xref: /openbsd/sys/net80211/ieee80211_proto.c (revision cecf84d4) 
1 /*	$OpenBSD: ieee80211_proto.c,v 1.51 2015/03/14 03:38:51 jsg Exp $	*/
2 /*	$NetBSD: ieee80211_proto.c,v 1.8 2004/04/30 23:58:20 dyoung Exp $	*/
3 
4 /*-
5  * Copyright (c) 2001 Atsushi Onoe
6  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
7  * Copyright (c) 2008, 2009 Damien Bergamini
8  * All rights reserved.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  * 3. The name of the author may not be used to endorse or promote products
19  *    derived from this software without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 /*
34  * IEEE 802.11 protocol support.
35  */
36 
37 #include <sys/param.h>
38 #include <sys/systm.h>
39 #include <sys/mbuf.h>
40 #include <sys/kernel.h>
41 #include <sys/socket.h>
42 #include <sys/sockio.h>
43 #include <sys/endian.h>
44 #include <sys/errno.h>
45 #include <sys/sysctl.h>
46 
47 #include <net/if.h>
48 #include <net/if_dl.h>
49 #include <net/if_media.h>
50 #include <net/if_arp.h>
51 #include <net/if_llc.h>
52 
53 #include <netinet/in.h>
54 #include <netinet/if_ether.h>
55 
56 #include <net80211/ieee80211_var.h>
57 #include <net80211/ieee80211_priv.h>
58 
59 const char * const ieee80211_mgt_subtype_name[] = {
60 	"assoc_req",	"assoc_resp",	"reassoc_req",	"reassoc_resp",
61 	"probe_req",	"probe_resp",	"reserved#6",	"reserved#7",
62 	"beacon",	"atim",		"disassoc",	"auth",
63 	"deauth",	"action",	"action_noack",	"reserved#15"
64 };
65 const char * const ieee80211_state_name[IEEE80211_S_MAX] = {
66 	"INIT",		/* IEEE80211_S_INIT */
67 	"SCAN",		/* IEEE80211_S_SCAN */
68 	"AUTH",		/* IEEE80211_S_AUTH */
69 	"ASSOC",	/* IEEE80211_S_ASSOC */
70 	"RUN"		/* IEEE80211_S_RUN */
71 };
72 const char * const ieee80211_phymode_name[] = {
73 	"auto",		/* IEEE80211_MODE_AUTO */
74 	"11a",		/* IEEE80211_MODE_11A */
75 	"11b",		/* IEEE80211_MODE_11B */
76 	"11g",		/* IEEE80211_MODE_11G */
77 	"turbo",	/* IEEE80211_MODE_TURBO */
78 };
79 
80 int ieee80211_newstate(struct ieee80211com *, enum ieee80211_state, int);
81 
82 void
83 ieee80211_proto_attach(struct ifnet *ifp)
84 {
85 	struct ieee80211com *ic = (void *)ifp;
86 
87 	ifp->if_hdrlen = sizeof(struct ieee80211_frame);
88 
89 #ifdef notdef
90 	ic->ic_rtsthreshold = IEEE80211_RTS_DEFAULT;
91 #else
92 	ic->ic_rtsthreshold = IEEE80211_RTS_MAX;
93 #endif
94 	ic->ic_fragthreshold = 2346;		/* XXX not used yet */
95 	ic->ic_fixed_rate = -1;			/* no fixed rate */
96 	ic->ic_protmode = IEEE80211_PROT_CTSONLY;
97 
98 	/* protocol state change handler */
99 	ic->ic_newstate = ieee80211_newstate;
100 
101 	/* initialize management frame handlers */
102 	ic->ic_recv_mgmt = ieee80211_recv_mgmt;
103 	ic->ic_send_mgmt = ieee80211_send_mgmt;
104 }
105 
106 void
107 ieee80211_proto_detach(struct ifnet *ifp)
108 {
109 	struct ieee80211com *ic = (void *)ifp;
110 
111 	IF_PURGE(&ic->ic_mgtq);
112 	IF_PURGE(&ic->ic_pwrsaveq);
113 }
114 
115 void
116 ieee80211_print_essid(const u_int8_t *essid, int len)
117 {
118 	int i;
119 	const u_int8_t *p;
120 
121 	if (len > IEEE80211_NWID_LEN)
122 		len = IEEE80211_NWID_LEN;
123 	/* determine printable or not */
124 	for (i = 0, p = essid; i < len; i++, p++) {
125 		if (*p < ' ' || *p > 0x7e)
126 			break;
127 	}
128 	if (i == len) {
129 		printf("\"");
130 		for (i = 0, p = essid; i < len; i++, p++)
131 			printf("%c", *p);
132 		printf("\"");
133 	} else {
134 		printf("0x");
135 		for (i = 0, p = essid; i < len; i++, p++)
136 			printf("%02x", *p);
137 	}
138 }
139 
140 #ifdef IEEE80211_DEBUG
141 void
142 ieee80211_dump_pkt(const u_int8_t *buf, int len, int rate, int rssi)
143 {
144 	struct ieee80211_frame *wh;
145 	int i;
146 
147 	wh = (struct ieee80211_frame *)buf;
148 	switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
149 	case IEEE80211_FC1_DIR_NODS:
150 		printf("NODS %s", ether_sprintf(wh->i_addr2));
