1 /*
2 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6 /*
7 * Copyright (c) 2001 Atsushi Onoe
8 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
9 * All rights reserved.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. The name of the author may not be used to endorse or promote products
20 * derived from this software without specific prior written permission.
21 *
22 * Alternatively, this software may be distributed under the terms of the
23 * GNU General Public License ("GPL") version 2 as published by the Free
24 * Software Foundation.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36 */
37
38 /*
39 * Node management routines
40 */
41
42 #include "net80211_impl.h"
43
44 static ieee80211_node_t *ieee80211_node_alloc(ieee80211com_t *);
45 static void ieee80211_node_cleanup(ieee80211_node_t *);
46 static void ieee80211_node_free(ieee80211_node_t *);
47 static uint8_t ieee80211_node_getrssi(const ieee80211_node_t *);
48 static void ieee80211_setup_node(ieee80211com_t *, ieee80211_node_table_t *,
49 ieee80211_node_t *, const uint8_t *);
50 static void ieee80211_node_reclaim(ieee80211_node_table_t *,
51 ieee80211_node_t *);
52 static void ieee80211_free_node_locked(ieee80211_node_t *);
53 static void ieee80211_free_allnodes(ieee80211_node_table_t *);
54 static void ieee80211_node_leave(ieee80211com_t *, ieee80211_node_t *);
55 static void ieee80211_timeout_scan_candidates(ieee80211_node_table_t *);
56 static void ieee80211_timeout_stations(ieee80211_node_table_t *);
57 static void ieee80211_node_table_init(ieee80211com_t *,
58 ieee80211_node_table_t *, const char *, int, int,
59 void (*timeout)(ieee80211_node_table_t *));
60 static void ieee80211_node_table_cleanup(ieee80211_node_table_t *);
61
62 /*
63 * association failures before ignored
64 * The failure may be caused by the response frame is lost for
65 * environmental reason. So Try associate more than once before
66 * ignore the node
67 */
68 #define IEEE80211_STA_FAILS_MAX 2
69
70 /*
71 * Initialize node database management callbacks for the interface.
72 * This function is called by ieee80211_attach(). These callback
73 * functions may be overridden in special circumstances, as long as
74 * as this is done after calling ieee80211_attach() and prior to any
75 * other call which may allocate a node
76 */
77 void
ieee80211_node_attach(ieee80211com_t * ic)78 ieee80211_node_attach(ieee80211com_t *ic)
79 {
80 struct ieee80211_impl *im = ic->ic_private;
81
82 ic->ic_node_alloc = ieee80211_node_alloc;
83 ic->ic_node_free = ieee80211_node_free;
84 ic->ic_node_cleanup = ieee80211_node_cleanup;
85 ic->ic_node_getrssi = ieee80211_node_getrssi;
86
87 /* default station inactivity timer setings */
88 im->im_inact_init = IEEE80211_INACT_INIT;
89 im->im_inact_assoc = IEEE80211_INACT_ASSOC;
90 im->im_inact_run = IEEE80211_INACT_RUN;
91 im->im_inact_probe = IEEE80211_INACT_PROBE;
92 }
93
94 /*
95 * Initialize node databases and the ic_bss node element.
96 */
97 void
ieee80211_node_lateattach(ieee80211com_t * ic)98 ieee80211_node_lateattach(ieee80211com_t *ic)
99 {
100 /*
101 * Calculate ic_tim_bitmap size in bytes
102 * IEEE80211_AID_MAX defines maximum bits in ic_tim_bitmap
103 */
104 ic->ic_tim_len = howmany(IEEE80211_AID_MAX, 8) * sizeof (uint8_t);
105
106 ieee80211_node_table_init(ic, &ic->ic_sta, "station",
107 IEEE80211_INACT_INIT, IEEE80211_WEP_NKID,
108 ieee80211_timeout_stations);
109 ieee80211_node_table_init(ic, &ic->ic_scan, "scan",
110 IEEE80211_INACT_SCAN, 0, ieee80211_timeout_scan_candidates);
111
112 ieee80211_reset_bss(ic);
113 }
114
115 /*
116 * Destroy all node databases and is usually called during device detach
117 */
118 void
ieee80211_node_detach(ieee80211com_t * ic)119 ieee80211_node_detach(ieee80211com_t *ic)
120 {
121 /* Node Detach */
122 if (ic->ic_bss != NULL) {
123 ieee80211_free_node(ic->ic_bss);
124 ic->ic_bss = NULL;
125 }
126 ieee80211_node_table_cleanup(&ic->ic_scan);
127 ieee80211_node_table_cleanup(&ic->ic_sta);
128 }
129
130 /*
131 * Increase a node's reference count
132 *
133 * Return pointer to the node
134 */
135 ieee80211_node_t *
ieee80211_ref_node(ieee80211_node_t * in)136 ieee80211_ref_node(ieee80211_node_t *in)
137 {
138 ieee80211_node_incref(in);
139 return (in);
140 }
141
142 /*
143 * Dexrease a node's reference count
144 */
145 void
ieee80211_unref_node(ieee80211_node_t ** in)146 ieee80211_unref_node(ieee80211_node_t **in)
147 {
148 ieee80211_node_decref(*in);
149 *in = NULL; /* guard against use */
150 }
151
152 /*
153 * Mark ports authorized for data traffic. This function is usually
154 * used by 802.1x authenticator.
155 */
156 void
ieee80211_node_authorize(ieee80211_node_t * in)157 ieee80211_node_authorize(ieee80211_node_t *in)
158 {
159 ieee80211_impl_t *im = in->in_ic->ic_private;
160
161 in->in_flags |= IEEE80211_NODE_AUTH;
162 in->in_inact_reload = im->im_inact_run;
163 in->in_inact = in->in_inact_reload;
164 }
165
166 /*
167 * Mark ports unauthorized for data traffic. This function is usually
168 * used by 802.1x authenticator.
169 */
170 void
ieee80211_node_unauthorize(ieee80211_node_t * in)171 ieee80211_node_unauthorize(ieee80211_node_t *in)
172 {
173 in->in_flags &= ~IEEE80211_NODE_AUTH;
174 }
175
176 /*
177 * Set/change the channel. The rate set is also updated as
178 * to insure a consistent view by drivers.
179 */
180 static void
ieee80211_node_setchan(ieee80211com_t * ic,ieee80211_node_t * in,struct ieee80211_channel * chan)181 ieee80211_node_setchan(ieee80211com_t *ic, ieee80211_node_t *in,
182 struct ieee80211_channel *chan)
183 {
184 if (chan == IEEE80211_CHAN_ANYC)
185 chan = ic->ic_curchan;
186 in->in_chan = chan;
187 if (IEEE80211_IS_CHAN_HT(chan)) {
188 /*
189 * Gotta be careful here; the rate set returned by
190 * ieee80211_get_suprates is actually any HT rate
191 * set so blindly copying it will be bad. We must
192 * install the legacy rate est in ni_rates and the
193 * HT rate set in ni_htrates.
194 */
195 in->in_htrates = *ieee80211_get_suphtrates(ic, chan);
196 }
197 in->in_rates = *ieee80211_get_suprates(ic, chan);
198 /* in->in_rates = ic->ic_sup_rates[ieee80211_chan2mode(ic, chan)]; */
199 }
200
201 /*
202 * Initialize the channel set to scan based on the available channels
203 * and the current PHY mode.
204 */
205 static void
ieee80211_reset_scan(ieee80211com_t * ic)206 ieee80211_reset_scan(ieee80211com_t *ic)
207 {
208 ieee80211_impl_t *im = ic->ic_private;
209
210 if (ic->ic_des_chan != IEEE80211_CHAN_ANYC) {
211 (void) memset(im->im_chan_scan, 0, sizeof (im->im_chan_scan));
212 ieee80211_setbit(im->im_chan_scan,
213 ieee80211_chan2ieee(ic, ic->ic_des_chan));
214 } else {
215 bcopy(ic->ic_chan_active, im->im_chan_scan,
216 sizeof (ic->ic_chan_active));
217 }
218 ieee80211_dbg(IEEE80211_MSG_SCAN, "ieee80211_reset_scan(): "
219 "start chan %u\n", ieee80211_chan2ieee(ic, ic->ic_curchan));
220 }
221
222 /*
223 * Begin an active scan. Initialize the node cache. The scan
224 * begins on the next radio channel by calling ieee80211_next_scan().
225 * The actual scanning is not automated. The driver itself
226 * only handles setting the radio frequency and stepping through
227 * the channels.
