * Process a received frame. The node associated with the sender 527 * should be supplied. If nothing was found in the node table then 528 * the caller is assumed to supply a reference to iv_bss instead. 529 * The RSSI and a timestamp are also supplied. The RSSI data is used 530 * during AP scanning to select a AP to associate with; it can have 531 * any units so long as values have consistent units and higher values 532 * mean ``better signal''. The receive timestamp is currently not used 533 * by the 802.11 layer. 534 */ 535static int 536sta_input(struct ieee80211_node *ni, struct mbuf *m, 537 const struct ieee80211_rx_stats *rxs, int rssi, int nf) 538{ 539 struct ieee80211vap *vap = ni->ni_vap; 540 struct ieee80211com *ic = ni->ni_ic; 541 struct ifnet *ifp = vap->iv_ifp; 542 struct ieee80211_frame *wh; 543 struct ieee80211_key *key; 544 struct ether_header *eh; 545 int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ 546 uint8_t dir, type, subtype, qos; 547 uint8_t *bssid; 548 int is_hw_decrypted = 0; 549 int has_decrypted = 0; 550 551 KASSERT(ni != NULL, ("%s: null node, mbuf %p", __func__, m)); 552 553 /* Early init in case of early error case. */ 554 type = -1; 555 556 /* 557 * Bit of a cheat here, we use a pointer for a 3-address 558 * frame format but don't reference fields past outside 559 * ieee80211_frame_min (or other shorter frames) w/o first 560 * validating the data is present. 561 */ 562 wh = mtod(m, struct ieee80211_frame *); 563 564 if (m->m_pkthdr.len < 2 || m->m_pkthdr.len < ieee80211_anyhdrsize(wh)) { 565 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 566 ni->ni_macaddr, NULL, 567 "too short (1): len %u", m->m_pkthdr.len); 568 vap->iv_stats.is_rx_tooshort++; 569 goto err; 570 } 571 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 572 IEEE80211_FC0_VERSION_0) { 573 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 574 ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x", 575 wh->i_fc[0], wh->i_fc[1]); 576 vap->iv_stats.is_rx_badversion++; 577 goto err; 578 } 579 580 /* 581 * Some devices do hardware decryption all the way through 582 * to pretending the frame wasn't encrypted in the first place. 583 * So, tag it appropriately so it isn't discarded inappropriately. 584 */ 585 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) 586 is_hw_decrypted = 1; 587 588 if (m->m_flags & M_AMPDU_MPDU) { 589 /* 590 * Fastpath for A-MPDU reorder q resubmission. Frames 591 * w/ M_AMPDU_MPDU marked have already passed through 592 * here but were received out of order and been held on 593 * the reorder queue. When resubmitted they are marked 594 * with the M_AMPDU_MPDU flag and we can bypass most of 595 * the normal processing. 596 */ 597 type = IEEE80211_FC0_TYPE_DATA; 598 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 599 subtype = IEEE80211_FC0_SUBTYPE_QOS_DATA; 600 hdrspace = ieee80211_hdrspace(ic, wh); /* XXX optimize? */ 601 goto resubmit_ampdu; 602 } 603 604 ni->ni_inact = ni->ni_inact_reload; 605 606 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; 607 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 608 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 609 /* 610 * Control frames are not folowing the header scheme of data and mgmt 611 * frames so we do not apply extra checks here. 612 * We probably should do checks on RA (+TA) where available for those 613 * too, but for now do not drop them. 614 */ 615 if (type != IEEE80211_FC0_TYPE_CTL && 616 (ic->ic_flags & IEEE80211_F_SCAN) == 0) { 617 bssid = wh->i_addr2; 618 if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) { 619 /* not interested in */ 620 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 621 bssid, NULL, "%s", "not to bss"); 622 vap->iv_stats.is_rx_wrongbss++; 623 goto out; 624 } 625 626 /* 627 * Some devices may be in a promiscuous mode 628 * where they receive frames for multiple station 629 * addresses. 630 * 631 * If we receive a data frame that isn't 632 * destined to our VAP MAC, drop it. 633 * 634 * XXX TODO: This is only enforced when not scanning; 635 * XXX it assumes a software-driven scan will put the NIC 636 * XXX into a "no data frames" mode before setting this 637 * XXX flag. Otherwise it may be possible that we'll still 638 * XXX process data frames whilst scanning. 639 */ 640 if ((! IEEE80211_IS_MULTICAST(wh->i_addr1)) 641 && (! IEEE80211_ADDR_EQ(wh->i_addr1, IF_LLADDR(ifp)))) { 642 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 643 bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D", 644 IF_LLADDR(ifp), ":", wh->i_addr1, ":"); 645 vap->iv_stats.is_rx_wrongbss++; 646 goto out; 647 } 648 649 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); 650 ni->ni_noise = nf; 651 if ( IEEE80211_HAS_SEQ(type, subtype) && 652 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 653 uint8_t tid = ieee80211_gettid(wh); 654 if (IEEE80211_QOS_HAS_SEQ(wh) && 655 TID_TO_WME_AC(tid) >= WME_AC_VI) 656 ic->ic_wme.wme_hipri_traffic++; 657 if (! ieee80211_check_rxseq(ni, wh, bssid, rxs)) 658 goto out; 659 } 660 } 661 662 switch (type) { 663 case IEEE80211_FC0_TYPE_DATA: 664 hdrspace = ieee80211_hdrspace(ic, wh); 665 if (m->m_len < hdrspace && 666 (m = m_pullup(m, hdrspace)) == NULL) { 667 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 668 ni->ni_macaddr, NULL, 669 "data too short: expecting %u", hdrspace); 670 vap->iv_stats.is_rx_tooshort++; 671 goto out; /* XXX */ 672 } 673 /* 674 * Handle A-MPDU re-ordering. If the frame is to be 675 * processed directly then ieee80211_ampdu_reorder 676 * will return 0; otherwise it has consumed the mbuf 677 * and we should do nothing more with it. 678 */ 679 if ((m->m_flags & M_AMPDU) && 680 (dir == IEEE80211_FC1_DIR_FROMDS || 681 dir == IEEE80211_FC1_DIR_DSTODS) && 682 ieee80211_ampdu_reorder(ni, m, rxs) != 0) { 683 m = NULL; 684 goto out; 685 } 686 resubmit_ampdu: 687 if (dir == IEEE80211_FC1_DIR_FROMDS) { 688 if ((ifp->if_flags & IFF_SIMPLEX) && 689 isfromds_mcastecho(vap, wh)) { 690 /* 691 * In IEEE802.11 network, multicast 692 * packets sent from "me" are broadcast 693 * from the AP; silently discard for 694 * SIMPLEX interface. 