151 		printf("->%s", ether_sprintf(wh->i_addr1));
152 		printf("(%s)", ether_sprintf(wh->i_addr3));
153 		break;
154 	case IEEE80211_FC1_DIR_TODS:
155 		printf("TODS %s", ether_sprintf(wh->i_addr2));
156 		printf("->%s", ether_sprintf(wh->i_addr3));
157 		printf("(%s)", ether_sprintf(wh->i_addr1));
158 		break;
159 	case IEEE80211_FC1_DIR_FROMDS:
160 		printf("FRDS %s", ether_sprintf(wh->i_addr3));
161 		printf("->%s", ether_sprintf(wh->i_addr1));
162 		printf("(%s)", ether_sprintf(wh->i_addr2));
163 		break;
164 	case IEEE80211_FC1_DIR_DSTODS:
165 		printf("DSDS %s", ether_sprintf((u_int8_t *)&wh[1]));
166 		printf("->%s", ether_sprintf(wh->i_addr3));
167 		printf("(%s", ether_sprintf(wh->i_addr2));
168 		printf("->%s)", ether_sprintf(wh->i_addr1));
169 		break;
170 	}
171 	switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) {
172 	case IEEE80211_FC0_TYPE_DATA:
173 		printf(" data");
174 		break;
175 	case IEEE80211_FC0_TYPE_MGT:
176 		printf(" %s", ieee80211_mgt_subtype_name[
177 		    (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK)
178 		    >> IEEE80211_FC0_SUBTYPE_SHIFT]);
179 		break;
180 	default:
181 		printf(" type#%d", wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK);
182 		break;
183 	}
184 	if (wh->i_fc[1] & IEEE80211_FC1_WEP)
185 		printf(" WEP");
186 	if (rate >= 0)
187 		printf(" %d%sM", rate / 2, (rate & 1) ? ".5" : "");
188 	if (rssi >= 0)
189 		printf(" +%d", rssi);
190 	printf("\n");
191 	if (len > 0) {
192 		for (i = 0; i < len; i++) {
193 			if ((i & 1) == 0)
194 				printf(" ");
195 			printf("%02x", buf[i]);
196 		}
197 		printf("\n");
198 	}
199 }
200 #endif
201 
202 int
203 ieee80211_fix_rate(struct ieee80211com *ic, struct ieee80211_node *ni,
204     int flags)
205 {
206 #define	RV(v)	((v) & IEEE80211_RATE_VAL)
207 	int i, j, ignore, error;
208 	int okrate, badrate, fixedrate;
209 	const struct ieee80211_rateset *srs;
210 	struct ieee80211_rateset *nrs;
211 	u_int8_t r;
212 
213 	/*
214 	 * If the fixed rate check was requested but no fixed rate has been
215 	 * defined then just remove the check.
216 	 */
217 	if ((flags & IEEE80211_F_DOFRATE) && ic->ic_fixed_rate == -1)
218 		flags &= ~IEEE80211_F_DOFRATE;
219 
220 	error = 0;
221 	okrate = badrate = fixedrate = 0;
222 	srs = &ic->ic_sup_rates[ieee80211_chan2mode(ic, ni->ni_chan)];
223 	nrs = &ni->ni_rates;
224 	for (i = 0; i < nrs->rs_nrates; ) {
225 		ignore = 0;
226 		if (flags & IEEE80211_F_DOSORT) {
227 			/*
228 			 * Sort rates.
229 			 */
230 			for (j = i + 1; j < nrs->rs_nrates; j++) {
231 				if (RV(nrs->rs_rates[i]) >
232 				    RV(nrs->rs_rates[j])) {
233 					r = nrs->rs_rates[i];
234 					nrs->rs_rates[i] = nrs->rs_rates[j];
235 					nrs->rs_rates[j] = r;
236 				}
237 			}
238 		}
239 		r = nrs->rs_rates[i] & IEEE80211_RATE_VAL;
240 		badrate = r;
241 		if (flags & IEEE80211_F_DOFRATE) {
242 			/*
243 			 * Check fixed rate is included.
244 			 */
245 			if (r == RV(srs->rs_rates[ic->ic_fixed_rate]))
246 				fixedrate = r;
247 		}
248 		if (flags & IEEE80211_F_DONEGO) {
249 			/*
250 			 * Check against supported rates.
251 			 */
252 			for (j = 0; j < srs->rs_nrates; j++) {
253 				if (r == RV(srs->rs_rates[j])) {
254 					/*
255 					 * Overwrite with the supported rate
256 					 * value so any basic rate bit is set.
257 					 * This insures that response we send
258 					 * to stations have the necessary basic
259 					 * rate bit set.
260 					 */
261 					nrs->rs_rates[i] = srs->rs_rates[j];
262 					break;
263 				}
264 			}
265 			if (j == srs->rs_nrates) {
266 				/*
267 				 * A rate in the node's rate set is not
268 				 * supported.  If this is a basic rate and we
269 				 * are operating as an AP then this is an error.
270 				 * Otherwise we just discard/ignore the rate.
271 				 * Note that this is important for 11b stations
272 				 * when they want to associate with an 11g AP.