228 */
229 void
ieee80211_begin_scan(ieee80211com_t * ic,boolean_t reset)230 ieee80211_begin_scan(ieee80211com_t *ic, boolean_t reset)
231 {
232 IEEE80211_LOCK(ic);
233
234 if (ic->ic_opmode != IEEE80211_M_HOSTAP)
235 ic->ic_flags |= IEEE80211_F_ASCAN;
236 ieee80211_dbg(IEEE80211_MSG_SCAN,
237 "begin %s scan in %s mode on channel %u\n",
238 (ic->ic_flags & IEEE80211_F_ASCAN) ? "active" : "passive",
239 ieee80211_phymode_name[ic->ic_curmode],
240 ieee80211_chan2ieee(ic, ic->ic_curchan));
241
242 /*
243 * Clear scan state and flush any previously seen AP's.
244 */
245 ieee80211_reset_scan(ic);
246 if (reset)
247 ieee80211_free_allnodes(&ic->ic_scan);
248
249 ic->ic_flags |= IEEE80211_F_SCAN;
250 IEEE80211_UNLOCK(ic);
251
252 /* Scan the next channel. */
253 ieee80211_next_scan(ic);
254 }
255
256 /*
257 * Switch to the next channel marked for scanning.
258 * A driver is expected to first call ieee80211_begin_scan(),
259 * to initialize the node cache, then set the radio channel
260 * on the device. And then after a certain time has elapsed,
261 * call ieee80211_next_scan() to move to the next channel.
262 * Typically, a timeout routine is used to automate this process.
263 */
264 void
ieee80211_next_scan(ieee80211com_t * ic)265 ieee80211_next_scan(ieee80211com_t *ic)
266 {
267 ieee80211_impl_t *im = ic->ic_private;
268 struct ieee80211_channel *chan;
269
270 IEEE80211_LOCK(ic);
271 /*
272 * Insure any previous mgt frame timeouts don't fire.
273 * This assumes the driver does the right thing in
274 * flushing anything queued in the driver and below.
275 */
276 im->im_mgt_timer = 0;
277
278 chan = ic->ic_curchan;
279 do {
280 if (++chan > &ic->ic_sup_channels[IEEE80211_CHAN_MAX])
281 chan = &ic->ic_sup_channels[0];
282 if (ieee80211_isset(im->im_chan_scan,
283 ieee80211_chan2ieee(ic, chan))) {
284 ieee80211_clrbit(im->im_chan_scan,
285 ieee80211_chan2ieee(ic, chan));
286 ieee80211_dbg(IEEE80211_MSG_SCAN,
287 "ieee80211_next_scan: chan %d->%d\n",
288 ieee80211_chan2ieee(ic, ic->ic_curchan),
289 ieee80211_chan2ieee(ic, chan));
290 ic->ic_curchan = chan;
291 /*
292 * drivers should do this as needed,
293 * for now maintain compatibility
294 */
295 ic->ic_bss->in_rates =
296 ic->ic_sup_rates[ieee80211_chan2mode(ic, chan)];
297 IEEE80211_UNLOCK(ic);
298 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
299 return;
300 }
301 } while (chan != ic->ic_curchan);
302 IEEE80211_UNLOCK(ic);
303 ieee80211_end_scan(ic);
304 }
305
306 /*
307 * Copy useful state from node obss into nbss.
308 */
309 static void
ieee80211_copy_bss(ieee80211_node_t * nbss,const ieee80211_node_t * obss)310 ieee80211_copy_bss(ieee80211_node_t *nbss, const ieee80211_node_t *obss)
311 {
312 /* propagate useful state */
313 nbss->in_authmode = obss->in_authmode;
314 nbss->in_txpower = obss->in_txpower;
315 nbss->in_vlan = obss->in_vlan;
316 }
317
318 /*
319 * Setup the net80211 specific portion of an interface's softc, ic,
320 * for use in IBSS mode
321 */
322 void
ieee80211_create_ibss(ieee80211com_t * ic,struct ieee80211_channel * chan)323 ieee80211_create_ibss(ieee80211com_t *ic, struct ieee80211_channel *chan)
324 {
325 ieee80211_impl_t *im = ic->ic_private;
326 ieee80211_node_table_t *nt;
327 ieee80211_node_t *in;
328
329 IEEE80211_LOCK_ASSERT(ic);
330 ieee80211_dbg(IEEE80211_MSG_SCAN, "ieee80211_create_ibss: "
331 "creating ibss\n");
332
333 /*
334 * Create the station/neighbor table. Note that for adhoc
335 * mode we make the initial inactivity timer longer since
336 * we create nodes only through discovery and they typically
337 * are long-lived associations.
338 */
339 nt = &ic->ic_sta;
340 IEEE80211_NODE_LOCK(nt);
341 nt->nt_name = "neighbor";
342 nt->nt_inact_init = im->im_inact_run;
343 IEEE80211_NODE_UNLOCK(nt);
344
345 in = ieee80211_alloc_node(ic, &ic->ic_sta, ic->ic_macaddr);
346 if (in == NULL) {
347 ieee80211_err("ieee80211_create_ibss(): alloc node failed\n");
348 return;
349 }
350 IEEE80211_ADDR_COPY(in->in_bssid, ic->ic_macaddr);
351 in->in_esslen = ic->ic_des_esslen;
352 (void) memcpy(in->in_essid, ic->ic_des_essid, in->in_esslen);
353 ieee80211_copy_bss(in, ic->ic_bss);
354 in->in_intval = ic->ic_bintval;
355 if (ic->ic_flags & IEEE80211_F_PRIVACY)
356 in->in_capinfo |= IEEE80211_CAPINFO_PRIVACY;
357 if (ic->ic_phytype == IEEE80211_T_FH) {
358 in->in_fhdwell = 200;
359 in->in_fhindex = 1;
360 }
361 switch (ic->ic_opmode) {
362 case IEEE80211_M_IBSS:
363 ic->ic_flags |= IEEE80211_F_SIBSS;
364 in->in_capinfo |= IEEE80211_CAPINFO_IBSS;
365 if (ic->ic_flags & IEEE80211_F_DESBSSID)
366 IEEE80211_ADDR_COPY(in->in_bssid, ic->ic_des_bssid);
367 else
368 in->in_bssid[0] |= 0x02; /* local bit for IBSS */
369 break;
370 case IEEE80211_M_AHDEMO:
371 if (ic->ic_flags & IEEE80211_F_DESBSSID)
372 IEEE80211_ADDR_COPY(in->in_bssid, ic->ic_des_bssid);
373 else
374 (void) memset(in->in_bssid, 0, IEEE80211_ADDR_LEN);
375 break;
376 default:
377 ieee80211_err("ieee80211_create_ibss(): "
378 "wrong opmode %u to creat IBSS, abort\n",
379 ic->ic_opmode);
380 ieee80211_free_node(in);
381 return;
382 }
383
384 /*
385 * Fix the channel and related attributes.
386 */
387 ieee80211_node_setchan(ic, in, chan);
388 ic->ic_curchan = chan;
389 ic->ic_curmode = ieee80211_chan2mode(ic, chan);
390 /*
391 * Do mode-specific rate setup.
