sys/net80211/ieee80211_output.c

*54fbbda3Sjsg/*	$OpenBSD: ieee80211_output.c,v 1.140 2024/09/01 03:09:00 jsg Exp $	*/
91b2158bSmillert/*	$NetBSD: ieee80211_output.c,v 1.13 2004/05/31 11:02:55 dyoung Exp $	*/
91b2158bSmillert
91b2158bSmillert/*-
91b2158bSmillert * Copyright (c) 2001 Atsushi Onoe
91b2158bSmillert * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
45eec175Sdamien * Copyright (c) 2007-2009 Damien Bergamini
91b2158bSmillert * All rights reserved.
91b2158bSmillert *
91b2158bSmillert * Redistribution and use in source and binary forms, with or without
91b2158bSmillert * modification, are permitted provided that the following conditions
91b2158bSmillert * are met:
91b2158bSmillert * 1. Redistributions of source code must retain the above copyright
91b2158bSmillert *    notice, this list of conditions and the following disclaimer.
91b2158bSmillert * 2. Redistributions in binary form must reproduce the above copyright
91b2158bSmillert *    notice, this list of conditions and the following disclaimer in the
91b2158bSmillert *    documentation and/or other materials provided with the distribution.
91b2158bSmillert * 3. The name of the author may not be used to endorse or promote products
91b2158bSmillert *    derived from this software without specific prior written permission.
91b2158bSmillert *
91b2158bSmillert * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
91b2158bSmillert * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
91b2158bSmillert * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
91b2158bSmillert * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
91b2158bSmillert * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
91b2158bSmillert * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
91b2158bSmillert * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
91b2158bSmillert * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
91b2158bSmillert * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
91b2158bSmillert * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
91b2158bSmillert */
91b2158bSmillert
91b2158bSmillert#include "bpfilter.h"
ef822fe8Sdamien#include "vlan.h"
91b2158bSmillert
91b2158bSmillert#include <sys/param.h>
91b2158bSmillert#include <sys/systm.h>
91b2158bSmillert#include <sys/mbuf.h>
91b2158bSmillert#include <sys/kernel.h>
91b2158bSmillert#include <sys/socket.h>
91b2158bSmillert#include <sys/sockio.h>
91b2158bSmillert#include <sys/endian.h>
91b2158bSmillert#include <sys/errno.h>
91b2158bSmillert#include <sys/sysctl.h>
91b2158bSmillert
91b2158bSmillert#include <net/if.h>
91b2158bSmillert#include <net/if_dl.h>
91b2158bSmillert#include <net/if_media.h>
91b2158bSmillert#include <net/if_llc.h>
91b2158bSmillert#include <net/bpf.h>
91b2158bSmillert
91b2158bSmillert#include <netinet/in.h>
91b2158bSmillert#include <netinet/if_ether.h>
ef822fe8Sdamien#include <netinet/ip.h>
3c732269Sdamien#ifdef INET6
3c732269Sdamien#include <netinet/ip6.h>
3c732269Sdamien#endif
ef822fe8Sdamien
ef822fe8Sdamien#if NVLAN > 0
ef822fe8Sdamien#include <net/if_vlan_var.h>
91b2158bSmillert#endif
91b2158bSmillert
91b2158bSmillert#include <net80211/ieee80211_var.h>
6aaa29faSdamien#include <net80211/ieee80211_priv.h>
91b2158bSmillert
250085e6Sdamienint	ieee80211_mgmt_output(struct ifnet *, struct ieee80211_node *,
250085e6Sdamien	    struct mbuf *, int);
aefc44daSstspint	ieee80211_can_use_ampdu(struct ieee80211com *,
aefc44daSstsp	    struct ieee80211_node *);
1247f240Sdamienu_int8_t *ieee80211_add_rsn_body(u_int8_t *, struct ieee80211com *,
1247f240Sdamien	    const struct ieee80211_node *, int);
e03e709cSdamienstruct	mbuf *ieee80211_getmgmt(int, int, u_int);
5d49b5a5Sdamienstruct	mbuf *ieee80211_get_probe_req(struct ieee80211com *,
5d49b5a5Sdamien	    struct ieee80211_node *);
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
774cd68cSstspstruct	mbuf *ieee80211_get_probe_resp(struct ieee80211com *);
171ac09aSdamien#endif
5d49b5a5Sdamienstruct	mbuf *ieee80211_get_auth(struct ieee80211com *,
5d49b5a5Sdamien	    struct ieee80211_node *, u_int16_t, u_int16_t);
5d49b5a5Sdamienstruct	mbuf *ieee80211_get_deauth(struct ieee80211com *,
5d49b5a5Sdamien	    struct ieee80211_node *, u_int16_t);
5d49b5a5Sdamienstruct	mbuf *ieee80211_get_assoc_req(struct ieee80211com *,
5d49b5a5Sdamien	    struct ieee80211_node *, int);
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
5d49b5a5Sdamienstruct	mbuf *ieee80211_get_assoc_resp(struct ieee80211com *,
5d49b5a5Sdamien	    struct ieee80211_node *, u_int16_t);
171ac09aSdamien#endif
5d49b5a5Sdamienstruct	mbuf *ieee80211_get_disassoc(struct ieee80211com *,
5d49b5a5Sdamien	    struct ieee80211_node *, u_int16_t);
45eec175Sdamienstruct	mbuf *ieee80211_get_addba_req(struct ieee80211com *,
45eec175Sdamien	    struct ieee80211_node *, u_int8_t);
45eec175Sdamienstruct	mbuf *ieee80211_get_addba_resp(struct ieee80211com *,
ec69e05aSdamien	    struct ieee80211_node *, u_int8_t, u_int8_t, u_int16_t);
45eec175Sdamienstruct	mbuf *ieee80211_get_delba(struct ieee80211com *,
ec69e05aSdamien	    struct ieee80211_node *, u_int8_t, u_int8_t, u_int16_t);
6999278eSstspuint8_t *ieee80211_add_wme_info(uint8_t *, struct ieee80211com *);
432d6c6bSstsp#ifndef IEEE80211_STA_ONLY
432d6c6bSstspuint8_t *ieee80211_add_wme_param(uint8_t *, struct ieee80211com *);
432d6c6bSstsp#endif
45eec175Sdamienstruct	mbuf *ieee80211_get_sa_query(struct ieee80211com *,
45eec175Sdamien	    struct ieee80211_node *, u_int8_t);
45eec175Sdamienstruct	mbuf *ieee80211_get_action(struct ieee80211com *,
45eec175Sdamien	    struct ieee80211_node *, u_int8_t, u_int8_t, int);
250085e6Sdamien
91b2158bSmillert/*
673b59bcSreyk * IEEE 802.11 output routine. Normally this will directly call the
673b59bcSreyk * Ethernet output routine because 802.11 encapsulation is called
1bb78573Sdamien * later by the driver. This function can be used to send raw frames
673b59bcSreyk * if the mbuf has been tagged with a 802.11 data link type.
673b59bcSreyk */
673b59bcSreykint
673b59bcSreykieee80211_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
673b59bcSreyk    struct rtentry *rt)
673b59bcSreyk{
131b80deSdamien	struct ieee80211_frame *wh;
673b59bcSreyk	struct m_tag *mtag;
e9188d0dSmpi	int error = 0;
673b59bcSreyk
673b59bcSreyk	/* Interface has to be up and running */
673b59bcSreyk	if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) !=
673b59bcSreyk	    (IFF_UP | IFF_RUNNING)) {
673b59bcSreyk		error = ENETDOWN;
673b59bcSreyk		goto bad;
673b59bcSreyk	}
673b59bcSreyk
673b59bcSreyk	/* Try to get the DLT from a mbuf tag */
673b59bcSreyk	if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) {
131b80deSdamien		struct ieee80211com *ic = (void *)ifp;
02bc3a2fSdamien		u_int dlt = *(u_int *)(mtag + 1);
673b59bcSreyk
673b59bcSreyk		/* Fallback to ethernet for non-802.11 linktypes */
673b59bcSreyk		if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO))
673b59bcSreyk			goto fallback;
673b59bcSreyk
131b80deSdamien		if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min))
131b80deSdamien			return (EINVAL);
131b80deSdamien		wh = mtod(m, struct ieee80211_frame *);
131b80deSdamien		if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
131b80deSdamien		    IEEE80211_FC0_VERSION_0)
131b80deSdamien			return (EINVAL);
9561b6baSdamien		if (!(ic->ic_caps & IEEE80211_C_RAWCTL) &&
131b80deSdamien		    (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) ==
131b80deSdamien		    IEEE80211_FC0_TYPE_CTL)
131b80deSdamien			return (EINVAL);
131b80deSdamien
c38eb4ffSmpi		return (if_enqueue(ifp, m));
673b59bcSreyk	}
673b59bcSreyk
673b59bcSreyk fallback:
673b59bcSreyk	return (ether_output(ifp, m, dst, rt));
673b59bcSreyk
673b59bcSreyk bad:
673b59bcSreyk	m_freem(m);
673b59bcSreyk	return (error);
673b59bcSreyk}
673b59bcSreyk
6998360eSstspconst char *
6998360eSstspieee80211_action_name(struct ieee80211_frame *wh)
6998360eSstsp{
6998360eSstsp	const u_int8_t *frm = (const uint8_t *)&wh[1];
6998360eSstsp	const char *categ_ba_name[3] = { "addba_req", "addba_resp", "delba" };
6998360eSstsp
6998360eSstsp	if (frm[0] == IEEE80211_CATEG_BA && frm[1] < nitems(categ_ba_name))
6998360eSstsp		return categ_ba_name[frm[1]];
6998360eSstsp
6998360eSstsp	return "action";
6998360eSstsp}
6998360eSstsp
673b59bcSreyk/*
91b2158bSmillert * Send a management frame to the specified node.  The node pointer
91b2158bSmillert * must have a reference as the pointer will be passed to the driver
91b2158bSmillert * and potentially held for a long time.  If the frame is successfully
91b2158bSmillert * dispatched to the driver, then it is responsible for freeing the
91b2158bSmillert * reference (and potentially free'ing up any associated storage).
91b2158bSmillert */
250085e6Sdamienint
91b2158bSmillertieee80211_mgmt_output(struct ifnet *ifp, struct ieee80211_node *ni,
91b2158bSmillert    struct mbuf *m, int type)
91b2158bSmillert{
91b2158bSmillert	struct ieee80211com *ic = (void *)ifp;
91b2158bSmillert	struct ieee80211_frame *wh;
91b2158bSmillert
fe6a7506Sjsg	if (ni == NULL)
fe6a7506Sjsg		panic("null node");
91b2158bSmillert	ni->ni_inact = 0;
91b2158bSmillert
91b2158bSmillert	/*
6da4b19dSmpi	 * We want to pass the node down to the driver's start
6da4b19dSmpi	 * routine.  We could stick this in an m_tag and tack that
6da4b19dSmpi	 * on to the mbuf.  However that's rather expensive to do
6da4b19dSmpi	 * for every frame so instead we stuff it in a special pkthdr
6da4b19dSmpi	 * field.
91b2158bSmillert	 */
91b2158bSmillert	M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT);
91b2158bSmillert	if (m == NULL)
91b2158bSmillert		return ENOMEM;
6da4b19dSmpi	m->m_pkthdr.ph_cookie = ni;
91b2158bSmillert
91b2158bSmillert	wh = mtod(m, struct ieee80211_frame *);
91b2158bSmillert	wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | type;
91b2158bSmillert	wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
91b2158bSmillert	*(u_int16_t *)&wh->i_dur[0] = 0;
91b2158bSmillert	*(u_int16_t *)&wh->i_seq[0] =
91b2158bSmillert	    htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT);
797d79d7Sstsp	ni->ni_txseq = (ni->ni_txseq + 1) & 0xfff;
91b2158bSmillert	IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr);
91b2158bSmillert	IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr);
91b2158bSmillert	IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid);
91b2158bSmillert
e8163130Sdamien	/* check if protection is required for this mgmt frame */
e8163130Sdamien	if ((ic->ic_caps & IEEE80211_C_MFP) &&
e8163130Sdamien	    (type == IEEE80211_FC0_SUBTYPE_DISASSOC ||
e8163130Sdamien	     type == IEEE80211_FC0_SUBTYPE_DEAUTH ||
e8163130Sdamien	     type == IEEE80211_FC0_SUBTYPE_ACTION)) {
e8163130Sdamien		/*
e8163130Sdamien		 * Hack: we should not set the Protected bit in outgoing
e8163130Sdamien		 * group management frames, however it is used as an
e8163130Sdamien		 * indication to the drivers that they must encrypt the
e8163130Sdamien		 * frame.  Drivers should clear this bit from group
e8163130Sdamien		 * management frames (software crypto code will do it).
e8163130Sdamien		 * XXX could use an mbuf flag..
