1 /* $OpenBSD: ieee80211_output.c,v 1.79 2008/09/27 15:16:09 damien Exp $ */ 2 /* $NetBSD: ieee80211_output.c,v 1.13 2004/05/31 11:02:55 dyoung Exp $ */ 3 4 /*- 5 * Copyright (c) 2001 Atsushi Onoe 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * Copyright (c) 2007, 2008 Damien Bergamini 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "bpfilter.h" 34 #include "vlan.h" 35 36 #include <sys/param.h> 37 #include <sys/systm.h> 38 #include <sys/mbuf.h> 39 #include <sys/kernel.h> 40 #include <sys/socket.h> 41 #include <sys/sockio.h> 42 #include <sys/endian.h> 43 #include <sys/errno.h> 44 #include <sys/proc.h> 45 #include <sys/sysctl.h> 46 47 #include <net/if.h> 48 #include <net/if_dl.h> 49 #include <net/if_media.h> 50 #include <net/if_arp.h> 51 #include <net/if_llc.h> 52 #include <net/bpf.h> 53 54 #ifdef INET 55 #include <netinet/in.h> 56 #include <netinet/if_ether.h> 57 #include <netinet/in_systm.h> 58 #include <netinet/ip.h> 59 #ifdef INET6 60 #include <netinet/ip6.h> 61 #endif 62 #endif 63 64 #if NVLAN > 0 65 #include <net/if_types.h> 66 #include <net/if_vlan_var.h> 67 #endif 68 69 #include <net80211/ieee80211_var.h> 70 #include <net80211/ieee80211_priv.h> 71 72 int ieee80211_classify(struct ieee80211com *, struct mbuf *); 73 int ieee80211_mgmt_output(struct ifnet *, struct ieee80211_node *, 74 struct mbuf *, int); 75 u_int8_t *ieee80211_add_rsn_body(u_int8_t *, struct ieee80211com *, 76 const struct ieee80211_node *, int); 77 struct mbuf *ieee80211_getmgmt(int, int, u_int); 78 struct mbuf *ieee80211_get_probe_req(struct ieee80211com *, 79 struct ieee80211_node *); 80 #ifndef IEEE80211_STA_ONLY 81 struct mbuf *ieee80211_get_probe_resp(struct ieee80211com *, 82 struct ieee80211_node *); 83 #endif 84 struct mbuf *ieee80211_get_auth(struct ieee80211com *, 85 struct ieee80211_node *, u_int16_t, u_int16_t); 86 struct mbuf *ieee80211_get_deauth(struct ieee80211com *, 87 struct ieee80211_node *, u_int16_t); 88 struct mbuf *ieee80211_get_assoc_req(struct ieee80211com *, 89 struct ieee80211_node *, int); 90 #ifndef IEEE80211_STA_ONLY 91 struct mbuf *ieee80211_get_assoc_resp(struct ieee80211com *, 92 struct ieee80211_node *, u_int16_t); 93 #endif 94 struct mbuf *ieee80211_get_disassoc(struct ieee80211com *, 95 struct ieee80211_node *, u_int16_t); 96 97 /* 98 * IEEE 802.11 output routine. Normally this will directly call the 99 * Ethernet output routine because 802.11 encapsulation is called 100 * later by the driver. This function can be used to send raw frames 101 * if the mbuf has been tagged with a 802.11 data link type. 102 */ 103 int 104 ieee80211_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, 105 struct rtentry *rt) 106 { 107 struct m_tag *mtag; 108 int s, len, error = 0; 109 u_short mflags; 110 111 /* Interface has to be up and running */ 112 if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) != 113 (IFF_UP | IFF_RUNNING)) { 114 error = ENETDOWN; 115 goto bad; 116 } 117 118 /* Try to get the DLT from a mbuf tag */ 119 if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) { 120 u_int dlt = *(u_int *)(mtag + 1); 121 122 /* Fallback to ethernet for non-802.11 linktypes */ 123 if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO)) 124 goto fallback; 125 126 /* 127 * Queue message on interface without adding any 128 * further headers, and start output if interface not 129 * yet active. 