392 */
393 ieee80211_setbasicrates(&in->in_rates, ic->ic_curmode);
394 IEEE80211_UNLOCK(ic);
395 ieee80211_sta_join(ic, ieee80211_ref_node(in));
396 IEEE80211_LOCK(ic);
397 }
398
399 void
ieee80211_reset_bss(ieee80211com_t * ic)400 ieee80211_reset_bss(ieee80211com_t *ic)
401 {
402 ieee80211_node_t *in;
403 ieee80211_node_t *obss;
404
405 ieee80211_node_table_reset(&ic->ic_sta);
406 ieee80211_reset_erp(ic);
407
408 in = ieee80211_alloc_node(ic, &ic->ic_scan, ic->ic_macaddr);
409 ASSERT(in != NULL);
410 obss = ic->ic_bss;
411 ic->ic_bss = ieee80211_ref_node(in);
412 if (obss != NULL) {
413 ieee80211_copy_bss(in, obss);
414 in->in_intval = ic->ic_bintval;
415 ieee80211_free_node(obss);
416 }
417 }
418
419 static int
ieee80211_match_bss(ieee80211com_t * ic,ieee80211_node_t * in)420 ieee80211_match_bss(ieee80211com_t *ic, ieee80211_node_t *in)
421 {
422 uint8_t rate;
423 int fail;
424
425 fail = 0;
426 if (ieee80211_isclr(ic->ic_chan_active,
427 ieee80211_chan2ieee(ic, in->in_chan))) {
428 fail |= IEEE80211_BADCHAN;
429 }
430 if (ic->ic_des_chan != IEEE80211_CHAN_ANYC &&
431 in->in_chan != ic->ic_des_chan) {
432 fail |= IEEE80211_BADCHAN;
433 }
434 if (ic->ic_opmode == IEEE80211_M_IBSS) {
435 if (!(in->in_capinfo & IEEE80211_CAPINFO_IBSS))
436 fail |= IEEE80211_BADOPMODE;
437 } else {
438 if (!(in->in_capinfo & IEEE80211_CAPINFO_ESS))
439 fail |= IEEE80211_BADOPMODE;
440 }
441 if (ic->ic_flags & IEEE80211_F_PRIVACY) {
442 if (!(in->in_capinfo & IEEE80211_CAPINFO_PRIVACY))
443 fail |= IEEE80211_BADPRIVACY;
444 } else {
445 if (in->in_capinfo & IEEE80211_CAPINFO_PRIVACY)
446 fail |= IEEE80211_BADPRIVACY;
447 }
448 rate = ieee80211_fix_rate(in, &in->in_rates,
449 IEEE80211_F_DONEGO | IEEE80211_F_DOFRATE);
450 if (rate & IEEE80211_RATE_BASIC)
451 fail |= IEEE80211_BADRATE;
452 if (ic->ic_des_esslen != 0 &&
453 (in->in_esslen != ic->ic_des_esslen ||
454 memcmp(in->in_essid, ic->ic_des_essid, ic->ic_des_esslen) != 0)) {
455 fail |= IEEE80211_BADESSID;
456 }
457 if ((ic->ic_flags & IEEE80211_F_DESBSSID) &&
458 !IEEE80211_ADDR_EQ(ic->ic_des_bssid, in->in_bssid)) {
459 fail |= IEEE80211_BADBSSID;
460 }
461 if (in->in_fails >= IEEE80211_STA_FAILS_MAX)
462 fail |= IEEE80211_NODEFAIL;
463
464 return (fail);
465 }
466
467 #define IEEE80211_MAXRATE(_rs) \
468 ((_rs).ir_rates[(_rs).ir_nrates - 1] & IEEE80211_RATE_VAL)
469
470 /*
471 * Compare the capabilities of node a with node b and decide which is
472 * more desirable (return b if b is considered better than a). Note
473 * that we assume compatibility/usability has already been checked
474 * so we don't need to (e.g. validate whether privacy is supported).
475 * Used to select the best scan candidate for association in a BSS.
476 *
477 * Return desired node
478 */
479 static ieee80211_node_t *
ieee80211_node_compare(ieee80211com_t * ic,ieee80211_node_t * a,ieee80211_node_t * b)480 ieee80211_node_compare(ieee80211com_t *ic, ieee80211_node_t *a,
481 ieee80211_node_t *b)
482 {
483 uint8_t maxa;
484 uint8_t maxb;
485 uint8_t rssia;
486 uint8_t rssib;
487
488 /* privacy support preferred */
489 if ((a->in_capinfo & IEEE80211_CAPINFO_PRIVACY) &&
490 !(b->in_capinfo & IEEE80211_CAPINFO_PRIVACY)) {
491 return (a);
492 }
493 if (!(a->in_capinfo & IEEE80211_CAPINFO_PRIVACY) &&
494 (b->in_capinfo & IEEE80211_CAPINFO_PRIVACY)) {
495 return (b);
496 }
497
498 /* compare count of previous failures */
499 if (b->in_fails != a->in_fails)
500 return ((a->in_fails > b->in_fails) ? b : a);
501
502 rssia = ic->ic_node_getrssi(a);
503 rssib = ic->ic_node_getrssi(b);
504 if (ABS(rssib - rssia) < IEEE80211_RSSI_CMP_THRESHOLD) {
505 /* best/max rate preferred if signal level close enough */
506 maxa = IEEE80211_MAXRATE(a->in_rates);
507 maxb = IEEE80211_MAXRATE(b->in_rates);
508 if (maxa != maxb)
509 return ((maxb > maxa) ? b : a);
510 /* for now just prefer 5Ghz band to all other bands */
511 if (IEEE80211_IS_CHAN_5GHZ(a->in_chan) &&
512 !IEEE80211_IS_CHAN_5GHZ(b->in_chan)) {
513 return (a);
514 }
515 if (!IEEE80211_IS_CHAN_5GHZ(a->in_chan) &&
516 IEEE80211_IS_CHAN_5GHZ(b->in_chan)) {
517 return (b);
518 }
519 }
520 /* all things being equal, compare signal level */
521 return ((rssib > rssia) ? b : a);
522 }
523
524 /*
525 * Mark an ongoing scan stopped.
526 */
527 void
ieee80211_cancel_scan(ieee80211com_t * ic)528 ieee80211_cancel_scan(ieee80211com_t *ic)
529 {
530 IEEE80211_LOCK(ic);
531 ieee80211_dbg(IEEE80211_MSG_SCAN, "ieee80211_cancel_scan()"
532 "end %s scan\n",
533 (ic->ic_flags & IEEE80211_F_ASCAN) ? "active" : "passive");
534 ic->ic_flags &= ~(IEEE80211_F_SCAN | IEEE80211_F_ASCAN);
535 cv_broadcast(&((ieee80211_impl_t *)ic->ic_private)->im_scan_cv);
536 IEEE80211_UNLOCK(ic);
537 }
538
539 /*
540 * Complete a scan of potential channels. It is called by
541 * ieee80211_next_scan() when the state machine has performed
542 * a full cycle of scaning on all available radio channels.
543 * ieee80211_end_scan() will inspect the node cache for suitable
544 * APs found during scaning, and associate with one, should
545 * the parameters of the node match those of the configuration
546 * requested from userland.
547 */
548 void
ieee80211_end_scan(ieee80211com_t * ic)549 ieee80211_end_scan(ieee80211com_t *ic)
550 {
551 ieee80211_node_table_t *nt = &ic->ic_scan;
552 ieee80211_node_t *in;
553 ieee80211_node_t *selbs;
554
555 ieee80211_cancel_scan(ic);
556 /* notify SCAN done */
557 ieee80211_notify(ic, EVENT_SCAN_RESULTS);
558 IEEE80211_LOCK(ic);
559
560 /*
561 * Automatic sequencing; look for a candidate and
562 * if found join the network.
563 */
564 /* NB: unlocked read should be ok */
565 in = list_head(&nt->nt_node);
566 if (in == NULL && (ic->ic_flags & IEEE80211_F_WPA) == 0) {
567 ieee80211_dbg(IEEE80211_MSG_SCAN, "ieee80211_end_scan: "
568 "no scan candidate\n");
569 notfound:
570 if (ic->ic_opmode == IEEE80211_M_IBSS &&
571 (ic->ic_flags & IEEE80211_F_IBSSON) &&
572 ic->ic_des_esslen != 0) {
573 ieee80211_create_ibss(ic, ic->ic_ibss_chan);
574 IEEE80211_UNLOCK(ic);
575 return;
576 }
577
578 /*
579 * Reset the list of channels to scan and start again.
580 */
581 ieee80211_reset_scan(ic);
582 ic->ic_flags |= IEEE80211_F_SCAN | IEEE80211_F_ASCAN;
583 IEEE80211_UNLOCK(ic);
584
585 ieee80211_next_scan(ic);
586 return;
587 }
588
589 if (ic->ic_flags & IEEE80211_F_SCANONLY ||
590 ic->ic_flags & IEEE80211_F_WPA) { /* scan only */
591 ic->ic_flags &= ~IEEE80211_F_SCANONLY;
592 IEEE80211_UNLOCK(ic);
593 ieee80211_new_state(ic, IEEE80211_S_INIT, -1);
594 return;
595 }
596
597 selbs = NULL;
598 IEEE80211_NODE_LOCK(nt);
599 while (in != NULL) {
600 if (in->in_fails >= IEEE80211_STA_FAILS_MAX) {
601 ieee80211_node_t *tmpin = in;
602
603 /*
604 * The configuration of the access points may change
605 * during my scan. So delete the entry for the AP
606 * and retry to associate if there is another beacon.
607 */
608 in = list_next(&nt->nt_node, tmpin);
609 ieee80211_node_reclaim(nt, tmpin);
610 continue;
611 }
612 /*
613 * It's possible at some special moments, the in_chan will
614 * be none. Need to skip the null node.
615 */
616 if (in->in_chan == IEEE80211_CHAN_ANYC) {
617 in = list_next(&nt->nt_node, in);
618 continue;
619 }
620 if (ieee80211_match_bss(ic, in) == 0) {
621 if (selbs == NULL)
622 selbs = in;
623 else
624 selbs = ieee80211_node_compare(ic, selbs, in);
625 }
626 in = list_next(&nt->nt_node, in);
627 }
628 if (selbs != NULL) /* grab ref while dropping lock */
629 (void) ieee80211_ref_node(selbs);
630 IEEE80211_NODE_UNLOCK(nt);
631 if (selbs == NULL)
632 goto notfound;
633 IEEE80211_UNLOCK(ic);
634 ieee80211_sta_join(ic, selbs);
635 }
636
637
638 /*
639 * Handle 802.11 ad hoc network merge. The convention, set by the
640 * Wireless Ethernet Compatibility Alliance (WECA), is that an 802.11
641 * station will change its BSSID to match the "oldest" 802.11 ad hoc
642 * network, on the same channel, that has the station's desired SSID.
