1 /* $OpenBSD: ieee80211_output.c,v 1.134 2021/05/11 08:39:32 stsp Exp $ */ 2 /* $NetBSD: ieee80211_output.c,v 1.13 2004/05/31 11:02:55 dyoung Exp $ */ 3 4 /*- 5 * Copyright (c) 2001 Atsushi Onoe 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * Copyright (c) 2007-2009 Damien Bergamini 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "bpfilter.h" 34 #include "vlan.h" 35 36 #include <sys/param.h> 37 #include <sys/systm.h> 38 #include <sys/mbuf.h> 39 #include <sys/kernel.h> 40 #include <sys/socket.h> 41 #include <sys/sockio.h> 42 #include <sys/endian.h> 43 #include <sys/errno.h> 44 #include <sys/sysctl.h> 45 46 #include <net/if.h> 47 #include <net/if_dl.h> 48 #include <net/if_media.h> 49 #include <net/if_llc.h> 50 #include <net/bpf.h> 51 52 #include <netinet/in.h> 53 #include <netinet/if_ether.h> 54 #include <netinet/ip.h> 55 #ifdef INET6 56 #include <netinet/ip6.h> 57 #endif 58 59 #if NVLAN > 0 60 #include <net/if_vlan_var.h> 61 #endif 62 63 #include <net80211/ieee80211_var.h> 64 #include <net80211/ieee80211_priv.h> 65 66 int ieee80211_mgmt_output(struct ifnet *, struct ieee80211_node *, 67 struct mbuf *, int); 68 int ieee80211_can_use_ampdu(struct ieee80211com *, 69 struct ieee80211_node *); 70 u_int8_t *ieee80211_add_rsn_body(u_int8_t *, struct ieee80211com *, 71 const struct ieee80211_node *, int); 72 struct mbuf *ieee80211_getmgmt(int, int, u_int); 73 struct mbuf *ieee80211_get_probe_req(struct ieee80211com *, 74 struct ieee80211_node *); 75 #ifndef IEEE80211_STA_ONLY 76 struct mbuf *ieee80211_get_probe_resp(struct ieee80211com *); 77 #endif 78 struct mbuf *ieee80211_get_auth(struct ieee80211com *, 79 struct ieee80211_node *, u_int16_t, u_int16_t); 80 struct mbuf *ieee80211_get_deauth(struct ieee80211com *, 81 struct ieee80211_node *, u_int16_t); 82 struct mbuf *ieee80211_get_assoc_req(struct ieee80211com *, 83 struct ieee80211_node *, int); 84 #ifndef IEEE80211_STA_ONLY 85 struct mbuf *ieee80211_get_assoc_resp(struct ieee80211com *, 86 struct ieee80211_node *, u_int16_t); 87 #endif 88 struct mbuf *ieee80211_get_disassoc(struct ieee80211com *, 89 struct ieee80211_node *, u_int16_t); 90 struct mbuf *ieee80211_get_addba_req(struct ieee80211com *, 91 struct ieee80211_node *, u_int8_t); 92 struct mbuf *ieee80211_get_addba_resp(struct ieee80211com *, 93 struct ieee80211_node *, u_int8_t, u_int8_t, u_int16_t); 94 struct mbuf *ieee80211_get_delba(struct ieee80211com *, 95 struct ieee80211_node *, u_int8_t, u_int8_t, u_int16_t); 96 uint8_t *ieee80211_add_wme_info(uint8_t *, struct ieee80211com *); 97 #ifndef IEEE80211_STA_ONLY 98 uint8_t *ieee80211_add_wme_param(uint8_t *, struct ieee80211com *); 99 #endif 100 struct mbuf *ieee80211_get_sa_query(struct ieee80211com *, 101 struct ieee80211_node *, u_int8_t); 102 struct mbuf *ieee80211_get_action(struct ieee80211com *, 103 struct ieee80211_node *, u_int8_t, u_int8_t, int); 104 105 /* 106 * IEEE 802.11 output routine. Normally this will directly call the 107 * Ethernet output routine because 802.11 encapsulation is called 108 * later by the driver. This function can be used to send raw frames 109 * if the mbuf has been tagged with a 802.11 data link type. 110 */ 111 int 112 ieee80211_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, 113 struct rtentry *rt) 114 { 115 struct ieee80211_frame *wh; 116 struct m_tag *mtag; 117 int error = 0; 118 119 /* Interface has to be up and running */ 120 if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) != 121 (IFF_UP | IFF_RUNNING)) { 122 error = ENETDOWN; 123 goto bad; 124 } 125 126 /* Try to get the DLT from a mbuf tag */ 127 if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) { 128 struct ieee80211com *ic = (void *)ifp; 129 u_int dlt = *(u_int *)(mtag + 1); 130 131 /* Fallback to ethernet for non-802.11 linktypes */ 132 if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO)) 133 goto fallback; 134 135 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) 136 return (EINVAL); 137 wh = mtod(m, struct ieee80211_frame *); 138 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 139 IEEE80211_FC0_VERSION_0) 140 return (EINVAL); 141 if (!(ic->ic_caps & IEEE80211_C_RAWCTL) && 142 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == 143 IEEE80211_FC0_TYPE_CTL) 144 return (EINVAL); 145 146 return (if_enqueue(ifp, m)); 147 } 148 149 fallback: 150 return (ether_output(ifp, m, dst, rt)); 151 152 bad: 153 m_freem(m); 154 return (error); 155 } 156 157 /* 158 * Send a management frame to the specified node. The node pointer 159 * must have a reference as the pointer will be passed to the driver 160 * and potentially held for a long time. If the frame is successfully 161 * dispatched to the driver, then it is responsible for freeing the 162 * reference (and potentially free'ing up any associated storage). 163 */ 164 int 165 ieee80211_mgmt_output(struct ifnet *ifp, struct ieee80211_node *ni, 166 struct mbuf *m, int type) 167 { 168 struct ieee80211com *ic = (void *)ifp; 169 struct ieee80211_frame *wh; 170 171 if (ni == NULL) 172 panic("null node"); 173 ni->ni_inact = 0; 174 175 /* 176 * We want to pass the node down to the driver's start 177 * routine. We could stick this in an m_tag and tack that 178 * on to the mbuf. However that's rather expensive to do 179 * for every frame so instead we stuff it in a special pkthdr 180 * field. 181 */ 182 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 183 if (m == NULL) 184 return ENOMEM; 185 m->m_pkthdr.ph_cookie = ni; 186 187 wh = mtod(m, struct ieee80211_frame *); 188 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | type; 189 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 190 *(u_int16_t *)&wh->i_dur[0] = 0; 191 *(u_int16_t *)&wh->i_seq[0] = 192 htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT); 193 ni->ni_txseq = (ni->ni_txseq + 1) & 0xfff; 194 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 195 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 196 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 197 198 /* check if protection is required for this mgmt frame */ 199 if ((ic->ic_caps & IEEE80211_C_MFP) && 200 (type == IEEE80211_FC0_SUBTYPE_DISASSOC || 201 type == IEEE80211_FC0_SUBTYPE_DEAUTH || 202 type == IEEE80211_FC0_SUBTYPE_ACTION)) { 203 /* 204 * Hack: we should not set the Protected bit in outgoing 205 * group management frames, however it is used as an 206 * indication to the drivers that they must encrypt the 207 * frame. Drivers should clear this bit from group 208 * management frames (software crypto code will do it). 209 * XXX could use an mbuf flag.. 210 */ 211 if (IEEE80211_IS_MULTICAST(wh->i_addr1) || 212 (ni->ni_flags & IEEE80211_NODE_TXMGMTPROT)) 213 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 214 } 215 216 if (ifp->if_flags & IFF_DEBUG) { 217 /* avoid to print too many frames */ 218 if ( 219 #ifndef IEEE80211_STA_ONLY 220 ic->ic_opmode == IEEE80211_M_IBSS || 221 #endif 222 #ifdef IEEE80211_DEBUG 223 ieee80211_debug > 1 || 224 #endif 225 (type & IEEE80211_FC0_SUBTYPE_MASK) != 226 IEEE80211_FC0_SUBTYPE_PROBE_RESP) 227 printf("%s: sending %s to %s on channel %u mode %s\n", 228 ifp->if_xname, 229 ieee80211_mgt_subtype_name[ 230 (type & IEEE80211_FC0_SUBTYPE_MASK) 231 >> IEEE80211_FC0_SUBTYPE_SHIFT], 232 ether_sprintf(ni->ni_macaddr), 233 ieee80211_chan2ieee(ic, ni->ni_chan), 234 ieee80211_phymode_name[ic->ic_curmode]); 235 } 236 237 #ifndef IEEE80211_STA_ONLY 238 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 239 ieee80211_pwrsave(ic, m, ni) != 0) 240 return 0; 241 #endif 242 mq_enqueue(&ic->ic_mgtq, m); 243 ifp->if_timer = 1; 244 if_start(ifp); 245 return 0; 246 } 247 248 /*- 249 * EDCA tables are computed using the following formulas: 250 * 251 * 1) EDCATable (non-AP QSTA) 252 * 253 * AC CWmin CWmax AIFSN TXOP limit(ms) 254 * ------------------------------------------------------------- 255 * AC_BK aCWmin aCWmax 7 0 256 * AC_BE aCWmin aCWmax 3 0 257 * AC_VI (aCWmin+1)/2-1 aCWmin 2 agn=3.008 b=6.016 others=0 258 * AC_VO (aCWmin+1)/4-1 (aCWmin+1)/2-1 2 agn=1.504 b=3.264 others=0 259 * 260 * 2) QAPEDCATable (QAP) 261 * 262 * AC CWmin CWmax AIFSN