273 				 */
274 #ifndef IEEE80211_STA_ONLY
275 				if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
276 				    (nrs->rs_rates[i] & IEEE80211_RATE_BASIC))
277 					error++;
278 #endif
279 				ignore++;
280 			}
281 		}
282 		if (flags & IEEE80211_F_DODEL) {
283 			/*
284 			 * Delete unacceptable rates.
285 			 */
286 			if (ignore) {
287 				nrs->rs_nrates--;
288 				for (j = i; j < nrs->rs_nrates; j++)
289 					nrs->rs_rates[j] = nrs->rs_rates[j + 1];
290 				nrs->rs_rates[j] = 0;
291 				continue;
292 			}
293 		}
294 		if (!ignore)
295 			okrate = nrs->rs_rates[i];
296 		i++;
297 	}
298 	if (okrate == 0 || error != 0 ||
299 	    ((flags & IEEE80211_F_DOFRATE) && fixedrate == 0))
300 		return badrate | IEEE80211_RATE_BASIC;
301 	else
302 		return RV(okrate);
303 #undef RV
304 }
305 
306 /*
307  * Reset 11g-related state.
308  */
309 void
310 ieee80211_reset_erp(struct ieee80211com *ic)
311 {
312 	ic->ic_flags &= ~IEEE80211_F_USEPROT;
313 	ic->ic_nonerpsta = 0;
314 	ic->ic_longslotsta = 0;
315 
316 	/*
317 	 * Enable short slot time iff:
318 	 * - we're operating in 802.11a or
319 	 * - we're operating in 802.11g and we're not in IBSS mode and
320 	 *   the device supports short slot time
321 	 */
322 	ieee80211_set_shortslottime(ic,
323 	    ic->ic_curmode == IEEE80211_MODE_11A
324 #ifndef IEEE80211_STA_ONLY
325 	    ||
326 	    (ic->ic_curmode == IEEE80211_MODE_11G &&
327 	     ic->ic_opmode == IEEE80211_M_HOSTAP &&
328 	     (ic->ic_caps & IEEE80211_C_SHSLOT))
329 #endif
330 	);
331 
332 	if (ic->ic_curmode == IEEE80211_MODE_11A ||
333 	    (ic->ic_caps & IEEE80211_C_SHPREAMBLE))
334 		ic->ic_flags |= IEEE80211_F_SHPREAMBLE;
335 	else
336 		ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
337 }
338 
339 /*
340  * Set the short slot time state and notify the driver.
341  */
342 void
343 ieee80211_set_shortslottime(struct ieee80211com *ic, int on)
344 {
345 	if (on)
346 		ic->ic_flags |= IEEE80211_F_SHSLOT;
347 	else
348 		ic->ic_flags &= ~IEEE80211_F_SHSLOT;
349 
350 	/* notify the driver */
351 	if (ic->ic_updateslot != NULL)
352 		ic->ic_updateslot(ic);
353 }
354 
355 /*
356  * This function is called by the 802.1X PACP machine (via an ioctl) when
357  * the transmit key machine (4-Way Handshake for 802.11) should run.
358  */
359 int
360 ieee80211_keyrun(struct ieee80211com *ic, u_int8_t *macaddr)
361 {
362 #ifndef IEEE80211_STA_ONLY
363 	struct ieee80211_node *ni;
364 	struct ieee80211_pmk *pmk;
365 #endif
366 
367 	/* STA must be associated or AP must be ready */
368 	if (ic->ic_state != IEEE80211_S_RUN ||
369 	    !(ic->ic_flags & IEEE80211_F_RSNON))
370 		return ENETDOWN;
371 
372 #ifndef IEEE80211_STA_ONLY
373 	if (ic->ic_opmode == IEEE80211_M_STA)
374 #endif
375 		return 0;	/* supplicant only, do nothing */
376 
377 #ifndef IEEE80211_STA_ONLY
378 	/* find the STA with which we must start the key exchange */
379 	if ((ni = ieee80211_find_node(ic, macaddr)) == NULL) {
380 		DPRINTF(("no node found for %s\n", ether_sprintf(macaddr)));
381 		return EINVAL;
382 	}
383 	/* check that the STA is in the correct state */
384 	if (ni->ni_state != IEEE80211_STA_ASSOC ||
385 	    ni->ni_rsn_state != RSNA_AUTHENTICATION_2) {
386 		DPRINTF(("unexpected in state %d\n", ni->ni_rsn_state));
387 		return EINVAL;
388 	}
389 	ni->ni_rsn_state = RSNA_INITPMK;
390 
391 	/* make sure a PMK is available for this STA, otherwise deauth it */
392 	if ((pmk = ieee80211_pmksa_find(ic, ni, NULL)) == NULL) {
393 		DPRINTF(("no PMK available for %s\n", ether_sprintf(macaddr)));
394 		IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
395 		    IEEE80211_REASON_AUTH_LEAVE);
396 		ieee80211_node_leave(ic, ni);
397 		return EINVAL;
398 	}
399 	memcpy(ni->ni_pmk, pmk->pmk_key, IEEE80211_PMK_LEN);
400 	memcpy(ni->ni_pmkid, pmk->pmk_pmkid, IEEE80211_PMKID_LEN);
401 	ni->ni_flags |= IEEE80211_NODE_PMK;
402 
403 	/* initiate key exchange (4-Way Handshake) with STA */
404 	return ieee80211_send_4way_msg1(ic, ni);
405 #endif	/* IEEE80211_STA_ONLY */
406 }
407 
408 #ifndef IEEE80211_STA_ONLY
409 /*
410  * Initiate a group key handshake with a node.