695 */ 696 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 697 wh, "data", "%s", "multicast echo"); 698 vap->iv_stats.is_rx_mcastecho++; 699 goto out; 700 } 701 if ((vap->iv_flags & IEEE80211_F_DWDS) && 702 IEEE80211_IS_MULTICAST(wh->i_addr1)) { 703 /* 704 * DWDS sta's must drop 3-address mcast frames 705 * as they will be sent separately as a 4-addr 706 * frame. Accepting the 3-addr frame will 707 * confuse the bridge into thinking the sending 708 * sta is located at the end of WDS link. 709 */ 710 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh, 711 "3-address data", "%s", "DWDS enabled"); 712 vap->iv_stats.is_rx_mcastecho++; 713 goto out; 714 } 715 } else if (dir == IEEE80211_FC1_DIR_DSTODS) { 716 if ((vap->iv_flags & IEEE80211_F_DWDS) == 0) { 717 IEEE80211_DISCARD(vap, 718 IEEE80211_MSG_INPUT, wh, "4-address data", 719 "%s", "DWDS not enabled"); 720 vap->iv_stats.is_rx_wrongdir++; 721 goto out; 722 } 723 if ((ifp->if_flags & IFF_SIMPLEX) && 724 isdstods_mcastecho(vap, wh)) { 725 /* 726 * In IEEE802.11 network, multicast 727 * packets sent from "me" are broadcast 728 * from the AP; silently discard for 729 * SIMPLEX interface. 730 */ 731 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh, 732 "4-address data", "%s", "multicast echo"); 733 vap->iv_stats.is_rx_mcastecho++; 734 goto out; 735 } 736 } else { 737 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, wh, 738 "data", "incorrect dir 0x%x", dir); 739 vap->iv_stats.is_rx_wrongdir++; 740 goto out; 741 } 742 743 /* 744 * Handle privacy requirements for hardware decryption 745 * devices. 746 * 747 * For those devices, a handful of things happen. 748 * 749 * + If IV has been stripped, then we can't run 750 * ieee80211_crypto_decap() - none of the key 751 * + If MIC has been stripped, we can't validate 752 * MIC here. 753 * + If MIC fails, then we need to communicate a 754 * MIC failure up to the stack - but we don't know 755 * which key was used. 756 */ 757 758 /* 759 * Handle privacy requirements. Note that we 760 * must not be preempted from here until after 761 * we (potentially) call ieee80211_crypto_demic; 762 * otherwise we may violate assumptions in the 763 * crypto cipher modules used to do delayed update 764 * of replay sequence numbers. 765 */ 766 if (is_hw_decrypted || IEEE80211_IS_PROTECTED(wh)) { 767 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 768 /* 769 * Discard encrypted frames when privacy is off. 770 */ 771 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 772 wh, "WEP", "%s", "PRIVACY off"); 773 vap->iv_stats.is_rx_noprivacy++; 774 IEEE80211_NODE_STAT(ni, rx_noprivacy); 775 goto out; 776 } 777 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 778 /* NB: stats+msgs handled in crypto_decap */ 779 IEEE80211_NODE_STAT(ni, rx_wepfail); 780 goto out; 781 } 782 wh = mtod(m, struct ieee80211_frame *); 783 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 784 has_decrypted = 1; 785 } else { 786 /* XXX M_WEP and IEEE80211_F_PRIVACY */ 787 key = NULL; 788 } 789 790 /* 791 * Save QoS bits for use below--before we strip the header. 792 */ 793 if (subtype == IEEE80211_FC0_SUBTYPE_QOS_DATA) 794 qos = ieee80211_getqos(wh)[0]; 795 else 796 qos = 0; 797 798 /* 799 * Next up, any fragmentation. 800 */ 801 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { 802 m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); 803 if (m == NULL) { 804 /* Fragment dropped or frame not complete yet */ 805 goto out; 806 } 807 } 808 wh = NULL; /* no longer valid, catch any uses */ 809 810 /* 811 * Next strip any MSDU crypto bits. 812 * 813 * Note: we can't do MIC stripping/verification if the 814 * upper layer has stripped it. We have to check MIC 815 * ourselves. So, key may be NULL, but we have to check 816 * the RX status. 817 */ 818 if (!ieee80211_crypto_demic(vap, key, m, 0)) { 819 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 820 ni->ni_macaddr, "data", "%s", "demic error"); 821 vap->iv_stats.is_rx_demicfail++; 822 IEEE80211_NODE_STAT(ni, rx_demicfail); 823 goto out; 824 } 825 826 /* copy to listener after decrypt */ 827 if (ieee80211_radiotap_active_vap(vap)) 828 ieee80211_radiotap_rx(vap, m); 829 need_tap = 0; 830 831 /* 832 * Finally, strip the 802.11 header. 833 */ 834 m = ieee80211_decap(vap, m, hdrspace, qos); 835 if (m == NULL) { 836 /* XXX mask bit to check for both */ 837 /* don't count Null data frames as errors */ 838 if (subtype == IEEE80211_FC0_SUBTYPE_NODATA || 839 subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL) 840 goto out; 841 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 842 ni->ni_macaddr, "data", "%s", "decap error"); 843 vap->iv_stats.is_rx_decap++; 844 IEEE80211_NODE_STAT(ni, rx_decap); 845 goto err; 846 } 847 if (!(qos & IEEE80211_QOS_AMSDU)) 848 eh = mtod(m, struct ether_header *); 849 else 850 eh = NULL; 851 if (!ieee80211_node_is_authorized(ni)) { 852 /* 853 * Deny any non-PAE frames received prior to 854 * authorization. For open/shared-key 855 * authentication the port is mark authorized 856 * after authentication completes. For 802.1x 857 * the port is not marked authorized by the 858 * authenticator until the handshake has completed. 859 */ 860 if (eh == NULL || 861 eh->ether_type != htons(ETHERTYPE_PAE)) { 862 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, 863 ni->ni_macaddr, "data", "unauthorized or " 864 "unknown port: ether type 0x%x len %u", 865 eh == NULL ? -1 : eh->ether_type, 866 m->m_pkthdr.len); 867 vap->iv_stats.is_rx_unauth++; 868 IEEE80211_NODE_STAT(ni, rx_unauth); 869 goto err; 870 } 871 } else { 872 /* 873 * When denying unencrypted frames, discard 874 * any non-PAE frames received without encryption. 875 */ 876 if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && 877 ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && 878 (is_hw_decrypted == 0) && 879 (eh == NULL || 880 eh->ether_type != htons(ETHERTYPE_PAE))) { 881 /* 882 * Drop unencrypted frames. 