e8163130Sdamien		 */
e8163130Sdamien		if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
e8163130Sdamien		    (ni->ni_flags & IEEE80211_NODE_TXMGMTPROT))
e8163130Sdamien			wh->i_fc[1] |= IEEE80211_FC1_PROTECTED;
e8163130Sdamien	}
e8163130Sdamien
91b2158bSmillert	if (ifp->if_flags & IFF_DEBUG) {
91b2158bSmillert		/* avoid to print too many frames */
171ac09aSdamien		if (
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
171ac09aSdamien		    ic->ic_opmode == IEEE80211_M_IBSS ||
171ac09aSdamien#endif
91b2158bSmillert#ifdef IEEE80211_DEBUG
91b2158bSmillert		    ieee80211_debug > 1 ||
91b2158bSmillert#endif
91b2158bSmillert		    (type & IEEE80211_FC0_SUBTYPE_MASK) !=
6998360eSstsp		    IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
6998360eSstsp			const char *subtype_name;
6998360eSstsp			if ((type & IEEE80211_FC0_SUBTYPE_MASK) ==
6998360eSstsp			    IEEE80211_FC0_SUBTYPE_ACTION)
6998360eSstsp				subtype_name = ieee80211_action_name(wh);
6998360eSstsp			else
6998360eSstsp				subtype_name = ieee80211_mgt_subtype_name[
6998360eSstsp				    (type & IEEE80211_FC0_SUBTYPE_MASK) >>
6998360eSstsp				    IEEE80211_FC0_SUBTYPE_SHIFT];
aec29e1fSreyk			printf("%s: sending %s to %s on channel %u mode %s\n",
6998360eSstsp			    ifp->if_xname, subtype_name,
91b2158bSmillert			    ether_sprintf(ni->ni_macaddr),
aec29e1fSreyk			    ieee80211_chan2ieee(ic, ni->ni_chan),
2206dc0fSstsp			    ieee80211_phymode_name[ic->ic_curmode]);
91b2158bSmillert		}
6998360eSstsp	}
91b2158bSmillert
93d01030Sdamien#ifndef IEEE80211_STA_ONLY
93d01030Sdamien	if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
93d01030Sdamien	    ieee80211_pwrsave(ic, m, ni) != 0)
93d01030Sdamien		return 0;
93d01030Sdamien#endif
351e1934Sdlg	mq_enqueue(&ic->ic_mgtq, m);
91b2158bSmillert	ifp->if_timer = 1;
67de757dSmpi	if_start(ifp);
91b2158bSmillert	return 0;
91b2158bSmillert}
91b2158bSmillert
3b874289Sdamien/*-
3b874289Sdamien * EDCA tables are computed using the following formulas:
3b874289Sdamien *
3b874289Sdamien * 1) EDCATable (non-AP QSTA)
3b874289Sdamien *
3b874289Sdamien * AC     CWmin 	   CWmax	   AIFSN  TXOP limit(ms)
3b874289Sdamien * -------------------------------------------------------------
3b874289Sdamien * AC_BK  aCWmin	   aCWmax	   7	  0
3b874289Sdamien * AC_BE  aCWmin	   aCWmax	   3	  0
3b874289Sdamien * AC_VI  (aCWmin+1)/2-1   aCWmin	   2	  agn=3.008 b=6.016 others=0
3b874289Sdamien * AC_VO  (aCWmin+1)/4-1   (aCWmin+1)/2-1  2	  agn=1.504 b=3.264 others=0
3b874289Sdamien *
3b874289Sdamien * 2) QAPEDCATable (QAP)
3b874289Sdamien *
3b874289Sdamien * AC     CWmin 	   CWmax	   AIFSN  TXOP limit(ms)
3b874289Sdamien * -------------------------------------------------------------
3b874289Sdamien * AC_BK  aCWmin	   aCWmax	   7	  0
3b874289Sdamien * AC_BE  aCWmin	   4*(aCWmin+1)-1  3	  0
3b874289Sdamien * AC_VI  (aCWmin+1)/2-1   aCWmin	   1	  agn=3.008 b=6.016 others=0
3b874289Sdamien * AC_VO  (aCWmin+1)/4-1   (aCWmin+1)/2-1  1	  agn=1.504 b=3.264 others=0
3b874289Sdamien *
3b874289Sdamien * and the following aCWmin/aCWmax values:
3b874289Sdamien *
3b874289Sdamien * PHY		aCWmin	aCWmax
3b874289Sdamien * ---------------------------
3b874289Sdamien * 11A		15	1023
3b874289Sdamien * 11B  	31	1023
3b874289Sdamien * 11G		15*	1023	(*) aCWmin(1)
432d6c6bSstsp * 11N		15	1023
3b874289Sdamien */
fca238d4Sstspconst struct ieee80211_edca_ac_params
3b874289Sdamien    ieee80211_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = {
3b874289Sdamien	[IEEE80211_MODE_11B] = {
3b874289Sdamien		[EDCA_AC_BK] = { 5, 10, 7,   0 },
3b874289Sdamien		[EDCA_AC_BE] = { 5, 10, 3,   0 },
3b874289Sdamien		[EDCA_AC_VI] = { 4,  5, 2, 188 },
3b874289Sdamien		[EDCA_AC_VO] = { 3,  4, 2, 102 }
3b874289Sdamien	},
3b874289Sdamien	[IEEE80211_MODE_11A] = {
3b874289Sdamien		[EDCA_AC_BK] = { 4, 10, 7,   0 },
3b874289Sdamien		[EDCA_AC_BE] = { 4, 10, 3,   0 },
3b874289Sdamien		[EDCA_AC_VI] = { 3,  4, 2,  94 },
3b874289Sdamien		[EDCA_AC_VO] = { 2,  3, 2,  47 }
3b874289Sdamien	},
3b874289Sdamien	[IEEE80211_MODE_11G] = {
3b874289Sdamien		[EDCA_AC_BK] = { 4, 10, 7,   0 },
3b874289Sdamien		[EDCA_AC_BE] = { 4, 10, 3,   0 },
3b874289Sdamien		[EDCA_AC_VI] = { 3,  4, 2,  94 },
3b874289Sdamien		[EDCA_AC_VO] = { 2,  3, 2,  47 }
3b874289Sdamien	},
432d6c6bSstsp	[IEEE80211_MODE_11N] = {
432d6c6bSstsp		[EDCA_AC_BK] = { 4, 10, 7,   0 },
432d6c6bSstsp		[EDCA_AC_BE] = { 4, 10, 3,   0 },
432d6c6bSstsp		[EDCA_AC_VI] = { 3,  4, 2,  94 },
432d6c6bSstsp		[EDCA_AC_VO] = { 2,  3, 2,  47 }
432d6c6bSstsp	},
50e8fe1cSstsp	[IEEE80211_MODE_11AC] = {
50e8fe1cSstsp		[EDCA_AC_BK] = { 4, 10, 7,   0 },
50e8fe1cSstsp		[EDCA_AC_BE] = { 4, 10, 3,   0 },
50e8fe1cSstsp		[EDCA_AC_VI] = { 3,  4, 2,  94 },
50e8fe1cSstsp		[EDCA_AC_VO] = { 2,  3, 2,  47 }
50e8fe1cSstsp	},
3b874289Sdamien};
3b874289Sdamien
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
e8f8f56cSstspconst struct ieee80211_edca_ac_params
3b874289Sdamien    ieee80211_qap_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = {
3b874289Sdamien	[IEEE80211_MODE_11B] = {
3b874289Sdamien		[EDCA_AC_BK] = { 5, 10, 7,   0 },
3b874289Sdamien		[EDCA_AC_BE] = { 5,  7, 3,   0 },
3b874289Sdamien		[EDCA_AC_VI] = { 4,  5, 1, 188 },
3b874289Sdamien		[EDCA_AC_VO] = { 3,  4, 1, 102 }
3b874289Sdamien	},
3b874289Sdamien	[IEEE80211_MODE_11A] = {
3b874289Sdamien		[EDCA_AC_BK] = { 4, 10, 7,   0 },
3b874289Sdamien		[EDCA_AC_BE] = { 4,  6, 3,   0 },
3b874289Sdamien		[EDCA_AC_VI] = { 3,  4, 1,  94 },
3b874289Sdamien		[EDCA_AC_VO] = { 2,  3, 1,  47 }
3b874289Sdamien	},
3b874289Sdamien	[IEEE80211_MODE_11G] = {
3b874289Sdamien		[EDCA_AC_BK] = { 4, 10, 7,   0 },
3b874289Sdamien		[EDCA_AC_BE] = { 4,  6, 3,   0 },
3b874289Sdamien		[EDCA_AC_VI] = { 3,  4, 1,  94 },
3b874289Sdamien		[EDCA_AC_VO] = { 2,  3, 1,  47 }
3b874289Sdamien	},
432d6c6bSstsp	[IEEE80211_MODE_11N] = {
432d6c6bSstsp		[EDCA_AC_BK] = { 4, 10, 7,   0 },
432d6c6bSstsp		[EDCA_AC_BE] = { 4,  6, 3,   0 },
432d6c6bSstsp		[EDCA_AC_VI] = { 3,  4, 1,  94 },
432d6c6bSstsp		[EDCA_AC_VO] = { 2,  3, 1,  47 }
432d6c6bSstsp	},
50e8fe1cSstsp	[IEEE80211_MODE_11AC] = {
50e8fe1cSstsp		[EDCA_AC_BK] = { 4, 10, 7,   0 },
50e8fe1cSstsp		[EDCA_AC_BE] = { 4,  6, 3,   0 },
50e8fe1cSstsp		[EDCA_AC_VI] = { 3,  4, 1,  94 },
50e8fe1cSstsp		[EDCA_AC_VO] = { 2,  3, 1,  47 }
50e8fe1cSstsp	},
3b874289Sdamien};
171ac09aSdamien#endif	/* IEEE80211_STA_ONLY */
3b874289Sdamien
91b2158bSmillert/*
ef822fe8Sdamien * Return the EDCA Access Category to be used for transmitting a frame with
ef822fe8Sdamien * user-priority `up'.
ef822fe8Sdamien */
ef822fe8Sdamienenum ieee80211_edca_ac
ef822fe8Sdamienieee80211_up_to_ac(struct ieee80211com *ic, int up)
ef822fe8Sdamien{
ce7deb45Sdamien	/* see Table 9-1 */
ef822fe8Sdamien	static const enum ieee80211_edca_ac up_to_ac[] = {
ef822fe8Sdamien		EDCA_AC_BE,	/* BE */
ef822fe8Sdamien		EDCA_AC_BK,	/* BK */
ef822fe8Sdamien		EDCA_AC_BK,	/* -- */
ef822fe8Sdamien		EDCA_AC_BE,	/* EE */
ef822fe8Sdamien		EDCA_AC_VI,	/* CL */
ef822fe8Sdamien		EDCA_AC_VI,	/* VI */
ef822fe8Sdamien		EDCA_AC_VO,	/* VO */
ef822fe8Sdamien		EDCA_AC_VO	/* NC */
ef822fe8Sdamien	};
ef822fe8Sdamien	enum ieee80211_edca_ac ac;
ef822fe8Sdamien
ef822fe8Sdamien	ac = (up <= 7) ? up_to_ac[up] : EDCA_AC_BE;
ef822fe8Sdamien
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
ef822fe8Sdamien	if (ic->ic_opmode == IEEE80211_M_HOSTAP)
ef822fe8Sdamien		return ac;
171ac09aSdamien#endif
ef822fe8Sdamien	/*
ef822fe8Sdamien	 * We do not support the admission control procedure defined in
b5f5be9fSstsp	 * IEEE Std 802.11-2012 section 9.19.4.2.3. The spec says that
ef822fe8Sdamien	 * non-AP QSTAs that don't support this procedure shall use EDCA
ef822fe8Sdamien	 * parameters of a lower priority AC that does not require
ef822fe8Sdamien	 * admission control.
ef822fe8Sdamien	 */
ef822fe8Sdamien	while (ac != EDCA_AC_BK && ic->ic_edca_ac[ac].ac_acm) {
ef822fe8Sdamien		switch (ac) {
ef822fe8Sdamien		case EDCA_AC_BK:
ef822fe8Sdamien			/* can't get there */
ef822fe8Sdamien			break;
ef822fe8Sdamien		case EDCA_AC_BE:
ef822fe8Sdamien			/* BE shouldn't require admission control */
ef822fe8Sdamien			ac = EDCA_AC_BK;
ef822fe8Sdamien			break;
ef822fe8Sdamien		case EDCA_AC_VI:
ef822fe8Sdamien			ac = EDCA_AC_BE;
ef822fe8Sdamien			break;
ef822fe8Sdamien		case EDCA_AC_VO:
ef822fe8Sdamien			ac = EDCA_AC_VI;
ef822fe8Sdamien			break;
ef822fe8Sdamien		}
ef822fe8Sdamien	}
ef822fe8Sdamien	return ac;
ef822fe8Sdamien}
ef822fe8Sdamien
ef822fe8Sdamien/*
ef822fe8Sdamien * Get mbuf's user-priority: if mbuf is not VLAN tagged, select user-priority
fb4c23fcSdamien * based on the DSCP (Differentiated Services Codepoint) field.
ef822fe8Sdamien */
fb4c23fcSdamienint
fb4c23fcSdamienieee80211_classify(struct ieee80211com *ic, struct mbuf *m)
ef822fe8Sdamien{
4e00b903Spatrick	struct ether_header eh;
3c732269Sdamien	u_int8_t ds_field;
ef822fe8Sdamien#if NVLAN > 0
0cb2bd1bSdamien	if (m->m_flags & M_VLANTAG)	/* use VLAN 802.1D user-priority */
0cb2bd1bSdamien		return EVL_PRIOFTAG(m->m_pkthdr.ether_vtag);
ef822fe8Sdamien#endif
4e00b903Spatrick	m_copydata(m, 0, sizeof(eh), (caddr_t)&eh);
4e00b903Spatrick	if (eh.ether_type == htons(ETHERTYPE_IP)) {
4e00b903Spatrick		struct ip ip;
4e00b903Spatrick		m_copydata(m, sizeof(eh), sizeof(ip), (caddr_t)&ip);
4e00b903Spatrick		if (ip.ip_v != 4)
3c732269Sdamien			return 0;
4e00b903Spatrick		ds_field = ip.ip_tos;
3c732269Sdamien	}
3c732269Sdamien#ifdef INET6
4e00b903Spatrick	else if (eh.ether_type == htons(ETHERTYPE_IPV6)) {
4e00b903Spatrick		struct ip6_hdr ip6;
3c732269Sdamien		u_int32_t flowlabel;
4e00b903Spatrick		m_copydata(m, sizeof(eh), sizeof(ip6), (caddr_t)&ip6);
4e00b903Spatrick		flowlabel = ntohl(ip6.ip6_flow);
3c732269Sdamien		if ((flowlabel >> 28) != 6)
3c732269Sdamien			return 0;
3c732269Sdamien		ds_field = (flowlabel >> 20) & 0xff;
3c732269Sdamien	}
3c732269Sdamien#endif	/* INET6 */
3c732269Sdamien	else	/* neither IPv4 nor IPv6 */
3c732269Sdamien		return 0;
3c732269Sdamien
ef822fe8Sdamien	/*
fb4c23fcSdamien	 * Map Differentiated Services Codepoint field (see RFC2474).
fb4c23fcSdamien	 * Preserves backward compatibility with IP Precedence field.
ef822fe8Sdamien	 */
3c732269Sdamien	switch (ds_field & 0xfc) {
ef822fe8Sdamien	case IPTOS_PREC_PRIORITY:
aefc44daSstsp		return EDCA_AC_VI;
ef822fe8Sdamien	case IPTOS_PREC_IMMEDIATE:
aefc44daSstsp		return EDCA_AC_BK;
ef822fe8Sdamien	case IPTOS_PREC_FLASH:
ef822fe8Sdamien	case IPTOS_PREC_FLASHOVERRIDE:
ef822fe8Sdamien	case IPTOS_PREC_CRITIC_ECP:
ef822fe8Sdamien	case IPTOS_PREC_INTERNETCONTROL:
ef822fe8Sdamien	case IPTOS_PREC_NETCONTROL:
aefc44daSstsp		return EDCA_AC_VO;
aefc44daSstsp	default:
aefc44daSstsp		return EDCA_AC_BE;
ef822fe8Sdamien	}
aefc44daSstsp}
aefc44daSstsp
aefc44daSstspint
aefc44daSstspieee80211_can_use_ampdu(struct ieee80211com *ic, struct ieee80211_node *ni)
aefc44daSstsp{
aefc44daSstsp	return (ni->ni_flags & IEEE80211_NODE_HT) &&
aefc44daSstsp	    (ic->ic_caps & IEEE80211_C_TX_AMPDU) &&
aefc44daSstsp	    !(ic->ic_opmode == IEEE80211_M_STA && ni != ic->ic_bss) &&
aefc44daSstsp	    /*
aefc44daSstsp	     * Don't use A-MPDU on non-encrypted networks. There are devices
aefc44daSstsp	     * with buggy firmware which allow an attacker to inject 802.11
678831beSjsg	     * frames into a wifi network by embedding rogue A-MPDU subframes
aefc44daSstsp	     * in an arbitrary data payload (e.g. PNG images) which may end
aefc44daSstsp	     * up appearing as actual frames after de-aggregation by a buggy
aefc44daSstsp	     * device; see https://github.com/rpp0/aggr-inject for details.
aefc44daSstsp	     * WPA2 prevents this injection attack since the attacker would
aefc44daSstsp	     * need to inject frames which get decrypted correctly.
aefc44daSstsp	     */
aefc44daSstsp	    ((ic->ic_flags & IEEE80211_F_RSNON) &&
aefc44daSstsp	      (ni->ni_rsnprotos & IEEE80211_PROTO_RSN));
aefc44daSstsp}
aefc44daSstsp
aefc44daSstspvoid
aefc44daSstspieee80211_tx_compressed_bar(struct ieee80211com *ic, struct ieee80211_node *ni,
aefc44daSstsp    int tid, uint16_t ssn)
aefc44daSstsp{
aefc44daSstsp	struct ifnet *ifp = &ic->ic_if;
aefc44daSstsp	struct mbuf *m;
aefc44daSstsp
aefc44daSstsp	m = ieee80211_get_compressed_bar(ic, ni, tid, ssn);
aefc44daSstsp	if (m == NULL)
aefc44daSstsp		return;
aefc44daSstsp
aefc44daSstsp	ieee80211_ref_node(ni);
aefc44daSstsp	if (mq_enqueue(&ic->ic_mgtq, m) == 0)
aefc44daSstsp		if_start(ifp);
aefc44daSstsp	else
aefc44daSstsp		ieee80211_release_node(ic, ni);
ef822fe8Sdamien}
ef822fe8Sdamien
ef822fe8Sdamien/*
91b2158bSmillert * Encapsulate an outbound data frame.  The mbuf chain is updated and
91b2158bSmillert * a reference to the destination node is returned.  If an error is
91b2158bSmillert * encountered NULL is returned and the node reference will also be NULL.
91b2158bSmillert *
91b2158bSmillert * NB: The caller is responsible for free'ing a returned node reference.
91b2158bSmillert *     The convention is ic_bss is not reference counted; the caller must
91b2158bSmillert *     maintain that.