TXOP limit(ms) 263 * ------------------------------------------------------------- 264 * AC_BK aCWmin aCWmax 7 0 265 * AC_BE aCWmin 4*(aCWmin+1)-1 3 0 266 * AC_VI (aCWmin+1)/2-1 aCWmin 1 agn=3.008 b=6.016 others=0 267 * AC_VO (aCWmin+1)/4-1 (aCWmin+1)/2-1 1 agn=1.504 b=3.264 others=0 268 * 269 * and the following aCWmin/aCWmax values: 270 * 271 * PHY aCWmin aCWmax 272 * --------------------------- 273 * 11A 15 1023 274 * 11B 31 1023 275 * 11G 15* 1023 (*) aCWmin(1) 276 * 11N 15 1023 277 */ 278 const struct ieee80211_edca_ac_params 279 ieee80211_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = { 280 [IEEE80211_MODE_11B] = { 281 [EDCA_AC_BK] = { 5, 10, 7, 0 }, 282 [EDCA_AC_BE] = { 5, 10, 3, 0 }, 283 [EDCA_AC_VI] = { 4, 5, 2, 188 }, 284 [EDCA_AC_VO] = { 3, 4, 2, 102 } 285 }, 286 [IEEE80211_MODE_11A] = { 287 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 288 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 289 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 290 [EDCA_AC_VO] = { 2, 3, 2, 47 } 291 }, 292 [IEEE80211_MODE_11G] = { 293 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 294 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 295 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 296 [EDCA_AC_VO] = { 2, 3, 2, 47 } 297 }, 298 [IEEE80211_MODE_11N] = { 299 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 300 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 301 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 302 [EDCA_AC_VO] = { 2, 3, 2, 47 } 303 }, 304 }; 305 306 #ifndef IEEE80211_STA_ONLY 307 const struct ieee80211_edca_ac_params 308 ieee80211_qap_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = { 309 [IEEE80211_MODE_11B] = { 310 [EDCA_AC_BK] = { 5, 10, 7, 0 }, 311 [EDCA_AC_BE] = { 5, 7, 3, 0 }, 312 [EDCA_AC_VI] = { 4, 5, 1, 188 }, 313 [EDCA_AC_VO] = { 3, 4, 1, 102 } 314 }, 315 [IEEE80211_MODE_11A] = { 316 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 317 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 318 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 319 [EDCA_AC_VO] = { 2, 3, 1, 47 } 320 }, 321 [IEEE80211_MODE_11G] = { 322 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 323 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 324 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 325 [EDCA_AC_VO] = { 2, 3, 1, 47 } 326 }, 327 [IEEE80211_MODE_11N] = { 328 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 329 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 330 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 331 [EDCA_AC_VO] = { 2, 3, 1, 47 } 332 }, 333 }; 334 #endif /* IEEE80211_STA_ONLY */ 335 336 /* 337 * Return the EDCA Access Category to be used for transmitting a frame with 338 * user-priority `up'. 339 */ 340 enum ieee80211_edca_ac 341 ieee80211_up_to_ac(struct ieee80211com *ic, int up) 342 { 343 /* see Table 9-1 */ 344 static const enum ieee80211_edca_ac up_to_ac[] = { 345 EDCA_AC_BE, /* BE */ 346 EDCA_AC_BK, /* BK */ 347 EDCA_AC_BK, /* -- */ 348 EDCA_AC_BE, /* EE */ 349 EDCA_AC_VI, /* CL */ 350 EDCA_AC_VI, /* VI */ 351 EDCA_AC_VO, /* VO */ 352 EDCA_AC_VO /* NC */ 353 }; 354 enum ieee80211_edca_ac ac; 355 356 ac = (up <= 7) ? up_to_ac[up] : EDCA_AC_BE; 357 358 #ifndef IEEE80211_STA_ONLY 359 if (ic->ic_opmode == IEEE80211_M_HOSTAP) 360 return ac; 361 #endif 362 /* 363 * We do not support the admission control procedure defined in 364 * IEEE Std 802.11-2012 section 9.19.4.2.3. The spec says that 365 * non-AP QSTAs that don't support this procedure shall use EDCA 366 * parameters of a lower priority AC that does not require 367 * admission control. 368 */ 369 while (ac != EDCA_AC_BK && ic->ic_edca_ac[ac].ac_acm) { 370 switch (ac) { 371 case EDCA_AC_BK: 372 /* can't get there */ 373 break; 374 case EDCA_AC_BE: 375 /* BE shouldn't require admission control */ 376 ac = EDCA_AC_BK; 377 break; 378 case EDCA_AC_VI: 379 ac = EDCA_AC_BE; 380 break; 381 case EDCA_AC_VO: 382 ac = EDCA_AC_VI; 383 break; 384 } 385 } 386 return ac; 387 } 388 389 /* 390 * Get mbuf's user-priority: if mbuf is not VLAN tagged, select user-priority 391 * based on the DSCP (Differentiated Services Codepoint) field. 392 */ 393 int 394 ieee80211_classify(struct ieee80211com *ic, struct mbuf *m) 395 { 396 struct ether_header eh; 397 u_int8_t ds_field; 398 #if NVLAN > 0 399 if (m->m_flags & M_VLANTAG) /* use VLAN 802.1D user-priority */ 400 return EVL_PRIOFTAG(m->m_pkthdr.ether_vtag); 401 #endif 402 m_copydata(m, 0, sizeof(eh), (caddr_t)&eh); 403 if (eh.ether_type == htons(ETHERTYPE_IP)) { 404 struct ip ip; 405 m_copydata(m, sizeof(eh), sizeof(ip), (caddr_t)&ip); 406 if (ip.ip_v != 4) 407 return 0; 408 ds_field = ip.ip_tos; 409 } 410 #ifdef INET6 411 else if (eh.ether_type == htons(ETHERTYPE_IPV6)) { 412 struct ip6_hdr ip6; 413 u_int32_t flowlabel; 414 m_copydata(m, sizeof(eh), sizeof(ip6), (caddr_t)&ip6); 415 flowlabel = ntohl(ip6.ip6_flow); 416 if ((flowlabel >> 28) != 6) 417 return 0; 418 ds_field = (flowlabel >> 20) & 0xff; 419 } 420 #endif /* INET6 */ 421 else /* neither IPv4 nor IPv6 */ 422 return 0; 423 424 /* 425 * Map Differentiated Services Codepoint field (see RFC2474). 426 * Preserves backward compatibility with IP Precedence field. 427 */ 428 switch (ds_field & 0xfc) { 429 case IPTOS_PREC_PRIORITY: 430 return EDCA_AC_VI; 431 case IPTOS_PREC_IMMEDIATE: 432 return EDCA_AC_BK; 433 case IPTOS_PREC_FLASH: 434 case IPTOS_PREC_FLASHOVERRIDE: 435 case IPTOS_PREC_CRITIC_ECP: 436 case IPTOS_PREC_INTERNETCONTROL: 437 case IPTOS_PREC_NETCONTROL: 438 return EDCA_AC_VO; 439 default: 440 return EDCA_AC_BE; 441 } 442 } 443 444 int 445 ieee80211_can_use_ampdu(struct ieee80211com *ic, struct ieee80211_node *ni) 446 { 447 return (ni->ni_flags & IEEE80211_NODE_HT) && 448 (ic->ic_caps & IEEE80211_C_TX_AMPDU) && 449 !(ic->ic_opmode == IEEE80211_M_STA && ni != ic->ic_bss) && 450 /* 451 * Don't use A-MPDU on non-encrypted networks. There are devices 452 * with buggy firmware which allow an attacker to inject 802.11 453 * frames into a wifi network by embedding rogue A-MPDU subframes 454 * in an arbitrary data payload (e.g. PNG images) which may end 455 * up appearing as actual frames after de-aggregation by a buggy 456 * device; see https://github.com/rpp0/aggr-inject for details. 457 * WPA2 prevents this injection attack since the attacker would 458 * need to inject frames which get decrypted correctly. 459 */ 460 ((ic->ic_flags & IEEE80211_F_RSNON) && 461 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)); 462 } 463 464 void 465 ieee80211_tx_compressed_bar(struct ieee80211com *ic, struct ieee80211_node *ni, 466 int tid, uint16_t ssn) 467 { 468 struct ifnet *ifp = &ic->ic_if; 469 struct mbuf *m; 470 471 m = ieee80211_get_compressed_bar(ic, ni, tid, ssn); 472 if (m == NULL) 473 return; 474 475 ieee80211_ref_node(ni); 476 if (mq_enqueue(&ic->ic_mgtq, m) == 0) 477 if_start(ifp); 478 else 479 ieee80211_release_node(ic, ni); 480 } 481 482 /* 483 * Encapsulate an outbound data frame. The mbuf chain is updated and 484 * a reference to the destination node is returned. If an error is 485 * encountered NULL is returned and the node reference will also be NULL. 486 * 487 * NB: The caller is responsible for free'ing a returned node reference. 