883 */ 884 vap->iv_stats.is_rx_unencrypted++; 885 IEEE80211_NODE_STAT(ni, rx_unencrypted); 886 goto out; 887 } 888 } 889 /* XXX require HT? */ 890 if (qos & IEEE80211_QOS_AMSDU) { 891 m = ieee80211_decap_amsdu(ni, m); 892 if (m == NULL) 893 return IEEE80211_FC0_TYPE_DATA; 894 } else { 895#ifdef IEEE80211_SUPPORT_SUPERG 896 m = ieee80211_decap_fastframe(vap, ni, m); 897 if (m == NULL) 898 return IEEE80211_FC0_TYPE_DATA; 899#endif 900 } 901 ieee80211_deliver_data(vap, ni, m); 902 return IEEE80211_FC0_TYPE_DATA; 903 904 case IEEE80211_FC0_TYPE_MGT: 905 vap->iv_stats.is_rx_mgmt++; 906 IEEE80211_NODE_STAT(ni, rx_mgmt); 907 if (dir != IEEE80211_FC1_DIR_NODS) { 908 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 909 wh, "data", "incorrect dir 0x%x", dir); 910 vap->iv_stats.is_rx_wrongdir++; 911 goto err; 912 } 913 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) { 914 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY, 915 ni->ni_macaddr, "mgt", "too short: len %u", 916 m->m_pkthdr.len); 917 vap->iv_stats.is_rx_tooshort++; 918 goto out; 919 } 920#ifdef IEEE80211_DEBUG 921 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) || 922 ieee80211_msg_dumppkts(vap)) { 923 if_printf(ifp, "received %s from %s rssi %d\n", 924 ieee80211_mgt_subtype_name(subtype), 925 ether_sprintf(wh->i_addr2), rssi); 926 } 927#endif 928 929 /* 930 * Note: See above for hardware offload privacy requirements. 931 * It also applies here. 932 */ 933 934 /* 935 * Again, having encrypted flag set check would be good, but 936 * then we have to also handle crypto_decap() like above. 937 */ 938 if (IEEE80211_IS_PROTECTED(wh)) { 939 if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { 940 /* 941 * Only shared key auth frames with a challenge 942 * should be encrypted, discard all others. 943 */ 944 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 945 wh, ieee80211_mgt_subtype_name(subtype), 946 "%s", "WEP set but not permitted"); 947 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */ 948 goto out; 949 } 950 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 951 /* 952 * Discard encrypted frames when privacy is off. 953 */ 954 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 955 wh, "mgt", "%s", "WEP set but PRIVACY off"); 956 vap->iv_stats.is_rx_noprivacy++; 957 goto out; 958 } 959 hdrspace = ieee80211_hdrspace(ic, wh); 960 961 /* 962 * Again, if IV/MIC was stripped, then this whole 963 * setup will fail. That's going to need some poking. 964 */ 965 if (ieee80211_crypto_decap(ni, m, hdrspace, &key) == 0) { 966 /* NB: stats+msgs handled in crypto_decap */ 967 goto out; 968 } 969 has_decrypted = 1; 970 wh = mtod(m, struct ieee80211_frame *); 971 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 972 } 973 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf); 974 goto out; 975 976 case IEEE80211_FC0_TYPE_CTL: 977 vap->iv_stats.is_rx_ctl++; 978 IEEE80211_NODE_STAT(ni, rx_ctrl); 979 vap->iv_recv_ctl(ni, m, subtype); 980 goto out; 981 982 default: 983 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 984 wh, NULL, "bad frame type 0x%x", type); 985 /* should not come here */ 986 break; 987 } 988err: 989 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 990out: 991 if (m != NULL) { 992 if (need_tap && ieee80211_radiotap_active_vap(vap)) 993 ieee80211_radiotap_rx(vap, m); 994 m_freem(m); 995 } 996 return type; 997} 998 999static void 1000sta_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh, 1001 int rssi, int nf, uint16_t seq, uint16_t status) 1002{ 1003 struct ieee80211vap *vap = ni->ni_vap; 1004 1005 if (ni->ni_authmode == IEEE80211_AUTH_SHARED) { 1006 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1007 ni->ni_macaddr, "open auth", 1008 "bad sta auth mode %u", ni->ni_authmode); 1009 vap->iv_stats.is_rx_bad_auth++; /* XXX */ 1010 return; 1011 } 1012 if (vap->iv_state != IEEE80211_S_AUTH || 1013 seq != IEEE80211_AUTH_OPEN_RESPONSE) { 1014 vap->iv_stats.is_rx_bad_auth++; 1015 return; 1016 } 1017 if (status != 0) { 1018 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, 1019 ni, "open auth failed (reason %d)", status); 1020 vap->iv_stats.is_rx_auth_fail++; 1021 vap->iv_stats.is_rx_authfail_code = status; 1022 ieee80211_new_state(vap, IEEE80211_S_SCAN, 1023 IEEE80211_SCAN_FAIL_STATUS); 1024 } else 1025 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0); 1026} 1027 1028static void 1029sta_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh, 1030 uint8_t *frm, uint8_t *efrm, int rssi, int nf, 1031 uint16_t seq, uint16_t status) 1032{ 1033 struct ieee80211vap *vap = ni->ni_vap; 1034 uint8_t *challenge; 1035 1036 /* 1037 * NB: this can happen as we allow pre-shared key 1038 * authentication to be enabled w/o wep being turned 1039 * on so that configuration of these can be done 1040 * in any order. It may be better to enforce the 1041 * ordering in which case this check would just be 1042 * for sanity/consistency. 1043 */ 1044 if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { 1045 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1046 ni->ni_macaddr, "shared key auth", 1047 "%s", " PRIVACY is disabled"); 1048 goto bad; 1049 } 1050 /* 1051 * Pre-shared key authentication is evil; accept 1052 * it only if explicitly configured (it is supported 1053 * mainly for compatibility with clients like OS X). 1054 */ 1055 if (ni->ni_authmode != IEEE80211_AUTH_AUTO && 1056 ni->ni_authmode != IEEE80211_AUTH_SHARED) { 1057 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1058 ni->ni_macaddr, "shared key auth", 1059 "bad sta auth mode %u", ni->ni_authmode); 1060 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */ 1061 goto bad; 1062 } 1063 1064 challenge = NULL; 1065 if (frm + 1 < efrm) { 1066 if ((frm[1] + 2) > (efrm - frm)) { 1067 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1068 ni->ni_macaddr, "shared key auth", 1069 "ie %d/%d too long", 1070 frm[0], (frm[1] + 2) - (efrm - frm)); 1071 vap->iv_stats.is_rx_bad_auth++; 1072 goto bad; 1073 } 1074 if (*frm == IEEE80211_ELEMID_CHALLENGE) 1075 challenge = frm; 1076 frm += frm[1] + 2; 1077 } 1078 switch (seq) { 1079 case IEEE80211_AUTH_SHARED_CHALLENGE: 1080 case IEEE80211_AUTH_SHARED_RESPONSE: 1081 if (challenge == NULL) { 1082 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1083 ni->ni_macaddr, "shared key auth", 1084 "%s", "no challenge"); 1085 vap->iv_stats.is_rx_bad_auth++; 1086 goto bad; 1087 } 1088 if (challenge[1] != IEEE80211_CHALLENGE_LEN) { 1089 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH, 1090 ni->ni_macaddr, "shared key auth", 1091 "bad challenge len %d", challenge[1]); 1092 vap->iv_stats.is_rx_bad_auth++; 1093 goto bad; 1094 } 1095 default: 1096 break; 1097 } 1098 if (vap->iv_state != IEEE80211_S_AUTH) 1099 return; 1100 switch (seq) { 1101 case IEEE80211_AUTH_SHARED_PASS: 