91b2158bSmillert */
91b2158bSmillertstruct mbuf *
91b2158bSmillertieee80211_encap(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node **pni)
91b2158bSmillert{
91b2158bSmillert	struct ieee80211com *ic = (void *)ifp;
91b2158bSmillert	struct ether_header eh;
91b2158bSmillert	struct ieee80211_frame *wh;
91b2158bSmillert	struct ieee80211_node *ni = NULL;
91b2158bSmillert	struct llc *llc;
673b59bcSreyk	struct m_tag *mtag;
673b59bcSreyk	u_int8_t *addr;
fb4c23fcSdamien	u_int dlt, hdrlen;
fb4c23fcSdamien	int addqos, tid;
91b2158bSmillert
673b59bcSreyk	/* Handle raw frames if mbuf is tagged as 802.11 */
673b59bcSreyk	if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) {
673b59bcSreyk		dlt = *(u_int *)(mtag + 1);
673b59bcSreyk
673b59bcSreyk		if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO))
673b59bcSreyk			goto fallback;
673b59bcSreyk
673b59bcSreyk		wh = mtod(m, struct ieee80211_frame *);
673b59bcSreyk		switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
673b59bcSreyk		case IEEE80211_FC1_DIR_NODS:
673b59bcSreyk		case IEEE80211_FC1_DIR_FROMDS:
673b59bcSreyk			addr = wh->i_addr1;
673b59bcSreyk			break;
673b59bcSreyk		case IEEE80211_FC1_DIR_DSTODS:
673b59bcSreyk		case IEEE80211_FC1_DIR_TODS:
673b59bcSreyk			addr = wh->i_addr3;
673b59bcSreyk			break;
673b59bcSreyk		default:
673b59bcSreyk			goto bad;
673b59bcSreyk		}
673b59bcSreyk
673b59bcSreyk		ni = ieee80211_find_txnode(ic, addr);
673b59bcSreyk		if (ni == NULL)
673b59bcSreyk			ni = ieee80211_ref_node(ic->ic_bss);
673b59bcSreyk		if (ni == NULL) {
a0068c42Sjsg			printf("%s: no node for dst %s, "
a0068c42Sjsg			    "discard raw tx frame\n", ifp->if_xname,
a0068c42Sjsg			    ether_sprintf(addr));
673b59bcSreyk			ic->ic_stats.is_tx_nonode++;
673b59bcSreyk			goto bad;
673b59bcSreyk		}
673b59bcSreyk		ni->ni_inact = 0;
673b59bcSreyk
673b59bcSreyk		*pni = ni;
673b59bcSreyk		return (m);
673b59bcSreyk	}
673b59bcSreyk
673b59bcSreyk fallback:
a12575e0Sstsp	if (ic->ic_opmode == IEEE80211_M_MONITOR)
a12575e0Sstsp		goto bad;
a12575e0Sstsp
91b2158bSmillert	if (m->m_len < sizeof(struct ether_header)) {
91b2158bSmillert		m = m_pullup(m, sizeof(struct ether_header));
91b2158bSmillert		if (m == NULL) {
91b2158bSmillert			ic->ic_stats.is_tx_nombuf++;
91b2158bSmillert			goto bad;
91b2158bSmillert		}
91b2158bSmillert	}
91b2158bSmillert	memcpy(&eh, mtod(m, caddr_t), sizeof(struct ether_header));
91b2158bSmillert
91b2158bSmillert	ni = ieee80211_find_txnode(ic, eh.ether_dhost);
91b2158bSmillert	if (ni == NULL) {
932b9027Sdamien		DPRINTF(("no node for dst %s, discard frame\n",
932b9027Sdamien		    ether_sprintf(eh.ether_dhost)));
91b2158bSmillert		ic->ic_stats.is_tx_nonode++;
91b2158bSmillert		goto bad;
91b2158bSmillert	}
e03e709cSdamien
c7cb3652Sstsp#ifndef IEEE80211_STA_ONLY
c7cb3652Sstsp	if (ic->ic_opmode == IEEE80211_M_HOSTAP && ni != ic->ic_bss &&
c7cb3652Sstsp	    ni->ni_state != IEEE80211_STA_ASSOC) {
c7cb3652Sstsp		ic->ic_stats.is_tx_nonode++;
c7cb3652Sstsp		goto bad;
c7cb3652Sstsp	}
c7cb3652Sstsp#endif
c7cb3652Sstsp
01ad6d9fSdamien	if ((ic->ic_flags & IEEE80211_F_RSNON) &&
01ad6d9fSdamien	    !ni->ni_port_valid &&
83aa0ba6Sdlg	    eh.ether_type != htons(ETHERTYPE_EAPOL)) {
932b9027Sdamien		DPRINTF(("port not valid: %s\n",
932b9027Sdamien		    ether_sprintf(eh.ether_dhost)));
eba1a6b6Sdamien		ic->ic_stats.is_tx_noauth++;
eba1a6b6Sdamien		goto bad;
eba1a6b6Sdamien	}
e03e709cSdamien
e03e709cSdamien	if ((ic->ic_flags & IEEE80211_F_COUNTERM) &&
e03e709cSdamien	    ni->ni_rsncipher == IEEE80211_CIPHER_TKIP)
e03e709cSdamien		/* XXX TKIP countermeasures! */;
e03e709cSdamien
91b2158bSmillert	ni->ni_inact = 0;
91b2158bSmillert
fb4c23fcSdamien	if ((ic->ic_flags & IEEE80211_F_QOS) &&
eba1a6b6Sdamien	    (ni->ni_flags & IEEE80211_NODE_QOS) &&
eba1a6b6Sdamien	    /* do not QoS-encapsulate EAPOL frames */
83aa0ba6Sdlg	    eh.ether_type != htons(ETHERTYPE_EAPOL)) {
aefc44daSstsp		struct ieee80211_tx_ba *ba;
fb4c23fcSdamien		tid = ieee80211_classify(ic, m);
aefc44daSstsp		ba = &ni->ni_tx_ba[tid];
21eba542Sstsp		/* We use QoS data frames for aggregation only. */
21eba542Sstsp		if (ba->ba_state != IEEE80211_BA_AGREED) {
aefc44daSstsp			hdrlen = sizeof(struct ieee80211_frame);
aefc44daSstsp			addqos = 0;
21eba542Sstsp			if (ieee80211_can_use_ampdu(ic, ni))
21eba542Sstsp				ieee80211_node_trigger_addba_req(ni, tid);
aefc44daSstsp		} else {
fb4c23fcSdamien			hdrlen = sizeof(struct ieee80211_qosframe);
fb4c23fcSdamien			addqos = 1;
aefc44daSstsp		}
fb4c23fcSdamien	} else {
fb4c23fcSdamien		hdrlen = sizeof(struct ieee80211_frame);
fb4c23fcSdamien		addqos = 0;
fb4c23fcSdamien	}
49c1cac8Sdamien	m_adj(m, sizeof(struct ether_header) - LLC_SNAPFRAMELEN);
91b2158bSmillert	llc = mtod(m, struct llc *);
91b2158bSmillert	llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP;
91b2158bSmillert	llc->llc_control = LLC_UI;
91b2158bSmillert	llc->llc_snap.org_code[0] = 0;
91b2158bSmillert	llc->llc_snap.org_code[1] = 0;
91b2158bSmillert	llc->llc_snap.org_code[2] = 0;
91b2158bSmillert	llc->llc_snap.ether_type = eh.ether_type;
fb4c23fcSdamien	M_PREPEND(m, hdrlen, M_DONTWAIT);
91b2158bSmillert	if (m == NULL) {
91b2158bSmillert		ic->ic_stats.is_tx_nombuf++;
91b2158bSmillert		goto bad;
91b2158bSmillert	}
91b2158bSmillert	wh = mtod(m, struct ieee80211_frame *);
91b2158bSmillert	wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA;
91b2158bSmillert	*(u_int16_t *)&wh->i_dur[0] = 0;
fb4c23fcSdamien	if (addqos) {
fb4c23fcSdamien		struct ieee80211_qosframe *qwh =
fb4c23fcSdamien		    (struct ieee80211_qosframe *)wh;
45eec175Sdamien		u_int16_t qos = tid;
45eec175Sdamien
45eec175Sdamien		if (ic->ic_tid_noack & (1 << tid))
45eec175Sdamien			qos |= IEEE80211_QOS_ACK_POLICY_NOACK;
21eba542Sstsp		else {
aefc44daSstsp			/* Use HT immediate block-ack. */
aefc44daSstsp			qos |= IEEE80211_QOS_ACK_POLICY_NORMAL;
21eba542Sstsp		}
fb4c23fcSdamien		qwh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS;
45eec175Sdamien		*(u_int16_t *)qwh->i_qos = htole16(qos);
45eec175Sdamien		*(u_int16_t *)qwh->i_seq =
fb4c23fcSdamien		    htole16(ni->ni_qos_txseqs[tid] << IEEE80211_SEQ_SEQ_SHIFT);
797d79d7Sstsp		ni->ni_qos_txseqs[tid] = (ni->ni_qos_txseqs[tid] + 1) & 0xfff;
fb4c23fcSdamien	} else {
91b2158bSmillert		*(u_int16_t *)&wh->i_seq[0] =
91b2158bSmillert		    htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT);
797d79d7Sstsp		ni->ni_txseq = (ni->ni_txseq + 1) & 0xfff;
fb4c23fcSdamien	}
91b2158bSmillert	switch (ic->ic_opmode) {
91b2158bSmillert	case IEEE80211_M_STA:
91b2158bSmillert		wh->i_fc[1] = IEEE80211_FC1_DIR_TODS;
91b2158bSmillert		IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid);
91b2158bSmillert		IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost);
91b2158bSmillert		IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost);
91b2158bSmillert		break;
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
91b2158bSmillert	case IEEE80211_M_IBSS:
91b2158bSmillert	case IEEE80211_M_AHDEMO:
91b2158bSmillert		wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
91b2158bSmillert		IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost);
91b2158bSmillert		IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost);
0fd4e251Sreyk		IEEE80211_ADDR_COPY(wh->i_addr3, ic->ic_bss->ni_bssid);
91b2158bSmillert		break;
91b2158bSmillert	case IEEE80211_M_HOSTAP:
91b2158bSmillert		wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS;
91b2158bSmillert		IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost);
91b2158bSmillert		IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid);
91b2158bSmillert		IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost);
91b2158bSmillert		break;
171ac09aSdamien#endif
171ac09aSdamien	default:
171ac09aSdamien		/* should not get there */
91b2158bSmillert		goto bad;
91b2158bSmillert	}
e03e709cSdamien
e03e709cSdamien	if ((ic->ic_flags & IEEE80211_F_WEPON) ||
01ad6d9fSdamien	    ((ic->ic_flags & IEEE80211_F_RSNON) &&
01ad6d9fSdamien	     (ni->ni_flags & IEEE80211_NODE_TXPROT)))
e03e709cSdamien		wh->i_fc[1] |= IEEE80211_FC1_PROTECTED;
e03e709cSdamien
93d01030Sdamien#ifndef IEEE80211_STA_ONLY
93d01030Sdamien	if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
93d01030Sdamien	    ieee80211_pwrsave(ic, m, ni) != 0) {
93d01030Sdamien		*pni = NULL;
93d01030Sdamien		return NULL;
93d01030Sdamien	}
93d01030Sdamien#endif
91b2158bSmillert	*pni = ni;
91b2158bSmillert	return m;
91b2158bSmillertbad:
91b2158bSmillert	m_freem(m);
901bffb8Sjsg	if (ni != NULL)
0fd4e251Sreyk		ieee80211_release_node(ic, ni);
91b2158bSmillert	*pni = NULL;
91b2158bSmillert	return NULL;
91b2158bSmillert}
91b2158bSmillert
91b2158bSmillert/*
8d0ac44dSdamien * Add a Capability Information field to a frame (see 7.3.1.4).
8d0ac44dSdamien */
8d0ac44dSdamienu_int8_t *
8d0ac44dSdamienieee80211_add_capinfo(u_int8_t *frm, struct ieee80211com *ic,
8d0ac44dSdamien    const struct ieee80211_node *ni)
8d0ac44dSdamien{
8d0ac44dSdamien	u_int16_t capinfo;
8d0ac44dSdamien
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
8d0ac44dSdamien	if (ic->ic_opmode == IEEE80211_M_IBSS)
8d0ac44dSdamien		capinfo = IEEE80211_CAPINFO_IBSS;
8d0ac44dSdamien	else if (ic->ic_opmode == IEEE80211_M_HOSTAP)
8d0ac44dSdamien		capinfo = IEEE80211_CAPINFO_ESS;
8d0ac44dSdamien	else
171ac09aSdamien#endif
8d0ac44dSdamien		capinfo = 0;
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
e03e709cSdamien	if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
e03e709cSdamien	    (ic->ic_flags & (IEEE80211_F_WEPON | IEEE80211_F_RSNON)))
8d0ac44dSdamien		capinfo |= IEEE80211_CAPINFO_PRIVACY;
171ac09aSdamien#endif
8d0ac44dSdamien	/* NB: some 11a AP's reject the request when short preamble is set */
8d0ac44dSdamien	if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
8d0ac44dSdamien	    IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))
8d0ac44dSdamien		capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
8d0ac44dSdamien	if (ic->ic_flags & IEEE80211_F_SHSLOT)
8d0ac44dSdamien		capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
8d0ac44dSdamien	LE_WRITE_2(frm, capinfo);
8d0ac44dSdamien	return frm + 2;
8d0ac44dSdamien}
8d0ac44dSdamien
8d0ac44dSdamien/*
8d0ac44dSdamien * Add an SSID element to a frame (see 7.3.2.1).
8d0ac44dSdamien */
8d0ac44dSdamienu_int8_t *
8d0ac44dSdamienieee80211_add_ssid(u_int8_t *frm, const u_int8_t *ssid, u_int len)
8d0ac44dSdamien{
8d0ac44dSdamien	*frm++ = IEEE80211_ELEMID_SSID;
8d0ac44dSdamien	*frm++ = len;
8d0ac44dSdamien	memcpy(frm, ssid, len);
8d0ac44dSdamien	return frm + len;
8d0ac44dSdamien}
8d0ac44dSdamien
8d0ac44dSdamien/*
8d0ac44dSdamien * Add a supported rates element to a frame (see 7.3.2.2).
91b2158bSmillert */
91b2158bSmillertu_int8_t *
91b2158bSmillertieee80211_add_rates(u_int8_t *frm, const struct ieee80211_rateset *rs)
91b2158bSmillert{
91b2158bSmillert	int nrates;
91b2158bSmillert
91b2158bSmillert	*frm++ = IEEE80211_ELEMID_RATES;
5d49b5a5Sdamien	nrates = min(rs->rs_nrates, IEEE80211_RATE_SIZE);
91b2158bSmillert	*frm++ = nrates;
91b2158bSmillert	memcpy(frm, rs->rs_rates, nrates);
91b2158bSmillert	return frm + nrates;
91b2158bSmillert}
91b2158bSmillert
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
91b2158bSmillert/*
8d0ac44dSdamien * Add a DS Parameter Set element to a frame (see 7.3.2.4).