488 * The convention is ic_bss is not reference counted; the caller must 489 * maintain that. 490 */ 491 struct mbuf * 492 ieee80211_encap(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node **pni) 493 { 494 struct ieee80211com *ic = (void *)ifp; 495 struct ether_header eh; 496 struct ieee80211_frame *wh; 497 struct ieee80211_node *ni = NULL; 498 struct llc *llc; 499 struct m_tag *mtag; 500 u_int8_t *addr; 501 u_int dlt, hdrlen; 502 int addqos, tid; 503 504 /* Handle raw frames if mbuf is tagged as 802.11 */ 505 if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) { 506 dlt = *(u_int *)(mtag + 1); 507 508 if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO)) 509 goto fallback; 510 511 wh = mtod(m, struct ieee80211_frame *); 512 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 513 case IEEE80211_FC1_DIR_NODS: 514 case IEEE80211_FC1_DIR_FROMDS: 515 addr = wh->i_addr1; 516 break; 517 case IEEE80211_FC1_DIR_DSTODS: 518 case IEEE80211_FC1_DIR_TODS: 519 addr = wh->i_addr3; 520 break; 521 default: 522 goto bad; 523 } 524 525 ni = ieee80211_find_txnode(ic, addr); 526 if (ni == NULL) 527 ni = ieee80211_ref_node(ic->ic_bss); 528 if (ni == NULL) { 529 printf("%s: no node for dst %s, " 530 "discard raw tx frame\n", ifp->if_xname, 531 ether_sprintf(addr)); 532 ic->ic_stats.is_tx_nonode++; 533 goto bad; 534 } 535 ni->ni_inact = 0; 536 537 *pni = ni; 538 return (m); 539 } 540 541 fallback: 542 if (m->m_len < sizeof(struct ether_header)) { 543 m = m_pullup(m, sizeof(struct ether_header)); 544 if (m == NULL) { 545 ic->ic_stats.is_tx_nombuf++; 546 goto bad; 547 } 548 } 549 memcpy(&eh, mtod(m, caddr_t), sizeof(struct ether_header)); 550 551 ni = ieee80211_find_txnode(ic, eh.ether_dhost); 552 if (ni == NULL) { 553 DPRINTF(("no node for dst %s, discard frame\n", 554 ether_sprintf(eh.ether_dhost))); 555 ic->ic_stats.is_tx_nonode++; 556 goto bad; 557 } 558 559 #ifndef IEEE80211_STA_ONLY 560 if (ic->ic_opmode == IEEE80211_M_HOSTAP && ni != ic->ic_bss && 561 ni->ni_state != IEEE80211_STA_ASSOC) { 562 ic->ic_stats.is_tx_nonode++; 563 goto bad; 564 } 565 #endif 566 567 if ((ic->ic_flags & IEEE80211_F_RSNON) && 568 !ni->ni_port_valid && 569 eh.ether_type != htons(ETHERTYPE_PAE)) { 570 DPRINTF(("port not valid: %s\n", 571 ether_sprintf(eh.ether_dhost))); 572 ic->ic_stats.is_tx_noauth++; 573 goto bad; 574 } 575 576 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 577 ni->ni_rsncipher == IEEE80211_CIPHER_TKIP) 578 /* XXX TKIP countermeasures! */; 579 580 ni->ni_inact = 0; 581 582 if ((ic->ic_flags & IEEE80211_F_QOS) && 583 (ni->ni_flags & IEEE80211_NODE_QOS) && 584 /* do not QoS-encapsulate EAPOL frames */ 585 eh.ether_type != htons(ETHERTYPE_PAE)) { 586 struct ieee80211_tx_ba *ba; 587 tid = ieee80211_classify(ic, m); 588 ba = &ni->ni_tx_ba[tid]; 589 /* We use QoS data frames for aggregation only. */ 590 if (ba->ba_state != IEEE80211_BA_AGREED) { 591 hdrlen = sizeof(struct ieee80211_frame); 592 addqos = 0; 593 if (ieee80211_can_use_ampdu(ic, ni)) 594 ieee80211_node_trigger_addba_req(ni, tid); 595 } else { 596 hdrlen = sizeof(struct ieee80211_qosframe); 597 addqos = 1; 598 } 599 } else { 600 hdrlen = sizeof(struct ieee80211_frame); 601 addqos = 0; 602 } 603 m_adj(m, sizeof(struct ether_header) - LLC_SNAPFRAMELEN); 604 llc = mtod(m, struct llc *); 605 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 606 llc->llc_control = LLC_UI; 607 llc->llc_snap.org_code[0] = 0; 608 llc->llc_snap.org_code[1] = 0; 609 llc->llc_snap.org_code[2] = 0; 610 llc->llc_snap.ether_type = eh.ether_type; 611 M_PREPEND(m, hdrlen, M_DONTWAIT); 612 if (m == NULL) { 613 ic->ic_stats.is_tx_nombuf++; 614 goto bad; 615 } 616 wh = mtod(m, struct ieee80211_frame *); 617 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA; 618 *(u_int16_t *)&wh->i_dur[0] = 0; 619 if (addqos) { 620 struct ieee80211_qosframe *qwh = 621 (struct ieee80211_qosframe *)wh; 622 u_int16_t qos = tid; 623 624 if (ic->ic_tid_noack & (1 << tid)) 625 qos |= IEEE80211_QOS_ACK_POLICY_NOACK; 626 else { 627 /* Use HT immediate block-ack. */ 628 qos |= IEEE80211_QOS_ACK_POLICY_NORMAL; 629 } 630 qwh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS; 631 *(u_int16_t *)qwh->i_qos = htole16(qos); 632 *(u_int16_t *)qwh->i_seq = 633 htole16(ni->ni_qos_txseqs[tid] << IEEE80211_SEQ_SEQ_SHIFT); 634 ni->ni_qos_txseqs[tid] = (ni->ni_qos_txseqs[tid] + 1) & 0xfff; 635 } else { 636 *(u_int16_t *)&wh->i_seq[0] = 637 htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT); 638 ni->ni_txseq = (ni->ni_txseq + 1) & 0xfff; 639 } 640 switch (ic->ic_opmode) { 641 case IEEE80211_M_STA: 642 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 643 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid); 644 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 645 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 646 break; 647 #ifndef IEEE80211_STA_ONLY 648 case IEEE80211_M_IBSS: 649 case IEEE80211_M_AHDEMO: 650 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 651 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 652 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 653 IEEE80211_ADDR_COPY(wh->i_addr3, ic->ic_bss->ni_bssid); 654 break; 655 case IEEE80211_M_HOSTAP: 656 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 657 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 658 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid); 659 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 660 break; 661 #endif 662 default: 663 /* should not get there */ 664 goto bad; 665 } 666 667 if ((ic->ic_flags & IEEE80211_F_WEPON) || 668 ((ic->ic_flags & IEEE80211_F_RSNON) && 669 (ni->ni_flags & IEEE80211_NODE_TXPROT))) 670 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 671 672 #ifndef IEEE80211_STA_ONLY 673 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 674 ieee80211_pwrsave(ic, m, ni) != 0) { 675 *pni = NULL; 676 return NULL; 677 } 678 #endif 679 *pni = ni; 680 return m; 681 bad: 682 m_freem(m); 683 if (ni != NULL) 684 ieee80211_release_node(ic, ni); 685 *pni = NULL; 686 return NULL; 687 } 688 689 /* 690 * Add a Capability Information field to a frame (see 7.3.1.4). 691 */ 692 u_int8_t * 693 ieee80211_add_capinfo(u_int8_t *frm, struct ieee80211com *ic, 694 const struct ieee80211_node *ni) 695 { 696 u_int16_t capinfo; 697 698 #ifndef IEEE80211_STA_ONLY 699 if (ic->ic_opmode == IEEE80211_M_IBSS) 700 capinfo = IEEE80211_CAPINFO_IBSS; 701 else if (ic->ic_opmode == IEEE80211_M_HOSTAP) 702 capinfo = IEEE80211_CAPINFO_ESS; 703 else 704 #endif 705 capinfo = 0; 706 #ifndef IEEE80211_STA_ONLY 707 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 708 (ic->ic_flags & (IEEE80211_F_WEPON | IEEE80211_F_RSNON))) 709 capinfo |= IEEE80211_CAPINFO_PRIVACY; 710 #endif 711 /* NB: some 11a AP's reject the request when short preamble is set */ 712 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 713 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) 714 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 715 if (ic->ic_flags & IEEE80211_F_SHSLOT) 716 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 717 LE_WRITE_2(frm, capinfo); 718 return frm + 2; 719 } 720 721 /* 722 * Add an SSID element to a frame (see 7.3.2.1). 723 */ 724 u_int8_t * 725 ieee80211_add_ssid(u_int8_t *frm, const u_int8_t *ssid, u_int len) 726 { 727 *frm++ = IEEE80211_ELEMID_SSID; 728 *frm++ = len; 729 memcpy(frm, ssid, len); 730 return frm + len; 731 } 732 733 /* 734 * Add a supported rates element to a frame (see 7.3.2.2). 735 */ 736 u_int8_t * 737 ieee80211_add_rates(u_int8_t *frm, const struct ieee80211_rateset *rs) 738 { 739 int nrates; 740 741 *frm++ = IEEE80211_ELEMID_RATES; 742 nrates = min(rs->rs_nrates, IEEE80211_RATE_SIZE); 743 *frm++ = nrates; 744 memcpy(frm, rs->rs_rates, nrates); 745 return frm + nrates; 746 } 747 748 #ifndef IEEE80211_STA_ONLY 749 /* 750 * Add a DS Parameter Set element to a frame (see 7.3.2.4). 751 */ 752 u_int8_t * 753 ieee80211_add_ds_params(u_int8_t *frm, struct ieee80211com *ic, 754 const struct ieee80211_node *ni) 755 { 756 *frm++ = IEEE80211_ELEMID_DSPARMS; 757 *frm++ = 1; 758 *frm++ = ieee80211_chan2ieee(ic, ni->ni_chan); 759 return frm; 760 } 761 762 /* 763 * Add a TIM element to a frame (see 7.3.2.6 and Annex L). 764 */ 765 u_int8_t * 766 ieee80211_add_tim(u_int8_t *frm, struct ieee80211com *ic) 767 { 768 u_int i, offset = 0, len; 769 770 /* find first non-zero octet in the virtual bit map */ 771 for (i = 0; i < ic->ic_tim_len && ic->ic_tim_bitmap[i] == 0; i++); 772 773 /* clear the lsb as it is reserved for the broadcast indication bit */ 774 if (i < ic->ic_tim_len) 775 offset = i & ~1; 776 777 /* find last non-zero octet in the virtual bit map */ 778 for (i = ic->ic_tim_len - 1; i > 0 && ic->ic_tim_bitmap[i] == 0; i--); 779 780 len = i - offset + 1; 781 782 *frm++ = IEEE80211_ELEMID_TIM; 783 *frm++ = len + 3; /* length */ 784 *frm++ = ic->ic_dtim_count; /* DTIM count */ 785 *frm++ = ic->ic_dtim_period; /* DTIM period */ 786 787 /* Bitmap Control */ 788 *frm = offset; 789 /* set broadcast/multicast indication bit if necessary */ 790 if (ic->ic_dtim_count == 0 && ic->ic_tim_mcast_pending) 791 *frm |= 0x01; 792 frm++; 793 794 /* Partial Virtual Bitmap */ 795 memcpy(frm, &ic->ic_tim_bitmap[offset], len); 796 return frm + len; 797 } 798 799 /* 800 * Add an IBSS Parameter Set element to a frame (see 7.3.2.7). 