643 * The "oldest" 802.11 network sends beacons with the greatest TSF
644 * timestamp.
645 * The caller is assumed to validate TSF's before attempting a merge.
646 *
647 * Return B_TRUE if the BSSID changed, B_FALSE otherwise.
648 */
649 boolean_t
ieee80211_ibss_merge(ieee80211_node_t * in)650 ieee80211_ibss_merge(ieee80211_node_t *in)
651 {
652 ieee80211com_t *ic = in->in_ic;
653
654 if (in == ic->ic_bss ||
655 IEEE80211_ADDR_EQ(in->in_bssid, ic->ic_bss->in_bssid)) {
656 /* unchanged, nothing to do */
657 return (B_FALSE);
658 }
659 if (ieee80211_match_bss(ic, in) != 0) { /* capabilities mismatch */
660 ieee80211_dbg(IEEE80211_MSG_ASSOC, "ieee80211_ibss_merge: "
661 " merge failed, capabilities mismatch\n");
662 return (B_FALSE);
663 }
664 ieee80211_dbg(IEEE80211_MSG_ASSOC, "ieee80211_ibss_merge: "
665 "new bssid %s: %s preamble, %s slot time%s\n",
666 ieee80211_macaddr_sprintf(in->in_bssid),
667 (ic->ic_flags & IEEE80211_F_SHPREAMBLE) ? "short" : "long",
668 (ic->ic_flags & IEEE80211_F_SHSLOT) ? "short" : "long",
669 (ic->ic_flags&IEEE80211_F_USEPROT) ? ", protection" : "");
670 ieee80211_sta_join(ic, ieee80211_ref_node(in));
671 return (B_TRUE);
672 }
673
674 /*
675 * Change the bss channel.
676 */
677 void
ieee80211_setcurchan(ieee80211com_t * ic,struct ieee80211_channel * c)678 ieee80211_setcurchan(ieee80211com_t *ic, struct ieee80211_channel *c)
679 {
680 ic->ic_curchan = c;
681 ic->ic_curmode = ieee80211_chan2mode(ic, ic->ic_curchan);
682 if (ic->ic_set_channel != NULL)
683 ic->ic_set_channel(ic);
684 }
685
686 /*
687 * Join the specified IBSS/BSS network. The node is assumed to
688 * be passed in with a held reference.
689 */
690 void
ieee80211_sta_join(ieee80211com_t * ic,ieee80211_node_t * selbs)691 ieee80211_sta_join(ieee80211com_t *ic, ieee80211_node_t *selbs)
692 {
693 ieee80211_impl_t *im = ic->ic_private;
694 ieee80211_node_t *obss;
695
696 IEEE80211_LOCK(ic);
697 if (ic->ic_opmode == IEEE80211_M_IBSS) {
698 ieee80211_node_table_t *nt;
699
700 /*
701 * Delete unusable rates; we've already checked
702 * that the negotiated rate set is acceptable.
703 */
704 (void) ieee80211_fix_rate(selbs, &selbs->in_rates,
705 IEEE80211_F_DODEL);
706 /*
707 * Fillin the neighbor table
708 */
709 nt = &ic->ic_sta;
710 IEEE80211_NODE_LOCK(nt);
711 nt->nt_name = "neighbor";
712 nt->nt_inact_init = im->im_inact_run;
713 IEEE80211_NODE_UNLOCK(nt);
714 }
715
716 /*
717 * Committed to selbs, setup state.
718 */
719 obss = ic->ic_bss;
720 ic->ic_bss = selbs; /* caller assumed to bump refcnt */
721 if (obss != NULL) {
722 ieee80211_copy_bss(selbs, obss);
723 ieee80211_free_node(obss);
724 }
725 ic->ic_curmode = ieee80211_chan2mode(ic, selbs->in_chan);
726 ic->ic_curchan = selbs->in_chan;
727 ic->ic_phytype = selbs->in_phytype;
728 /*
729 * Set the erp state (mostly the slot time) to deal with
730 * the auto-select case; this should be redundant if the
731 * mode is locked.
732 */
733 ieee80211_reset_erp(ic);
734 ieee80211_wme_initparams(ic);
735
736 IEEE80211_UNLOCK(ic);
737 if (ic->ic_opmode == IEEE80211_M_STA)
738 ieee80211_new_state(ic, IEEE80211_S_AUTH, -1);
739 else
740 ieee80211_new_state(ic, IEEE80211_S_RUN, -1);
741 }
742
743 /*
744 * Leave the specified IBSS/BSS network. The node is assumed to
745 * be passed in with a held reference.
746 */
747 void
ieee80211_sta_leave(ieee80211com_t * ic,ieee80211_node_t * in)748 ieee80211_sta_leave(ieee80211com_t *ic, ieee80211_node_t *in)
749 {
750 IEEE80211_LOCK(ic);
751 ic->ic_node_cleanup(in);
752 ieee80211_notify_node_leave(ic, in);
753 IEEE80211_UNLOCK(ic);
754 }
755
756 /*
757 * Allocate a node. This is the default callback function for
758 * ic_node_alloc. This function may be overridden by the driver
759 * to allocate device specific node structure.
760 */
761 /* ARGSUSED */
762 static ieee80211_node_t *
ieee80211_node_alloc(ieee80211com_t * ic)763 ieee80211_node_alloc(ieee80211com_t *ic)
764 {
765 return (kmem_zalloc(sizeof (ieee80211_node_t), KM_SLEEP));
766 }
767
768 /*
769 * Cleanup a node, free any memory associated with the node.
770 * This is the default callback function for ic_node_cleanup
771 * and may be overridden by the driver.
772 */
773 static void
ieee80211_node_cleanup(ieee80211_node_t * in)774 ieee80211_node_cleanup(ieee80211_node_t *in)
775 {
776 in->in_associd = 0;
777 in->in_rssi = 0;
778 in->in_rstamp = 0;
779 if (in->in_challenge != NULL) {
780 kmem_free(in->in_challenge, IEEE80211_CHALLENGE_LEN);
781 in->in_challenge = NULL;
782 }
783 if (in->in_rxfrag != NULL) {
784 freemsg(in->in_rxfrag);
785 in->in_rxfrag = NULL;
786 }
787 }
788
789 /*
790 * Free a node. This is the default callback function for ic_node_free
791 * and may be overridden by the driver to free memory used by device
792 * specific node structure
793 */
794 static void
ieee80211_node_free(ieee80211_node_t * in)795 ieee80211_node_free(ieee80211_node_t *in)
796 {
797 ieee80211com_t *ic = in->in_ic;
798
799 ic->ic_node_cleanup(in);
800 if (in->in_wpa_ie != NULL)
801 ieee80211_free(in->in_wpa_ie);
802 if (in->in_wme_ie != NULL)
803 ieee80211_free(in->in_wme_ie);
804 if (in->in_htcap_ie != NULL)
805 ieee80211_free(in->in_htcap_ie);
806 kmem_free(in, sizeof (ieee80211_node_t));
807 }
808
809 /*
810 * Get a node current RSSI value. This is the default callback function
811 * for ic_node_getrssi and may be overridden by the driver to provide
812 * device specific RSSI calculation algorithm.
813 */
814 static uint8_t
ieee80211_node_getrssi(const ieee80211_node_t * in)815 ieee80211_node_getrssi(const ieee80211_node_t *in)
816 {
817 return (in->in_rssi);
818 }
819
820 /* Free fragment if not needed anymore */
821 static void
node_cleanfrag(ieee80211_node_t * in)822 node_cleanfrag(ieee80211_node_t *in)
823 {
824 clock_t ticks;
825
826 ticks = ddi_get_lbolt();
827 if (in->in_rxfrag != NULL && ticks > (in->in_rxfragstamp + hz)) {
828 freemsg(in->in_rxfrag);
829 in->in_rxfrag = NULL;
830 }
831 }
832
833 /*
834 * Setup a node. Initialize the node with specified macaddr. Associate
835 * with the interface softc, ic, and add it to the specified node
836 * database.