91b2158bSmillert */
c790398aSdamienu_int8_t *
8d0ac44dSdamienieee80211_add_ds_params(u_int8_t *frm, struct ieee80211com *ic,
8d0ac44dSdamien    const struct ieee80211_node *ni)
91b2158bSmillert{
8d0ac44dSdamien	*frm++ = IEEE80211_ELEMID_DSPARMS;
1bb78573Sdamien	*frm++ = 1;
8d0ac44dSdamien	*frm++ = ieee80211_chan2ieee(ic, ni->ni_chan);
1bb78573Sdamien	return frm;
1bb78573Sdamien}
1bb78573Sdamien
6003857fSdamien/*
8d0ac44dSdamien * Add a TIM element to a frame (see 7.3.2.6 and Annex L).
ece40bdcSdamien */
ece40bdcSdamienu_int8_t *
ece40bdcSdamienieee80211_add_tim(u_int8_t *frm, struct ieee80211com *ic)
ece40bdcSdamien{
ece40bdcSdamien	u_int i, offset = 0, len;
ece40bdcSdamien
ece40bdcSdamien	/* find first non-zero octet in the virtual bit map */
36dba039Sjsg	for (i = 0; i < ic->ic_tim_len && ic->ic_tim_bitmap[i] == 0; i++)
36dba039Sjsg		;
ece40bdcSdamien
ece40bdcSdamien	/* clear the lsb as it is reserved for the broadcast indication bit */
ece40bdcSdamien	if (i < ic->ic_tim_len)
ece40bdcSdamien		offset = i & ~1;
ece40bdcSdamien
ece40bdcSdamien	/* find last non-zero octet in the virtual bit map */
36dba039Sjsg	for (i = ic->ic_tim_len - 1; i > 0 && ic->ic_tim_bitmap[i] == 0; i--)
36dba039Sjsg		;
ece40bdcSdamien
ece40bdcSdamien	len = i - offset + 1;
ece40bdcSdamien
ece40bdcSdamien	*frm++ = IEEE80211_ELEMID_TIM;
ece40bdcSdamien	*frm++ = len + 3;		/* length */
ece40bdcSdamien	*frm++ = ic->ic_dtim_count;	/* DTIM count */
ece40bdcSdamien	*frm++ = ic->ic_dtim_period;	/* DTIM period */
ece40bdcSdamien
ece40bdcSdamien	/* Bitmap Control */
ece40bdcSdamien	*frm = offset;
ece40bdcSdamien	/* set broadcast/multicast indication bit if necessary */
93d01030Sdamien	if (ic->ic_dtim_count == 0 && ic->ic_tim_mcast_pending)
ece40bdcSdamien		*frm |= 0x01;
ece40bdcSdamien	frm++;
ece40bdcSdamien
ece40bdcSdamien	/* Partial Virtual Bitmap */
ece40bdcSdamien	memcpy(frm, &ic->ic_tim_bitmap[offset], len);
ece40bdcSdamien	return frm + len;
ece40bdcSdamien}
ece40bdcSdamien
ece40bdcSdamien/*
8d0ac44dSdamien * Add an IBSS Parameter Set element to a frame (see 7.3.2.7).
6003857fSdamien */
6003857fSdamienu_int8_t *
8d0ac44dSdamienieee80211_add_ibss_params(u_int8_t *frm, const struct ieee80211_node *ni)
6003857fSdamien{
8d0ac44dSdamien	*frm++ = IEEE80211_ELEMID_IBSSPARMS;
8d0ac44dSdamien	*frm++ = 2;
8d0ac44dSdamien	LE_WRITE_2(frm, 0);	/* TODO: ATIM window */
8d0ac44dSdamien	return frm + 2;
6003857fSdamien}
6003857fSdamien
6003857fSdamien/*
8d0ac44dSdamien * Add an EDCA Parameter Set element to a frame (see 7.3.2.29).
6003857fSdamien */
6003857fSdamienu_int8_t *
6003857fSdamienieee80211_add_edca_params(u_int8_t *frm, struct ieee80211com *ic)
6003857fSdamien{
6003857fSdamien	const struct ieee80211_edca_ac_params *edca;
6003857fSdamien	int aci;
6003857fSdamien
6003857fSdamien	*frm++ = IEEE80211_ELEMID_EDCAPARMS;
6003857fSdamien	*frm++ = 18;	/* length */
6003857fSdamien	*frm++ = 0;	/* QoS Info */
6003857fSdamien	*frm++ = 0;	/* reserved */
6003857fSdamien
6003857fSdamien	/* setup AC Parameter Records */
a1ea161cSstsp	edca = ieee80211_edca_table[ic->ic_curmode];
6003857fSdamien	for (aci = 0; aci < EDCA_NUM_AC; aci++) {
6003857fSdamien		const struct ieee80211_edca_ac_params *ac = &edca[aci];
6003857fSdamien
6003857fSdamien		*frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) |
6003857fSdamien			 (ac->ac_aifsn & 0xf);
6003857fSdamien		*frm++ = (ac->ac_ecwmax << 4) |
6003857fSdamien			 (ac->ac_ecwmin & 0xf);
8d0ac44dSdamien		LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2;
8d0ac44dSdamien	}
8d0ac44dSdamien	return frm;
8d0ac44dSdamien}
8d0ac44dSdamien
8d0ac44dSdamien/*
8d0ac44dSdamien * Add an ERP element to a frame (see 7.3.2.13).
8d0ac44dSdamien */
8d0ac44dSdamienu_int8_t *
8d0ac44dSdamienieee80211_add_erp(u_int8_t *frm, struct ieee80211com *ic)
8d0ac44dSdamien{
8d0ac44dSdamien	u_int8_t erp;
ca7fda7eSstsp	int nonerpsta = 0;
8d0ac44dSdamien
8d0ac44dSdamien	*frm++ = IEEE80211_ELEMID_ERP;
8d0ac44dSdamien	*frm++ = 1;
8d0ac44dSdamien	erp = 0;
8d0ac44dSdamien	/*
8d0ac44dSdamien	 * The NonERP_Present bit shall be set to 1 when a NonERP STA
8d0ac44dSdamien	 * is associated with the BSS.
8d0ac44dSdamien	 */
ca7fda7eSstsp	ieee80211_iterate_nodes(ic, ieee80211_count_nonerpsta, &nonerpsta);
ca7fda7eSstsp	if (nonerpsta != 0)
8d0ac44dSdamien		erp |= IEEE80211_ERP_NON_ERP_PRESENT;
8d0ac44dSdamien	/*
8d0ac44dSdamien	 * If one or more NonERP STAs are associated in the BSS, the
8d0ac44dSdamien	 * Use_Protection bit shall be set to 1 in transmitted ERP
8d0ac44dSdamien	 * Information Elements.
8d0ac44dSdamien	 */
8d0ac44dSdamien	if (ic->ic_flags & IEEE80211_F_USEPROT)
8d0ac44dSdamien		erp |= IEEE80211_ERP_USE_PROTECTION;
8d0ac44dSdamien	/*
8d0ac44dSdamien	 * The Barker_Preamble_Mode bit shall be set to 1 by the ERP
8d0ac44dSdamien	 * Information Element sender if one or more associated NonERP
8d0ac44dSdamien	 * STAs are not short preamble capable.
8d0ac44dSdamien	 */
8d0ac44dSdamien	if (!(ic->ic_flags & IEEE80211_F_SHPREAMBLE))
8d0ac44dSdamien		erp |= IEEE80211_ERP_BARKER_MODE;
8d0ac44dSdamien	*frm++ = erp;
8d0ac44dSdamien	return frm;
8d0ac44dSdamien}
171ac09aSdamien#endif	/* IEEE80211_STA_ONLY */
8d0ac44dSdamien
8d0ac44dSdamien/*
8d0ac44dSdamien * Add a QoS Capability element to a frame (see 7.3.2.35).
8d0ac44dSdamien */
8d0ac44dSdamienu_int8_t *
8d0ac44dSdamienieee80211_add_qos_capability(u_int8_t *frm, struct ieee80211com *ic)
8d0ac44dSdamien{
8d0ac44dSdamien	*frm++ = IEEE80211_ELEMID_QOS_CAP;
8d0ac44dSdamien	*frm++ = 1;
8d0ac44dSdamien	*frm++ = 0;	/* QoS Info */
8d0ac44dSdamien	return frm;
8d0ac44dSdamien}
8d0ac44dSdamien
6999278eSstsp/*
6999278eSstsp * Add a Wifi-Alliance WME (aka WMM) info element to a frame.
6999278eSstsp * WME is a requirement for Wifi-Alliance compliance and some
6999278eSstsp * 11n APs will not negotiate HT if this element is missing.
6999278eSstsp */
6999278eSstspuint8_t *
6999278eSstspieee80211_add_wme_info(uint8_t *frm, struct ieee80211com *ic)
6999278eSstsp{
6999278eSstsp	*frm++ = IEEE80211_ELEMID_VENDOR;
6999278eSstsp	*frm++ = 7;
6999278eSstsp	memcpy(frm, MICROSOFT_OUI, 3); frm += 3;
6999278eSstsp	*frm++ = 2; /* OUI type */
6999278eSstsp	*frm++ = 0; /* OUI subtype */
6999278eSstsp	*frm++ = 1; /* version */
6999278eSstsp	*frm++ = 0; /* info */
6999278eSstsp
6999278eSstsp	return frm;
6999278eSstsp}
432d6c6bSstsp
432d6c6bSstsp#ifndef IEEE80211_STA_ONLY
432d6c6bSstsp/*
432d6c6bSstsp * Add a Wifi-Alliance WMM (aka WME) parameter element to a frame.
432d6c6bSstsp */
432d6c6bSstspuint8_t *
432d6c6bSstspieee80211_add_wme_param(uint8_t *frm, struct ieee80211com *ic)
432d6c6bSstsp{
432d6c6bSstsp	const struct ieee80211_edca_ac_params *edca;
432d6c6bSstsp	int aci;
432d6c6bSstsp
432d6c6bSstsp	*frm++ = IEEE80211_ELEMID_VENDOR;
432d6c6bSstsp	*frm++ = 24;
432d6c6bSstsp	memcpy(frm, MICROSOFT_OUI, 3); frm += 3;
432d6c6bSstsp	*frm++ = 2; /* OUI type */
432d6c6bSstsp	*frm++ = 1; /* OUI subtype */
432d6c6bSstsp	*frm++ = 1; /* version */
432d6c6bSstsp	*frm++ = 0; /* info */
432d6c6bSstsp	*frm++ = 0; /* reserved */
432d6c6bSstsp
432d6c6bSstsp	/* setup AC Parameter Records */
a1ea161cSstsp	edca = ieee80211_edca_table[ic->ic_curmode];
432d6c6bSstsp	for (aci = 0; aci < EDCA_NUM_AC; aci++) {
432d6c6bSstsp		const struct ieee80211_edca_ac_params *ac = &edca[aci];
432d6c6bSstsp
432d6c6bSstsp		*frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) |
432d6c6bSstsp			 (ac->ac_aifsn & 0xf);
432d6c6bSstsp		*frm++ = (ac->ac_ecwmax << 4) |
432d6c6bSstsp			 (ac->ac_ecwmin & 0xf);
432d6c6bSstsp		LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2;
432d6c6bSstsp	}
432d6c6bSstsp
432d6c6bSstsp	return frm;
432d6c6bSstsp}
432d6c6bSstsp#endif
432d6c6bSstsp
8d0ac44dSdamien/*
90af3bf7Sstsp * Add an RSN element to a frame (see 802.11-2012 8.4.2.27)
05534718Sdamien */
05534718Sdamienu_int8_t *
1247f240Sdamienieee80211_add_rsn_body(u_int8_t *frm, struct ieee80211com *ic,
e03e709cSdamien    const struct ieee80211_node *ni, int wpa)
05534718Sdamien{
e03e709cSdamien	const u_int8_t *oui = wpa ? MICROSOFT_OUI : IEEE80211_OUI;
1247f240Sdamien	u_int8_t *pcount;
b0e5533eSstsp	u_int16_t count, rsncaps;
05534718Sdamien
05534718Sdamien	/* write Version field */
05534718Sdamien	LE_WRITE_2(frm, 1); frm += 2;
05534718Sdamien
90af3bf7Sstsp	/* write Group Data Cipher Suite field (see 802.11-2012 Table 8-99) */
1247f240Sdamien	memcpy(frm, oui, 3); frm += 3;
e03e709cSdamien	switch (ni->ni_rsngroupcipher) {
05534718Sdamien	case IEEE80211_CIPHER_WEP40:
05534718Sdamien		*frm++ = 1;
05534718Sdamien		break;
05534718Sdamien	case IEEE80211_CIPHER_TKIP:
05534718Sdamien		*frm++ = 2;
05534718Sdamien		break;
05534718Sdamien	case IEEE80211_CIPHER_CCMP:
0e5a82c2Sdamien		*frm++ = 4;
05534718Sdamien		break;
05534718Sdamien	case IEEE80211_CIPHER_WEP104:
05534718Sdamien		*frm++ = 5;
05534718Sdamien		break;
e03e709cSdamien	default:
e03e709cSdamien		/* can't get there */
db011a80Sdamien		panic("invalid group data cipher!");
05534718Sdamien	}
05534718Sdamien
05534718Sdamien	pcount = frm; frm += 2;
05534718Sdamien	count = 0;
05534718Sdamien	/* write Pairwise Cipher Suite List */
e03e709cSdamien	if (ni->ni_rsnciphers & IEEE80211_CIPHER_USEGROUP) {
1247f240Sdamien		memcpy(frm, oui, 3); frm += 3;
3a557689Sdamien		*frm++ = 0;
3a557689Sdamien		count++;
3a557689Sdamien	}
e03e709cSdamien	if (ni->ni_rsnciphers & IEEE80211_CIPHER_TKIP) {
1247f240Sdamien		memcpy(frm, oui, 3); frm += 3;
05534718Sdamien		*frm++ = 2;
05534718Sdamien		count++;
05534718Sdamien	}
e03e709cSdamien	if (ni->ni_rsnciphers & IEEE80211_CIPHER_CCMP) {
1247f240Sdamien		memcpy(frm, oui, 3); frm += 3;
0e5a82c2Sdamien		*frm++ = 4;
05534718Sdamien		count++;
05534718Sdamien	}
05534718Sdamien	/* write Pairwise Cipher Suite Count field */
05534718Sdamien	LE_WRITE_2(pcount, count);
05534718Sdamien
05534718Sdamien	pcount = frm; frm += 2;
05534718Sdamien	count = 0;
05534718Sdamien	/* write AKM Suite List (see Table 20dc) */
c7c53e5eSdamien	if (ni->ni_rsnakms & IEEE80211_AKM_8021X) {
1247f240Sdamien		memcpy(frm, oui, 3); frm += 3;
05534718Sdamien		*frm++ = 1;
05534718Sdamien		count++;
05534718Sdamien	}
e03e709cSdamien	if (ni->ni_rsnakms & IEEE80211_AKM_PSK) {
1247f240Sdamien		memcpy(frm, oui, 3); frm += 3;
05534718Sdamien		*frm++ = 2;
05534718Sdamien		count++;
05534718Sdamien	}
f91ff320Sdamien	if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_8021X)) {
c7c53e5eSdamien		memcpy(frm, oui, 3); frm += 3;
c7c53e5eSdamien		*frm++ = 5;
c7c53e5eSdamien		count++;
c7c53e5eSdamien	}
f91ff320Sdamien	if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_PSK)) {
c7c53e5eSdamien		memcpy(frm, oui, 3); frm += 3;
c7c53e5eSdamien		*frm++ = 6;
c7c53e5eSdamien		count++;
c7c53e5eSdamien	}
05534718Sdamien	/* write AKM Suite List Count field */
05534718Sdamien	LE_WRITE_2(pcount, count);
05534718Sdamien
db011a80Sdamien	if (wpa)
db011a80Sdamien		return frm;
db011a80Sdamien
05534718Sdamien	/* write RSN Capabilities field */
b0e5533eSstsp	rsncaps = (ni->ni_rsncaps & (IEEE80211_RSNCAP_PTKSA_RCNT_MASK |
b0e5533eSstsp	    IEEE80211_RSNCAP_GTKSA_RCNT_MASK));
b0e5533eSstsp	if (ic->ic_caps & IEEE80211_C_MFP) {
b0e5533eSstsp		rsncaps |= IEEE80211_RSNCAP_MFPC;
b0e5533eSstsp		if (ic->ic_flags & IEEE80211_F_MFPR)
b0e5533eSstsp			rsncaps |= IEEE80211_RSNCAP_MFPR;
b0e5533eSstsp	}
b0e5533eSstsp	if (ic->ic_flags & IEEE80211_F_PBAR)
b0e5533eSstsp		rsncaps |= IEEE80211_RSNCAP_PBAC;
b0e5533eSstsp	LE_WRITE_2(frm, rsncaps); frm += 2;
05534718Sdamien
f91ff320Sdamien	if (ni->ni_flags & IEEE80211_NODE_PMKID) {
f91ff320Sdamien		/* write PMKID Count field */
f91ff320Sdamien		LE_WRITE_2(frm, 1); frm += 2;
f91ff320Sdamien		/* write PMKID List (only 1) */
f91ff320Sdamien		memcpy(frm, ni->ni_pmkid, IEEE80211_PMKID_LEN);
f91ff320Sdamien		frm += IEEE80211_PMKID_LEN;
f91ff320Sdamien	}
f91ff320Sdamien
db011a80Sdamien	if (!(ic->ic_caps & IEEE80211_C_MFP))
db011a80Sdamien		return frm;
db011a80Sdamien
f5370d46Sstsp	if ((ni->ni_flags & IEEE80211_NODE_PMKID) == 0) {
f5370d46Sstsp		/* no PMKID (PMKID Count=0) */
f5370d46Sstsp		LE_WRITE_2(frm, 0); frm += 2;
f5370d46Sstsp	}
f5370d46Sstsp
db011a80Sdamien	/* write Group Integrity Cipher Suite field */
db011a80Sdamien	memcpy(frm, oui, 3); frm += 3;
db011a80Sdamien	switch (ic->ic_rsngroupmgmtcipher) {
45eec175Sdamien	case IEEE80211_CIPHER_BIP:
db011a80Sdamien		*frm++ = 6;
db011a80Sdamien		break;
db011a80Sdamien	default:
db011a80Sdamien		/* can't get there */
db011a80Sdamien		panic("invalid integrity group cipher!");
e03e709cSdamien	}
1247f240Sdamien	return frm;
1247f240Sdamien}
1247f240Sdamien
1247f240Sdamienu_int8_t *
1247f240Sdamienieee80211_add_rsn(u_int8_t *frm, struct ieee80211com *ic,
1247f240Sdamien    const struct ieee80211_node *ni)
1247f240Sdamien{
1247f240Sdamien	u_int8_t *plen;
1247f240Sdamien
1247f240Sdamien	*frm++ = IEEE80211_ELEMID_RSN;
1247f240Sdamien	plen = frm++;	/* length filled in later */
1247f240Sdamien	frm = ieee80211_add_rsn_body(frm, ic, ni, 0);
1247f240Sdamien
1247f240Sdamien	/* write length field */
c8535842Sdamien	*plen = frm - plen - 1;
1247f240Sdamien	return frm;
1247f240Sdamien}
1247f240Sdamien
1247f240Sdamien/*
e03e709cSdamien * Add a vendor-specific WPA element to a frame.
e03e709cSdamien * This is required for compatibility with Wi-Fi Alliance WPA.