801 */ 802 u_int8_t * 803 ieee80211_add_ibss_params(u_int8_t *frm, const struct ieee80211_node *ni) 804 { 805 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 806 *frm++ = 2; 807 LE_WRITE_2(frm, 0); /* TODO: ATIM window */ 808 return frm + 2; 809 } 810 811 /* 812 * Add an EDCA Parameter Set element to a frame (see 7.3.2.29). 813 */ 814 u_int8_t * 815 ieee80211_add_edca_params(u_int8_t *frm, struct ieee80211com *ic) 816 { 817 const struct ieee80211_edca_ac_params *edca; 818 int aci; 819 820 *frm++ = IEEE80211_ELEMID_EDCAPARMS; 821 *frm++ = 18; /* length */ 822 *frm++ = 0; /* QoS Info */ 823 *frm++ = 0; /* reserved */ 824 825 /* setup AC Parameter Records */ 826 edca = ieee80211_edca_table[ic->ic_curmode]; 827 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 828 const struct ieee80211_edca_ac_params *ac = &edca[aci]; 829 830 *frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) | 831 (ac->ac_aifsn & 0xf); 832 *frm++ = (ac->ac_ecwmax << 4) | 833 (ac->ac_ecwmin & 0xf); 834 LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2; 835 } 836 return frm; 837 } 838 839 /* 840 * Add an ERP element to a frame (see 7.3.2.13). 841 */ 842 u_int8_t * 843 ieee80211_add_erp(u_int8_t *frm, struct ieee80211com *ic) 844 { 845 u_int8_t erp; 846 int nonerpsta = 0; 847 848 *frm++ = IEEE80211_ELEMID_ERP; 849 *frm++ = 1; 850 erp = 0; 851 /* 852 * The NonERP_Present bit shall be set to 1 when a NonERP STA 853 * is associated with the BSS. 854 */ 855 ieee80211_iterate_nodes(ic, ieee80211_count_nonerpsta, &nonerpsta); 856 if (nonerpsta != 0) 857 erp |= IEEE80211_ERP_NON_ERP_PRESENT; 858 /* 859 * If one or more NonERP STAs are associated in the BSS, the 860 * Use_Protection bit shall be set to 1 in transmitted ERP 861 * Information Elements. 862 */ 863 if (ic->ic_flags & IEEE80211_F_USEPROT) 864 erp |= IEEE80211_ERP_USE_PROTECTION; 865 /* 866 * The Barker_Preamble_Mode bit shall be set to 1 by the ERP 867 * Information Element sender if one or more associated NonERP 868 * STAs are not short preamble capable. 869 */ 870 if (!(ic->ic_flags & IEEE80211_F_SHPREAMBLE)) 871 erp |= IEEE80211_ERP_BARKER_MODE; 872 *frm++ = erp; 873 return frm; 874 } 875 #endif /* IEEE80211_STA_ONLY */ 876 877 /* 878 * Add a QoS Capability element to a frame (see 7.3.2.35). 879 */ 880 u_int8_t * 881 ieee80211_add_qos_capability(u_int8_t *frm, struct ieee80211com *ic) 882 { 883 *frm++ = IEEE80211_ELEMID_QOS_CAP; 884 *frm++ = 1; 885 *frm++ = 0; /* QoS Info */ 886 return frm; 887 } 888 889 /* 890 * Add a Wifi-Alliance WME (aka WMM) info element to a frame. 891 * WME is a requirement for Wifi-Alliance compliance and some 892 * 11n APs will not negotiate HT if this element is missing. 893 */ 894 uint8_t * 895 ieee80211_add_wme_info(uint8_t *frm, struct ieee80211com *ic) 896 { 897 *frm++ = IEEE80211_ELEMID_VENDOR; 898 *frm++ = 7; 899 memcpy(frm, MICROSOFT_OUI, 3); frm += 3; 900 *frm++ = 2; /* OUI type */ 901 *frm++ = 0; /* OUI subtype */ 902 *frm++ = 1; /* version */ 903 *frm++ = 0; /* info */ 904 905 return frm; 906 } 907 908 #ifndef IEEE80211_STA_ONLY 909 /* 910 * Add a Wifi-Alliance WMM (aka WME) parameter element to a frame. 911 */ 912 uint8_t * 913 ieee80211_add_wme_param(uint8_t *frm, struct ieee80211com *ic) 914 { 915 const struct ieee80211_edca_ac_params *edca; 916 int aci; 917 918 *frm++ = IEEE80211_ELEMID_VENDOR; 919 *frm++ = 24; 920 memcpy(frm, MICROSOFT_OUI, 3); frm += 3; 921 *frm++ = 2; /* OUI type */ 922 *frm++ = 1; /* OUI subtype */ 923 *frm++ = 1; /* version */ 924 *frm++ = 0; /* info */ 925 *frm++ = 0; /* reserved */ 926 927 /* setup AC Parameter Records */ 928 edca = ieee80211_edca_table[ic->ic_curmode]; 929 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 930 const struct ieee80211_edca_ac_params *ac = &edca[aci]; 931 932 *frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) | 933 (ac->ac_aifsn & 0xf); 934 *frm++ = (ac->ac_ecwmax << 4) | 935 (ac->ac_ecwmin & 0xf); 936 LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2; 937 } 938 939 return frm; 940 } 941 #endif 942 943 /* 944 * Add an RSN element to a frame (see 802.11-2012 8.4.2.27) 945 */ 946 u_int8_t * 947 ieee80211_add_rsn_body(u_int8_t *frm, struct ieee80211com *ic, 948 const struct ieee80211_node *ni, int wpa) 949 { 950 const u_int8_t *oui = wpa ? MICROSOFT_OUI : IEEE80211_OUI; 951 u_int8_t *pcount; 952 u_int16_t count, rsncaps; 953 954 /* write Version field */ 955 LE_WRITE_2(frm, 1); frm += 2; 956 957 /* write Group Data Cipher Suite field (see 802.11-2012 Table 8-99) */ 958 memcpy(frm, oui, 3); frm += 3; 959 switch (ni->ni_rsngroupcipher) { 960 case IEEE80211_CIPHER_WEP40: 961 *frm++ = 1; 962 break; 963 case IEEE80211_CIPHER_TKIP: 964 *frm++ = 2; 965 break; 966 case IEEE80211_CIPHER_CCMP: 967 *frm++ = 4; 968 break; 969 case IEEE80211_CIPHER_WEP104: 970 *frm++ = 5; 971 break; 972 default: 973 /* can't get there */ 974 panic("invalid group data cipher!"); 975 } 976 977 pcount = frm; frm += 2; 978 count = 0; 979 /* write Pairwise Cipher Suite List */ 980 if (ni->ni_rsnciphers & IEEE80211_CIPHER_USEGROUP) { 981 memcpy(frm, oui, 3); frm += 3; 982 *frm++ = 0; 983 count++; 984 } 985 if (ni->ni_rsnciphers & IEEE80211_CIPHER_TKIP) { 986 memcpy(frm, oui, 3); frm += 3; 987 *frm++ = 2; 988 count++; 989 } 990 if (ni->ni_rsnciphers & IEEE80211_CIPHER_CCMP) { 991 memcpy(frm, oui, 3); frm += 3; 992 *frm++ = 4; 993 count++; 994 } 995 /* write Pairwise Cipher Suite Count field */ 996 LE_WRITE_2(pcount, count); 997 998 pcount = frm; frm += 2; 999 count = 0; 1000 /* write AKM Suite List (see Table 20dc) */ 1001 if (ni->ni_rsnakms & IEEE80211_AKM_8021X) { 1002 memcpy(frm, oui, 3); frm += 3; 1003 *frm++ = 1; 1004 count++; 1005 } 1006 if (ni->ni_rsnakms & IEEE80211_AKM_PSK) { 1007 memcpy(frm, oui, 3); frm += 3; 1008 *frm++ = 2; 1009 count++; 1010 } 1011 if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_8021X)) { 1012 memcpy(frm, oui, 3); frm += 3; 1013 *frm++ = 5; 1014 count++; 1015 } 1016 if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_PSK)) { 1017 memcpy(frm, oui, 3); frm += 3; 1018 *frm++ = 6; 1019 count++; 1020 } 1021 /* write AKM Suite List Count field */ 1022 LE_WRITE_2(pcount, count); 1023 1024 if (wpa) 1025 return frm; 1026 1027 /* write RSN Capabilities field */ 1028 rsncaps = (ni->ni_rsncaps & (IEEE80211_RSNCAP_PTKSA_RCNT_MASK | 1029 IEEE80211_RSNCAP_GTKSA_RCNT_MASK)); 1030 if (ic->ic_caps & IEEE80211_C_MFP) { 1031 rsncaps |= IEEE80211_RSNCAP_MFPC; 1032 if (ic->ic_flags & IEEE80211_F_MFPR) 1033 rsncaps |= IEEE80211_RSNCAP_MFPR; 1034 } 1035 if (ic->ic_flags & IEEE80211_F_PBAR) 1036 rsncaps |= IEEE80211_RSNCAP_PBAC; 1037 LE_WRITE_2(frm, rsncaps); frm += 2; 1038 1039 if (ni->ni_flags & IEEE80211_NODE_PMKID) { 1040 /* write PMKID Count field */ 1041 LE_WRITE_2(frm, 1); frm += 2; 1042 /* write PMKID List (only 1) */ 1043 memcpy(frm, ni->ni_pmkid, IEEE80211_PMKID_LEN); 1044 frm += IEEE80211_PMKID_LEN; 1045 } 1046 1047 if (!(ic->ic_caps & IEEE80211_C_MFP)) 1048 return frm; 1049 1050 if ((ni->ni_flags & IEEE80211_NODE_PMKID) == 0) { 1051 /* no PMKID (PMKID Count=0) */ 1052 LE_WRITE_2(frm, 0); frm += 2; 1053 } 1054 1055 /* write Group Integrity Cipher Suite field */ 1056 memcpy(frm, oui, 3); frm += 3; 1057 switch (ic->ic_rsngroupmgmtcipher) { 1058 case IEEE80211_CIPHER_BIP: 1059 *frm++ = 6; 1060 break; 1061 default: 1062 /* can't get there */ 1063 panic("invalid integrity group cipher!"); 1064 } 1065 return frm; 1066 } 1067 1068 u_int8_t * 1069 ieee80211_add_rsn(u_int8_t *frm, struct ieee80211com *ic, 1070 const struct ieee80211_node *ni) 1071 { 1072 u_int8_t *plen; 1073 1074 *frm++ = IEEE80211_ELEMID_RSN; 1075 plen = frm++; /* length filled in later */ 1076 frm = ieee80211_add_rsn_body(frm, ic, ni, 0); 1077 1078 /* write length field */ 1079 *plen = frm - plen - 1; 1080 return frm; 1081 } 1082 1083 /* 1084 * Add a vendor-specific WPA element to a frame. 