837 */
838 static void
ieee80211_setup_node(ieee80211com_t * ic,ieee80211_node_table_t * nt,ieee80211_node_t * in,const uint8_t * macaddr)839 ieee80211_setup_node(ieee80211com_t *ic, ieee80211_node_table_t *nt,
840 ieee80211_node_t *in, const uint8_t *macaddr)
841 {
842 int32_t hash;
843
844 ieee80211_dbg(IEEE80211_MSG_NODE, "ieee80211_setup_node(): "
845 "%p<%s> in %s table\n", in,
846 ieee80211_macaddr_sprintf(macaddr),
847 (nt != NULL) ? nt->nt_name : "NULL");
848
849 in->in_ic = ic;
850 IEEE80211_ADDR_COPY(in->in_macaddr, macaddr);
851 hash = ieee80211_node_hash(macaddr);
852 ieee80211_node_initref(in); /* mark referenced */
853 in->in_authmode = IEEE80211_AUTH_OPEN;
854 in->in_txpower = ic->ic_txpowlimit; /* max power */
855 in->in_chan = IEEE80211_CHAN_ANYC;
856 in->in_inact_reload = IEEE80211_INACT_INIT;
857 in->in_inact = in->in_inact_reload;
858 ieee80211_crypto_resetkey(ic, &in->in_ucastkey, IEEE80211_KEYIX_NONE);
859
860 if (nt != NULL) {
861 IEEE80211_NODE_LOCK(nt);
862 list_insert_tail(&nt->nt_node, in);
863 list_insert_tail(&nt->nt_hash[hash], in);
864 in->in_table = nt;
865 in->in_inact_reload = nt->nt_inact_init;
866 IEEE80211_NODE_UNLOCK(nt);
867 }
868 }
869
870 /*
871 * Allocates and initialize a node with specified MAC address.
872 * Associate the node with the interface ic. If the allocation
873 * is successful, the node structure is initialized by
874 * ieee80211_setup_node(); otherwise, NULL is returned
875 */
876 ieee80211_node_t *
ieee80211_alloc_node(ieee80211com_t * ic,ieee80211_node_table_t * nt,const uint8_t * macaddr)877 ieee80211_alloc_node(ieee80211com_t *ic, ieee80211_node_table_t *nt,
878 const uint8_t *macaddr)
879 {
880 ieee80211_node_t *in;
881
882 in = ic->ic_node_alloc(ic);
883 if (in != NULL)
884 ieee80211_setup_node(ic, nt, in, macaddr);
885 return (in);
886 }
887
888 /*
889 * Craft a temporary node suitable for sending a management frame
890 * to the specified station. We craft only as much state as we
891 * need to do the work since the node will be immediately reclaimed
892 * once the send completes.
893 */
894 ieee80211_node_t *
ieee80211_tmp_node(ieee80211com_t * ic,const uint8_t * macaddr)895 ieee80211_tmp_node(ieee80211com_t *ic, const uint8_t *macaddr)
896 {
897 ieee80211_node_t *in;
898
899 in = ic->ic_node_alloc(ic);
900 if (in != NULL) {
901 ieee80211_dbg(IEEE80211_MSG_NODE, "ieee80211_tmp_node: "
902 "%p<%s>\n", in, ieee80211_macaddr_sprintf(macaddr));
903
904 IEEE80211_ADDR_COPY(in->in_macaddr, macaddr);
905 IEEE80211_ADDR_COPY(in->in_bssid, ic->ic_bss->in_bssid);
906 ieee80211_node_initref(in); /* mark referenced */
907 in->in_txpower = ic->ic_bss->in_txpower;
908 /* NB: required by ieee80211_fix_rate */
909 ieee80211_node_setchan(ic, in, ic->ic_bss->in_chan);
910 ieee80211_crypto_resetkey(ic, &in->in_ucastkey,
911 IEEE80211_KEYIX_NONE);
912
913 in->in_table = NULL; /* NB: pedantic */
914 in->in_ic = ic;
915 }
916
917 return (in);
918 }
919
920 /*
921 * ieee80211_dup_bss() is similar to ieee80211_alloc_node(),
922 * but is instead used to create a node database entry for
923 * the specified BSSID. If the allocation is successful, the
924 * node is initialized, otherwise, NULL is returned.
925 */
926 ieee80211_node_t *
ieee80211_dup_bss(ieee80211_node_table_t * nt,const uint8_t * macaddr)927 ieee80211_dup_bss(ieee80211_node_table_t *nt, const uint8_t *macaddr)
928 {
929 ieee80211com_t *ic = nt->nt_ic;
930 ieee80211_node_t *in;
931
932 in = ieee80211_alloc_node(ic, nt, macaddr);
933 if (in != NULL) {
934 /*
935 * Inherit from ic_bss.
936 */
937 ieee80211_copy_bss(in, ic->ic_bss);
938 IEEE80211_ADDR_COPY(in->in_bssid, ic->ic_bss->in_bssid);
939 ieee80211_node_setchan(ic, in, ic->ic_bss->in_chan);
940 }
941
942 return (in);
943 }
944
945 /*
946 * Iterate through the node table, searching for a node entry which
947 * matches macaddr. If the entry is found, its reference count is
948 * incremented, and a pointer to the node is returned; otherwise,
949 * NULL will be returned.
950 * The node table lock is acquired by the caller.
951 */
952 static ieee80211_node_t *
ieee80211_find_node_locked(ieee80211_node_table_t * nt,const uint8_t * macaddr)953 ieee80211_find_node_locked(ieee80211_node_table_t *nt, const uint8_t *macaddr)
954 {
955 ieee80211_node_t *in;
956 int hash;
957
958 ASSERT(IEEE80211_NODE_IS_LOCKED(nt));
959
960 hash = ieee80211_node_hash(macaddr);
961 in = list_head(&nt->nt_hash[hash]);
962 while (in != NULL) {
963 if (IEEE80211_ADDR_EQ(in->in_macaddr, macaddr))
964 return (ieee80211_ref_node(in)); /* mark referenced */
965 in = list_next(&nt->nt_hash[hash], in);
966 }
967 return (NULL);
968 }
969
970 /*
971 * Iterate through the node table, searching for a node entry
972 * which match specified mac address.
973 * Return NULL if no matching node found.
974 */
975 ieee80211_node_t *
ieee80211_find_node(ieee80211_node_table_t * nt,const uint8_t * macaddr)976 ieee80211_find_node(ieee80211_node_table_t *nt, const uint8_t *macaddr)
977 {
978 ieee80211_node_t *in;
979
980 IEEE80211_NODE_LOCK(nt);
981 in = ieee80211_find_node_locked(nt, macaddr);
982 IEEE80211_NODE_UNLOCK(nt);
983 return (in);
984 }
985
986 /*
987 * Like find but search based on the ssid too.
988 */
989 ieee80211_node_t *
ieee80211_find_node_with_ssid(ieee80211_node_table_t * nt,const uint8_t * macaddr,uint32_t ssidlen,const uint8_t * ssid)990 ieee80211_find_node_with_ssid(ieee80211_node_table_t *nt,
991 const uint8_t *macaddr, uint32_t ssidlen, const uint8_t *ssid)
992 {
993 ieee80211_node_t *in;
994 int hash;
995
996 IEEE80211_NODE_LOCK(nt);
997
998 hash = ieee80211_node_hash(macaddr);
999 in = list_head(&nt->nt_hash[hash]);
1000 while (in != NULL) {
1001 if (IEEE80211_ADDR_EQ(in->in_macaddr, macaddr) &&
1002 in->in_esslen == ssidlen &&
1003 memcmp(in->in_essid, ssid, ssidlen) == 0)
1004 break;
1005 in = list_next(&nt->nt_hash[hash], in);
1006 }
1007 if (in != NULL) {
1008 (void) ieee80211_ref_node(in); /* mark referenced */
1009 }
1010 IEEE80211_NODE_UNLOCK(nt);
1011
1012 return (in);
1013 }
1014
1015 /*
1016 * Fake up a node; this handles node discovery in adhoc mode.
1017 * Note that for the driver's benefit we treat this like an
1018 * association so the driver has an opportunity to setup it's
1019 * private state.
1020 */
1021 ieee80211_node_t *
ieee80211_fakeup_adhoc_node(ieee80211_node_table_t * nt,const uint8_t * macaddr)1022 ieee80211_fakeup_adhoc_node(ieee80211_node_table_t *nt, const uint8_t *macaddr)
1023 {
1024 ieee80211com_t *ic = nt->nt_ic;
1025 ieee80211_node_t *in;
1026
1027 ieee80211_dbg(IEEE80211_MSG_NODE, "ieee80211_fakeup_adhoc_node: "
1028 "mac<%s>\n", ieee80211_macaddr_sprintf(macaddr));
1029 in = ieee80211_dup_bss(nt, macaddr);
1030 if (in != NULL) {
1031 /* no rate negotiation; just dup */
1032 in->in_rates = ic->ic_bss->in_rates;
1033 if (ic->ic_node_newassoc != NULL)
1034 ic->ic_node_newassoc(in, 1);
1035 ieee80211_node_authorize(in);
1036 }
1037 return (in);
1038 }
1039
1040 static void
ieee80211_saveie(uint8_t ** iep,const uint8_t * ie)1041 ieee80211_saveie(uint8_t **iep, const uint8_t *ie)
1042 {
1043 uint_t ielen = ie[1]+2;
1044 /*
1045 * Record information element for later use.