1247f240Sdamien */
1247f240Sdamienu_int8_t *
e03e709cSdamienieee80211_add_wpa(u_int8_t *frm, struct ieee80211com *ic,
1247f240Sdamien    const struct ieee80211_node *ni)
1247f240Sdamien{
1247f240Sdamien	u_int8_t *plen;
1247f240Sdamien
1247f240Sdamien	*frm++ = IEEE80211_ELEMID_VENDOR;
1247f240Sdamien	plen = frm++;	/* length filled in later */
1247f240Sdamien	memcpy(frm, MICROSOFT_OUI, 3); frm += 3;
e03e709cSdamien	*frm++ = 1;	/* WPA */
1247f240Sdamien	frm = ieee80211_add_rsn_body(frm, ic, ni, 1);
1247f240Sdamien
05534718Sdamien	/* write length field */
c8535842Sdamien	*plen = frm - plen - 1;
05534718Sdamien	return frm;
05534718Sdamien}
05534718Sdamien
05534718Sdamien/*
8d0ac44dSdamien * Add an extended supported rates element to a frame (see 7.3.2.14).
8d0ac44dSdamien */
8d0ac44dSdamienu_int8_t *
8d0ac44dSdamienieee80211_add_xrates(u_int8_t *frm, const struct ieee80211_rateset *rs)
8d0ac44dSdamien{
8c4d58d2Sdamien	int nrates;
8c4d58d2Sdamien
8c4d58d2Sdamien	KASSERT(rs->rs_nrates > IEEE80211_RATE_SIZE);
8c4d58d2Sdamien
8d0ac44dSdamien	*frm++ = IEEE80211_ELEMID_XRATES;
8c4d58d2Sdamien	nrates = rs->rs_nrates - IEEE80211_RATE_SIZE;
8d0ac44dSdamien	*frm++ = nrates;
8d0ac44dSdamien	memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates);
8c4d58d2Sdamien	return frm + nrates;
6003857fSdamien}
6003857fSdamien
45eec175Sdamien/*
45eec175Sdamien * Add an HT Capabilities element to a frame (see 7.3.2.57).
45eec175Sdamien */
45eec175Sdamienu_int8_t *
45eec175Sdamienieee80211_add_htcaps(u_int8_t *frm, struct ieee80211com *ic)
45eec175Sdamien{
45eec175Sdamien	*frm++ = IEEE80211_ELEMID_HTCAPS;
45eec175Sdamien	*frm++ = 26;
45eec175Sdamien	LE_WRITE_2(frm, ic->ic_htcaps); frm += 2;
bb1f4a0cSstsp	*frm++ = ic->ic_ampdu_params;
ebc1d5f7Sstsp	memcpy(frm, ic->ic_sup_mcs, 10); frm += 10;
ebc1d5f7Sstsp	LE_WRITE_2(frm, (ic->ic_max_rxrate & IEEE80211_MCS_RX_RATE_HIGH));
ebc1d5f7Sstsp	frm += 2;
ebc1d5f7Sstsp	*frm++ = ic->ic_tx_mcs_set;
ebc1d5f7Sstsp	*frm++ = 0; /* reserved */
ebc1d5f7Sstsp	*frm++ = 0; /* reserved */
ebc1d5f7Sstsp	*frm++ = 0; /* reserved */
45eec175Sdamien	LE_WRITE_2(frm, ic->ic_htxcaps); frm += 2;
45eec175Sdamien	LE_WRITE_4(frm, ic->ic_txbfcaps); frm += 4;
45eec175Sdamien	*frm++ = ic->ic_aselcaps;
45eec175Sdamien	return frm;
45eec175Sdamien}
45eec175Sdamien
ec69e05aSdamien#ifndef IEEE80211_STA_ONLY
45eec175Sdamien/*
45eec175Sdamien * Add an HT Operation element to a frame (see 7.3.2.58).
45eec175Sdamien */
45eec175Sdamienu_int8_t *
45eec175Sdamienieee80211_add_htop(u_int8_t *frm, struct ieee80211com *ic)
45eec175Sdamien{
45eec175Sdamien	*frm++ = IEEE80211_ELEMID_HTOP;
45eec175Sdamien	*frm++ = 22;
45eec175Sdamien	*frm++ = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan);
bf61fa4aSstsp	*frm++ = ic->ic_bss->ni_htop0;
bf61fa4aSstsp	LE_WRITE_2(frm, ic->ic_bss->ni_htop1); frm += 2;
bf61fa4aSstsp	LE_WRITE_2(frm, ic->ic_bss->ni_htop2); frm += 2;
45eec175Sdamien	memset(frm, 0, 16); frm += 16;
45eec175Sdamien	return frm;
45eec175Sdamien}
ec69e05aSdamien#endif	/* !IEEE80211_STA_ONLY */
45eec175Sdamien
50e8fe1cSstsp/*
50e8fe1cSstsp * Add a VHT Capabilities element to a frame (see 802.11ac-2013 8.4.2.160.2).
50e8fe1cSstsp */
50e8fe1cSstspu_int8_t *
50e8fe1cSstspieee80211_add_vhtcaps(u_int8_t *frm, struct ieee80211com *ic)
50e8fe1cSstsp{
50e8fe1cSstsp	*frm++ = IEEE80211_ELEMID_VHTCAPS;
50e8fe1cSstsp	*frm++ = 12;
50e8fe1cSstsp	LE_WRITE_4(frm, ic->ic_vhtcaps); frm += 4;
50e8fe1cSstsp	LE_WRITE_2(frm, ic->ic_vht_rxmcs); frm += 2;
50e8fe1cSstsp	LE_WRITE_2(frm, ic->ic_vht_rx_max_lgi_mbit_s); frm += 2;
50e8fe1cSstsp	LE_WRITE_2(frm, ic->ic_vht_txmcs); frm += 2;
50e8fe1cSstsp	LE_WRITE_2(frm, ic->ic_vht_tx_max_lgi_mbit_s); frm += 2;
50e8fe1cSstsp	return frm;
50e8fe1cSstsp}
50e8fe1cSstsp
45eec175Sdamien#ifndef IEEE80211_STA_ONLY
45eec175Sdamien/*
45eec175Sdamien * Add a Timeout Interval element to a frame (see 7.3.2.49).
45eec175Sdamien */
45eec175Sdamienu_int8_t *
45eec175Sdamienieee80211_add_tie(u_int8_t *frm, u_int8_t type, u_int32_t value)
45eec175Sdamien{
45eec175Sdamien	*frm++ = IEEE80211_ELEMID_TIE;
45eec175Sdamien	*frm++ = 5;	/* length */
45eec175Sdamien	*frm++ = type;	/* Timeout Interval type */
45eec175Sdamien	LE_WRITE_4(frm, value);
45eec175Sdamien	return frm + 4;
45eec175Sdamien}
45eec175Sdamien#endif
45eec175Sdamien
250085e6Sdamienstruct mbuf *
e03e709cSdamienieee80211_getmgmt(int flags, int type, u_int pktlen)
91b2158bSmillert{
91b2158bSmillert	struct mbuf *m;
91b2158bSmillert
e03e709cSdamien	/* reserve space for 802.11 header */
f6599d9eSdamien	pktlen += sizeof(struct ieee80211_frame);
f6599d9eSdamien
fe6a7506Sjsg	if (pktlen > MCLBYTES)
e03e709cSdamien		panic("management frame too large: %u", pktlen);
91b2158bSmillert	MGETHDR(m, flags, type);
e03e709cSdamien	if (m == NULL)
e03e709cSdamien		return NULL;
f76734bcSdamien	if (pktlen > MHLEN) {
91b2158bSmillert		MCLGET(m, flags);
b2a6e105Sdamien		if (!(m->m_flags & M_EXT))
e03e709cSdamien			return m_free(m);
b2a6e105Sdamien	}
e03e709cSdamien	m->m_data += sizeof(struct ieee80211_frame);
91b2158bSmillert	return m;
91b2158bSmillert}
91b2158bSmillert
5d49b5a5Sdamien/*-
5d49b5a5Sdamien * Probe request frame format:
5d49b5a5Sdamien * [tlv] SSID
5d49b5a5Sdamien * [tlv] Supported rates
5d49b5a5Sdamien * [tlv] Extended Supported Rates (802.11g)
45eec175Sdamien * [tlv] HT Capabilities (802.11n)
91b2158bSmillert */
5d49b5a5Sdamienstruct mbuf *
5d49b5a5Sdamienieee80211_get_probe_req(struct ieee80211com *ic, struct ieee80211_node *ni)
91b2158bSmillert{
9b4ad7b6Sdamien	const struct ieee80211_rateset *rs =
9b4ad7b6Sdamien	    &ic->ic_sup_rates[ieee80211_chan2mode(ic, ni->ni_chan)];
91b2158bSmillert	struct mbuf *m;
91b2158bSmillert	u_int8_t *frm;
91b2158bSmillert
e03e709cSdamien	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA,
1bb78573Sdamien	    2 + ic->ic_des_esslen +
9b4ad7b6Sdamien	    2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) +
9b4ad7b6Sdamien	    ((rs->rs_nrates > IEEE80211_RATE_SIZE) ?
45eec175Sdamien		2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) +
50e8fe1cSstsp	    ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 9 : 0) +
50e8fe1cSstsp	    ((ic->ic_flags & IEEE80211_F_VHTON) ? 14 : 0));
91b2158bSmillert	if (m == NULL)
5d49b5a5Sdamien		return NULL;
5d49b5a5Sdamien
91b2158bSmillert	frm = mtod(m, u_int8_t *);
5d49b5a5Sdamien	frm = ieee80211_add_ssid(frm, ic->ic_des_essid, ic->ic_des_esslen);
8c4d58d2Sdamien	frm = ieee80211_add_rates(frm, rs);
8c4d58d2Sdamien	if (rs->rs_nrates > IEEE80211_RATE_SIZE)
8c4d58d2Sdamien		frm = ieee80211_add_xrates(frm, rs);
6999278eSstsp	if (ic->ic_flags & IEEE80211_F_HTON) {
45eec175Sdamien		frm = ieee80211_add_htcaps(frm, ic);
6999278eSstsp		frm = ieee80211_add_wme_info(frm, ic);
6999278eSstsp	}
50e8fe1cSstsp	if (ic->ic_flags & IEEE80211_F_VHTON)
50e8fe1cSstsp		frm = ieee80211_add_htcaps(frm, ic);
5d49b5a5Sdamien
91b2158bSmillert	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
91b2158bSmillert
5d49b5a5Sdamien	return m;
5d49b5a5Sdamien}
91b2158bSmillert
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
5d49b5a5Sdamien/*-
8d0ac44dSdamien * Probe response frame format:
5d49b5a5Sdamien * [8]   Timestamp
5d49b5a5Sdamien * [2]   Beacon interval
5d49b5a5Sdamien * [2]   Capability
5d49b5a5Sdamien * [tlv] Service Set Identifier (SSID)
5d49b5a5Sdamien * [tlv] Supported rates
45eec175Sdamien * [tlv] DS Parameter Set (802.11g)
5d49b5a5Sdamien * [tlv] ERP Information (802.11g)
5d49b5a5Sdamien * [tlv] Extended Supported Rates (802.11g)
5d49b5a5Sdamien * [tlv] RSN (802.11i)
5d49b5a5Sdamien * [tlv] EDCA Parameter Set (802.11e)
45eec175Sdamien * [tlv] HT Capabilities (802.11n)
45eec175Sdamien * [tlv] HT Operation (802.11n)
91b2158bSmillert */
5d49b5a5Sdamienstruct mbuf *
774cd68cSstspieee80211_get_probe_resp(struct ieee80211com *ic)
5d49b5a5Sdamien{
9b4ad7b6Sdamien	const struct ieee80211_rateset *rs = &ic->ic_bss->ni_rates;
5d49b5a5Sdamien	struct mbuf *m;
5d49b5a5Sdamien	u_int8_t *frm;
5d49b5a5Sdamien
e03e709cSdamien	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA,
9b4ad7b6Sdamien	    8 + 2 + 2 +
774cd68cSstsp	    2 + ic->ic_bss->ni_esslen +
9b4ad7b6Sdamien	    2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) +
e63afc57Sdamien	    2 + 1 +
9b4ad7b6Sdamien	    ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 + 2 : 0) +
9b4ad7b6Sdamien	    ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) +
9b4ad7b6Sdamien	    ((rs->rs_nrates > IEEE80211_RATE_SIZE) ?
9b4ad7b6Sdamien		2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) +
e03e709cSdamien	    (((ic->ic_flags & IEEE80211_F_RSNON) &&
9654ac02Sdamien	      (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN)) ?
9654ac02Sdamien		2 + IEEE80211_RSNIE_MAXLEN : 0) +
9b4ad7b6Sdamien	    ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) +
e03e709cSdamien	    (((ic->ic_flags & IEEE80211_F_RSNON) &&
9654ac02Sdamien	      (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA)) ?