411  */
412 static void
413 ieee80211_node_gtk_rekey(void *arg, struct ieee80211_node *ni)
414 {
415 	struct ieee80211com *ic = arg;
416 
417 	if (ni->ni_state != IEEE80211_STA_ASSOC ||
418 	    ni->ni_rsn_gstate != RSNA_IDLE)
419 		return;
420 
421 	/* initiate a group key handshake with STA */
422 	ni->ni_flags |= IEEE80211_NODE_REKEY;
423 	if (ieee80211_send_group_msg1(ic, ni) != 0)
424 		ni->ni_flags &= ~IEEE80211_NODE_REKEY;
425 	else
426 		ic->ic_rsn_keydonesta++;
427 }
428 
429 /*
430  * This function is called in HostAP mode when the group key needs to be
431  * changed.
432  */
433 void
434 ieee80211_setkeys(struct ieee80211com *ic)
435 {
436 	struct ieee80211_key *k;
437 	u_int8_t kid;
438 
439 	/* Swap(GM, GN) */
440 	kid = (ic->ic_def_txkey == 1) ? 2 : 1;
441 	k = &ic->ic_nw_keys[kid];
442 	memset(k, 0, sizeof(*k));
443 	k->k_id = kid;
444 	k->k_cipher = ic->ic_bss->ni_rsngroupcipher;
445 	k->k_flags = IEEE80211_KEY_GROUP | IEEE80211_KEY_TX;
446 	k->k_len = ieee80211_cipher_keylen(k->k_cipher);
447 	arc4random_buf(k->k_key, k->k_len);
448 
449 	if (ic->ic_caps & IEEE80211_C_MFP) {
450 		/* Swap(GM_igtk, GN_igtk) */
451 		kid = (ic->ic_igtk_kid == 4) ? 5 : 4;
452 		k = &ic->ic_nw_keys[kid];
453 		memset(k, 0, sizeof(*k));
454 		k->k_id = kid;
455 		k->k_cipher = ic->ic_bss->ni_rsngroupmgmtcipher;
456 		k->k_flags = IEEE80211_KEY_IGTK | IEEE80211_KEY_TX;
457 		k->k_len = 16;
458 		arc4random_buf(k->k_key, k->k_len);
459 	}
460 
461 	ic->ic_rsn_keydonesta = 0;
462 	ieee80211_iterate_nodes(ic, ieee80211_node_gtk_rekey, ic);
463 }
464 
465 /*
466  * The group key handshake has been completed with all associated stations.
467  */
468 void
469 ieee80211_setkeysdone(struct ieee80211com *ic)
470 {
471 	u_int8_t kid;
472 
473 	/* install GTK */
474 	kid = (ic->ic_def_txkey == 1) ? 2 : 1;
475 	if ((*ic->ic_set_key)(ic, ic->ic_bss, &ic->ic_nw_keys[kid]) == 0)
476 		ic->ic_def_txkey = kid;
477 
478 	if (ic->ic_caps & IEEE80211_C_MFP) {
479 		/* install IGTK */
480 		kid = (ic->ic_igtk_kid == 4) ? 5 : 4;
481 		if ((*ic->ic_set_key)(ic, ic->ic_bss,
482 		    &ic->ic_nw_keys[kid]) == 0)
483 			ic->ic_igtk_kid = kid;
484 	}
485 }
486 
487 /*
488  * Group key lifetime has expired, update it.
489  */
490 void
491 ieee80211_gtk_rekey_timeout(void *arg)
492 {
493 	struct ieee80211com *ic = arg;
494 	int s;
495 
496 	s = splnet();
497 	ieee80211_setkeys(ic);
498 	splx(s);
499 
500 	/* re-schedule a GTK rekeying after 3600s */
501 	timeout_add_sec(&ic->ic_rsn_timeout, 3600);
502 }
503 
504 void
505 ieee80211_sa_query_timeout(void *arg)
506 {
507 	struct ieee80211_node *ni = arg;
508 	struct ieee80211com *ic = ni->ni_ic;
509 	int s;
510 
511 	s = splnet();
512 	if (++ni->ni_sa_query_count >= 3) {
513 		ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY;
514 		ni->ni_flags |= IEEE80211_NODE_SA_QUERY_FAILED;
515 	} else	/* retry SA Query Request */
516 		ieee80211_sa_query_request(ic, ni);
517 	splx(s);
518 }
519 
520 /*
521  * Request that a SA Query Request frame be sent to a specified peer STA
522  * to which the STA is associated.