1085 * This is required for compatibility with Wi-Fi Alliance WPA. 1086 */ 1087 u_int8_t * 1088 ieee80211_add_wpa(u_int8_t *frm, struct ieee80211com *ic, 1089 const struct ieee80211_node *ni) 1090 { 1091 u_int8_t *plen; 1092 1093 *frm++ = IEEE80211_ELEMID_VENDOR; 1094 plen = frm++; /* length filled in later */ 1095 memcpy(frm, MICROSOFT_OUI, 3); frm += 3; 1096 *frm++ = 1; /* WPA */ 1097 frm = ieee80211_add_rsn_body(frm, ic, ni, 1); 1098 1099 /* write length field */ 1100 *plen = frm - plen - 1; 1101 return frm; 1102 } 1103 1104 /* 1105 * Add an extended supported rates element to a frame (see 7.3.2.14). 1106 */ 1107 u_int8_t * 1108 ieee80211_add_xrates(u_int8_t *frm, const struct ieee80211_rateset *rs) 1109 { 1110 int nrates; 1111 1112 KASSERT(rs->rs_nrates > IEEE80211_RATE_SIZE); 1113 1114 *frm++ = IEEE80211_ELEMID_XRATES; 1115 nrates = rs->rs_nrates - IEEE80211_RATE_SIZE; 1116 *frm++ = nrates; 1117 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates); 1118 return frm + nrates; 1119 } 1120 1121 /* 1122 * Add an HT Capabilities element to a frame (see 7.3.2.57). 1123 */ 1124 u_int8_t * 1125 ieee80211_add_htcaps(u_int8_t *frm, struct ieee80211com *ic) 1126 { 1127 *frm++ = IEEE80211_ELEMID_HTCAPS; 1128 *frm++ = 26; 1129 LE_WRITE_2(frm, ic->ic_htcaps); frm += 2; 1130 *frm++ = ic->ic_ampdu_params; 1131 memcpy(frm, ic->ic_sup_mcs, 10); frm += 10; 1132 LE_WRITE_2(frm, (ic->ic_max_rxrate & IEEE80211_MCS_RX_RATE_HIGH)); 1133 frm += 2; 1134 *frm++ = ic->ic_tx_mcs_set; 1135 *frm++ = 0; /* reserved */ 1136 *frm++ = 0; /* reserved */ 1137 *frm++ = 0; /* reserved */ 1138 LE_WRITE_2(frm, ic->ic_htxcaps); frm += 2; 1139 LE_WRITE_4(frm, ic->ic_txbfcaps); frm += 4; 1140 *frm++ = ic->ic_aselcaps; 1141 return frm; 1142 } 1143 1144 #ifndef IEEE80211_STA_ONLY 1145 /* 1146 * Add an HT Operation element to a frame (see 7.3.2.58). 1147 */ 1148 u_int8_t * 1149 ieee80211_add_htop(u_int8_t *frm, struct ieee80211com *ic) 1150 { 1151 *frm++ = IEEE80211_ELEMID_HTOP; 1152 *frm++ = 22; 1153 *frm++ = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1154 *frm++ = ic->ic_bss->ni_htop0; 1155 LE_WRITE_2(frm, ic->ic_bss->ni_htop1); frm += 2; 1156 LE_WRITE_2(frm, ic->ic_bss->ni_htop2); frm += 2; 1157 memset(frm, 0, 16); frm += 16; 1158 return frm; 1159 } 1160 #endif /* !IEEE80211_STA_ONLY */ 1161 1162 #ifndef IEEE80211_STA_ONLY 1163 /* 1164 * Add a Timeout Interval element to a frame (see 7.3.2.49). 1165 */ 1166 u_int8_t * 1167 ieee80211_add_tie(u_int8_t *frm, u_int8_t type, u_int32_t value) 1168 { 1169 *frm++ = IEEE80211_ELEMID_TIE; 1170 *frm++ = 5; /* length */ 1171 *frm++ = type; /* Timeout Interval type */ 1172 LE_WRITE_4(frm, value); 1173 return frm + 4; 1174 } 1175 #endif 1176 1177 struct mbuf * 1178 ieee80211_getmgmt(int flags, int type, u_int pktlen) 1179 { 1180 struct mbuf *m; 1181 1182 /* reserve space for 802.11 header */ 1183 pktlen += sizeof(struct ieee80211_frame); 1184 1185 if (pktlen > MCLBYTES) 1186 panic("management frame too large: %u", pktlen); 1187 MGETHDR(m, flags, type); 1188 if (m == NULL) 1189 return NULL; 1190 if (pktlen > MHLEN) { 1191 MCLGET(m, flags); 1192 if (!(m->m_flags & M_EXT)) 1193 return m_free(m); 1194 } 1195 m->m_data += sizeof(struct ieee80211_frame); 1196 return m; 1197 } 1198 1199 /*- 1200 * Probe request frame format: 1201 * [tlv] SSID 1202 * [tlv] Supported rates 1203 * [tlv] Extended Supported Rates (802.11g) 1204 * [tlv] HT Capabilities (802.11n) 1205 */ 1206 struct mbuf * 1207 ieee80211_get_probe_req(struct ieee80211com *ic, struct ieee80211_node *ni) 1208 { 1209 const struct ieee80211_rateset *rs = 1210 &ic->ic_sup_rates[ieee80211_chan2mode(ic, ni->ni_chan)]; 1211 struct mbuf *m; 1212 u_int8_t *frm; 1213 1214 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1215 2 + ic->ic_des_esslen + 1216 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1217 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1218 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1219 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 9 : 0)); 1220 if (m == NULL) 1221 return NULL; 1222 1223 frm = mtod(m, u_int8_t *); 1224 frm = ieee80211_add_ssid(frm, ic->ic_des_essid, ic->ic_des_esslen); 1225 frm = ieee80211_add_rates(frm, rs); 1226 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1227 frm = ieee80211_add_xrates(frm, rs); 1228 if (ic->ic_flags & IEEE80211_F_HTON) { 1229 frm = ieee80211_add_htcaps(frm, ic); 1230 frm = ieee80211_add_wme_info(frm, ic); 1231 } 1232 1233 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1234 1235 return m; 1236 } 1237 1238 #ifndef IEEE80211_STA_ONLY 1239 /*- 1240 * Probe response frame format: 1241 * [8] Timestamp 1242 * [2] Beacon interval 1243 * [2] Capability 1244 * [tlv] Service Set Identifier (SSID) 1245 * [tlv] Supported rates 1246 * [tlv] DS Parameter Set (802.11g) 1247 * [tlv] ERP Information (802.11g) 1248 * [tlv] Extended Supported Rates (802.11g) 1249 * [tlv] RSN (802.11i) 1250 * [tlv] EDCA Parameter Set (802.11e) 1251 * [tlv] HT Capabilities (802.11n) 1252 * [tlv] HT Operation (802.11n) 1253 */ 1254 struct mbuf * 1255 ieee80211_get_probe_resp(struct ieee80211com *ic) 1256 { 1257 const struct ieee80211_rateset *rs = &ic->ic_bss->ni_rates; 1258 struct mbuf *m; 1259 u_int8_t *frm; 1260 1261 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1262 8 + 2 + 2 + 1263 2 + ic->ic_bss->ni_esslen + 1264 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1265 2 + 1 + 1266 ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 + 2 : 0) + 1267 ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) + 1268 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1269 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1270 (((ic->ic_flags & IEEE80211_F_RSNON) && 1271 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 1272 2 + IEEE80211_RSNIE_MAXLEN : 0) + 1273 ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) + 1274 (((ic->ic_flags & IEEE80211_F_RSNON) && 1275 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 1276 2 + IEEE80211_WPAIE_MAXLEN : 0) + 1277 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0)); 1278 if (m == NULL) 1279 return NULL; 1280 1281 frm = mtod(m, u_int8_t *); 1282 memset(frm, 0, 8); frm += 8; /* timestamp is set by hardware */ 1283 LE_WRITE_2(frm, ic->ic_bss->ni_intval); frm += 2; 1284 frm = ieee80211_add_capinfo(frm, ic, ic->ic_bss); 1285 frm = ieee80211_add_ssid(frm, ic->ic_bss->ni_essid, 1286 ic->ic_bss->ni_esslen); 1287 frm = ieee80211_add_rates(frm, rs); 1288 frm = ieee80211_add_ds_params(frm, ic, ic->ic_bss); 1289 if (ic->ic_opmode == IEEE80211_M_IBSS) 1290 frm = ieee80211_add_ibss_params(frm, ic->ic_bss); 1291 if (ic->ic_curmode == IEEE80211_MODE_11G) 1292 frm = ieee80211_add_erp(frm, ic); 1293 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1294 frm = ieee80211_add_xrates(frm, rs); 1295 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1296 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN)) 1297 frm = ieee80211_add_rsn(frm, ic, ic->ic_bss); 1298 if (ic->ic_flags & IEEE80211_F_QOS) 1299 frm = ieee80211_add_edca_params(frm, ic); 1300 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1301 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA)) 1302 frm = ieee80211_add_wpa(frm, ic, ic->ic_bss); 1303 if (ic->ic_flags & IEEE80211_F_HTON) { 1304 frm = ieee80211_add_htcaps(frm, ic); 1305 frm = ieee80211_add_htop(frm, ic); 1306 frm = ieee80211_add_wme_param(frm, ic); 1307 } 1308 1309 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1310 1311 return m; 1312 } 1313 #endif /* IEEE80211_STA_ONLY */ 1314 1315 /*- 1316 * Authentication frame format: 1317 * [2] Authentication algorithm number 1318 * [2] Authentication transaction sequence number 1319 * [2] Status code 1320 */ 1321 struct mbuf * 1322 ieee80211_get_auth(struct ieee80211com *ic, struct ieee80211_node *ni, 1323 u_int16_t status, u_int16_t seq) 1324 { 1325 struct mbuf *m; 1326 u_int8_t *frm; 1327 1328 MGETHDR(m, M_DONTWAIT, MT_DATA); 1329 if (m == NULL) 1330 return NULL; 1331 m_align(m, 2 * 3); 1332 m->m_pkthdr.len = m->m_len = 2 * 