45eec175Sdamien		2 + IEEE80211_WPAIE_MAXLEN : 0) +
5fb37217Sstsp	    ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0));
91b2158bSmillert	if (m == NULL)
5d49b5a5Sdamien		return NULL;
91b2158bSmillert
5d49b5a5Sdamien	frm = mtod(m, u_int8_t *);
9b4ad7b6Sdamien	memset(frm, 0, 8); frm += 8;	/* timestamp is set by hardware */
8d0ac44dSdamien	LE_WRITE_2(frm, ic->ic_bss->ni_intval); frm += 2;
774cd68cSstsp	frm = ieee80211_add_capinfo(frm, ic, ic->ic_bss);
91b2158bSmillert	frm = ieee80211_add_ssid(frm, ic->ic_bss->ni_essid,
91b2158bSmillert	    ic->ic_bss->ni_esslen);
8c4d58d2Sdamien	frm = ieee80211_add_rates(frm, rs);
774cd68cSstsp	frm = ieee80211_add_ds_params(frm, ic, ic->ic_bss);
8d0ac44dSdamien	if (ic->ic_opmode == IEEE80211_M_IBSS)
774cd68cSstsp		frm = ieee80211_add_ibss_params(frm, ic->ic_bss);
1bb78573Sdamien	if (ic->ic_curmode == IEEE80211_MODE_11G)
1bb78573Sdamien		frm = ieee80211_add_erp(frm, ic);
8c4d58d2Sdamien	if (rs->rs_nrates > IEEE80211_RATE_SIZE)
8c4d58d2Sdamien		frm = ieee80211_add_xrates(frm, rs);
e03e709cSdamien	if ((ic->ic_flags & IEEE80211_F_RSNON) &&
e03e709cSdamien	    (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN))
3a557689Sdamien		frm = ieee80211_add_rsn(frm, ic, ic->ic_bss);
6003857fSdamien	if (ic->ic_flags & IEEE80211_F_QOS)
6003857fSdamien		frm = ieee80211_add_edca_params(frm, ic);
e03e709cSdamien	if ((ic->ic_flags & IEEE80211_F_RSNON) &&
e03e709cSdamien	    (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA))
e03e709cSdamien		frm = ieee80211_add_wpa(frm, ic, ic->ic_bss);
45eec175Sdamien	if (ic->ic_flags & IEEE80211_F_HTON) {
45eec175Sdamien		frm = ieee80211_add_htcaps(frm, ic);
45eec175Sdamien		frm = ieee80211_add_htop(frm, ic);
5fb37217Sstsp		frm = ieee80211_add_wme_param(frm, ic);
45eec175Sdamien	}
91b2158bSmillert
5d49b5a5Sdamien	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
5d49b5a5Sdamien
5d49b5a5Sdamien	return m;
5d49b5a5Sdamien}
171ac09aSdamien#endif	/* IEEE80211_STA_ONLY */
5d49b5a5Sdamien
5d49b5a5Sdamien/*-
5d49b5a5Sdamien * Authentication frame format:
5d49b5a5Sdamien * [2] Authentication algorithm number
5d49b5a5Sdamien * [2] Authentication transaction sequence number
5d49b5a5Sdamien * [2] Status code
5d49b5a5Sdamien */
5d49b5a5Sdamienstruct mbuf *
5d49b5a5Sdamienieee80211_get_auth(struct ieee80211com *ic, struct ieee80211_node *ni,
5d49b5a5Sdamien    u_int16_t status, u_int16_t seq)
5d49b5a5Sdamien{
5d49b5a5Sdamien	struct mbuf *m;
5d49b5a5Sdamien	u_int8_t *frm;
5d49b5a5Sdamien
91b2158bSmillert	MGETHDR(m, M_DONTWAIT, MT_DATA);
91b2158bSmillert	if (m == NULL)
5d49b5a5Sdamien		return NULL;
894ad73aSclaudio	m_align(m, 2 * 3);
91b2158bSmillert	m->m_pkthdr.len = m->m_len = 2 * 3;
5d49b5a5Sdamien
91b2158bSmillert	frm = mtod(m, u_int8_t *);
ecd3783dSdamien	LE_WRITE_2(frm, IEEE80211_AUTH_ALG_OPEN); frm += 2;
8d0ac44dSdamien	LE_WRITE_2(frm, seq); frm += 2;
ecd3783dSdamien	LE_WRITE_2(frm, status);
91b2158bSmillert
5d49b5a5Sdamien	return m;
5d49b5a5Sdamien}
91b2158bSmillert
5d49b5a5Sdamien/*-
5d49b5a5Sdamien * Deauthentication frame format:
5d49b5a5Sdamien * [2] Reason code
5d49b5a5Sdamien */
5d49b5a5Sdamienstruct mbuf *
5d49b5a5Sdamienieee80211_get_deauth(struct ieee80211com *ic, struct ieee80211_node *ni,
5d49b5a5Sdamien    u_int16_t reason)
5d49b5a5Sdamien{
5d49b5a5Sdamien	struct mbuf *m;
5d49b5a5Sdamien
91b2158bSmillert	MGETHDR(m, M_DONTWAIT, MT_DATA);
91b2158bSmillert	if (m == NULL)
5d49b5a5Sdamien		return NULL;
894ad73aSclaudio	m_align(m, 2);
91b2158bSmillert	m->m_pkthdr.len = m->m_len = 2;
894ad73aSclaudio
5d49b5a5Sdamien	*mtod(m, u_int16_t *) = htole16(reason);
91b2158bSmillert
5d49b5a5Sdamien	return m;
5d49b5a5Sdamien}
5d49b5a5Sdamien
5d49b5a5Sdamien/*-
5d49b5a5Sdamien * (Re)Association request frame format:
5d49b5a5Sdamien * [2]   Capability information
5d49b5a5Sdamien * [2]   Listen interval
5d49b5a5Sdamien * [6*]  Current AP address (Reassociation only)
5d49b5a5Sdamien * [tlv] SSID
5d49b5a5Sdamien * [tlv] Supported rates
5d49b5a5Sdamien * [tlv] Extended Supported Rates (802.11g)
5d49b5a5Sdamien * [tlv] RSN (802.11i)
6003857fSdamien * [tlv] QoS Capability (802.11e)
45eec175Sdamien * [tlv] HT Capabilities (802.11n)
91b2158bSmillert */
5d49b5a5Sdamienstruct mbuf *
5d49b5a5Sdamienieee80211_get_assoc_req(struct ieee80211com *ic, struct ieee80211_node *ni,
4dfbe550Sdamien    int type)
5d49b5a5Sdamien{
9b4ad7b6Sdamien	const struct ieee80211_rateset *rs = &ni->ni_rates;
5d49b5a5Sdamien	struct mbuf *m;
5d49b5a5Sdamien	u_int8_t *frm;
5d49b5a5Sdamien	u_int16_t capinfo;
5d49b5a5Sdamien
e03e709cSdamien	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA,
9b4ad7b6Sdamien	    2 + 2 +
4dfbe550Sdamien	    ((type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) ?
9b4ad7b6Sdamien		IEEE80211_ADDR_LEN : 0) +
9b4ad7b6Sdamien	    2 + ni->ni_esslen +
9b4ad7b6Sdamien	    2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) +
9b4ad7b6Sdamien	    ((rs->rs_nrates > IEEE80211_RATE_SIZE) ?
9b4ad7b6Sdamien		2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) +
e03e709cSdamien	    (((ic->ic_flags & IEEE80211_F_RSNON) &&
9654ac02Sdamien	      (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ?
9654ac02Sdamien		2 + IEEE80211_RSNIE_MAXLEN : 0) +
45eec175Sdamien	    ((ni->ni_flags & IEEE80211_NODE_QOS) ? 2 + 1 : 0) +
e03e709cSdamien	    (((ic->ic_flags & IEEE80211_F_RSNON) &&
9654ac02Sdamien	      (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ?
45eec175Sdamien		2 + IEEE80211_WPAIE_MAXLEN : 0) +
50e8fe1cSstsp	    ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 9 : 0) +
50e8fe1cSstsp	    ((ic->ic_flags & IEEE80211_F_VHTON) ? 14 : 0));
91b2158bSmillert	if (m == NULL)
5d49b5a5Sdamien		return NULL;
91b2158bSmillert
5d49b5a5Sdamien	frm = mtod(m, u_int8_t *);
1934f67dSstsp	capinfo = IEEE80211_CAPINFO_ESS;
91b2158bSmillert	if (ic->ic_flags & IEEE80211_F_WEPON)
91b2158bSmillert		capinfo |= IEEE80211_CAPINFO_PRIVACY;
91b2158bSmillert	if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
91b2158bSmillert	    IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))
91b2158bSmillert		capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
a0981291Sdamien	if (ic->ic_caps & IEEE80211_C_SHSLOT)
91b2158bSmillert		capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
8d0ac44dSdamien	LE_WRITE_2(frm, capinfo); frm += 2;
8d0ac44dSdamien	LE_WRITE_2(frm, ic->ic_lintval); frm += 2;
4dfbe550Sdamien	if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
91b2158bSmillert		IEEE80211_ADDR_COPY(frm, ic->ic_bss->ni_bssid);
91b2158bSmillert		frm += IEEE80211_ADDR_LEN;
91b2158bSmillert	}
91b2158bSmillert	frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen);
8c4d58d2Sdamien	frm = ieee80211_add_rates(frm, rs);
8c4d58d2Sdamien	if (rs->rs_nrates > IEEE80211_RATE_SIZE)
8c4d58d2Sdamien		frm = ieee80211_add_xrates(frm, rs);
e03e709cSdamien	if ((ic->ic_flags & IEEE80211_F_RSNON) &&
e03e709cSdamien	    (ni->ni_rsnprotos & IEEE80211_PROTO_RSN))
e03e709cSdamien		frm = ieee80211_add_rsn(frm, ic, ni);
45eec175Sdamien	if (ni->ni_flags & IEEE80211_NODE_QOS)
6003857fSdamien		frm = ieee80211_add_qos_capability(frm, ic);
e03e709cSdamien	if ((ic->ic_flags & IEEE80211_F_RSNON) &&
e03e709cSdamien	    (ni->ni_rsnprotos & IEEE80211_PROTO_WPA))
e03e709cSdamien		frm = ieee80211_add_wpa(frm, ic, ni);
6999278eSstsp	if (ic->ic_flags & IEEE80211_F_HTON) {
45eec175Sdamien		frm = ieee80211_add_htcaps(frm, ic);
6999278eSstsp		frm = ieee80211_add_wme_info(frm, ic);
6999278eSstsp	}
50e8fe1cSstsp	if (ic->ic_flags & IEEE80211_F_VHTON)
50e8fe1cSstsp		frm = ieee80211_add_vhtcaps(frm, ic);
5d49b5a5Sdamien
91b2158bSmillert	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
91b2158bSmillert
5d49b5a5Sdamien	return m;
5d49b5a5Sdamien}
91b2158bSmillert
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
5d49b5a5Sdamien/*-
5d49b5a5Sdamien * (Re)Association response frame format:
5d49b5a5Sdamien * [2]   Capability information
5d49b5a5Sdamien * [2]   Status code
5d49b5a5Sdamien * [2]   Association ID (AID)
5d49b5a5Sdamien * [tlv] Supported rates
5d49b5a5Sdamien * [tlv] Extended Supported Rates (802.11g)
5d49b5a5Sdamien * [tlv] EDCA Parameter Set (802.11e)
45eec175Sdamien * [tlv] Timeout Interval (802.11w)
45eec175Sdamien * [tlv] HT Capabilities (802.11n)
45eec175Sdamien * [tlv] HT Operation (802.11n)
91b2158bSmillert */
5d49b5a5Sdamienstruct mbuf *
5d49b5a5Sdamienieee80211_get_assoc_resp(struct ieee80211com *ic, struct ieee80211_node *ni,
5d49b5a5Sdamien    u_int16_t status)
5d49b5a5Sdamien{
9b4ad7b6Sdamien	const struct ieee80211_rateset *rs = &ni->ni_rates;
5d49b5a5Sdamien	struct mbuf *m;
5d49b5a5Sdamien	u_int8_t *frm;
5d49b5a5Sdamien
e03e709cSdamien	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA,
9b4ad7b6Sdamien	    2 + 2 + 2 +
9b4ad7b6Sdamien	    2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) +
9b4ad7b6Sdamien	    ((rs->rs_nrates > IEEE80211_RATE_SIZE) ?
9b4ad7b6Sdamien		2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) +
45eec175Sdamien	    ((ni->ni_flags & IEEE80211_NODE_QOS) ? 2 + 18 : 0) +
45eec175Sdamien	    ((status == IEEE80211_STATUS_TRY_AGAIN_LATER) ? 2 + 7 : 0) +
5fb37217Sstsp	    ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0));
91b2158bSmillert	if (m == NULL)
5d49b5a5Sdamien		return NULL;
91b2158bSmillert
5d49b5a5Sdamien	frm = mtod(m, u_int8_t *);
8d0ac44dSdamien	frm = ieee80211_add_capinfo(frm, ic, ni);
8d0ac44dSdamien	LE_WRITE_2(frm, status); frm += 2;
5d49b5a5Sdamien	if (status == IEEE80211_STATUS_SUCCESS)
8d0ac44dSdamien		LE_WRITE_2(frm, ni->ni_associd);
8d0ac44dSdamien	else
8d0ac44dSdamien		LE_WRITE_2(frm, 0);
91b2158bSmillert	frm += 2;
8c4d58d2Sdamien	frm = ieee80211_add_rates(frm, rs);
8c4d58d2Sdamien	if (rs->rs_nrates > IEEE80211_RATE_SIZE)
8c4d58d2Sdamien		frm = ieee80211_add_xrates(frm, rs);
45eec175Sdamien	if (ni->ni_flags & IEEE80211_NODE_QOS)
6003857fSdamien		frm = ieee80211_add_edca_params(frm, ic);
45eec175Sdamien	if ((ni->ni_flags & IEEE80211_NODE_MFP) &&
45eec175Sdamien	    status == IEEE80211_STATUS_TRY_AGAIN_LATER) {
45eec175Sdamien		/* Association Comeback Time */
45eec175Sdamien		frm = ieee80211_add_tie(frm, 3, 1000 /* XXX */);
45eec175Sdamien	}
6999278eSstsp	if (ic->ic_flags & IEEE80211_F_HTON) {
45eec175Sdamien		frm = ieee80211_add_htcaps(frm, ic);
45eec175Sdamien		frm = ieee80211_add_htop(frm, ic);
5fb37217Sstsp		frm = ieee80211_add_wme_param(frm, ic);
45eec175Sdamien	}
5d49b5a5Sdamien
91b2158bSmillert	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
5d49b5a5Sdamien
5d49b5a5Sdamien	return m;
5d49b5a5Sdamien}
171ac09aSdamien#endif	/* IEEE80211_STA_ONLY */
5d49b5a5Sdamien
5d49b5a5Sdamien/*-
5d49b5a5Sdamien * Disassociation frame format:
5d49b5a5Sdamien * [2] Reason code
5d49b5a5Sdamien */
5d49b5a5Sdamienstruct mbuf *
5d49b5a5Sdamienieee80211_get_disassoc(struct ieee80211com *ic, struct ieee80211_node *ni,
5d49b5a5Sdamien    u_int16_t reason)
5d49b5a5Sdamien{
5d49b5a5Sdamien	struct mbuf *m;
5d49b5a5Sdamien
5d49b5a5Sdamien	MGETHDR(m, M_DONTWAIT, MT_DATA);
5d49b5a5Sdamien	if (m == NULL)
5d49b5a5Sdamien		return NULL;
894ad73aSclaudio	m_align(m, 2);
5d49b5a5Sdamien	m->m_pkthdr.len = m->m_len = 2;
894ad73aSclaudio
5d49b5a5Sdamien	*mtod(m, u_int16_t *) = htole16(reason);
5d49b5a5Sdamien
5d49b5a5Sdamien	return m;
5d49b5a5Sdamien}
5d49b5a5Sdamien
45eec175Sdamien/*-
45eec175Sdamien * ADDBA Request frame format:
45eec175Sdamien * [1] Category
45eec175Sdamien * [1] Action
45eec175Sdamien * [1] Dialog Token
45eec175Sdamien * [2] Block Ack Parameter Set
45eec175Sdamien * [2] Block Ack Timeout Value
45eec175Sdamien * [2] Block Ack Starting Sequence Control
45eec175Sdamien */
45eec175Sdamienstruct mbuf *
45eec175Sdamienieee80211_get_addba_req(struct ieee80211com *ic, struct ieee80211_node *ni,
45eec175Sdamien    u_int8_t tid)
45eec175Sdamien{
ec69e05aSdamien	struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
45eec175Sdamien	struct mbuf *m;
45eec175Sdamien	u_int8_t *frm;
45eec175Sdamien
45eec175Sdamien	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 9);
45eec175Sdamien	if (m == NULL)
45eec175Sdamien		return m;
45eec175Sdamien
45eec175Sdamien	frm = mtod(m, u_int8_t *);
45eec175Sdamien	*frm++ = IEEE80211_CATEG_BA;
45eec175Sdamien	*frm++ = IEEE80211_ACTION_ADDBA_REQ;
45eec175Sdamien	*frm++ = ba->ba_token;
3367136cSstsp	LE_WRITE_2(frm, ba->ba_params); frm += 2;
387ad762Sstsp	LE_WRITE_2(frm, ba->ba_timeout_val / IEEE80211_DUR_TU); frm += 2;
aefc44daSstsp	LE_WRITE_2(frm, ba->ba_winstart << IEEE80211_SEQ_SEQ_SHIFT); frm += 2;
45eec175Sdamien
45eec175Sdamien	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
45eec175Sdamien
45eec175Sdamien	return m;
45eec175Sdamien}
45eec175Sdamien
aefc44daSstsp/* Move Tx BA window forward to the specified SSN. */
aefc44daSstspvoid
aefc44daSstspieee80211_output_ba_move_window(struct ieee80211com *ic,
aefc44daSstsp    struct ieee80211_node *ni, uint8_t tid, uint16_t ssn)
aefc44daSstsp{
aefc44daSstsp	struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
aefc44daSstsp	uint16_t s = ba->ba_winstart;
aefc44daSstsp
aefc44daSstsp	while (SEQ_LT(s, ssn) && ba->ba_bitmap) {
aefc44daSstsp		s = (s + 1) % 0xfff;
aefc44daSstsp		ba->ba_bitmap >>= 1;
aefc44daSstsp	}
aefc44daSstsp
aefc44daSstsp	ba->ba_winstart = (ssn & 0xfff);
aefc44daSstsp	ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
aefc44daSstsp}
aefc44daSstsp
aefc44daSstsp/*
aefc44daSstsp * Move Tx BA window forward up to the first hole in the bitmap
aefc44daSstsp * or up to the specified SSN, whichever comes first.