523  */
524 void
525 ieee80211_sa_query_request(struct ieee80211com *ic, struct ieee80211_node *ni)
526 {
527 	/* MLME-SAQuery.request */
528 
529 	if (!(ni->ni_flags & IEEE80211_NODE_SA_QUERY)) {
530 		ni->ni_flags |= IEEE80211_NODE_SA_QUERY;
531 		ni->ni_flags &= ~IEEE80211_NODE_SA_QUERY_FAILED;
532 		ni->ni_sa_query_count = 0;
533 	}
534 	/* generate new Transaction Identifier */
535 	ni->ni_sa_query_trid++;
536 
537 	/* send SA Query Request */
538 	IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_SA_QUERY,
539 	    IEEE80211_ACTION_SA_QUERY_REQ, 0);
540 	timeout_add_msec(&ni->ni_sa_query_to, 10);
541 }
542 #endif	/* IEEE80211_STA_ONLY */
543 
544 #ifndef IEEE80211_NO_HT
545 void
546 ieee80211_tx_ba_timeout(void *arg)
547 {
548 	struct ieee80211_tx_ba *ba = arg;
549 	struct ieee80211_node *ni = ba->ba_ni;
550 	struct ieee80211com *ic = ni->ni_ic;
551 	u_int8_t tid;
552 	int s;
553 
554 	s = splnet();
555 	if (ba->ba_state == IEEE80211_BA_REQUESTED) {
556 		/* MLME-ADDBA.confirm(TIMEOUT) */
557 		ba->ba_state = IEEE80211_BA_INIT;
558 
559 	} else if (ba->ba_state == IEEE80211_BA_AGREED) {
560 		/* Block Ack inactivity timeout */
561 		tid = ((caddr_t)ba - (caddr_t)ni->ni_tx_ba) / sizeof(*ba);
562 		ieee80211_delba_request(ic, ni, IEEE80211_REASON_TIMEOUT,
563 		    1, tid);
564 	}
565 	splx(s);
566 }
567 
568 void
569 ieee80211_rx_ba_timeout(void *arg)
570 {
571 	struct ieee80211_rx_ba *ba = arg;
572 	struct ieee80211_node *ni = ba->ba_ni;
573 	struct ieee80211com *ic = ni->ni_ic;
574 	u_int8_t tid;
575 	int s;
576 
577 	s = splnet();
578 
579 	/* Block Ack inactivity timeout */
580 	tid = ((caddr_t)ba - (caddr_t)ni->ni_rx_ba) / sizeof(*ba);
581 	ieee80211_delba_request(ic, ni, IEEE80211_REASON_TIMEOUT, 0, tid);
582 
583 	splx(s);
584 }
585 
586 /*
587  * Request initiation of Block Ack with the specified peer.
588  */
589 int
590 ieee80211_addba_request(struct ieee80211com *ic, struct ieee80211_node *ni,
591     u_int16_t ssn, u_int8_t tid)
592 {
593 	struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
594 
595 	/* MLME-ADDBA.request */
596 
597 	/* setup Block Ack */
598 	ba->ba_state = IEEE80211_BA_REQUESTED;
599 	ba->ba_token = ic->ic_dialog_token++;
600 	ba->ba_timeout_val = IEEE80211_BA_MAX_TIMEOUT;
601 	timeout_set(&ba->ba_to, ieee80211_tx_ba_timeout, ba);
602 	ba->ba_winsize = IEEE80211_BA_MAX_WINSZ;
603 	ba->ba_winstart = ssn;
604 	ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
605 
606 	timeout_add_sec(&ba->ba_to, 1);	/* dot11ADDBAResponseTimeout */
607 	IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
608 	    IEEE80211_ACTION_ADDBA_REQ, tid);
609 	return 0;
610 }
611 
612 /*
613  * Request the deletion of Block Ack with a peer.
614  */
615 void
616 ieee80211_delba_request(struct ieee80211com *ic, struct ieee80211_node *ni,
617     u_int16_t reason, u_int8_t dir, u_int8_t tid)
618 {
619 	/* MLME-DELBA.request */
620 
621 	/* transmit a DELBA frame */
622 	IEEE80211_SEND_ACTION(ic, ni, IEEE80211_CATEG_BA,
623 	    IEEE80211_ACTION_DELBA, reason << 16 | dir << 8 | tid);
624 	if (dir) {
625 		/* MLME-DELBA.confirm(Originator) */
626 		struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
627 
628 		if (ic->ic_ampdu_tx_stop != NULL)
629 			ic->ic_ampdu_tx_stop(ic, ni, tid);
630 
631 		ba->ba_state = IEEE80211_BA_INIT;
632 		/* stop Block Ack inactivity timer */
633 		timeout_del(&ba->ba_to);
634 	} else {
635 		/* MLME-DELBA.confirm(Recipient) */
636 		struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
637 		int i;
638 
639 		if (ic->ic_ampdu_rx_stop != NULL)
640 			ic->ic_ampdu_rx_stop(ic, ni, tid);
641 
642 		ba->ba_state = IEEE80211_BA_INIT;
643 		/* stop Block Ack inactivity timer */
644 		timeout_del(&ba->ba_to);
645 
646 		if (ba->ba_buf != NULL) {
647 			/* free all MSDUs stored in reordering buffer */
648 			for (i = 0; i < IEEE80211_BA_MAX_WINSZ; i++)
649 				if (ba->ba_buf[i].m != NULL)
650 					m_freem(ba->ba_buf[i].m);
651 			/* free reordering buffer */
652 			free(ba->ba_buf, M_DEVBUF, 0);