3; 1333 1334 frm = mtod(m, u_int8_t *); 1335 LE_WRITE_2(frm, IEEE80211_AUTH_ALG_OPEN); frm += 2; 1336 LE_WRITE_2(frm, seq); frm += 2; 1337 LE_WRITE_2(frm, status); 1338 1339 return m; 1340 } 1341 1342 /*- 1343 * Deauthentication frame format: 1344 * [2] Reason code 1345 */ 1346 struct mbuf * 1347 ieee80211_get_deauth(struct ieee80211com *ic, struct ieee80211_node *ni, 1348 u_int16_t reason) 1349 { 1350 struct mbuf *m; 1351 1352 MGETHDR(m, M_DONTWAIT, MT_DATA); 1353 if (m == NULL) 1354 return NULL; 1355 m_align(m, 2); 1356 m->m_pkthdr.len = m->m_len = 2; 1357 1358 *mtod(m, u_int16_t *) = htole16(reason); 1359 1360 return m; 1361 } 1362 1363 /*- 1364 * (Re)Association request frame format: 1365 * [2] Capability information 1366 * [2] Listen interval 1367 * [6*] Current AP address (Reassociation only) 1368 * [tlv] SSID 1369 * [tlv] Supported rates 1370 * [tlv] Extended Supported Rates (802.11g) 1371 * [tlv] RSN (802.11i) 1372 * [tlv] QoS Capability (802.11e) 1373 * [tlv] HT Capabilities (802.11n) 1374 */ 1375 struct mbuf * 1376 ieee80211_get_assoc_req(struct ieee80211com *ic, struct ieee80211_node *ni, 1377 int type) 1378 { 1379 const struct ieee80211_rateset *rs = &ni->ni_rates; 1380 struct mbuf *m; 1381 u_int8_t *frm; 1382 u_int16_t capinfo; 1383 1384 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1385 2 + 2 + 1386 ((type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) ? 1387 IEEE80211_ADDR_LEN : 0) + 1388 2 + ni->ni_esslen + 1389 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1390 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1391 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1392 (((ic->ic_flags & IEEE80211_F_RSNON) && 1393 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 1394 2 + IEEE80211_RSNIE_MAXLEN : 0) + 1395 ((ni->ni_flags & IEEE80211_NODE_QOS) ? 2 + 1 : 0) + 1396 (((ic->ic_flags & IEEE80211_F_RSNON) && 1397 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 1398 2 + IEEE80211_WPAIE_MAXLEN : 0) + 1399 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 9 : 0)); 1400 if (m == NULL) 1401 return NULL; 1402 1403 frm = mtod(m, u_int8_t *); 1404 capinfo = IEEE80211_CAPINFO_ESS; 1405 if (ic->ic_flags & IEEE80211_F_WEPON) 1406 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1407 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1408 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) 1409 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1410 if (ic->ic_caps & IEEE80211_C_SHSLOT) 1411 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1412 LE_WRITE_2(frm, capinfo); frm += 2; 1413 LE_WRITE_2(frm, ic->ic_lintval); frm += 2; 1414 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1415 IEEE80211_ADDR_COPY(frm, ic->ic_bss->ni_bssid); 1416 frm += IEEE80211_ADDR_LEN; 1417 } 1418 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 1419 frm = ieee80211_add_rates(frm, rs); 1420 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1421 frm = ieee80211_add_xrates(frm, rs); 1422 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1423 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) 1424 frm = ieee80211_add_rsn(frm, ic, ni); 1425 if (ni->ni_flags & IEEE80211_NODE_QOS) 1426 frm = ieee80211_add_qos_capability(frm, ic); 1427 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1428 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) 1429 frm = ieee80211_add_wpa(frm, ic, ni); 1430 if (ic->ic_flags & IEEE80211_F_HTON) { 1431 frm = ieee80211_add_htcaps(frm, ic); 1432 frm = ieee80211_add_wme_info(frm, ic); 1433 } 1434 1435 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1436 1437 return m; 1438 } 1439 1440 #ifndef IEEE80211_STA_ONLY 1441 /*- 1442 * (Re)Association response frame format: 1443 * [2] Capability information 1444 * [2] Status code 1445 * [2] Association ID (AID) 1446 * [tlv] Supported rates 1447 * [tlv] Extended Supported Rates (802.11g) 1448 * [tlv] EDCA Parameter Set (802.11e) 1449 * [tlv] Timeout Interval (802.11w) 1450 * [tlv] HT Capabilities (802.11n) 1451 * [tlv] HT Operation (802.11n) 1452 */ 1453 struct mbuf * 1454 ieee80211_get_assoc_resp(struct ieee80211com *ic, struct ieee80211_node *ni, 1455 u_int16_t status) 1456 { 1457 const struct ieee80211_rateset *rs = &ni->ni_rates; 1458 struct mbuf *m; 1459 u_int8_t *frm; 1460 1461 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1462 2 + 2 + 2 + 1463 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1464 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1465 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1466 ((ni->ni_flags & IEEE80211_NODE_QOS) ? 2 + 18 : 0) + 1467 ((status == IEEE80211_STATUS_TRY_AGAIN_LATER) ? 2 + 7 : 0) + 1468 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0)); 1469 if (m == NULL) 1470 return NULL; 1471 1472 frm = mtod(m, u_int8_t *); 1473 frm = ieee80211_add_capinfo(frm, ic, ni); 1474 LE_WRITE_2(frm, status); frm += 2; 1475 if (status == IEEE80211_STATUS_SUCCESS) 1476 LE_WRITE_2(frm, ni->ni_associd); 1477 else 1478 LE_WRITE_2(frm, 0); 1479 frm += 2; 1480 frm = ieee80211_add_rates(frm, rs); 1481 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1482 frm = ieee80211_add_xrates(frm, rs); 1483 if (ni->ni_flags & IEEE80211_NODE_QOS) 1484 frm = ieee80211_add_edca_params(frm, ic); 1485 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 1486 status == IEEE80211_STATUS_TRY_AGAIN_LATER) { 1487 /* Association Comeback Time */ 1488 frm = ieee80211_add_tie(frm, 3, 1000 /* XXX */); 1489 } 1490 if (ic->ic_flags & IEEE80211_F_HTON) { 1491 frm = ieee80211_add_htcaps(frm, ic); 1492 frm = ieee80211_add_htop(frm, ic); 1493 frm = ieee80211_add_wme_param(frm, ic); 1494 } 1495 1496 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1497 1498 return m; 1499 } 1500 #endif /* IEEE80211_STA_ONLY */ 1501 1502 /*- 1503 * Disassociation frame format: 1504 * [2] Reason code 1505 */ 1506 struct mbuf * 1507 ieee80211_get_disassoc(struct ieee80211com *ic, struct ieee80211_node *ni, 1508 u_int16_t reason) 1509 { 1510 struct mbuf *m; 1511 1512 MGETHDR(m, M_DONTWAIT, MT_DATA); 1513 if (m == NULL) 1514 return NULL; 1515 m_align(m, 2); 1516 m->m_pkthdr.len = m->m_len = 2; 1517 1518 *mtod(m, u_int16_t *) = htole16(reason); 1519 1520 return m; 1521 } 1522 1523 /*- 1524 * ADDBA Request frame format: 1525 * [1] Category 1526 * [1] Action 1527 * [1] Dialog Token 1528 * [2] Block Ack Parameter Set 1529 * [2] Block Ack Timeout Value 1530 * [2] Block Ack Starting Sequence Control 1531 */ 1532 struct mbuf * 1533 ieee80211_get_addba_req(struct ieee80211com *ic, struct ieee80211_node *ni, 1534 u_int8_t tid) 1535 { 1536 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1537 struct mbuf *m; 1538 u_int8_t *frm; 1539 1540 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 9); 1541 if (m == NULL) 1542 return m; 1543 1544 frm = mtod(m, u_int8_t *); 1545 *frm++ = IEEE80211_CATEG_BA; 1546 *frm++ = IEEE80211_ACTION_ADDBA_REQ; 1547 *frm++ = ba->ba_token; 1548 LE_WRITE_2(frm, ba->ba_params); frm += 2; 1549 LE_WRITE_2(frm, ba->ba_timeout_val / IEEE80211_DUR_TU); frm += 2; 1550 LE_WRITE_2(frm, ba->ba_winstart << IEEE80211_SEQ_SEQ_SHIFT); frm += 2; 1551 1552 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1553 1554 return m; 1555 } 1556 1557 /* Move Tx BA window forward to the specified SSN. */ 1558 void 1559 ieee80211_output_ba_move_window(struct ieee80211com *ic, 1560 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn) 1561 { 1562 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1563 uint16_t s = ba->ba_winstart; 1564 1565 while (SEQ_LT(s, ssn) && ba->ba_bitmap) { 1566 s = (s + 1) % 0xfff; 1567 ba->ba_bitmap >>= 1; 1568 } 1569 1570 ba->ba_winstart = (ssn & 0xfff); 1571 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 1572 } 1573 1574 /* 1575 * Move Tx BA window forward up to the first hole in the bitmap 1576 * or up to the specified SSN, whichever comes first. 1577 * After calling this function, frames before the start of the 1578 * potentially changed BA window should be discarded. 