1102 if (ni->ni_challenge != NULL) { 1103 IEEE80211_FREE(ni->ni_challenge, M_80211_NODE); 1104 ni->ni_challenge = NULL; 1105 } 1106 if (status != 0) { 1107 IEEE80211_NOTE_FRAME(vap, 1108 IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, wh, 1109 "shared key auth failed (reason %d)", status); 1110 vap->iv_stats.is_rx_auth_fail++; 1111 vap->iv_stats.is_rx_authfail_code = status; 1112 return; 1113 } 1114 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0); 1115 break; 1116 case IEEE80211_AUTH_SHARED_CHALLENGE: 1117 if (!ieee80211_alloc_challenge(ni)) 1118 return; 1119 /* XXX could optimize by passing recvd challenge */ 1120 memcpy(ni->ni_challenge, &challenge[2], challenge[1]); 1121 IEEE80211_SEND_MGMT(ni, 1122 IEEE80211_FC0_SUBTYPE_AUTH, seq + 1); 1123 break; 1124 default: 1125 IEEE80211_DISCARD(vap, IEEE80211_MSG_AUTH, 1126 wh, "shared key auth", "bad seq %d", seq); 1127 vap->iv_stats.is_rx_bad_auth++; 1128 return; 1129 } 1130 return; 1131bad: 1132 /* 1133 * Kick the state machine. This short-circuits 1134 * using the mgt frame timeout to trigger the 1135 * state transition. 1136 */ 1137 if (vap->iv_state == IEEE80211_S_AUTH) 1138 ieee80211_new_state(vap, IEEE80211_S_SCAN, 1139 IEEE80211_SCAN_FAIL_STATUS); 1140} 1141 1142/* 1143 * Parse the WME IE for QoS and U-APSD information. 1144 * 1145 * Returns -1 if the IE isn't found, 1 if it's found. 1146 */ 1147int 1148ieee80211_parse_wmeie(uint8_t *frm, const struct ieee80211_frame *wh, 1149 struct ieee80211_node *ni) 1150{ 1151 u_int len = frm[1]; 1152 1153 ni->ni_uapsd = 0; 1154 1155 if (len < sizeof(struct ieee80211_wme_param)-2) { 1156 IEEE80211_DISCARD_IE(ni->ni_vap, 1157 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1158 wh, "WME", "too short, len %u", len); 1159 return -1; 1160 } 1161 1162 ni->ni_uapsd = frm[WME_CAPINFO_IE_OFFSET]; 1163 1164 IEEE80211_NOTE(ni->ni_vap, IEEE80211_MSG_POWER | IEEE80211_MSG_ASSOC, 1165 ni, "U-APSD settings from STA: 0x%02x", ni->ni_uapsd); 1166 1167 return 1; 1168} 1169 1170int 1171ieee80211_parse_wmeparams(struct ieee80211vap *vap, uint8_t *frm, 1172 const struct ieee80211_frame *wh, uint8_t *qosinfo) 1173{ 1174 struct ieee80211_wme_state *wme = &vap->iv_ic->ic_wme; 1175 u_int len = frm[1], qosinfo_count; 1176 int i; 1177 1178 *qosinfo = 0; 1179 1180 if (len < sizeof(struct ieee80211_wme_param)-2) { 1181 IEEE80211_DISCARD_IE(vap, 1182 IEEE80211_MSG_ELEMID | IEEE80211_MSG_WME, 1183 wh, "WME", "too short, len %u", len); 1184 return -1; 1185 } 1186 *qosinfo = frm[__offsetof(struct ieee80211_wme_param, param_qosInfo)]; 1187 qosinfo_count = *qosinfo & WME_QOSINFO_COUNT; 1188 1189 /* XXX do proper check for wraparound */ 1190 if (qosinfo_count == wme->wme_wmeChanParams.cap_info) 1191 return 0; 1192 frm += __offsetof(struct ieee80211_wme_param, params_acParams); 1193 for (i = 0; i < WME_NUM_AC; i++) { 1194 struct wmeParams *wmep = 1195 &wme->wme_wmeChanParams.cap_wmeParams[i]; 1196 /* NB: ACI not used */ 1197 wmep->wmep_acm = _IEEE80211_MASKSHIFT(frm[0], WME_PARAM_ACM); 1198 wmep->wmep_aifsn = 1199 _IEEE80211_MASKSHIFT(frm[0], WME_PARAM_AIFSN); 1200 wmep->wmep_logcwmin = 1201 _IEEE80211_MASKSHIFT(frm[1], WME_PARAM_LOGCWMIN); 1202 wmep->wmep_logcwmax = 1203 _IEEE80211_MASKSHIFT(frm[1], WME_PARAM_LOGCWMAX); 1204 wmep->wmep_txopLimit = le16dec(frm+2); 1205 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME, 1206 "%s: WME: %d: acm=%d aifsn=%d logcwmin=%d logcwmax=%d txopLimit=%d\n", 1207 __func__, 1208 i, 1209 wmep->wmep_acm, 1210 wmep->wmep_aifsn, 1211 wmep->wmep_logcwmin, 1212 wmep->wmep_logcwmax, 1213 wmep->wmep_txopLimit); 1214 frm += 4; 1215 } 1216 wme->wme_wmeChanParams.cap_info = qosinfo_count; 1217 return 1; 1218} 1219 1220/* 1221 * Process 11h Channel Switch Announcement (CSA) ie. If this 1222 * is the first CSA then initiate the switch. Otherwise we 1223 * track state and trigger completion and/or cancel of the switch. 1224 * XXX should be public for IBSS use 1225 */ 1226static void 1227ieee80211_parse_csaparams(struct ieee80211vap *vap, uint8_t *frm, 1228 const struct ieee80211_frame *wh) 1229{ 1230 struct ieee80211com *ic = vap->iv_ic; 1231 const struct ieee80211_csa_ie *csa = 1232 (const struct ieee80211_csa_ie *) frm; 1233 1234 KASSERT(vap->iv_state >= IEEE80211_S_RUN, 1235 ("state %s", ieee80211_state_name[vap->iv_state])); 1236 1237 if (csa->csa_mode > 1) { 1238 IEEE80211_DISCARD_IE(vap, 1239 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH, 1240 wh, "CSA", "invalid mode %u", csa->csa_mode); 1241 return; 1242 } 1243 IEEE80211_LOCK(ic); 1244 if ((ic->ic_flags & IEEE80211_F_CSAPENDING) == 0) { 1245 /* 1246 * Convert the channel number to a channel reference. We 1247 * try first to preserve turbo attribute of the current 1248 * channel then fallback. Note this will not work if the 1249 * CSA specifies a channel that requires a band switch (e.g. 1250 * 11a => 11g). This is intentional as 11h is defined only 1251 * for 5GHz/11a and because the switch does not involve a 1252 * reassociation, protocol state (capabilities, negotated 1253 * rates, etc) may/will be wrong. 1254 */ 1255 struct ieee80211_channel *c = 1256 ieee80211_find_channel_byieee(ic, csa->csa_newchan, 1257 (ic->ic_bsschan->ic_flags & IEEE80211_CHAN_ALLTURBO)); 1258 if (c == NULL) { 1259 c = ieee80211_find_channel_byieee(ic, 1260 csa->csa_newchan, 1261 (ic->ic_bsschan->ic_flags & IEEE80211_CHAN_ALL)); 1262 if (c == NULL) { 1263 IEEE80211_DISCARD_IE(vap, 1264 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH, 1265 wh, "CSA", "invalid channel %u", 1266 csa->csa_newchan); 1267 goto done; 1268 } 1269 } 1270#if IEEE80211_CSA_COUNT_MIN > 0 1271 if (csa->csa_count < IEEE80211_CSA_COUNT_MIN) { 1272 /* 1273 * Require at least IEEE80211_CSA_COUNT_MIN count to 1274 * reduce the risk of being redirected by a fabricated 1275 * CSA. If a valid CSA is dropped we'll still get a 1276 * beacon miss when the AP leaves the channel so we'll 1277 * eventually follow to the new channel. 