1046 */
1047 if (*iep == NULL || (*iep)[1] != ie[1]) {
1048 if (*iep != NULL)
1049 ieee80211_free(*iep);
1050 *iep = ieee80211_malloc(ielen);
1051 }
1052 if (*iep != NULL)
1053 (void) memcpy(*iep, ie, ielen);
1054 }
1055
1056 static void
saveie(uint8_t ** iep,const uint8_t * ie)1057 saveie(uint8_t **iep, const uint8_t *ie)
1058 {
1059 if (ie == NULL) {
1060 if (*iep != NULL)
1061 ieee80211_free(*iep);
1062 *iep = NULL;
1063 }
1064 else
1065 ieee80211_saveie(iep, ie);
1066 }
1067
1068 /*
1069 * Process a beacon or probe response frame.
1070 */
1071 void
ieee80211_add_scan(ieee80211com_t * ic,const struct ieee80211_scanparams * sp,const struct ieee80211_frame * wh,int subtype,int rssi,int rstamp)1072 ieee80211_add_scan(ieee80211com_t *ic, const struct ieee80211_scanparams *sp,
1073 const struct ieee80211_frame *wh, int subtype, int rssi, int rstamp)
1074 {
1075 ieee80211_node_table_t *nt = &ic->ic_scan;
1076 ieee80211_node_t *in;
1077 boolean_t newnode = B_FALSE;
1078
1079 in = ieee80211_find_node(nt, wh->i_addr3);
1080 if (in == NULL) {
1081 /*
1082 * Create a new entry.
1083 */
1084 in = ieee80211_alloc_node(ic, nt, wh->i_addr3);
1085 if (in == NULL) {
1086 ieee80211_dbg(IEEE80211_MSG_ANY, "ieee80211_add_scan: "
1087 "alloc node failed\n");
1088 return;
1089 }
1090 /*
1091 * inherit from ic_bss.
1092 */
1093 ieee80211_copy_bss(in, ic->ic_bss);
1094 ieee80211_node_setchan(ic, in, ic->ic_curchan);
1095 newnode = B_TRUE;
1096 }
1097
1098 /* ap beaconing multiple ssid w/ same bssid */
1099
1100 /*
1101 * sp->ssid[0] - element ID
1102 * sp->ssid[1] - length
1103 * sp->ssid[2]... - ssid
1104 */
1105 if (sp->ssid[1] != 0 &&
1106 subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP ||
1107 in->in_esslen == 0) {
1108 in->in_esslen = sp->ssid[1];
1109 bzero(in->in_essid, sizeof (in->in_essid));
1110 bcopy(sp->ssid + 2, in->in_essid, sp->ssid[1]);
1111 }
1112 IEEE80211_ADDR_COPY(in->in_bssid, wh->i_addr3);
1113 in->in_rssi = (uint8_t)rssi;
1114 in->in_rstamp = rstamp;
1115 bcopy(sp->tstamp, in->in_tstamp.data, sizeof (in->in_tstamp));
1116 in->in_intval = sp->bintval;
1117 in->in_capinfo = sp->capinfo;
1118 in->in_chan = &ic->ic_sup_channels[sp->chan];
1119 in->in_phytype = sp->phytype;
1120 in->in_fhdwell = sp->fhdwell;
1121 in->in_fhindex = sp->fhindex;
1122 in->in_erp = sp->erp;
1123 if (sp->tim != NULL) {
1124 struct ieee80211_tim_ie *ie;
1125
1126 ie = (struct ieee80211_tim_ie *)sp->tim;
1127 in->in_dtim_count = ie->tim_count;
1128 in->in_dtim_period = ie->tim_period;
1129 }
1130 /*
1131 * Record the byte offset from the mac header to
1132 * the start of the TIM information element for
1133 * use by hardware and/or to speedup software
1134 * processing of beacon frames.
1135 */
1136 in->in_tim_off = sp->timoff;
1137 /*
1138 * Record optional information elements that might be
1139 * used by applications or drivers.
1140 */
1141 saveie(&in->in_wme_ie, sp->wme);
1142 saveie(&in->in_wpa_ie, sp->wpa);
1143 saveie(&in->in_htcap_ie, sp->htcap);
1144 /* parsed in ieee80211_sta_join() */
1145 if (sp->htcap != NULL)
1146 ieee80211_parse_htcap(in, in->in_htcap_ie);
1147
1148 /* NB: must be after in_chan is setup */
1149 (void) ieee80211_setup_rates(in, sp->rates, sp->xrates,
1150 IEEE80211_F_DOSORT);
1151
1152 if (!newnode)
1153 ieee80211_free_node(in);
1154 }
1155
1156 /*
1157 * Initialize/update an ad-hoc node with contents from a received
1158 * beacon frame.
1159 */
1160 void
ieee80211_init_neighbor(ieee80211_node_t * in,const struct ieee80211_frame * wh,const struct ieee80211_scanparams * sp)1161 ieee80211_init_neighbor(ieee80211_node_t *in, const struct ieee80211_frame *wh,
1162 const struct ieee80211_scanparams *sp)
1163 {
1164 in->in_esslen = sp->ssid[1];
1165 (void) memcpy(in->in_essid, sp->ssid + 2, sp->ssid[1]);
1166 IEEE80211_ADDR_COPY(in->in_bssid, wh->i_addr3);
1167 (void) memcpy(in->in_tstamp.data, sp->tstamp, sizeof (in->in_tstamp));
1168 in->in_intval = sp->bintval;
1169 in->in_capinfo = sp->capinfo;
1170 in->in_chan = in->in_ic->ic_curchan;
1171 in->in_fhdwell = sp->fhdwell;
1172 in->in_fhindex = sp->fhindex;
1173 in->in_erp = sp->erp;
1174 in->in_tim_off = sp->timoff;
1175 if (sp->wme != NULL)
1176 ieee80211_saveie(&in->in_wme_ie, sp->wme);
1177
1178 /* NB: must be after in_chan is setup */
1179 (void) ieee80211_setup_rates(in, sp->rates, sp->xrates,
1180 IEEE80211_F_DOSORT);
1181 }
1182
1183 /*
1184 * Do node discovery in adhoc mode on receipt of a beacon
1185 * or probe response frame. Note that for the driver's
1186 * benefit we we treat this like an association so the
1187 * driver has an opportuinty to setup it's private state.
1188 */
1189 ieee80211_node_t *
ieee80211_add_neighbor(ieee80211com_t * ic,const struct ieee80211_frame * wh,const struct ieee80211_scanparams * sp)1190 ieee80211_add_neighbor(ieee80211com_t *ic, const struct ieee80211_frame *wh,
1191 const struct ieee80211_scanparams *sp)
1192 {
1193 ieee80211_node_t *in;
1194
1195 in = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
1196 if (in != NULL) {
1197 ieee80211_init_neighbor(in, wh, sp);
1198 if (ic->ic_node_newassoc != NULL)
1199 ic->ic_node_newassoc(in, 1);
1200 }
1201 return (in);
1202 }
1203
1204 #define IEEE80211_IS_CTL(wh) \
1205 ((wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_CTL)
1206
1207 #define IEEE80211_IS_PSPOLL(wh) \
1208 ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == \
1209 IEEE80211_FC0_SUBTYPE_PS_POLL)
1210
1211 #define IEEE80211_IS_BAR(wh) \
1212 ((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == \
1213 IEEE80211_FC0_SUBTYPE_BAR)
1214
1215 /*
1216 * Locate the node for sender, track state, and then pass the
1217 * (referenced) node up to the 802.11 layer for its use. We
1218 * are required to pass some node so we fall back to ic_bss
1219 * when this frame is from an unknown sender. The 802.11 layer
1220 * knows this means the sender wasn't in the node table and
1221 * acts accordingly.