130 */ 131 mflags = m->m_flags; 132 len = m->m_pkthdr.len; 133 s = splnet(); 134 IFQ_ENQUEUE(&ifp->if_snd, m, NULL, error); 135 if (error) { 136 /* mbuf is already freed */ 137 splx(s); 138 printf("%s: failed to queue raw tx frame\n", 139 ifp->if_xname); 140 return (error); 141 } 142 ifp->if_obytes += len; 143 if (mflags & M_MCAST) 144 ifp->if_omcasts++; 145 if ((ifp->if_flags & IFF_OACTIVE) == 0) 146 (*ifp->if_start)(ifp); 147 splx(s); 148 149 return (error); 150 } 151 152 fallback: 153 return (ether_output(ifp, m, dst, rt)); 154 155 bad: 156 if (m) 157 m_freem(m); 158 return (error); 159 } 160 161 /* 162 * Send a management frame to the specified node. The node pointer 163 * must have a reference as the pointer will be passed to the driver 164 * and potentially held for a long time. If the frame is successfully 165 * dispatched to the driver, then it is responsible for freeing the 166 * reference (and potentially free'ing up any associated storage). 167 */ 168 int 169 ieee80211_mgmt_output(struct ifnet *ifp, struct ieee80211_node *ni, 170 struct mbuf *m, int type) 171 { 172 struct ieee80211com *ic = (void *)ifp; 173 struct ieee80211_frame *wh; 174 175 if (ni == NULL) 176 panic("null node"); 177 ni->ni_inact = 0; 178 179 /* 180 * Yech, hack alert! We want to pass the node down to the 181 * driver's start routine. We could stick this in an m_tag 182 * and tack that on to the mbuf. However that's rather 183 * expensive to do for every frame so instead we stuff it in 184 * the rcvif field since outbound frames do not (presently) 185 * use this. 186 */ 187 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 188 if (m == NULL) 189 return ENOMEM; 190 m->m_pkthdr.rcvif = (void *)ni; 191 192 wh = mtod(m, struct ieee80211_frame *); 193 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | type; 194 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 195 *(u_int16_t *)&wh->i_dur[0] = 0; 196 *(u_int16_t *)&wh->i_seq[0] = 197 htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT); 198 ni->ni_txseq++; 199 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 200 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 201 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 202 203 /* check if protection is required for this mgmt frame */ 204 if ((ic->ic_caps & IEEE80211_C_MFP) && 205 (type == IEEE80211_FC0_SUBTYPE_DISASSOC || 206 type == IEEE80211_FC0_SUBTYPE_DEAUTH || 207 type == IEEE80211_FC0_SUBTYPE_ACTION)) { 208 /* 209 * Hack: we should not set the Protected bit in outgoing 210 * group management frames, however it is used as an 211 * indication to the drivers that they must encrypt the 212 * frame. Drivers should clear this bit from group 213 * management frames (software crypto code will do it). 