1278 * 1279 * NOTE: this violates the 11h spec that states that 1280 * count may be any value and if 0 then a switch 1281 * should happen asap. 1282 */ 1283 IEEE80211_DISCARD_IE(vap, 1284 IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH, 1285 wh, "CSA", "count %u too small, must be >= %u", 1286 csa->csa_count, IEEE80211_CSA_COUNT_MIN); 1287 goto done; 1288 } 1289#endif 1290 ieee80211_csa_startswitch(ic, c, csa->csa_mode, csa->csa_count); 1291 } else { 1292 /* 1293 * Validate this ie against the initial CSA. We require 1294 * mode and channel not change and the count must be 1295 * monotonically decreasing. This may be pointless and 1296 * canceling the switch as a result may be too paranoid but 1297 * in the worst case if we drop out of CSA because of this 1298 * and the AP does move then we'll just end up taking a 1299 * beacon miss and scan to find the AP. 1300 * 1301 * XXX may want <= on count as we also process ProbeResp 1302 * frames and those may come in w/ the same count as the 1303 * previous beacon; but doing so leaves us open to a stuck 1304 * count until we add a dead-man timer 1305 */ 1306 if (!(csa->csa_count < ic->ic_csa_count && 1307 csa->csa_mode == ic->ic_csa_mode && 1308 csa->csa_newchan == ieee80211_chan2ieee(ic, ic->ic_csa_newchan))) { 1309 IEEE80211_NOTE_FRAME(vap, IEEE80211_MSG_DOTH, wh, 1310 "CSA ie mismatch, initial ie <%d,%d,%d>, " 1311 "this ie <%d,%d,%d>", ic->ic_csa_mode, 1312 ic->ic_csa_newchan, ic->ic_csa_count, 1313 csa->csa_mode, csa->csa_newchan, csa->csa_count); 1314 ieee80211_csa_cancelswitch(ic); 1315 } else { 1316 if (csa->csa_count <= 1) 1317 ieee80211_csa_completeswitch(ic); 1318 else 1319 ic->ic_csa_count = csa->csa_count; 1320 } 1321 } 1322done: 1323 IEEE80211_UNLOCK(ic); 1324} 1325 1326/* 1327 * Return non-zero if a background scan may be continued: 1328 * o bg scan is active 1329 * o no channel switch is pending 1330 * o there has not been any traffic recently 1331 * o no full-offload scan support (no need for explicitly continuing scan then) 1332 * 1333 * Note we do not check if there is an administrative enable; 1334 * this is only done to start the scan. We assume that any 1335 * change in state will be accompanied by a request to cancel 1336 * active scans which will otherwise cause this test to fail. 1337 */ 1338static __inline int 1339contbgscan(struct ieee80211vap *vap) 1340{ 1341 struct ieee80211com *ic = vap->iv_ic; 1342 1343 return ((ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN) && 1344 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 && 1345 !(vap->iv_flags_ext & IEEE80211_FEXT_SCAN_OFFLOAD) && 1346 vap->iv_state == IEEE80211_S_RUN && /* XXX? */ 1347 ieee80211_time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle)); 1348} 1349 1350/* 1351 * Return non-zero if a backgrond scan may be started: 1352 * o bg scanning is administratively enabled 1353 * o no channel switch is pending 1354 * o we are not boosted on a dynamic turbo channel 1355 * o there has not been a scan recently 1356 * o there has not been any traffic recently (don't check if full-offload scan) 1357 */ 1358static __inline int 1359startbgscan(struct ieee80211vap *vap) 1360{ 1361 struct ieee80211com *ic = vap->iv_ic; 1362 1363 return ((vap->iv_flags & IEEE80211_F_BGSCAN) && 1364 (ic->ic_flags & IEEE80211_F_CSAPENDING) == 0 && 1365#ifdef IEEE80211_SUPPORT_SUPERG 1366 !IEEE80211_IS_CHAN_DTURBO(ic->ic_curchan) && 1367#endif 1368 ieee80211_time_after(ticks, ic->ic_lastscan + vap->iv_bgscanintvl) && 1369 ((vap->iv_flags_ext & IEEE80211_FEXT_SCAN_OFFLOAD) || 1370 ieee80211_time_after(ticks, ic->ic_lastdata + vap->iv_bgscanidle))); 1371} 1372 1373#ifdef notyet 1374/* 1375 * Compare two quiet IEs and return if they are equivalent. 1376 * 1377 * The tbttcount isnt checked - that's not part of the configuration. 1378 */ 1379static int 1380compare_quiet_ie(const struct ieee80211_quiet_ie *q1, 1381 const struct ieee80211_quiet_ie *q2) 1382{ 1383 1384 if (q1->period != q2->period) 1385 return (0); 1386 if (le16dec(&q1->duration) != le16dec(&q2->duration)) 1387 return (0); 1388 if (le16dec(&q1->offset) != le16dec(&q2->offset)) 1389 return (0); 1390 return (1); 1391} 1392#endif 1393 1394static void 1395sta_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, int subtype, 1396 const struct ieee80211_rx_stats *rxs, 1397 int rssi, int nf) 1398{ 1399#define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP) 1400 struct ieee80211vap *vap = ni->ni_vap; 1401 struct ieee80211com *ic = ni->ni_ic; 1402 struct ieee80211_channel *rxchan = ic->ic_curchan; 1403 struct ieee80211_frame *wh; 1404 int ht_state_change = 0, do_ht = 0; 1405 uint8_t *frm, *efrm; 1406 uint8_t *rates, *xrates, *wme, *htcap, *htinfo; 1407 uint8_t *vhtcap, *vhtopmode; 1408 uint8_t rate; 1409 uint8_t qosinfo; 1410 1411 wh = mtod(m0, struct ieee80211_frame *); 1412 frm = (uint8_t *)&wh[1]; 1413 efrm = mtod(m0, uint8_t *) + m0->m_len; 1414 switch (subtype) { 1415 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1416 case IEEE80211_FC0_SUBTYPE_BEACON: { 1417 struct ieee80211_scanparams scan; 1418 struct ieee80211_channel *c; 1419 /* 1420 * We process beacon/probe response frames: 1421 * o when scanning, or 1422 * o station mode when associated (to collect state 1423 * updates such as 802.11g slot time) 1424 * Frames otherwise received are discarded. 1425 */ 1426 if (!((ic->ic_flags & IEEE80211_F_SCAN) || ni->ni_associd)) { 1427 vap->iv_stats.is_rx_mgtdiscard++; 1428 return; 1429 } 1430 1431 /* Override RX channel as appropriate */ 1432 if (rxs != NULL) { 1433 c = ieee80211_lookup_channel_rxstatus(vap, rxs); 1434 if (c != NULL) 1435 rxchan = c; 1436 } 1437 1438 /* XXX probe response in sta mode when !scanning? */ 1439 if (ieee80211_parse_beacon(ni, m0, rxchan, &scan) != 0) { 1440 if (! (ic->ic_flags & IEEE80211_F_SCAN)) 1441 vap->iv_stats.is_beacon_bad++; 1442 return; 1443 } 1444 1445 /* 1446 * Count frame now that we know it's to be processed. 1447 */ 1448 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) { 1449 vap->iv_stats.is_rx_beacon++; /* XXX remove */ 1450 IEEE80211_NODE_STAT(ni, rx_beacons); 1451 } else 1452 IEEE80211_NODE_STAT(ni, rx_proberesp); 1453 /* 1454 * When operating in station mode, check for state updates. 