aefc44daSstsp * After calling this function, frames before the start of the
aefc44daSstsp * potentially changed BA window should be discarded.
aefc44daSstsp */
aefc44daSstspvoid
aefc44daSstspieee80211_output_ba_move_window_to_first_unacked(struct ieee80211com *ic,
aefc44daSstsp    struct ieee80211_node *ni, uint8_t tid, uint16_t ssn)
aefc44daSstsp{
aefc44daSstsp	struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
aefc44daSstsp	uint16_t s = ba->ba_winstart;
aefc44daSstsp	uint64_t bitmap = ba->ba_bitmap;
aefc44daSstsp	int can_move_window = 0;
aefc44daSstsp
aefc44daSstsp	while (bitmap && SEQ_LT(s, ssn)) {
aefc44daSstsp		if ((bitmap & 1) == 0)
aefc44daSstsp			break;
aefc44daSstsp		s = (s + 1) % 0xfff;
aefc44daSstsp		bitmap >>= 1;
aefc44daSstsp		can_move_window = 1;
aefc44daSstsp	}
aefc44daSstsp
aefc44daSstsp	if (can_move_window)
aefc44daSstsp		ieee80211_output_ba_move_window(ic, ni, tid, s);
aefc44daSstsp}
aefc44daSstsp
aefc44daSstsp/* Record an ACK for a frame with a given SSN within the Tx BA window. */
aefc44daSstspvoid
aefc44daSstspieee80211_output_ba_record_ack(struct ieee80211com *ic,
aefc44daSstsp    struct ieee80211_node *ni, uint8_t tid, uint16_t ssn)
aefc44daSstsp{
aefc44daSstsp	struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
aefc44daSstsp	int i = 0;
aefc44daSstsp	uint16_t s = ba->ba_winstart;
aefc44daSstsp
aefc44daSstsp	KASSERT(!SEQ_LT(ssn, ba->ba_winstart));
aefc44daSstsp	KASSERT(!SEQ_LT(ba->ba_winend, ssn));
aefc44daSstsp
aefc44daSstsp	while (SEQ_LT(s, ssn)) {
aefc44daSstsp		s = (s + 1) % 0xfff;
aefc44daSstsp		i++;
aefc44daSstsp	}
aefc44daSstsp	if (i < ba->ba_winsize)
aefc44daSstsp		ba->ba_bitmap |= (1 << i);
aefc44daSstsp}
aefc44daSstsp
45eec175Sdamien/*-
45eec175Sdamien * ADDBA Response frame format:
45eec175Sdamien * [1] Category
45eec175Sdamien * [1] Action
45eec175Sdamien * [1] Dialog Token
45eec175Sdamien * [2] Status Code
45eec175Sdamien * [2] Block Ack Parameter Set
45eec175Sdamien * [2] Block Ack Timeout Value
45eec175Sdamien */
45eec175Sdamienstruct mbuf *
45eec175Sdamienieee80211_get_addba_resp(struct ieee80211com *ic, struct ieee80211_node *ni,
ec69e05aSdamien    u_int8_t tid, u_int8_t token, u_int16_t status)
45eec175Sdamien{
3b09a507Sdamien	struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
45eec175Sdamien	struct mbuf *m;
45eec175Sdamien	u_int8_t *frm;
45eec175Sdamien	u_int16_t params;
45eec175Sdamien
45eec175Sdamien	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 9);
45eec175Sdamien	if (m == NULL)
45eec175Sdamien		return m;
45eec175Sdamien
45eec175Sdamien	frm = mtod(m, u_int8_t *);
45eec175Sdamien	*frm++ = IEEE80211_CATEG_BA;
45eec175Sdamien	*frm++ = IEEE80211_ACTION_ADDBA_RESP;
ec69e05aSdamien	*frm++ = token;
45eec175Sdamien	LE_WRITE_2(frm, status); frm += 2;
ec69e05aSdamien	if (status == 0)
3367136cSstsp		params = ba->ba_params;
3367136cSstsp	else
3367136cSstsp		params = tid << IEEE80211_ADDBA_TID_SHIFT;
45eec175Sdamien	LE_WRITE_2(frm, params); frm += 2;
ec69e05aSdamien	if (status == 0)
387ad762Sstsp		LE_WRITE_2(frm, ba->ba_timeout_val / IEEE80211_DUR_TU);
ec69e05aSdamien	else
ec69e05aSdamien		LE_WRITE_2(frm, 0);
ec69e05aSdamien	frm += 2;
45eec175Sdamien
45eec175Sdamien	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
45eec175Sdamien
45eec175Sdamien	return m;
45eec175Sdamien}
45eec175Sdamien
45eec175Sdamien/*-
45eec175Sdamien * DELBA frame format:
45eec175Sdamien * [1] Category
45eec175Sdamien * [1] Action
45eec175Sdamien * [2] DELBA Parameter Set
45eec175Sdamien * [2] Reason Code
45eec175Sdamien */
45eec175Sdamienstruct mbuf *
45eec175Sdamienieee80211_get_delba(struct ieee80211com *ic, struct ieee80211_node *ni,
ec69e05aSdamien    u_int8_t tid, u_int8_t dir, u_int16_t reason)
45eec175Sdamien{
45eec175Sdamien	struct mbuf *m;
45eec175Sdamien	u_int8_t *frm;
45eec175Sdamien	u_int16_t params;
45eec175Sdamien
45eec175Sdamien	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 6);
45eec175Sdamien	if (m == NULL)
45eec175Sdamien		return m;
45eec175Sdamien
45eec175Sdamien	frm = mtod(m, u_int8_t *);
45eec175Sdamien	*frm++ = IEEE80211_CATEG_BA;
45eec175Sdamien	*frm++ = IEEE80211_ACTION_DELBA;
ec69e05aSdamien	params = tid << 12;
ec69e05aSdamien	if (dir)
ec69e05aSdamien		params |= IEEE80211_DELBA_INITIATOR;
45eec175Sdamien	LE_WRITE_2(frm, params); frm += 2;
45eec175Sdamien	LE_WRITE_2(frm, reason); frm += 2;
45eec175Sdamien
45eec175Sdamien	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
45eec175Sdamien
45eec175Sdamien	return m;
45eec175Sdamien}
45eec175Sdamien
45eec175Sdamien/*-
678831beSjsg * SA Query Request/Response frame format:
45eec175Sdamien * [1]  Category
45eec175Sdamien * [1]  Action
45eec175Sdamien * [16] Transaction Identifier
45eec175Sdamien */
45eec175Sdamienstruct mbuf *
45eec175Sdamienieee80211_get_sa_query(struct ieee80211com *ic, struct ieee80211_node *ni,
45eec175Sdamien    u_int8_t action)
45eec175Sdamien{
45eec175Sdamien	struct mbuf *m;
45eec175Sdamien	u_int8_t *frm;
45eec175Sdamien
199d5af3Sdamien	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 4);
45eec175Sdamien	if (m == NULL)
45eec175Sdamien		return NULL;
45eec175Sdamien
45eec175Sdamien	frm = mtod(m, u_int8_t *);
45eec175Sdamien	*frm++ = IEEE80211_CATEG_SA_QUERY;
45eec175Sdamien	*frm++ = action;	/* ACTION_SA_QUERY_REQ/RESP */
199d5af3Sdamien	LE_WRITE_2(frm, ni->ni_sa_query_trid); frm += 2;
199d5af3Sdamien
199d5af3Sdamien	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
45eec175Sdamien
45eec175Sdamien	return m;
45eec175Sdamien}
45eec175Sdamien
45eec175Sdamienstruct mbuf *
45eec175Sdamienieee80211_get_action(struct ieee80211com *ic, struct ieee80211_node *ni,
45eec175Sdamien    u_int8_t categ, u_int8_t action, int arg)
45eec175Sdamien{
45eec175Sdamien	struct mbuf *m = NULL;
45eec175Sdamien
45eec175Sdamien	switch (categ) {
45eec175Sdamien	case IEEE80211_CATEG_BA:
45eec175Sdamien		switch (action) {
45eec175Sdamien		case IEEE80211_ACTION_ADDBA_REQ:
45eec175Sdamien			m = ieee80211_get_addba_req(ic, ni, arg & 0xffff);
45eec175Sdamien			break;
45eec175Sdamien		case IEEE80211_ACTION_ADDBA_RESP:
ec69e05aSdamien			m = ieee80211_get_addba_resp(ic, ni, arg & 0xff,
ec69e05aSdamien			    arg >> 8, arg >> 16);
45eec175Sdamien			break;
45eec175Sdamien		case IEEE80211_ACTION_DELBA:
ec69e05aSdamien			m = ieee80211_get_delba(ic, ni, arg & 0xff, arg >> 8,
45eec175Sdamien			    arg >> 16);
45eec175Sdamien			break;
45eec175Sdamien		}
45eec175Sdamien		break;
45eec175Sdamien	case IEEE80211_CATEG_SA_QUERY:
45eec175Sdamien		switch (action) {
45eec175Sdamien#ifndef IEEE80211_STA_ONLY
45eec175Sdamien		case IEEE80211_ACTION_SA_QUERY_REQ:
45eec175Sdamien#endif
45eec175Sdamien		case IEEE80211_ACTION_SA_QUERY_RESP:
45eec175Sdamien			m = ieee80211_get_sa_query(ic, ni, action);
45eec175Sdamien			break;
45eec175Sdamien		}
45eec175Sdamien		break;
45eec175Sdamien	}
45eec175Sdamien	return m;
45eec175Sdamien}
45eec175Sdamien
5d49b5a5Sdamien/*
5d49b5a5Sdamien * Send a management frame.  The node is for the destination (or ic_bss
5d49b5a5Sdamien * when in station mode).  Nodes other than ic_bss have their reference
*54fbbda3Sjsg * count bumped to reflect our use for an indeterminate time.
5d49b5a5Sdamien */
5d49b5a5Sdamienint
5d49b5a5Sdamienieee80211_send_mgmt(struct ieee80211com *ic, struct ieee80211_node *ni,
45eec175Sdamien    int type, int arg1, int arg2)
5d49b5a5Sdamien{
5d49b5a5Sdamien#define	senderr(_x, _v)	do { ic->ic_stats._v++; ret = _x; goto bad; } while (0)
5d49b5a5Sdamien	struct ifnet *ifp = &ic->ic_if;
5d49b5a5Sdamien	struct mbuf *m;
5d49b5a5Sdamien	int ret, timer;
5d49b5a5Sdamien
5d49b5a5Sdamien	if (ni == NULL)
5d49b5a5Sdamien		panic("null node");
5d49b5a5Sdamien
5d49b5a5Sdamien	/*
5d49b5a5Sdamien	 * Hold a reference on the node so it doesn't go away until after
5d49b5a5Sdamien	 * the xmit is complete all the way in the driver.  On error we
5d49b5a5Sdamien	 * will remove our reference.
5d49b5a5Sdamien	 */
5d49b5a5Sdamien	ieee80211_ref_node(ni);
5d49b5a5Sdamien	timer = 0;
5d49b5a5Sdamien	switch (type) {
5d49b5a5Sdamien	case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
5d49b5a5Sdamien		if ((m = ieee80211_get_probe_req(ic, ni)) == NULL)
5d49b5a5Sdamien			senderr(ENOMEM, is_tx_nombuf);
5d49b5a5Sdamien
5d49b5a5Sdamien		timer = IEEE80211_TRANS_WAIT;
5d49b5a5Sdamien		break;
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
5d49b5a5Sdamien	case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
774cd68cSstsp		if ((m = ieee80211_get_probe_resp(ic)) == NULL)
5d49b5a5Sdamien			senderr(ENOMEM, is_tx_nombuf);
5d49b5a5Sdamien		break;
171ac09aSdamien#endif
5d49b5a5Sdamien	case IEEE80211_FC0_SUBTYPE_AUTH:
45eec175Sdamien		m = ieee80211_get_auth(ic, ni, arg1 >> 16, arg1 & 0xffff);
5d49b5a5Sdamien		if (m == NULL)
5d49b5a5Sdamien			senderr(ENOMEM, is_tx_nombuf);
5d49b5a5Sdamien
5d49b5a5Sdamien		if (ic->ic_opmode == IEEE80211_M_STA)
5d49b5a5Sdamien			timer = IEEE80211_TRANS_WAIT;
5d49b5a5Sdamien		break;
5d49b5a5Sdamien
5d49b5a5Sdamien	case IEEE80211_FC0_SUBTYPE_DEAUTH:
45eec175Sdamien		if ((m = ieee80211_get_deauth(ic, ni, arg1)) == NULL)
5d49b5a5Sdamien			senderr(ENOMEM, is_tx_nombuf);
a5879dd6Sstsp#ifndef IEEE80211_STA_ONLY
bc633e0cSstsp		if ((ifp->if_flags & IFF_DEBUG) &&
bc633e0cSstsp		    (ic->ic_opmode == IEEE80211_M_HOSTAP ||
bc633e0cSstsp		    ic->ic_opmode == IEEE80211_M_IBSS))
5d49b5a5Sdamien			printf("%s: station %s deauthenticate (reason %d)\n",
45eec175Sdamien			    ifp->if_xname, ether_sprintf(ni->ni_macaddr),
45eec175Sdamien			    arg1);
a5879dd6Sstsp#endif
5d49b5a5Sdamien		break;
5d49b5a5Sdamien
5d49b5a5Sdamien	case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
5d49b5a5Sdamien	case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
5d49b5a5Sdamien		if ((m = ieee80211_get_assoc_req(ic, ni, type)) == NULL)
5d49b5a5Sdamien			senderr(ENOMEM, is_tx_nombuf);
5d49b5a5Sdamien
5d49b5a5Sdamien		timer = IEEE80211_TRANS_WAIT;
5d49b5a5Sdamien		break;
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
5d49b5a5Sdamien	case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
5d49b5a5Sdamien	case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
45eec175Sdamien		if ((m = ieee80211_get_assoc_resp(ic, ni, arg1)) == NULL)
5d49b5a5Sdamien			senderr(ENOMEM, is_tx_nombuf);
91b2158bSmillert		break;
171ac09aSdamien#endif
91b2158bSmillert	case IEEE80211_FC0_SUBTYPE_DISASSOC:
45eec175Sdamien		if ((m = ieee80211_get_disassoc(ic, ni, arg1)) == NULL)
5d49b5a5Sdamien			senderr(ENOMEM, is_tx_nombuf);
a5879dd6Sstsp#ifndef IEEE80211_STA_ONLY
bc633e0cSstsp		if ((ifp->if_flags & IFF_DEBUG) &&
bc633e0cSstsp		    (ic->ic_opmode == IEEE80211_M_HOSTAP ||
bc633e0cSstsp		    ic->ic_opmode == IEEE80211_M_IBSS))
a0068c42Sjsg			printf("%s: station %s disassociate (reason %d)\n",
45eec175Sdamien			    ifp->if_xname, ether_sprintf(ni->ni_macaddr),
45eec175Sdamien			    arg1);
a5879dd6Sstsp#endif
91b2158bSmillert		break;
91b2158bSmillert
45eec175Sdamien	case IEEE80211_FC0_SUBTYPE_ACTION:
45eec175Sdamien		m = ieee80211_get_action(ic, ni, arg1 >> 16, arg1 & 0xffff,
45eec175Sdamien		    arg2);
45eec175Sdamien		if (m == NULL)
45eec175Sdamien			senderr(ENOMEM, is_tx_nombuf);
45eec175Sdamien		break;
45eec175Sdamien
91b2158bSmillert	default:
932b9027Sdamien		DPRINTF(("invalid mgmt frame type %u\n", type));
91b2158bSmillert		senderr(EINVAL, is_tx_unknownmgt);
91b2158bSmillert		/* NOTREACHED */
91b2158bSmillert	}
91b2158bSmillert
91b2158bSmillert	ret = ieee80211_mgmt_output(ifp, ni, m, type);
91b2158bSmillert	if (ret == 0) {
91b2158bSmillert		if (timer)
91b2158bSmillert			ic->ic_mgt_timer = timer;
91b2158bSmillert	} else {
91b2158bSmillertbad:
0fd4e251Sreyk		ieee80211_release_node(ic, ni);
91b2158bSmillert	}
91b2158bSmillert	return ret;
91b2158bSmillert#undef senderr
91b2158bSmillert}
91b2158bSmillert
b277585aSdamien/*
eba1a6b6Sdamien * Build a RTS (Request To Send) control frame (see 7.2.1.1).