214 * XXX could use an mbuf flag.. 215 */ 216 if (IEEE80211_IS_MULTICAST(wh->i_addr1) || 217 (ni->ni_flags & IEEE80211_NODE_TXMGMTPROT)) 218 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 219 } 220 221 if (ifp->if_flags & IFF_DEBUG) { 222 /* avoid to print too many frames */ 223 if ( 224 #ifndef IEEE80211_STA_ONLY 225 ic->ic_opmode == IEEE80211_M_IBSS || 226 #endif 227 #ifdef IEEE80211_DEBUG 228 ieee80211_debug > 1 || 229 #endif 230 (type & IEEE80211_FC0_SUBTYPE_MASK) != 231 IEEE80211_FC0_SUBTYPE_PROBE_RESP) 232 printf("%s: sending %s to %s on channel %u mode %s\n", 233 ifp->if_xname, 234 ieee80211_mgt_subtype_name[ 235 (type & IEEE80211_FC0_SUBTYPE_MASK) 236 >> IEEE80211_FC0_SUBTYPE_SHIFT], 237 ether_sprintf(ni->ni_macaddr), 238 ieee80211_chan2ieee(ic, ni->ni_chan), 239 ieee80211_phymode_name[ 240 ieee80211_chan2mode(ic, ni->ni_chan)]); 241 } 242 243 #ifndef IEEE80211_STA_ONLY 244 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 245 ieee80211_pwrsave(ic, m, ni) != 0) 246 return 0; 247 #endif 248 IF_ENQUEUE(&ic->ic_mgtq, m); 249 ifp->if_timer = 1; 250 (*ifp->if_start)(ifp); 251 return 0; 252 } 253 254 /*- 255 * EDCA tables are computed using the following formulas: 256 * 257 * 1) EDCATable (non-AP QSTA) 258 * 259 * AC CWmin CWmax AIFSN TXOP limit(ms) 260 * ------------------------------------------------------------- 261 * AC_BK aCWmin aCWmax 7 0 262 * AC_BE aCWmin aCWmax 3 0 263 * AC_VI (aCWmin+1)/2-1 aCWmin 2 agn=3.008 b=6.016 others=0 264 * AC_VO (aCWmin+1)/4-1 (aCWmin+1)/2-1 2 agn=1.504 b=3.264 others=0 265 * 266 * 2) QAPEDCATable (QAP) 267 * 268 * AC CWmin CWmax AIFSN TXOP limit(ms) 269 * ------------------------------------------------------------- 270 * AC_BK aCWmin aCWmax 7 0 271 * AC_BE aCWmin 4*(aCWmin+1)-1 3 0 272 * AC_VI (aCWmin+1)/2-1 aCWmin 1 agn=3.008 b=6.016 others=0 273 * AC_VO (aCWmin+1)/4-1 (aCWmin+1)/2-1 1 agn=1.504 b=3.264 others=0 274 * 275 * and the following aCWmin/aCWmax values: 276 * 277 * PHY aCWmin aCWmax 278 * --------------------------- 279 * 11A 15 1023 280 * 11B 31 1023 281 * 11G 15* 1023 (*) aCWmin(1) 282 * Turbo A/G 7 1023 (Atheros proprietary mode) 283 */ 284 static const struct ieee80211_edca_ac_params 285 ieee80211_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = { 286 [IEEE80211_MODE_11B] = { 287 [EDCA_AC_BK] = { 5, 10, 7, 0 }, 288 [EDCA_AC_BE] = { 5, 10, 3, 0 }, 289 [EDCA_AC_VI] = { 4, 5, 2, 188 }, 290 [EDCA_AC_VO] = { 3, 4, 2, 102 } 291 }, 292 [IEEE80211_MODE_11A] = { 293 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 294 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 295 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 296 [EDCA_AC_VO] = { 2, 3, 2, 47 } 297 }, 298 [IEEE80211_MODE_11G] = { 299 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 300 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 301 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 302 [EDCA_AC_VO] = { 2, 3, 2, 47 } 303 }, 304 [IEEE80211_MODE_TURBO] = { 305 [EDCA_AC_BK] = { 3, 10, 7, 0 }, 306 [EDCA_AC_BE] = { 3, 10, 2, 0 }, 307 [EDCA_AC_VI] = { 2, 3, 2, 94 }, 308 [EDCA_AC_VO] = { 2, 2, 1, 47 } 309 } 310 }; 311 312 #ifndef IEEE80211_STA_ONLY 313 static const struct ieee80211_edca_ac_params 314 ieee80211_qap_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = { 315 [IEEE80211_MODE_11B] = { 