1579 */ 1580 void 1581 ieee80211_output_ba_move_window_to_first_unacked(struct ieee80211com *ic, 1582 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn) 1583 { 1584 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1585 uint16_t s = ba->ba_winstart; 1586 uint64_t bitmap = ba->ba_bitmap; 1587 int can_move_window = 0; 1588 1589 while (bitmap && SEQ_LT(s, ssn)) { 1590 if ((bitmap & 1) == 0) 1591 break; 1592 s = (s + 1) % 0xfff; 1593 bitmap >>= 1; 1594 can_move_window = 1; 1595 } 1596 1597 if (can_move_window) 1598 ieee80211_output_ba_move_window(ic, ni, tid, s); 1599 } 1600 1601 /* Record an ACK for a frame with a given SSN within the Tx BA window. */ 1602 void 1603 ieee80211_output_ba_record_ack(struct ieee80211com *ic, 1604 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn) 1605 { 1606 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1607 int i = 0; 1608 uint16_t s = ba->ba_winstart; 1609 1610 KASSERT(!SEQ_LT(ssn, ba->ba_winstart)); 1611 KASSERT(!SEQ_LT(ba->ba_winend, ssn)); 1612 1613 while (SEQ_LT(s, ssn)) { 1614 s = (s + 1) % 0xfff; 1615 i++; 1616 } 1617 if (i < ba->ba_winsize) 1618 ba->ba_bitmap |= (1 << i); 1619 } 1620 1621 /*- 1622 * ADDBA Response frame format: 1623 * [1] Category 1624 * [1] Action 1625 * [1] Dialog Token 1626 * [2] Status Code 1627 * [2] Block Ack Parameter Set 1628 * [2] Block Ack Timeout Value 1629 */ 1630 struct mbuf * 1631 ieee80211_get_addba_resp(struct ieee80211com *ic, struct ieee80211_node *ni, 1632 u_int8_t tid, u_int8_t token, u_int16_t status) 1633 { 1634 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 1635 struct mbuf *m; 1636 u_int8_t *frm; 1637 u_int16_t params; 1638 1639 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 9); 1640 if (m == NULL) 1641 return m; 1642 1643 frm = mtod(m, u_int8_t *); 1644 *frm++ = IEEE80211_CATEG_BA; 1645 *frm++ = IEEE80211_ACTION_ADDBA_RESP; 1646 *frm++ = token; 1647 LE_WRITE_2(frm, status); frm += 2; 1648 if (status == 0) 1649 params = ba->ba_params; 1650 else 1651 params = tid << IEEE80211_ADDBA_TID_SHIFT; 1652 LE_WRITE_2(frm, params); frm += 2; 1653 if (status == 0) 1654 LE_WRITE_2(frm, ba->ba_timeout_val / IEEE80211_DUR_TU); 1655 else 1656 LE_WRITE_2(frm, 0); 1657 frm += 2; 1658 1659 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1660 1661 return m; 1662 } 1663 1664 /*- 1665 * DELBA frame format: 1666 * [1] Category 1667 * [1] Action 1668 * [2] DELBA Parameter Set 1669 * [2] Reason Code 1670 */ 1671 struct mbuf * 1672 ieee80211_get_delba(struct ieee80211com *ic, struct ieee80211_node *ni, 1673 u_int8_t tid, u_int8_t dir, u_int16_t reason) 1674 { 1675 struct mbuf *m; 1676 u_int8_t *frm; 1677 u_int16_t params; 1678 1679 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 6); 1680 if (m == NULL) 1681 return m; 1682 1683 frm = mtod(m, u_int8_t *); 1684 *frm++ = IEEE80211_CATEG_BA; 1685 *frm++ = IEEE80211_ACTION_DELBA; 1686 params = tid << 12; 1687 if (dir) 1688 params |= IEEE80211_DELBA_INITIATOR; 1689 LE_WRITE_2(frm, params); frm += 2; 1690 LE_WRITE_2(frm, reason); frm += 2; 1691 1692 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1693 1694 return m; 1695 } 1696 1697 /*- 1698 * SA Query Request/Response frame format: 1699 * [1] Category 1700 * [1] Action 1701 * [16] Transaction Identifier 1702 */ 1703 struct mbuf * 1704 ieee80211_get_sa_query(struct ieee80211com *ic, struct ieee80211_node *ni, 1705 u_int8_t action) 1706 { 1707 struct mbuf *m; 1708 u_int8_t *frm; 1709 1710 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 4); 1711 if (m == NULL) 1712 return NULL; 1713 1714 frm = mtod(m, u_int8_t *); 1715 *frm++ = IEEE80211_CATEG_SA_QUERY; 1716 *frm++ = action; /* ACTION_SA_QUERY_REQ/RESP */ 1717 LE_WRITE_2(frm, ni->ni_sa_query_trid); frm += 2; 1718 1719 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1720 1721 return m; 1722 } 1723 1724 struct mbuf * 1725 ieee80211_get_action(struct ieee80211com *ic, struct ieee80211_node *ni, 1726 u_int8_t categ, u_int8_t action, int arg) 1727 { 1728 struct mbuf *m = NULL; 1729 1730 switch (categ) { 1731 case IEEE80211_CATEG_BA: 1732 switch (action) { 1733 case IEEE80211_ACTION_ADDBA_REQ: 1734 m = ieee80211_get_addba_req(ic, ni, arg & 0xffff); 1735 break; 1736 case IEEE80211_ACTION_ADDBA_RESP: 1737 m = ieee80211_get_addba_resp(ic, ni, arg & 0xff, 1738 arg >> 8, arg >> 16); 1739 break; 1740 case IEEE80211_ACTION_DELBA: 1741 m = ieee80211_get_delba(ic, ni, arg & 0xff, arg >> 8, 1742 arg >> 16); 1743 break; 1744 } 1745 break; 1746 case IEEE80211_CATEG_SA_QUERY: 1747 switch (action) { 1748 #ifndef IEEE80211_STA_ONLY 1749 case IEEE80211_ACTION_SA_QUERY_REQ: 1750 #endif 1751 case IEEE80211_ACTION_SA_QUERY_RESP: 1752 m = ieee80211_get_sa_query(ic, ni, action); 1753 break; 1754 } 1755 break; 1756 } 1757 return m; 1758 } 1759 1760 /* 1761 * Send a management frame. The node is for the destination (or ic_bss 1762 * when in station mode). Nodes other than ic_bss have their reference 1763 * count bumped to reflect our use for an indeterminant time. 1764 */ 1765 int 1766 ieee80211_send_mgmt(struct ieee80211com *ic, struct ieee80211_node *ni, 1767 int type, int arg1, int arg2) 1768 { 1769 #define senderr(_x, _v) do { ic->ic_stats._v++; ret = _x; goto bad; } while (0) 1770 struct ifnet *ifp = &ic->ic_if; 1771 struct mbuf *m; 1772 int ret, timer; 1773 1774 if (ni == NULL) 1775 panic("null node"); 1776 1777 /* 1778 * Hold a reference on the node so it doesn't go away until after 1779 * the xmit is complete all the way in the driver. On error we 1780 * will remove our reference. 1781 */ 1782 ieee80211_ref_node(ni); 1783 timer = 0; 1784 switch (type) { 1785 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1786 if ((m = ieee80211_get_probe_req(ic, ni)) == NULL) 1787 senderr(ENOMEM, is_tx_nombuf); 1788 1789 timer = IEEE80211_TRANS_WAIT; 1790 break; 1791 #ifndef IEEE80211_STA_ONLY 1792 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1793 if ((m = ieee80211_get_probe_resp(ic)) == NULL) 1794 senderr(ENOMEM, is_tx_nombuf); 1795 break; 1796 #endif 1797 case IEEE80211_FC0_SUBTYPE_AUTH: 1798 m = ieee80211_get_auth(ic, ni, arg1 >> 16, arg1 & 0xffff); 1799 if (m == NULL) 1800 senderr(ENOMEM, is_tx_nombuf); 1801 1802 if (ic->ic_opmode == IEEE80211_M_STA) 1803 timer = IEEE80211_TRANS_WAIT; 1804 break; 1805 1806 case IEEE80211_FC0_SUBTYPE_DEAUTH: 1807 if ((m = ieee80211_get_deauth(ic, ni, arg1)) == NULL) 1808 senderr(ENOMEM, is_tx_nombuf); 1809 #ifndef IEEE80211_STA_ONLY 1810 if ((ifp->if_flags & IFF_DEBUG) && 1811 (ic->ic_opmode == IEEE80211_M_HOSTAP || 1812 ic->ic_opmode == IEEE80211_M_IBSS)) 1813 printf("%s: station %s deauthenticate (reason %d)\n", 1814 ifp->if_xname, ether_sprintf(ni->ni_macaddr), 1815 arg1); 1816 #endif 1817 break; 1818 1819 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1820 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 1821 if ((m = ieee80211_get_assoc_req(ic, ni, type)) == NULL) 1822 senderr(ENOMEM, is_tx_nombuf); 1823 1824 timer = IEEE80211_TRANS_WAIT; 1825 break; 1826 #ifndef IEEE80211_STA_ONLY 1827 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 1828 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 1829 if ((m = ieee80211_get_assoc_resp(ic, ni, arg1)) == NULL) 1830 senderr(ENOMEM, is_tx_nombuf); 1831 break; 1832 #endif 1833 case IEEE80211_FC0_SUBTYPE_DISASSOC: 1834 if ((m = ieee80211_get_disassoc(ic, ni, arg1)) == NULL) 1835 senderr(ENOMEM, is_tx_nombuf); 1836 #ifndef IEEE80211_STA_ONLY 1837 if ((ifp->if_flags & IFF_DEBUG) && 1838 (ic->ic_opmode == IEEE80211_M_HOSTAP || 1839 ic->ic_opmode == IEEE80211_M_IBSS)) 1840 printf("%s: station %s disassociate (reason %d)\n", 1841 ifp->if_xname, ether_sprintf(ni->ni_macaddr), 1842 arg1); 1843 #endif 1844 break; 1845 1846 case IEEE80211_FC0_SUBTYPE_ACTION: 1847 m = ieee80211_get_action(ic, ni, arg1 >> 16, arg1 & 0xffff, 1848 arg2); 1849 if (m == NULL) 1850 senderr(ENOMEM, is_tx_nombuf); 1851 break; 1852 1853 default: 1854 DPRINTF(("invalid mgmt frame type %u\n", type)); 1855 senderr(EINVAL, is_tx_unknownmgt); 1856 /* NOTREACHED */ 1857 } 1858 1859 ret = ieee80211_mgmt_output(ifp, ni, m, type); 1860 if (ret == 0) { 1861 if (timer) 1862 ic->ic_mgt_timer = timer; 1863 } else { 1864 bad: 1865 ieee80211_release_node(ic, ni); 1866 } 1867 return ret; 1868 #undef senderr 1869 } 1870 1871 /* 1872 * Build a RTS (Request To Send) control frame (see 7.2.1.1). 