b277585aSdamien */
b277585aSdamienstruct mbuf *
b277585aSdamienieee80211_get_rts(struct ieee80211com *ic, const struct ieee80211_frame *wh,
b277585aSdamien    u_int16_t dur)
b277585aSdamien{
b277585aSdamien	struct ieee80211_frame_rts *rts;
b277585aSdamien	struct mbuf *m;
b277585aSdamien
b277585aSdamien	MGETHDR(m, M_DONTWAIT, MT_DATA);
acc347deSdamien	if (m == NULL)
b277585aSdamien		return NULL;
acc347deSdamien
b277585aSdamien	m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts);
b277585aSdamien
b277585aSdamien	rts = mtod(m, struct ieee80211_frame_rts *);
b277585aSdamien	rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL |
b277585aSdamien	    IEEE80211_FC0_SUBTYPE_RTS;
b277585aSdamien	rts->i_fc[1] = IEEE80211_FC1_DIR_NODS;
b39feb1dSdamien	*(u_int16_t *)rts->i_dur = htole16(dur);
b277585aSdamien	IEEE80211_ADDR_COPY(rts->i_ra, wh->i_addr1);
b277585aSdamien	IEEE80211_ADDR_COPY(rts->i_ta, wh->i_addr2);
b277585aSdamien
b277585aSdamien	return m;
b277585aSdamien}
b277585aSdamien
b277585aSdamien/*
eba1a6b6Sdamien * Build a CTS-to-self (Clear To Send) control frame (see 7.2.1.2).
b277585aSdamien */
b277585aSdamienstruct mbuf *
b277585aSdamienieee80211_get_cts_to_self(struct ieee80211com *ic, u_int16_t dur)
b277585aSdamien{
b277585aSdamien	struct ieee80211_frame_cts *cts;
b277585aSdamien	struct mbuf *m;
b277585aSdamien
b277585aSdamien	MGETHDR(m, M_DONTWAIT, MT_DATA);
acc347deSdamien	if (m == NULL)
b277585aSdamien		return NULL;
acc347deSdamien
b277585aSdamien	m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts);
b277585aSdamien
b277585aSdamien	cts = mtod(m, struct ieee80211_frame_cts *);
b277585aSdamien	cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL |
b277585aSdamien	    IEEE80211_FC0_SUBTYPE_CTS;
b277585aSdamien	cts->i_fc[1] = IEEE80211_FC1_DIR_NODS;
b39feb1dSdamien	*(u_int16_t *)cts->i_dur = htole16(dur);
b277585aSdamien	IEEE80211_ADDR_COPY(cts->i_ra, ic->ic_myaddr);
b277585aSdamien
b277585aSdamien	return m;
b277585aSdamien}
b277585aSdamien
aefc44daSstsp/*
aefc44daSstsp * Build a compressed Block Ack Request control frame.
aefc44daSstsp */
aefc44daSstspstruct mbuf *
aefc44daSstspieee80211_get_compressed_bar(struct ieee80211com *ic,
aefc44daSstsp    struct ieee80211_node *ni, int tid, uint16_t ssn)
aefc44daSstsp{
aefc44daSstsp	struct ieee80211_frame_min *wh;
aefc44daSstsp	uint8_t *frm;
aefc44daSstsp	uint16_t ctl;
aefc44daSstsp	struct mbuf *m;
aefc44daSstsp
aefc44daSstsp	MGETHDR(m, M_DONTWAIT, MT_DATA);
aefc44daSstsp	if (m == NULL)
aefc44daSstsp		return NULL;
aefc44daSstsp
aefc44daSstsp	m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_min) +
aefc44daSstsp	    sizeof(ctl) + sizeof(ssn);
aefc44daSstsp
aefc44daSstsp	wh = mtod(m, struct ieee80211_frame_min *);
aefc44daSstsp	wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL |
aefc44daSstsp	    IEEE80211_FC0_SUBTYPE_BAR;
aefc44daSstsp	wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
aefc44daSstsp	*(u_int16_t *)wh->i_dur = 0;
aefc44daSstsp	IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr);
aefc44daSstsp	IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr);
aefc44daSstsp	frm = (uint8_t *)&wh[1];
aefc44daSstsp
aefc44daSstsp	ctl = IEEE80211_BA_COMPRESSED | (tid << IEEE80211_BA_TID_INFO_SHIFT);
aefc44daSstsp	LE_WRITE_2(frm, ctl);
aefc44daSstsp	frm += 2;
aefc44daSstsp
aefc44daSstsp	LE_WRITE_2(frm, ssn << IEEE80211_SEQ_SEQ_SHIFT);
aefc44daSstsp	frm += 2;
aefc44daSstsp
aefc44daSstsp	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
aefc44daSstsp	m->m_pkthdr.ph_cookie = ni;
aefc44daSstsp
aefc44daSstsp	return m;
aefc44daSstsp}
aefc44daSstsp
171ac09aSdamien#ifndef IEEE80211_STA_ONLY
8d0ac44dSdamien/*-
8d0ac44dSdamien * Beacon frame format:
8d0ac44dSdamien * [8]   Timestamp
8d0ac44dSdamien * [2]   Beacon interval
8d0ac44dSdamien * [2]   Capability
8d0ac44dSdamien * [tlv] Service Set Identifier (SSID)
8d0ac44dSdamien * [tlv] Supported rates
45eec175Sdamien * [tlv] DS Parameter Set (802.11g)
45eec175Sdamien * [tlv] IBSS Parameter Set
8d0ac44dSdamien * [tlv] Traffic Indication Map (TIM)
8d0ac44dSdamien * [tlv] ERP Information (802.11g)
8d0ac44dSdamien * [tlv] Extended Supported Rates (802.11g)
8d0ac44dSdamien * [tlv] RSN (802.11i)
8d0ac44dSdamien * [tlv] EDCA Parameter Set (802.11e)
45eec175Sdamien * [tlv] HT Capabilities (802.11n)
45eec175Sdamien * [tlv] HT Operation (802.11n)
8d0ac44dSdamien */
313f2acbSdamienstruct mbuf *
313f2acbSdamienieee80211_beacon_alloc(struct ieee80211com *ic, struct ieee80211_node *ni)
313f2acbSdamien{
9b4ad7b6Sdamien	const struct ieee80211_rateset *rs = &ni->ni_rates;
313f2acbSdamien	struct ieee80211_frame *wh;
313f2acbSdamien	struct mbuf *m;
313f2acbSdamien	u_int8_t *frm;
313f2acbSdamien
e03e709cSdamien	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA,
9b4ad7b6Sdamien	    8 + 2 + 2 +
534bf8f4Sstsp	    2 + ((ic->ic_userflags & IEEE80211_F_HIDENWID) ?
534bf8f4Sstsp	    0 : ni->ni_esslen) +
9b4ad7b6Sdamien	    2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) +
e63afc57Sdamien	    2 + 1 +
9b4ad7b6Sdamien	    2 + ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 : 254) +
9b4ad7b6Sdamien	    ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) +
9b4ad7b6Sdamien	    ((rs->rs_nrates > IEEE80211_RATE_SIZE) ?
9b4ad7b6Sdamien		2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) +
e03e709cSdamien	    (((ic->ic_flags & IEEE80211_F_RSNON) &&
9654ac02Sdamien	      (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ?
9654ac02Sdamien		2 + IEEE80211_RSNIE_MAXLEN : 0) +
9b4ad7b6Sdamien	    ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) +
e03e709cSdamien	    (((ic->ic_flags & IEEE80211_F_RSNON) &&
9654ac02Sdamien	      (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ?
45eec175Sdamien		2 + IEEE80211_WPAIE_MAXLEN : 0) +
5fb37217Sstsp	    ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0));
313f2acbSdamien	if (m == NULL)
313f2acbSdamien		return NULL;
313f2acbSdamien
e03e709cSdamien	M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT);
e03e709cSdamien	if (m == NULL)
e03e709cSdamien		return NULL;
313f2acbSdamien	wh = mtod(m, struct ieee80211_frame *);
313f2acbSdamien	wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT |
313f2acbSdamien	    IEEE80211_FC0_SUBTYPE_BEACON;
313f2acbSdamien	wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
313f2acbSdamien	*(u_int16_t *)wh->i_dur = 0;
313f2acbSdamien	IEEE80211_ADDR_COPY(wh->i_addr1, etherbroadcastaddr);
313f2acbSdamien	IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr);
313f2acbSdamien	IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid);
313f2acbSdamien	*(u_int16_t *)wh->i_seq = 0;
313f2acbSdamien
313f2acbSdamien	frm = (u_int8_t *)&wh[1];
9b4ad7b6Sdamien	memset(frm, 0, 8); frm += 8;	/* timestamp is set by hardware */
8d0ac44dSdamien	LE_WRITE_2(frm, ni->ni_intval); frm += 2;
8d0ac44dSdamien	frm = ieee80211_add_capinfo(frm, ic, ni);
534bf8f4Sstsp	if (ic->ic_userflags & IEEE80211_F_HIDENWID)
a6ad66bcSdamien		frm = ieee80211_add_ssid(frm, NULL, 0);
75175d43Sreyk	else
6e5bd35cSdamien		frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen);
313f2acbSdamien	frm = ieee80211_add_rates(frm, rs);
8d0ac44dSdamien	frm = ieee80211_add_ds_params(frm, ic, ni);
158c4605Sdamien	if (ic->ic_opmode == IEEE80211_M_IBSS)
8d0ac44dSdamien		frm = ieee80211_add_ibss_params(frm, ni);
158c4605Sdamien	else
158c4605Sdamien		frm = ieee80211_add_tim(frm, ic);
1bb78573Sdamien	if (ic->ic_curmode == IEEE80211_MODE_11G)
1bb78573Sdamien		frm = ieee80211_add_erp(frm, ic);
8c4d58d2Sdamien	if (rs->rs_nrates > IEEE80211_RATE_SIZE)
313f2acbSdamien		frm = ieee80211_add_xrates(frm, rs);
e03e709cSdamien	if ((ic->ic_flags & IEEE80211_F_RSNON) &&
e03e709cSdamien	    (ni->ni_rsnprotos & IEEE80211_PROTO_RSN))
3a557689Sdamien		frm = ieee80211_add_rsn(frm, ic, ni);
6003857fSdamien	if (ic->ic_flags & IEEE80211_F_QOS)
6003857fSdamien		frm = ieee80211_add_edca_params(frm, ic);
e03e709cSdamien	if ((ic->ic_flags & IEEE80211_F_RSNON) &&
e03e709cSdamien	    (ni->ni_rsnprotos & IEEE80211_PROTO_WPA))
e03e709cSdamien		frm = ieee80211_add_wpa(frm, ic, ni);
45eec175Sdamien	if (ic->ic_flags & IEEE80211_F_HTON) {
45eec175Sdamien		frm = ieee80211_add_htcaps(frm, ic);
45eec175Sdamien		frm = ieee80211_add_htop(frm, ic);
5fb37217Sstsp		frm = ieee80211_add_wme_param(frm, ic);
45eec175Sdamien	}
8d0ac44dSdamien
313f2acbSdamien	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
6da4b19dSmpi	m->m_pkthdr.ph_cookie = ni;
1bb78573Sdamien
313f2acbSdamien	return m;
313f2acbSdamien}
313f2acbSdamien
93d01030Sdamien/*
93d01030Sdamien * Check if an outgoing MSDU or management frame should be buffered into
93d01030Sdamien * the AP for power management.  Return 1 if the frame was buffered into
93d01030Sdamien * the AP, or 0 if the frame shall be transmitted immediately.
93d01030Sdamien */
93d01030Sdamienint
93d01030Sdamienieee80211_pwrsave(struct ieee80211com *ic, struct mbuf *m,
93d01030Sdamien    struct ieee80211_node *ni)
91b2158bSmillert{
93d01030Sdamien	const struct ieee80211_frame *wh;
ca7fda7eSstsp	int pssta = 0;
91b2158bSmillert
93d01030Sdamien	KASSERT(ic->ic_opmode == IEEE80211_M_HOSTAP);
93d01030Sdamien	if (!(ic->ic_caps & IEEE80211_C_APPMGT))
93d01030Sdamien		return 0;
93d01030Sdamien
93d01030Sdamien	wh = mtod(m, struct ieee80211_frame *);
93d01030Sdamien	if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
93d01030Sdamien		/*
93d01030Sdamien		 * Buffer group addressed MSDUs with the Order bit clear
93d01030Sdamien		 * if any associated STAs are in PS mode.
93d01030Sdamien		 */
ca7fda7eSstsp		ieee80211_iterate_nodes(ic, ieee80211_count_pssta, &pssta);
ca7fda7eSstsp		if ((wh->i_fc[1] & IEEE80211_FC1_ORDER) || pssta == 0)
93d01030Sdamien			return 0;
93d01030Sdamien		ic->ic_tim_mcast_pending = 1;
91b2158bSmillert	} else {
158c4605Sdamien		/*
93d01030Sdamien		 * Buffer MSDUs, A-MSDUs or management frames destined for
93d01030Sdamien		 * PS STAs.
91b2158bSmillert		 */
93d01030Sdamien		if (ni->ni_pwrsave == IEEE80211_PS_AWAKE ||
93d01030Sdamien		    (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) ==
93d01030Sdamien		    IEEE80211_FC0_TYPE_CTL)
93d01030Sdamien			return 0;
351e1934Sdlg		if (mq_empty(&ni->ni_savedq))
93d01030Sdamien			(*ic->ic_set_tim)(ic, ni->ni_associd, 1);
93d01030Sdamien	}
93d01030Sdamien	/* NB: ni == ic->ic_bss for broadcast/multicast */
93d01030Sdamien	/*
6da4b19dSmpi	 * Similar to ieee80211_mgmt_output, store the node in a
6da4b19dSmpi	 * special pkthdr field.
93d01030Sdamien	 */
6da4b19dSmpi	m->m_pkthdr.ph_cookie = ni;
351e1934Sdlg	mq_enqueue(&ni->ni_savedq, m);
93d01030Sdamien	return 1;
91b2158bSmillert}
171ac09aSdamien#endif	/* IEEE80211_STA_ONLY */