653 			ba->ba_buf = NULL;
654 		}
655 	}
656 }
657 #endif	/* !IEEE80211_NO_HT */
658 
659 void
660 ieee80211_auth_open(struct ieee80211com *ic, const struct ieee80211_frame *wh,
661     struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi, u_int16_t seq,
662     u_int16_t status)
663 {
664 	struct ifnet *ifp = &ic->ic_if;
665 	switch (ic->ic_opmode) {
666 #ifndef IEEE80211_STA_ONLY
667 	case IEEE80211_M_IBSS:
668 		if (ic->ic_state != IEEE80211_S_RUN ||
669 		    seq != IEEE80211_AUTH_OPEN_REQUEST) {
670 			DPRINTF(("discard auth from %s; state %u, seq %u\n",
671 			    ether_sprintf((u_int8_t *)wh->i_addr2),
672 			    ic->ic_state, seq));
673 			ic->ic_stats.is_rx_bad_auth++;
674 			return;
675 		}
676 		ieee80211_new_state(ic, IEEE80211_S_AUTH,
677 		    wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
678 		break;
679 
680 	case IEEE80211_M_AHDEMO:
681 		/* should not come here */
682 		break;
683 
684 	case IEEE80211_M_HOSTAP:
685 		if (ic->ic_state != IEEE80211_S_RUN ||
686 		    seq != IEEE80211_AUTH_OPEN_REQUEST) {
687 			DPRINTF(("discard auth from %s; state %u, seq %u\n",
688 			    ether_sprintf((u_int8_t *)wh->i_addr2),
689 			    ic->ic_state, seq));
690 			ic->ic_stats.is_rx_bad_auth++;
691 			return;
692 		}
693 		if (ni == ic->ic_bss) {
694 			ni = ieee80211_find_node(ic, wh->i_addr2);
695 			if (ni == NULL)
696 				ni = ieee80211_alloc_node(ic, wh->i_addr2);
697 			if (ni == NULL) {
698 				return;
699 			}
700 			IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_bss->ni_bssid);
701 			ni->ni_rssi = rxi->rxi_rssi;
702 			ni->ni_rstamp = rxi->rxi_tstamp;
703 			ni->ni_chan = ic->ic_bss->ni_chan;
704 		}
705 		IEEE80211_SEND_MGMT(ic, ni,
706 			IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
707 		if (ifp->if_flags & IFF_DEBUG)
708 			printf("%s: station %s %s authenticated (open)\n",
709 			    ifp->if_xname,
710 			    ether_sprintf((u_int8_t *)ni->ni_macaddr),
711 			    ni->ni_state != IEEE80211_STA_CACHE ?
712 			    "newly" : "already");
713 		ieee80211_node_newstate(ni, IEEE80211_STA_AUTH);
714 		break;
715 #endif	/* IEEE80211_STA_ONLY */
716 
717 	case IEEE80211_M_STA:
718 		if (ic->ic_state != IEEE80211_S_AUTH ||
719 		    seq != IEEE80211_AUTH_OPEN_RESPONSE) {
720 			ic->ic_stats.is_rx_bad_auth++;
721 			DPRINTF(("discard auth from %s; state %u, seq %u\n",
722 			    ether_sprintf((u_int8_t *)wh->i_addr2),
723 			    ic->ic_state, seq));
724 			return;
725 		}
726 		if (ic->ic_flags & IEEE80211_F_RSNON) {
727 			/* XXX not here! */
728 			ic->ic_bss->ni_flags &= ~IEEE80211_NODE_TXRXPROT;
729 			ic->ic_bss->ni_port_valid = 0;
730 			ic->ic_bss->ni_replaycnt_ok = 0;
731 			(*ic->ic_delete_key)(ic, ic->ic_bss,
732 			    &ic->ic_bss->ni_pairwise_key);
733 		}
734 		if (status != 0) {
735 			if (ifp->if_flags & IFF_DEBUG)
736 				printf("%s: open authentication failed "
737 				    "(reason %d) for %s\n", ifp->if_xname,
738 				    status,
739 				    ether_sprintf((u_int8_t *)wh->i_addr3));
740 			if (ni != ic->ic_bss)
741 				ni->ni_fails++;
742 			ic->ic_stats.is_rx_auth_fail++;
743 			return;
744 		}
745 		ieee80211_new_state(ic, IEEE80211_S_ASSOC,
746 		    wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK);
747 		break;
748 	default:
749 		break;
750 	}
751 }
752 
753 int
754 ieee80211_newstate(struct ieee80211com *ic, enum ieee80211_state nstate,
755     int mgt)
756 {
757 	struct ifnet *ifp = &ic->ic_if;
758 	struct ieee80211_node *ni;
759 	enum ieee80211_state ostate;
760 	u_int rate;
761 #ifndef IEEE80211_STA_ONLY
762 	int s;
763 #endif
764 
765 	ostate = ic->ic_state;
766 	DPRINTF(("%s -> %s\n", ieee80211_state_name[ostate],
767 	    ieee80211_state_name[nstate]));
768 	ic->ic_state = nstate;			/* state transition */
769 	ni = ic->ic_bss;			/* NB: no reference held */
770 	if (ostate == IEEE80211_S_RUN)
771 		ieee80211_set_link_state(ic, LINK_STATE_DOWN);
772 	switch (nstate) {
773 	case IEEE80211_S_INIT:
774 		/*
775 		 * If mgt = -1, driver is already partway down, so do
776 		 * not send management frames.