1455 * Be careful to ignore beacons received while doing a 1456 * background scan. We consider only 11g/WMM stuff right now. 1457 */ 1458 if (ni->ni_associd != 0 && 1459 ((ic->ic_flags & IEEE80211_F_SCAN) == 0 || 1460 IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) { 1461 /* record tsf of last beacon */ 1462 memcpy(ni->ni_tstamp.data, scan.tstamp, 1463 sizeof(ni->ni_tstamp)); 1464 /* count beacon frame for s/w bmiss handling */ 1465 vap->iv_swbmiss_count++; 1466 vap->iv_bmiss_count = 0; 1467 if (ni->ni_erp != scan.erp) { 1468 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC, 1469 wh->i_addr2, 1470 "erp change: was 0x%x, now 0x%x", 1471 ni->ni_erp, scan.erp); 1472 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1473 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 1474 vap->iv_flags |= IEEE80211_F_USEPROT; 1475 else 1476 vap->iv_flags &= ~IEEE80211_F_USEPROT; 1477 ni->ni_erp = scan.erp; 1478 /* XXX statistic */ 1479 /* driver notification */ 1480 ieee80211_vap_update_erp_protmode(vap); 1481 } 1482 if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) { 1483 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC, 1484 wh->i_addr2, 1485 "capabilities change: was 0x%x, now 0x%x", 1486 ni->ni_capinfo, scan.capinfo); 1487 /* 1488 * NB: we assume short preamble doesn't 1489 * change dynamically 1490 */ 1491 ieee80211_vap_set_shortslottime(vap, 1492 IEEE80211_IS_CHAN_A(ic->ic_bsschan) || 1493 (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1494 ni->ni_capinfo = (ni->ni_capinfo &~ IEEE80211_CAPINFO_SHORT_SLOTTIME) 1495 | (scan.capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME); 1496 /* XXX statistic */ 1497 } 1498 if (scan.wme != NULL && 1499 (ni->ni_flags & IEEE80211_NODE_QOS)) { 1500 int _retval; 1501 if ((_retval = ieee80211_parse_wmeparams(vap, 1502 scan.wme, wh, &qosinfo)) >= 0) { 1503 if (qosinfo & WME_CAPINFO_UAPSD_EN) 1504 ni->ni_flags |= 1505 IEEE80211_NODE_UAPSD; 1506 if (_retval > 0) 1507 ieee80211_wme_updateparams(vap); 1508 } 1509 } else 1510 ni->ni_flags &= ~IEEE80211_NODE_UAPSD; 1511#ifdef IEEE80211_SUPPORT_SUPERG 1512 if (scan.ath != NULL) 1513 ieee80211_parse_athparams(ni, scan.ath, wh); 1514#endif 1515 if (scan.htcap != NULL && scan.htinfo != NULL && 1516 (vap->iv_flags_ht & IEEE80211_FHT_HT)) { 1517 /* XXX state changes? */ 1518 ieee80211_ht_updateparams(ni, 1519 scan.htcap, scan.htinfo); 1520 do_ht = 1; 1521 } 1522 if (scan.vhtcap != NULL && scan.vhtopmode != NULL && 1523 (vap->iv_vht_flags & IEEE80211_FVHT_VHT)) { 1524 /* XXX state changes? */ 1525 ieee80211_vht_updateparams(ni, 1526 scan.vhtcap, scan.vhtopmode); 1527 do_ht = 1; 1528 } 1529 if (do_ht) { 1530 if (ieee80211_ht_updateparams_final(ni, 1531 scan.htcap, scan.htinfo)) 1532 ht_state_change = 1; 1533 } 1534 1535 /* 1536 * If we have a quiet time IE then report it up to 1537 * the driver. 1538 * 1539 * Otherwise, inform the driver that the quiet time 1540 * IE has disappeared - only do that once rather than 1541 * spamming it each time. 1542 */ 1543 if (scan.quiet) { 1544 ic->ic_set_quiet(ni, scan.quiet); 1545 ni->ni_quiet_ie_set = 1; 1546 memcpy(&ni->ni_quiet_ie, scan.quiet, 1547 sizeof(struct ieee80211_quiet_ie)); 1548 } else { 1549 if (ni->ni_quiet_ie_set == 1) 1550 ic->ic_set_quiet(ni, NULL); 1551 ni->ni_quiet_ie_set = 0; 1552 bzero(&ni->ni_quiet_ie, 1553 sizeof(struct ieee80211_quiet_ie)); 1554 } 1555 1556 if (scan.tim != NULL) { 1557 struct ieee80211_tim_ie *tim = 1558 (struct ieee80211_tim_ie *) scan.tim; 1559 /* 1560 * XXX Check/debug this code; see if it's about 1561 * the right time to force the VAP awake if we 1562 * receive a frame destined for us? 1563 */ 1564 int aid = IEEE80211_AID(ni->ni_associd); 1565 int ix = aid / NBBY; 1566 int min = tim->tim_bitctl &~ 1; 1567 int max = tim->tim_len + min - 4; 1568 int tim_ucast = 0; 1569#ifdef __notyet__ 1570 int tim_mcast = 0; 1571#endif 1572 1573 /* 1574 * Only do this for unicast traffic in the TIM 1575 * The multicast traffic notification for 1576 * the scan notification stuff should occur 1577 * differently. 1578 */ 1579 if (min <= ix && ix <= max && 1580 isset(tim->tim_bitmap - min, aid)) { 1581 tim_ucast = 1; 1582 } 1583 1584#ifdef __notyet__ 1585 /* 1586 * Do a separate notification 1587 * for the multicast bit being set. 1588 */ 1589 if (tim->tim_bitctl & 1) { 1590 tim_mcast = 1; 1591 } 1592#endif 1593 1594 /* 1595 * If the TIM indicates there's traffic for 1596 * us then get us out of STA mode powersave. 1597 */ 1598 if (tim_ucast == 1) { 1599 /* 1600 * Wake us out of SLEEP state if we're 1601 * in it; and if we're doing bgscan 1602 * then wake us out of STA powersave. 1603 */ 1604 ieee80211_sta_tim_notify(vap, 1); 1605 1606 /* 1607 * This is preventing us from 1608 * continuing a bgscan; because it 1609 * tricks the contbgscan() 1610 * routine to think there's always 1611 * traffic for us. 1612 * 1613 * I think we need both an RX and 1614 * TX ic_lastdata field. 1615 */ 1616 ic->ic_lastdata = ticks; 1617 } 1618 1619 ni->ni_dtim_count = tim->tim_count; 1620 ni->ni_dtim_period = tim->tim_period; 1621 } 1622 if (scan.csa != NULL && 1623 (vap->iv_flags & IEEE80211_F_DOTH)) 1624 ieee80211_parse_csaparams(vap, scan.csa, wh); 1625 else if (ic->ic_flags & IEEE80211_F_CSAPENDING) { 1626 /* 1627 * No CSA ie or 11h disabled, but a channel 1628 * switch is pending; drop out so we aren't 1629 * stuck in CSA state. If the AP really is 1630 * moving we'll get a beacon miss and scan. 1631 */ 1632 IEEE80211_LOCK(ic); 1633 ieee80211_csa_cancelswitch(ic); 1634 IEEE80211_UNLOCK(ic); 1635 } 1636 /* 1637 * If scanning, pass the info to the scan module. 1638 * Otherwise, check if it's the right time to do 1639 * a background scan. Background scanning must 1640 * be enabled and we must not be operating in the 1641 * turbo phase of dynamic turbo mode. Then, 1642 * it's been a while since the last background 1643 * scan and if no data frames have come through 1644 * recently, kick off a scan. Note that this 1645 * is the mechanism by which a background scan 1646 * is started _and_ continued each time we 1647 * return on-channel to receive a beacon from 1648 * our ap. 1649 */ 1650 if (ic->ic_flags & IEEE80211_F_SCAN) { 1651 ieee80211_add_scan(vap, rxchan, 1652 &scan, wh, subtype, rssi, nf); 1653 } else if (contbgscan(vap)) { 1654 ieee80211_bg_scan(vap, 0); 1655 } else if (startbgscan(vap)) { 1656 vap->iv_stats.is_scan_bg++; 1657#if 0 1658 /* wakeup if we are sleeing */ 1659 ieee80211_set_pwrsave(vap, 0); 1660#endif 1661 ieee80211_bg_scan(vap, 0); 1662 } 1663 1664 /* 1665 * Put the station to sleep if we haven't seen 1666 * traffic in a while. 