1222 */
1223 ieee80211_node_t *
ieee80211_find_rxnode(ieee80211com_t * ic,const struct ieee80211_frame * wh)1224 ieee80211_find_rxnode(ieee80211com_t *ic, const struct ieee80211_frame *wh)
1225 {
1226 ieee80211_node_table_t *nt;
1227 ieee80211_node_t *in;
1228
1229 /* may want scanned nodes in the neighbor table for adhoc */
1230 if (ic->ic_opmode == IEEE80211_M_STA ||
1231 (ic->ic_flags & IEEE80211_F_SCAN)) {
1232 nt = &ic->ic_scan;
1233 } else {
1234 nt = &ic->ic_sta;
1235 }
1236
1237 IEEE80211_NODE_LOCK(nt);
1238 if (IEEE80211_IS_CTL(wh) &&
1239 !IEEE80211_IS_PSPOLL(wh) && !IEEE80211_IS_BAR(wh))
1240 in = ieee80211_find_node_locked(nt, wh->i_addr1);
1241 else
1242 in = ieee80211_find_node_locked(nt, wh->i_addr2);
1243 IEEE80211_NODE_UNLOCK(nt);
1244
1245 if (in == NULL)
1246 in = ieee80211_ref_node(ic->ic_bss);
1247
1248 return (in);
1249 }
1250
1251 #undef IEEE80211_IS_BAR
1252 #undef IEEE80211_IS_PSPOLL
1253 #undef IEEE80211_IS_CTL
1254
1255 /*
1256 * Return a reference to the appropriate node for sending
1257 * a data frame. This handles node discovery in adhoc networks.
1258 */
1259 ieee80211_node_t *
ieee80211_find_txnode(ieee80211com_t * ic,const uint8_t * daddr)1260 ieee80211_find_txnode(ieee80211com_t *ic, const uint8_t *daddr)
1261 {
1262 ieee80211_node_table_t *nt = &ic->ic_sta;
1263 ieee80211_node_t *in;
1264
1265 /*
1266 * The destination address should be in the node table
1267 * unless this is a multicast/broadcast frame. We can
1268 * also optimize station mode operation, all frames go
1269 * to the bss node.
1270 */
1271 IEEE80211_NODE_LOCK(nt);
1272 if (ic->ic_opmode == IEEE80211_M_STA || IEEE80211_IS_MULTICAST(daddr))
1273 in = ieee80211_ref_node(ic->ic_bss);
1274 else
1275 in = ieee80211_find_node_locked(nt, daddr);
1276 IEEE80211_NODE_UNLOCK(nt);
1277
1278 if (in == NULL) {
1279 if (ic->ic_opmode == IEEE80211_M_IBSS) {
1280 /*
1281 * In adhoc mode cons up a node for the destination.
1282 * Note that we need an additional reference for the
1283 * caller to be consistent with
1284 * ieee80211_find_node_locked
1285 * can't hold lock across ieee80211_dup_bss 'cuz of
1286 * recursive locking
1287 */
1288 in = ieee80211_fakeup_adhoc_node(nt, daddr);
1289 if (in != NULL)
1290 (void) ieee80211_ref_node(in);
1291 } else {
1292 ieee80211_dbg(IEEE80211_MSG_OUTPUT,
1293 "ieee80211_find_txnode: "
1294 "[%s] no node, discard frame\n",
1295 ieee80211_macaddr_sprintf(daddr));
1296 }
1297 }
1298 return (in);
1299 }
1300
1301 /*
1302 * Remove a node from the node database entries and free memory
1303 * associated with the node. The node table lock is acquired by
1304 * the caller.
1305 */
1306 static void
ieee80211_free_node_locked(ieee80211_node_t * in)1307 ieee80211_free_node_locked(ieee80211_node_t *in)
1308 {
1309 ieee80211com_t *ic = in->in_ic;
1310 ieee80211_node_table_t *nt = in->in_table;
1311 int32_t hash;
1312
1313 if (nt != NULL) {
1314 hash = ieee80211_node_hash(in->in_macaddr);
1315 list_remove(&nt->nt_hash[hash], in);
1316 list_remove(&nt->nt_node, in);
1317 }
1318 ic->ic_node_free(in);
1319 }
1320
1321 /*
1322 * Remove a node from the node database entries and free any
1323 * memory associated with the node.
1324 * This method can be overridden in ieee80211_attach()
1325 */
1326 void
ieee80211_free_node(ieee80211_node_t * in)1327 ieee80211_free_node(ieee80211_node_t *in)
1328 {
1329 ieee80211_node_table_t *nt = in->in_table;
1330
1331 if (nt != NULL)
1332 IEEE80211_NODE_LOCK(nt);
1333 if (ieee80211_node_decref_nv(in) == 0)
1334 ieee80211_free_node_locked(in);
1335 if (nt != NULL)
1336 IEEE80211_NODE_UNLOCK(nt);
1337 }
1338
1339 /*
1340 * Reclaim a node. If this is the last reference count then
1341 * do the normal free work. Otherwise remove it from the node
1342 * table and mark it gone by clearing the back-reference.
1343 */
1344 static void
ieee80211_node_reclaim(ieee80211_node_table_t * nt,ieee80211_node_t * in)1345 ieee80211_node_reclaim(ieee80211_node_table_t *nt, ieee80211_node_t *in)
1346 {
1347 int32_t hash;
1348
1349 IEEE80211_NODE_LOCK_ASSERT(nt);
1350 ieee80211_dbg(IEEE80211_MSG_NODE, "node_reclaim: "
1351 " remove %p<%s> from %s table, refcnt %d\n",
1352 in, ieee80211_macaddr_sprintf(in->in_macaddr), nt->nt_name,
1353 ieee80211_node_refcnt(in));
1354
1355 if (ieee80211_node_decref_nv(in) != 0) {
1356 /*
1357 * Clear any entry in the unicast key mapping table.
1358 * We need to do it here so rx lookups don't find it
1359 * in the mapping table even if it's not in the hash
1360 * table. We cannot depend on the mapping table entry
1361 * being cleared because the node may not be free'd.
1362 */
1363 hash = ieee80211_node_hash(in->in_macaddr);
1364 list_remove(&nt->nt_hash[hash], in);
1365 list_remove(&nt->nt_node, in);
1366 in->in_table = NULL;
1367 } else {
1368 ieee80211_free_node_locked(in);
1369 }
1370 }
1371
1372 /*
1373 * Iterate through the node list and reclaim all node in the node table.
1374 * The node table lock is acquired by the caller
1375 */
1376 static void
ieee80211_free_allnodes_locked(ieee80211_node_table_t * nt)1377 ieee80211_free_allnodes_locked(ieee80211_node_table_t *nt)
1378 {
1379 ieee80211_node_t *in;
1380
1381 ieee80211_dbg(IEEE80211_MSG_NODE, "ieee80211_free_allnodes_locked(): "
1382 "free all nodes in %s table\n", nt->nt_name);
1383
1384 in = list_head(&nt->nt_node);
1385 while (in != NULL) {
1386 ieee80211_node_reclaim(nt, in);
1387 in = list_head(&nt->nt_node);
1388 }
1389 ieee80211_reset_erp(nt->nt_ic);
1390 }
1391
1392 /*
1393 * Iterate through the node list, calling ieee80211_node_reclaim() for
1394 * all nodes associated with the interface.
1395 */
1396 static void
ieee80211_free_allnodes(ieee80211_node_table_t * nt)1397 ieee80211_free_allnodes(ieee80211_node_table_t *nt)
1398 {
1399 IEEE80211_NODE_LOCK(nt);
1400 ieee80211_free_allnodes_locked(nt);
1401 IEEE80211_NODE_UNLOCK(nt);
1402 }
1403
1404 /*
1405 * Timeout entries in the scan cache. This is the timeout callback
1406 * function of node table ic_scan which is called when the inactivity
1407 * timer expires.
1408 */
1409 static void
ieee80211_timeout_scan_candidates(ieee80211_node_table_t * nt)1410 ieee80211_timeout_scan_candidates(ieee80211_node_table_t *nt)
1411 {
1412 ieee80211com_t *ic = nt->nt_ic;
1413 ieee80211_node_t *in;
1414
1415 IEEE80211_NODE_LOCK(nt);
1416 in = ic->ic_bss;
1417 node_cleanfrag(in); /* Free fragment if not needed */
1418 nt->nt_inact_timer = IEEE80211_INACT_WAIT;
1419 IEEE80211_NODE_UNLOCK(nt);
1420 }
1421
1422 /*
1423 * Timeout inactive stations and do related housekeeping.
1424 * Note that we cannot hold the node lock while sending a
1425 * frame as this would lead to a LOR. Instead we use a
1426 * generation number to mark nodes that we've scanned and
1427 * drop the lock and restart a scan if we have to time out
1428 * a node. Since we are single-threaded by virtue of
1429 * controlling the inactivity timer we can be sure this will
1430 * process each node only once.