777 		 */
778 		switch (ostate) {
779 		case IEEE80211_S_INIT:
780 			break;
781 		case IEEE80211_S_RUN:
782 			if (mgt == -1)
783 				goto justcleanup;
784 			switch (ic->ic_opmode) {
785 			case IEEE80211_M_STA:
786 				IEEE80211_SEND_MGMT(ic, ni,
787 				    IEEE80211_FC0_SUBTYPE_DISASSOC,
788 				    IEEE80211_REASON_ASSOC_LEAVE);
789 				break;
790 #ifndef IEEE80211_STA_ONLY
791 			case IEEE80211_M_HOSTAP:
792 				s = splnet();
793 				RB_FOREACH(ni, ieee80211_tree, &ic->ic_tree) {
794 					if (ni->ni_associd == 0)
795 						continue;
796 					IEEE80211_SEND_MGMT(ic, ni,
797 					    IEEE80211_FC0_SUBTYPE_DISASSOC,
798 					    IEEE80211_REASON_ASSOC_LEAVE);
799 				}
800 				splx(s);
801 				break;
802 #endif
803 			default:
804 				break;
805 			}
806 			/* FALLTHROUGH */
807 		case IEEE80211_S_ASSOC:
808 			if (mgt == -1)
809 				goto justcleanup;
810 			switch (ic->ic_opmode) {
811 			case IEEE80211_M_STA:
812 				IEEE80211_SEND_MGMT(ic, ni,
813 				    IEEE80211_FC0_SUBTYPE_DEAUTH,
814 				    IEEE80211_REASON_AUTH_LEAVE);
815 				break;
816 #ifndef IEEE80211_STA_ONLY
817 			case IEEE80211_M_HOSTAP:
818 				s = splnet();
819 				RB_FOREACH(ni, ieee80211_tree, &ic->ic_tree) {
820 					IEEE80211_SEND_MGMT(ic, ni,
821 					    IEEE80211_FC0_SUBTYPE_DEAUTH,
822 					    IEEE80211_REASON_AUTH_LEAVE);
823 				}
824 				splx(s);
825 				break;
826 #endif
827 			default:
828 				break;
829 			}
830 			/* FALLTHROUGH */
831 		case IEEE80211_S_AUTH:
832 		case IEEE80211_S_SCAN:
833 justcleanup:
834 #ifndef IEEE80211_STA_ONLY
835 			if (ic->ic_opmode == IEEE80211_M_HOSTAP)
836 				timeout_del(&ic->ic_rsn_timeout);
837 #endif
838 			ic->ic_mgt_timer = 0;
839 			IF_PURGE(&ic->ic_mgtq);
840 			IF_PURGE(&ic->ic_pwrsaveq);
841 			ieee80211_free_allnodes(ic);
842 			break;
843 		}
844 		break;
845 	case IEEE80211_S_SCAN:
846 		ic->ic_flags &= ~IEEE80211_F_SIBSS;
847 		/* initialize bss for probe request */
848 		IEEE80211_ADDR_COPY(ni->ni_macaddr, etherbroadcastaddr);
849 		IEEE80211_ADDR_COPY(ni->ni_bssid, etherbroadcastaddr);
850 		ni->ni_rates = ic->ic_sup_rates[
851 			ieee80211_chan2mode(ic, ni->ni_chan)];
852 		ni->ni_associd = 0;
853 		ni->ni_rstamp = 0;
854 		switch (ostate) {
855 		case IEEE80211_S_INIT:
856 #ifndef IEEE80211_STA_ONLY
857 			if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
858 			    ic->ic_des_chan != IEEE80211_CHAN_ANYC) {
859 				/*
860 				 * AP operation and we already have a channel;
861 				 * bypass the scan and startup immediately.