1667 */ 1668 IEEE80211_LOCK(ic); 1669 ieee80211_sta_ps_timer_check(vap); 1670 IEEE80211_UNLOCK(ic); 1671 1672 /* 1673 * If we've had a channel width change (eg HT20<->HT40) 1674 * then schedule a delayed driver notification. 1675 */ 1676 if (ht_state_change) 1677 ieee80211_update_chw(ic); 1678 return; 1679 } 1680 /* 1681 * If scanning, just pass information to the scan module. 1682 */ 1683 if (ic->ic_flags & IEEE80211_F_SCAN) { 1684 if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) { 1685 /* 1686 * Actively scanning a channel marked passive; 1687 * send a probe request now that we know there 1688 * is 802.11 traffic present. 1689 * 1690 * XXX check if the beacon we recv'd gives 1691 * us what we need and suppress the probe req 1692 */ 1693 ieee80211_probe_curchan(vap, 1); 1694 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN; 1695 } 1696 ieee80211_add_scan(vap, rxchan, &scan, wh, 1697 subtype, rssi, nf); 1698 return; 1699 } 1700 break; 1701 } 1702 1703 case IEEE80211_FC0_SUBTYPE_AUTH: { 1704 uint16_t algo, seq, status; 1705 /* 1706 * auth frame format 1707 * [2] algorithm 1708 * [2] sequence 1709 * [2] status 1710 * [tlv*] challenge 1711 */ 1712 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1713 algo = le16toh(*(uint16_t *)frm); 1714 seq = le16toh(*(uint16_t *)(frm + 2)); 1715 status = le16toh(*(uint16_t *)(frm + 4)); 1716 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2, 1717 "recv auth frame with algorithm %d seq %d", algo, seq); 1718 1719 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 1720 IEEE80211_DISCARD(vap, 1721 IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO, 1722 wh, "auth", "%s", "TKIP countermeasures enabled"); 1723 vap->iv_stats.is_rx_auth_countermeasures++; 1724 if (vap->iv_opmode == IEEE80211_M_HOSTAP) { 1725 ieee80211_send_error(ni, wh->i_addr2, 1726 IEEE80211_FC0_SUBTYPE_AUTH, 1727 IEEE80211_REASON_MIC_FAILURE); 1728 } 1729 return; 1730 } 1731 if (algo == IEEE80211_AUTH_ALG_SHARED) 1732 sta_auth_shared(ni, wh, frm + 6, efrm, rssi, nf, 1733 seq, status); 1734 else if (algo == IEEE80211_AUTH_ALG_OPEN) 1735 sta_auth_open(ni, wh, rssi, nf, seq, status); 1736 else { 1737 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 1738 wh, "auth", "unsupported alg %d", algo); 1739 vap->iv_stats.is_rx_auth_unsupported++; 1740 return; 1741 } 1742 break; 1743 } 1744 1745 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 1746 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: { 1747 uint16_t capinfo, associd; 1748 uint16_t status; 1749 1750 if (vap->iv_state != IEEE80211_S_ASSOC) { 1751 vap->iv_stats.is_rx_mgtdiscard++; 1752 return; 1753 } 1754 1755 /* 1756 * asresp frame format 1757 * [2] capability information 1758 * [2] status 1759 * [2] association ID 1760 * [tlv] supported rates 1761 * [tlv] extended supported rates 1762 * [tlv] WME 1763 * [tlv] HT capabilities 1764 * [tlv] HT info 1765 */ 1766 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return); 1767 ni = vap->iv_bss; 1768 capinfo = le16toh(*(uint16_t *)frm); 1769 frm += 2; 1770 status = le16toh(*(uint16_t *)frm); 1771 frm += 2; 1772 if (status != 0) { 1773 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC, 1774 wh->i_addr2, "%sassoc failed (reason %d)", 1775 ISREASSOC(subtype) ? "re" : "", status); 1776 vap->iv_stats.is_rx_auth_fail++; /* XXX */ 1777 return; 1778 } 1779 associd = le16toh(*(uint16_t *)frm); 1780 frm += 2; 1781 1782 rates = xrates = wme = htcap = htinfo = NULL; 1783 vhtcap = vhtopmode = NULL; 1784 while (efrm - frm > 1) { 1785 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); 1786 switch (*frm) { 1787 case IEEE80211_ELEMID_RATES: 1788 rates = frm; 1789 break; 1790 case IEEE80211_ELEMID_XRATES: 1791 xrates = frm; 1792 break; 1793 case IEEE80211_ELEMID_HTCAP: 1794 htcap = frm; 1795 break; 1796 case IEEE80211_ELEMID_HTINFO: 1797 htinfo = frm; 1798 break; 1799 case IEEE80211_ELEMID_VENDOR: 1800 if (iswmeoui(frm)) 1801 wme = frm; 1802 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) { 1803 /* 1804 * Accept pre-draft HT ie's if the 1805 * standard ones have not been seen. 1806 */ 1807 if (ishtcapoui(frm)) { 1808 if (htcap == NULL) 1809 htcap = frm; 1810 } else if (ishtinfooui(frm)) { 1811 if (htinfo == NULL) 1812 htinfo = frm; 1813 } 1814 } 1815 /* XXX Atheros OUI support */ 1816 break; 1817 case IEEE80211_ELEMID_VHT_CAP: 1818 vhtcap = frm; 1819 break; 1820 case IEEE80211_ELEMID_VHT_OPMODE: 1821 vhtopmode = frm; 1822 break; 1823 } 1824 frm += frm[1] + 2; 1825 } 1826 1827 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return); 1828 if (xrates != NULL) 1829 IEEE80211_VERIFY_ELEMENT(xrates, 1830 IEEE80211_RATE_MAXSIZE - rates[1], return); 1831 rate = ieee80211_setup_rates(ni, rates, xrates, 1832 IEEE80211_F_JOIN | 1833 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE | 1834 IEEE80211_F_DONEGO | IEEE80211_F_DODEL); 1835 if (rate & IEEE80211_RATE_BASIC) { 1836 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ASSOC, 1837 wh->i_addr2, 1838 "%sassoc failed (rate set mismatch)", 1839 ISREASSOC(subtype) ? "re" : ""); 1840 vap->iv_stats.is_rx_assoc_norate++; 1841 ieee80211_new_state(vap, IEEE80211_S_SCAN, 1842 IEEE80211_SCAN_FAIL_STATUS); 1843 return; 1844 } 1845 1846 ni->ni_capinfo = capinfo; 1847 ni->ni_associd = associd; 1848 if (ni->ni_jointime == 0) 1849 ni->ni_jointime = time_uptime; 1850 if (wme != NULL && 1851 ieee80211_parse_wmeparams(vap, wme, wh, &qosinfo) >= 0) { 1852 ni->ni_flags |= IEEE80211_NODE_QOS; 1853 ieee80211_wme_updateparams(vap); 1854 } else 1855 ni->ni_flags &= ~IEEE80211_NODE_QOS; 1856 /* 1857 * Setup HT state according to the negotiation. 1858 * 1859 * NB: shouldn't need to check if HT use is enabled but some 1860 * ap's send back HT ie's even when we don't indicate we 1861 * are HT capable in our AssocReq. 1862 */ 1863 if (htcap != NULL && htinfo != NULL && 1864 (vap->iv_flags_ht & IEEE80211_FHT_HT)) { 1865 ieee80211_ht_node_init(ni); 1866 ieee80211_ht_updateparams(ni, htcap, htinfo); 1867 1868 if ((vhtcap != NULL) && (vhtopmode != NULL) & 1869 (vap->iv_vht_flags & IEEE80211_FVHT_VHT)) { 1870 /* 1871 * Log if we get a VHT assoc/reassoc response. 1872 * We aren't ready for 2GHz VHT support. 