1431 */
1432 static void
ieee80211_timeout_stations(ieee80211_node_table_t * nt)1433 ieee80211_timeout_stations(ieee80211_node_table_t *nt)
1434 {
1435 ieee80211com_t *ic = nt->nt_ic;
1436 ieee80211_impl_t *im = ic->ic_private;
1437 ieee80211_node_t *in = NULL;
1438 uint32_t gen;
1439 boolean_t isadhoc;
1440
1441 IEEE80211_LOCK_ASSERT(ic);
1442 isadhoc = (ic->ic_opmode == IEEE80211_M_IBSS ||
1443 ic->ic_opmode == IEEE80211_M_AHDEMO);
1444 IEEE80211_SCAN_LOCK(nt);
1445 gen = ++nt->nt_scangen;
1446 restart:
1447 IEEE80211_NODE_LOCK(nt);
1448 for (in = list_head(&nt->nt_node); in != NULL;
1449 in = list_next(&nt->nt_node, in)) {
1450 if (in->in_scangen == gen) /* previously handled */
1451 continue;
1452 in->in_scangen = gen;
1453 node_cleanfrag(in); /* free fragment if not needed */
1454
1455 /*
1456 * Special case ourself; we may be idle for extended periods
1457 * of time and regardless reclaiming our state is wrong.
1458 */
1459 if (in == ic->ic_bss)
1460 continue;
1461 in->in_inact--;
1462 if (in->in_associd != 0 || isadhoc) {
1463 /*
1464 * Probe the station before time it out. We
1465 * send a null data frame which may not be
1466 * uinversally supported by drivers (need it
1467 * for ps-poll support so it should be...).
1468 */
1469 if (0 < in->in_inact &&
1470 in->in_inact <= im->im_inact_probe) {
1471 ieee80211_dbg(IEEE80211_MSG_NODE, "net80211: "
1472 "probe station due to inactivity\n");
1473 IEEE80211_NODE_UNLOCK(nt);
1474 IEEE80211_UNLOCK(ic);
1475 (void) ieee80211_send_nulldata(in);
1476 IEEE80211_LOCK(ic);
1477 goto restart;
1478 }
1479 }
1480 if (in->in_inact <= 0) {
1481 ieee80211_dbg(IEEE80211_MSG_NODE, "net80211: "
1482 "station timed out due to inact (refcnt %u)\n",
1483 ieee80211_node_refcnt(in));
1484 /*
1485 * Send a deauthenticate frame and drop the station.
1486 * This is somewhat complicated due to reference counts
1487 * and locking. At this point a station will typically
1488 * have a reference count of 1. ieee80211_node_leave
1489 * will do a "free" of the node which will drop the
1490 * reference count. But in the meantime a reference
1491 * wil be held by the deauth frame. The actual reclaim
1492 * of the node will happen either after the tx is
1493 * completed or by ieee80211_node_leave.
1494 *
1495 * Separately we must drop the node lock before sending
1496 * in case the driver takes a lock, as this will result
1497 * in LOR between the node lock and the driver lock.
1498 */
1499 IEEE80211_NODE_UNLOCK(nt);
1500 if (in->in_associd != 0) {
1501 IEEE80211_UNLOCK(ic);
1502 IEEE80211_SEND_MGMT(ic, in,
1503 IEEE80211_FC0_SUBTYPE_DEAUTH,
1504 IEEE80211_REASON_AUTH_EXPIRE);
1505 IEEE80211_LOCK(ic);
1506 }
1507 ieee80211_node_leave(ic, in);
1508 goto restart;
1509 }
1510 }
1511 IEEE80211_NODE_UNLOCK(nt);
1512
1513 IEEE80211_SCAN_UNLOCK(nt);
1514
1515 nt->nt_inact_timer = IEEE80211_INACT_WAIT;
1516 }
1517
1518 /*
1519 * Call the user-defined call back function for all nodes in
1520 * the node cache. The callback is invoked with the user-supplied
1521 * value and a pointer to the current node.
1522 */
1523 void
ieee80211_iterate_nodes(ieee80211_node_table_t * nt,ieee80211_iter_func * f,void * arg)1524 ieee80211_iterate_nodes(ieee80211_node_table_t *nt, ieee80211_iter_func *f,
1525 void *arg)
1526 {
1527 ieee80211_node_t *in;
1528
1529 IEEE80211_NODE_LOCK(nt);
1530 in = list_head(&nt->nt_node);
1531 while (in != NULL) {
1532 if (in->in_chan == IEEE80211_CHAN_ANYC) {
1533 in = list_next(&nt->nt_node, in);
1534 continue;
1535 }
1536 (void) ieee80211_ref_node(in);
1537 IEEE80211_NODE_UNLOCK(nt);
1538 (*f)(arg, in);
1539 ieee80211_free_node(in);
1540 IEEE80211_NODE_LOCK(nt);
1541 in = list_next(&nt->nt_node, in);
1542 }
1543 IEEE80211_NODE_UNLOCK(nt);
1544 }
1545
1546 /*
1547 * Handle bookkeeping for station deauthentication/disassociation
1548 * when operating as an ap.
1549 */
1550 static void
ieee80211_node_leave(ieee80211com_t * ic,ieee80211_node_t * in)1551 ieee80211_node_leave(ieee80211com_t *ic, ieee80211_node_t *in)
1552 {
1553 ieee80211_node_table_t *nt = in->in_table;
1554
1555 ASSERT(ic->ic_opmode == IEEE80211_M_IBSS);
1556
1557 /*
1558 * Remove the node from any table it's recorded in and
1559 * drop the caller's reference. Removal from the table
1560 * is important to insure the node is not reprocessed
1561 * for inactivity.
1562 */
1563 if (nt != NULL) {
1564 IEEE80211_NODE_LOCK(nt);
1565 ieee80211_node_reclaim(nt, in);
1566 IEEE80211_NODE_UNLOCK(nt);
1567 } else {
1568 ieee80211_free_node(in);
1569 }
1570 }
1571
1572 /*
1573 * Initialize a node table with specified name, inactivity timer value
1574 * and callback inactivity timeout function. Associate the node table
1575 * with interface softc, ic.
1576 */
1577 static void
ieee80211_node_table_init(ieee80211com_t * ic,ieee80211_node_table_t * nt,const char * name,int inact,int keyixmax,void (* timeout)(ieee80211_node_table_t *))1578 ieee80211_node_table_init(ieee80211com_t *ic, ieee80211_node_table_t *nt,
1579 const char *name, int inact, int keyixmax,
1580 void (*timeout)(ieee80211_node_table_t *))
1581 {
1582 int i;
1583
1584 ieee80211_dbg(IEEE80211_MSG_NODE, "ieee80211_node_table_init():"
1585 "%s table, inact %d\n", name, inact);
1586
1587 nt->nt_ic = ic;
1588 nt->nt_name = name;
1589 nt->nt_inact_timer = 0;
1590 nt->nt_inact_init = inact;
1591 nt->nt_timeout = timeout;
1592 nt->nt_keyixmax = keyixmax;
1593 nt->nt_scangen = 1;
1594 mutex_init(&nt->nt_scanlock, NULL, MUTEX_DRIVER, NULL);
1595 mutex_init(&nt->nt_nodelock, NULL, MUTEX_DRIVER, NULL);
1596
1597 list_create(&nt->nt_node, sizeof (ieee80211_node_t),
1598 offsetof(ieee80211_node_t, in_node));
1599 for (i = 0; i < IEEE80211_NODE_HASHSIZE; i++) {
1600 list_create(&nt->nt_hash[i], sizeof (ieee80211_node_t),
1601 offsetof(ieee80211_node_t, in_hash));
1602 }
1603 }
1604
1605 /*
1606 * Reset a node table. Clean its inactivity timer and call
1607 * ieee80211_free_allnodes_locked() to free all nodes in the
1608 * node table.
1609 */
1610 void
ieee80211_node_table_reset(ieee80211_node_table_t * nt)1611 ieee80211_node_table_reset(ieee80211_node_table_t *nt)
1612 {
1613 ieee80211_dbg(IEEE80211_MSG_NODE, "ieee80211_node_table_reset(): "
1614 "%s table\n", nt->nt_name);
1615
1616 IEEE80211_NODE_LOCK(nt);
1617 nt->nt_inact_timer = 0;
1618 ieee80211_free_allnodes_locked(nt);
1619 IEEE80211_NODE_UNLOCK(nt);
1620 }
1621
1622 /*
1623 * Destroy a node table. Free all nodes in the node table.
1624 * This function is usually called by node detach function.
1625 */
1626 static void
ieee80211_node_table_cleanup(ieee80211_node_table_t * nt)1627 ieee80211_node_table_cleanup(ieee80211_node_table_t *nt)
1628 {
1629 ieee80211_dbg(IEEE80211_MSG_NODE, "ieee80211_node_table_cleanup(): "
1630 "%s table\n", nt->nt_name);
1631
1632 IEEE80211_NODE_LOCK(nt);
1633 ieee80211_free_allnodes_locked(nt);
1634 IEEE80211_NODE_UNLOCK(nt);
1635 mutex_destroy(&nt->nt_nodelock);
1636 mutex_destroy(&nt->nt_scanlock);
1637 }
1638