1873 */ 1874 struct mbuf * 1875 ieee80211_get_rts(struct ieee80211com *ic, const struct ieee80211_frame *wh, 1876 u_int16_t dur) 1877 { 1878 struct ieee80211_frame_rts *rts; 1879 struct mbuf *m; 1880 1881 MGETHDR(m, M_DONTWAIT, MT_DATA); 1882 if (m == NULL) 1883 return NULL; 1884 1885 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts); 1886 1887 rts = mtod(m, struct ieee80211_frame_rts *); 1888 rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 1889 IEEE80211_FC0_SUBTYPE_RTS; 1890 rts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1891 *(u_int16_t *)rts->i_dur = htole16(dur); 1892 IEEE80211_ADDR_COPY(rts->i_ra, wh->i_addr1); 1893 IEEE80211_ADDR_COPY(rts->i_ta, wh->i_addr2); 1894 1895 return m; 1896 } 1897 1898 /* 1899 * Build a CTS-to-self (Clear To Send) control frame (see 7.2.1.2). 1900 */ 1901 struct mbuf * 1902 ieee80211_get_cts_to_self(struct ieee80211com *ic, u_int16_t dur) 1903 { 1904 struct ieee80211_frame_cts *cts; 1905 struct mbuf *m; 1906 1907 MGETHDR(m, M_DONTWAIT, MT_DATA); 1908 if (m == NULL) 1909 return NULL; 1910 1911 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts); 1912 1913 cts = mtod(m, struct ieee80211_frame_cts *); 1914 cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 1915 IEEE80211_FC0_SUBTYPE_CTS; 1916 cts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1917 *(u_int16_t *)cts->i_dur = htole16(dur); 1918 IEEE80211_ADDR_COPY(cts->i_ra, ic->ic_myaddr); 1919 1920 return m; 1921 } 1922 1923 /* 1924 * Build a compressed Block Ack Request control frame. 1925 */ 1926 struct mbuf * 1927 ieee80211_get_compressed_bar(struct ieee80211com *ic, 1928 struct ieee80211_node *ni, int tid, uint16_t ssn) 1929 { 1930 struct ieee80211_frame_min *wh; 1931 uint8_t *frm; 1932 uint16_t ctl; 1933 struct mbuf *m; 1934 1935 MGETHDR(m, M_DONTWAIT, MT_DATA); 1936 if (m == NULL) 1937 return NULL; 1938 1939 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_min) + 1940 sizeof(ctl) + sizeof(ssn); 1941 1942 wh = mtod(m, struct ieee80211_frame_min *); 1943 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 1944 IEEE80211_FC0_SUBTYPE_BAR; 1945 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1946 *(u_int16_t *)wh->i_dur = 0; 1947 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1948 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 1949 frm = (uint8_t *)&wh[1]; 1950 1951 ctl = IEEE80211_BA_COMPRESSED | (tid << IEEE80211_BA_TID_INFO_SHIFT); 1952 LE_WRITE_2(frm, ctl); 1953 frm += 2; 1954 1955 LE_WRITE_2(frm, ssn << IEEE80211_SEQ_SEQ_SHIFT); 1956 frm += 2; 1957 1958 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1959 m->m_pkthdr.ph_cookie = ni; 1960 1961 return m; 1962 } 1963 1964 #ifndef IEEE80211_STA_ONLY 1965 /*- 1966 * Beacon frame format: 1967 * [8] Timestamp 1968 * [2] Beacon interval 1969 * [2] Capability 1970 * [tlv] Service Set Identifier (SSID) 1971 * [tlv] Supported rates 1972 * [tlv] DS Parameter Set (802.11g) 1973 * [tlv] IBSS Parameter Set 1974 * [tlv] Traffic Indication Map (TIM) 1975 * [tlv] ERP Information (802.11g) 1976 * [tlv] Extended Supported Rates (802.11g) 1977 * [tlv] RSN (802.11i) 1978 * [tlv] EDCA Parameter Set (802.11e) 1979 * [tlv] HT Capabilities (802.11n) 1980 * [tlv] HT Operation (802.11n) 1981 */ 1982 struct mbuf * 1983 ieee80211_beacon_alloc(struct ieee80211com *ic, struct ieee80211_node *ni) 1984 { 1985 const struct ieee80211_rateset *rs = &ni->ni_rates; 1986 struct ieee80211_frame *wh; 1987 struct mbuf *m; 1988 u_int8_t *frm; 1989 1990 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1991 8 + 2 + 2 + 1992 2 + ((ic->ic_userflags & IEEE80211_F_HIDENWID) ? 1993 0 : ni->ni_esslen) + 1994 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1995 2 + 1 + 1996 2 + ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 : 254) + 1997 ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) + 1998 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1999 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 2000 (((ic->ic_flags & IEEE80211_F_RSNON) && 2001 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 2002 2 + IEEE80211_RSNIE_MAXLEN : 0) + 2003 ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) + 2004 (((ic->ic_flags & IEEE80211_F_RSNON) && 2005 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 2006 2 + IEEE80211_WPAIE_MAXLEN : 0) + 2007 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0)); 2008 if (m == NULL) 2009 return NULL; 2010 2011 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 2012 if (m == NULL) 2013 return NULL; 2014 wh = mtod(m, struct ieee80211_frame *); 2015 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | 2016 IEEE80211_FC0_SUBTYPE_BEACON; 2017 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2018 *(u_int16_t *)wh->i_dur = 0; 2019 IEEE80211_ADDR_COPY(wh->i_addr1, etherbroadcastaddr); 2020 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 2021 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 2022 *(u_int16_t *)wh->i_seq = 0; 2023 2024 frm = (u_int8_t *)&wh[1]; 2025 memset(frm, 0, 8); frm += 8; /* timestamp is set by hardware */ 2026 LE_WRITE_2(frm, ni->ni_intval); frm += 2; 2027 frm = ieee80211_add_capinfo(frm, ic, ni); 2028 if (ic->ic_userflags & IEEE80211_F_HIDENWID) 2029 frm = ieee80211_add_ssid(frm, NULL, 0); 2030 else 2031 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 2032 frm = ieee80211_add_rates(frm, rs); 2033 frm = ieee80211_add_ds_params(frm, ic, ni); 2034 if (ic->ic_opmode == IEEE80211_M_IBSS) 2035 frm = ieee80211_add_ibss_params(frm, ni); 2036 else 2037 frm = ieee80211_add_tim(frm, ic); 2038 if (ic->ic_curmode == IEEE80211_MODE_11G) 2039 frm = ieee80211_add_erp(frm, ic); 2040 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 2041 frm = ieee80211_add_xrates(frm, rs); 2042 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2043 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) 2044 frm = ieee80211_add_rsn(frm, ic, ni); 2045 if (ic->ic_flags & IEEE80211_F_QOS) 2046 frm = ieee80211_add_edca_params(frm, ic); 2047 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2048 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) 2049 frm = ieee80211_add_wpa(frm, ic, ni); 2050 if (ic->ic_flags & IEEE80211_F_HTON) { 2051 frm = ieee80211_add_htcaps(frm, ic); 2052 frm = ieee80211_add_htop(frm, ic); 2053 frm = ieee80211_add_wme_param(frm, ic); 2054 } 2055 2056 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 2057 m->m_pkthdr.ph_cookie = ni; 2058 2059 return m; 2060 } 2061 2062 /* 2063 * Check if an outgoing MSDU or management frame should be buffered into 2064 * the AP for power management. Return 1 if the frame was buffered into 2065 * the AP, or 0 if the frame shall be transmitted immediately. 2066 */ 2067 int 2068 ieee80211_pwrsave(struct ieee80211com *ic, struct mbuf *m, 2069 struct ieee80211_node *ni) 2070 { 2071 const struct ieee80211_frame *wh; 2072 int pssta = 0; 2073 2074 KASSERT(ic->ic_opmode == IEEE80211_M_HOSTAP); 2075 if (!(ic->ic_caps & IEEE80211_C_APPMGT)) 2076 return 0; 2077 2078 wh = mtod(m, struct ieee80211_frame *); 2079 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2080 /* 2081 * Buffer group addressed MSDUs with the Order bit clear 2082 * if any associated STAs are in PS mode. 2083 */ 2084 ieee80211_iterate_nodes(ic, ieee80211_count_pssta, &pssta); 2085 if ((wh->i_fc[1] & IEEE80211_FC1_ORDER) || pssta == 0) 2086 return 0; 2087 ic->ic_tim_mcast_pending = 1; 2088 } else { 2089 /* 2090 * Buffer MSDUs, A-MSDUs or management frames destined for 2091 * PS STAs. 2092 */ 2093 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE || 2094 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == 2095 IEEE80211_FC0_TYPE_CTL) 2096 return 0; 2097 if (mq_empty(&ni->ni_savedq)) 2098 (*ic->ic_set_tim)(ic, ni->ni_associd, 1); 2099 } 2100 /* NB: ni == ic->ic_bss for broadcast/multicast */ 2101 /* 2102 * Similar to ieee80211_mgmt_output, store the node in a 2103 * special pkthdr field. 2104 */ 2105 m->m_pkthdr.ph_cookie = ni; 2106 mq_enqueue(&ni->ni_savedq, m); 2107 return 1; 2108 } 2109 #endif /* IEEE80211_STA_ONLY */ 2110