1873 */ 1874 if (IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) { 1875 printf("%s: peer %6D: VHT on 2GHz, ignoring\n", 1876 __func__, 1877 ni->ni_macaddr, 1878 ":"); 1879 } else { 1880 ieee80211_vht_node_init(ni); 1881 ieee80211_vht_updateparams(ni, vhtcap, vhtopmode); 1882 ieee80211_setup_vht_rates(ni, vhtcap, vhtopmode); 1883 } 1884 } 1885 1886 ieee80211_ht_updateparams_final(ni, htcap, htinfo); 1887 ieee80211_setup_htrates(ni, htcap, 1888 IEEE80211_F_JOIN | IEEE80211_F_DOBRS); 1889 ieee80211_setup_basic_htrates(ni, htinfo); 1890 1891 ieee80211_node_setuptxparms(ni); 1892 ieee80211_ratectl_node_init(ni); 1893 } 1894 1895 /* 1896 * Always initialise FF/superg state; we can use this 1897 * for doing A-MSDU encapsulation as well. 1898 */ 1899#ifdef IEEE80211_SUPPORT_SUPERG 1900 ieee80211_ff_node_init(ni); 1901#endif 1902 1903 /* 1904 * Configure state now that we are associated. 1905 * 1906 * XXX may need different/additional driver callbacks? 1907 */ 1908 if (IEEE80211_IS_CHAN_A(ic->ic_curchan) || 1909 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { 1910 vap->iv_flags |= IEEE80211_F_SHPREAMBLE; 1911 vap->iv_flags &= ~IEEE80211_F_USEBARKER; 1912 } else { 1913 vap->iv_flags &= ~IEEE80211_F_SHPREAMBLE; 1914 vap->iv_flags |= IEEE80211_F_USEBARKER; 1915 } 1916 ieee80211_vap_set_shortslottime(vap, 1917 IEEE80211_IS_CHAN_A(ic->ic_curchan) || 1918 (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME)); 1919 ieee80211_vap_update_preamble(vap); 1920 /* 1921 * Honor ERP protection. 1922 * 1923 * NB: ni_erp should zero for non-11g operation. 1924 */ 1925 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1926 (ni->ni_erp & IEEE80211_ERP_USE_PROTECTION)) 1927 vap->iv_flags |= IEEE80211_F_USEPROT; 1928 else 1929 vap->iv_flags &= ~IEEE80211_F_USEPROT; 1930 ieee80211_vap_update_erp_protmode(vap); 1931 IEEE80211_NOTE_MAC(vap, 1932 IEEE80211_MSG_ASSOC | IEEE80211_MSG_DEBUG, wh->i_addr2, 1933 "%sassoc success at aid %d: %s preamble, %s slot time%s%s%s%s%s%s%s%s%s", 1934 ISREASSOC(subtype) ? "re" : "", 1935 IEEE80211_NODE_AID(ni), 1936 vap->iv_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long", 1937 vap->iv_flags&IEEE80211_F_SHSLOT ? "short" : "long", 1938 vap->iv_flags&IEEE80211_F_USEPROT ? ", protection" : "", 1939 ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : "", 1940 ni->ni_flags & IEEE80211_NODE_HT ? 1941 (ni->ni_chw == 40 ? ", HT40" : ", HT20") : "", 1942 ni->ni_flags & IEEE80211_NODE_AMPDU ? " (+AMPDU)" : "", 1943 ni->ni_flags & IEEE80211_NODE_AMSDU ? " (+AMSDU)" : "", 1944 ni->ni_flags & IEEE80211_NODE_MIMO_RTS ? " (+SMPS-DYN)" : 1945 ni->ni_flags & IEEE80211_NODE_MIMO_PS ? " (+SMPS)" : "", 1946 ni->ni_flags & IEEE80211_NODE_RIFS ? " (+RIFS)" : "", 1947 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF) ? 1948 ", fast-frames" : "", 1949 IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_TURBOP) ? 1950 ", turbo" : "" 1951 ); 1952 ieee80211_new_state(vap, IEEE80211_S_RUN, subtype); 1953 break; 1954 } 1955 1956 case IEEE80211_FC0_SUBTYPE_DEAUTH: { 1957 uint16_t reason; 1958 1959 if (vap->iv_state == IEEE80211_S_SCAN) { 1960 vap->iv_stats.is_rx_mgtdiscard++; 1961 return; 1962 } 1963 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 1964 /* NB: can happen when in promiscuous mode */ 1965 vap->iv_stats.is_rx_mgtdiscard++; 1966 break; 1967 } 1968 1969 /* 1970 * deauth frame format 1971 * [2] reason 1972 */ 1973 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 1974 reason = le16toh(*(uint16_t *)frm); 1975 1976 vap->iv_stats.is_rx_deauth++; 1977 vap->iv_stats.is_rx_deauth_code = reason; 1978 IEEE80211_NODE_STAT(ni, rx_deauth); 1979 1980 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 1981 "recv deauthenticate (reason: %d (%s))", reason, 1982 ieee80211_reason_to_string(reason)); 1983 ieee80211_new_state(vap, IEEE80211_S_AUTH, 1984 (reason << 8) | IEEE80211_FC0_SUBTYPE_DEAUTH); 1985 break; 1986 } 1987 1988 case IEEE80211_FC0_SUBTYPE_DISASSOC: { 1989 uint16_t reason; 1990 1991 if (vap->iv_state != IEEE80211_S_RUN && 1992 vap->iv_state != IEEE80211_S_ASSOC && 1993 vap->iv_state != IEEE80211_S_AUTH) { 1994 vap->iv_stats.is_rx_mgtdiscard++; 1995 return; 1996 } 1997 if (!IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) { 1998 /* NB: can happen when in promiscuous mode */ 1999 vap->iv_stats.is_rx_mgtdiscard++; 2000 break; 2001 } 2002 2003 /* 2004 * disassoc frame format 2005 * [2] reason 2006 */ 2007 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return); 2008 reason = le16toh(*(uint16_t *)frm); 2009 2010 vap->iv_stats.is_rx_disassoc++; 2011 vap->iv_stats.is_rx_disassoc_code = reason; 2012 IEEE80211_NODE_STAT(ni, rx_disassoc); 2013 2014 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 2015 "recv disassociate (reason: %d (%s))", reason, 2016 ieee80211_reason_to_string(reason)); 2017 ieee80211_new_state(vap, IEEE80211_S_ASSOC, 0); 2018 break; 2019 } 2020 2021 case IEEE80211_FC0_SUBTYPE_ACTION: 2022 case IEEE80211_FC0_SUBTYPE_ACTION_NOACK: 2023 if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) && 2024 !IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2025 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2026 wh, NULL, "%s", "not for us"); 2027 vap->iv_stats.is_rx_mgtdiscard++; 2028 } else if (vap->iv_state != IEEE80211_S_RUN) { 2029 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2030 wh, NULL, "wrong state %s", 2031 ieee80211_state_name[vap->iv_state]); 2032 vap->iv_stats.is_rx_mgtdiscard++; 2033 } else { 2034 if (ieee80211_parse_action(ni, m0) == 0) 2035 (void)ic->ic_recv_action(ni, wh, frm, efrm); 2036 } 2037 break; 2038 2039 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2040 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 2041 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 2042 case IEEE80211_FC0_SUBTYPE_TIMING_ADV: 2043 case IEEE80211_FC0_SUBTYPE_ATIM: 2044 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT, 2045 wh, NULL, "%s", "not handled"); 2046 vap->iv_stats.is_rx_mgtdiscard++; 2047 break; 2048 2049 default: 2050 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY, 2051 wh, "mgt", "subtype 0x%x not handled", subtype); 2052 vap->iv_stats.is_rx_badsubtype++; 2053 break; 2054 } 2055#undef ISREASSOC 2056} 2057 2058static void 2059sta_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype) 2060{ 2061 switch (subtype) { 2062 case IEEE80211_FC0_SUBTYPE_BAR: 2063 ieee80211_recv_bar(ni, m); 2064 break; 2065 } 2066} 2067