862 				 */
863 				ieee80211_create_ibss(ic, ic->ic_des_chan);
864 			} else
865 #endif
866 				ieee80211_begin_scan(ifp);
867 			break;
868 		case IEEE80211_S_SCAN:
869 			/* scan next */
870 			if (ic->ic_flags & IEEE80211_F_ASCAN) {
871 				IEEE80211_SEND_MGMT(ic, ni,
872 				    IEEE80211_FC0_SUBTYPE_PROBE_REQ, 0);
873 			}
874 			break;
875 		case IEEE80211_S_RUN:
876 			/* beacon miss */
877 			if (ifp->if_flags & IFF_DEBUG) {
878 				/* XXX bssid clobbered above */
879 				printf("%s: no recent beacons from %s;"
880 				    " rescanning\n", ifp->if_xname,
881 				    ether_sprintf(ic->ic_bss->ni_bssid));
882 			}
883 			ieee80211_free_allnodes(ic);
884 			/* FALLTHROUGH */
885 		case IEEE80211_S_AUTH:
886 		case IEEE80211_S_ASSOC:
887 			/* timeout restart scan */
888 			ni = ieee80211_find_node(ic, ic->ic_bss->ni_macaddr);
889 			if (ni != NULL)
890 				ni->ni_fails++;
891 			ieee80211_begin_scan(ifp);
892 			break;
893 		}
894 		break;
895 	case IEEE80211_S_AUTH:
896 		switch (ostate) {
897 		case IEEE80211_S_INIT:
898 			DPRINTF(("invalid transition\n"));
899 			break;
900 		case IEEE80211_S_SCAN:
901 			IEEE80211_SEND_MGMT(ic, ni,
902 			    IEEE80211_FC0_SUBTYPE_AUTH, 1);
903 			break;
904 		case IEEE80211_S_AUTH:
905 		case IEEE80211_S_ASSOC:
906 			switch (mgt) {
907 			case IEEE80211_FC0_SUBTYPE_AUTH:
908 				/* ??? */
909 				IEEE80211_SEND_MGMT(ic, ni,
910 				    IEEE80211_FC0_SUBTYPE_AUTH, 2);
911 				break;
912 			case IEEE80211_FC0_SUBTYPE_DEAUTH:
913 				/* ignore and retry scan on timeout */
914 				break;
915 			}
916 			break;
917 		case IEEE80211_S_RUN:
918 			switch (mgt) {
919 			case IEEE80211_FC0_SUBTYPE_AUTH:
920 				IEEE80211_SEND_MGMT(ic, ni,
921 				    IEEE80211_FC0_SUBTYPE_AUTH, 2);
922 				ic->ic_state = ostate;	/* stay RUN */
923 				break;
924 			case IEEE80211_FC0_SUBTYPE_DEAUTH:
925 				/* try to reauth */
926 				IEEE80211_SEND_MGMT(ic, ni,
927 				    IEEE80211_FC0_SUBTYPE_AUTH, 1);
928 				break;
929 			}
930 			break;
931 		}
932 		break;
933 	case IEEE80211_S_ASSOC:
934 		switch (ostate) {
935 		case IEEE80211_S_INIT:
936 		case IEEE80211_S_SCAN:
937 		case IEEE80211_S_ASSOC:
938 			DPRINTF(("invalid transition\n"));
939 			break;
940 		case IEEE80211_S_AUTH:
941 			IEEE80211_SEND_MGMT(ic, ni,
942 			    IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
943 			break;
944 		case IEEE80211_S_RUN:
945 			IEEE80211_SEND_MGMT(ic, ni,
946 			    IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 1);
947 			break;
948 		}
949 		break;
950 	case IEEE80211_S_RUN:
951 		switch (ostate) {
952 		case IEEE80211_S_INIT:
953 		case IEEE80211_S_AUTH:
954 		case IEEE80211_S_RUN:
955 			DPRINTF(("invalid transition\n"));
956 			break;
957 		case IEEE80211_S_SCAN:		/* adhoc/hostap mode */
958 		case IEEE80211_S_ASSOC:		/* infra mode */
959 			if (ni->ni_txrate >= ni->ni_rates.rs_nrates)
960 				panic("%s: bogus xmit rate %u setup",
961 				    __func__, ni->ni_txrate);
962 			if (ifp->if_flags & IFF_DEBUG) {
963 				printf("%s: %s with %s ssid ",
964 				    ifp->if_xname,
965 				    ic->ic_opmode == IEEE80211_M_STA ?
966 				    "associated" : "synchronized",
967 				    ether_sprintf(ni->ni_bssid));
968 				ieee80211_print_essid(ic->ic_bss->ni_essid,
969 				    ni->ni_esslen);
970 				rate = ni->ni_rates.rs_rates[ni->ni_txrate] &
971 				    IEEE80211_RATE_VAL;
972 				printf(" channel %d start %u%sMb",
973 				    ieee80211_chan2ieee(ic, ni->ni_chan),
974 				    rate / 2, (rate & 1) ? ".5" : "");
975 				printf(" %s preamble %s slot time%s\n",
976 				    (ic->ic_flags & IEEE80211_F_SHPREAMBLE) ?
977 					"short" : "long",
978 				    (ic->ic_flags & IEEE80211_F_SHSLOT) ?
979 					"short" : "long",
980 				    (ic->ic_flags & IEEE80211_F_USEPROT) ?
981 					" protection enabled" : "");
982 			}
983 			if (!(ic->ic_flags & IEEE80211_F_RSNON)) {
984 				/*
985 				 * NB: When RSN is enabled, we defer setting
986 				 * the link up until the port is valid.
987 				 */
988 				ieee80211_set_link_state(ic, LINK_STATE_UP);
989 			}
990 			ic->ic_mgt_timer = 0;
991 			(*ifp->if_start)(ifp);
992 			break;
993 		}
994 		break;
995 	}
996 	return 0;
997 }
998 
999 void
1000 ieee80211_set_link_state(struct ieee80211com *ic, int nstate)
1001 {
1002 	struct ifnet *ifp = &ic->ic_if;
1003 
1004 	switch (ic->ic_opmode) {
1005 #ifndef IEEE80211_STA_ONLY
1006 	case IEEE80211_M_IBSS:
1007 	case IEEE80211_M_HOSTAP:
1008 		nstate = LINK_STATE_UNKNOWN;
1009 		break;
1010 #endif
1011 	case IEEE80211_M_MONITOR:
1012 		nstate = LINK_STATE_DOWN;
1013 		break;
1014 	default:
1015 		break;
1016 	}
1017 	if (nstate != ifp->if_link_state) {
1018 		ifp->if_link_state = nstate;
1019 		if_link_state_change(ifp);
1020 	}
1021 }
1022