316 [EDCA_AC_BK] = { 5, 10, 7, 0 }, 317 [EDCA_AC_BE] = { 5, 7, 3, 0 }, 318 [EDCA_AC_VI] = { 4, 5, 1, 188 }, 319 [EDCA_AC_VO] = { 3, 4, 1, 102 } 320 }, 321 [IEEE80211_MODE_11A] = { 322 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 323 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 324 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 325 [EDCA_AC_VO] = { 2, 3, 1, 47 } 326 }, 327 [IEEE80211_MODE_11G] = { 328 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 329 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 330 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 331 [EDCA_AC_VO] = { 2, 3, 1, 47 } 332 }, 333 [IEEE80211_MODE_TURBO] = { 334 [EDCA_AC_BK] = { 3, 10, 7, 0 }, 335 [EDCA_AC_BE] = { 3, 5, 2, 0 }, 336 [EDCA_AC_VI] = { 2, 3, 1, 94 }, 337 [EDCA_AC_VO] = { 2, 2, 1, 47 } 338 } 339 }; 340 #endif /* IEEE80211_STA_ONLY */ 341 342 /* 343 * Return the EDCA Access Category to be used for transmitting a frame with 344 * user-priority `up'. 345 */ 346 enum ieee80211_edca_ac 347 ieee80211_up_to_ac(struct ieee80211com *ic, int up) 348 { 349 /* see Table 9-1 */ 350 static const enum ieee80211_edca_ac up_to_ac[] = { 351 EDCA_AC_BE, /* BE */ 352 EDCA_AC_BK, /* BK */ 353 EDCA_AC_BK, /* -- */ 354 EDCA_AC_BE, /* EE */ 355 EDCA_AC_VI, /* CL */ 356 EDCA_AC_VI, /* VI */ 357 EDCA_AC_VO, /* VO */ 358 EDCA_AC_VO /* NC */ 359 }; 360 enum ieee80211_edca_ac ac; 361 362 ac = (up <= 7) ? up_to_ac[up] : EDCA_AC_BE; 363 364 #ifndef IEEE80211_STA_ONLY 365 if (ic->ic_opmode == IEEE80211_M_HOSTAP) 366 return ac; 367 #endif 368 /* 369 * We do not support the admission control procedure defined in 370 * IEEE Std 802.11-2007 section 9.9.3.1.2. The spec says that 371 * non-AP QSTAs that don't support this procedure shall use EDCA 372 * parameters of a lower priority AC that does not require 373 * admission control. 374 */ 375 while (ac != EDCA_AC_BK && ic->ic_edca_ac[ac].ac_acm) { 376 switch (ac) { 377 case EDCA_AC_BK: 378 /* can't get there */ 379 break; 380 case EDCA_AC_BE: 381 /* BE shouldn't require admission control */ 382 ac = EDCA_AC_BK; 383 break; 384 case EDCA_AC_VI: 385 ac = EDCA_AC_BE; 386 break; 387 case EDCA_AC_VO: 388 ac = EDCA_AC_VI; 389 break; 390 } 391 } 392 return ac; 393 } 394 395 /* 396 * Get mbuf's user-priority: if mbuf is not VLAN tagged, select user-priority 397 * based on the DSCP (Differentiated Services Codepoint) field. 398 */ 399 int 400 ieee80211_classify(struct ieee80211com *ic, struct mbuf *m) 401 { 402 #ifdef INET 403 struct ether_header *eh; 404 u_int8_t ds_field; 405 #endif 406 #if NVLAN > 0 407 if ((m->m_flags & M_PROTO1) == M_PROTO1 && m->m_pkthdr.rcvif != NULL) { 408 struct ifvlan *ifv = m->m_pkthdr.rcvif->if_softc; 409 410 /* use VLAN 802.1D user-priority */ 411 if (ifv->ifv_prio <= 7) 412 return ifv->ifv_prio; 413 } 414 #endif 415 #ifdef INET 416 eh = mtod(m, struct ether_header *); 417 if (eh->ether_type == htons(ETHERTYPE_IP)) { 418 struct ip *ip = (struct ip *)&eh[1]; 419 if (ip->ip_v != 4) 420 return 0; 421 ds_field = ip->ip_tos; 422 } 423 #ifdef INET6 424 else if (eh->ether_type == htons(ETHERTYPE_IPV6)) { 425 struct ip6_hdr *ip6 = (struct ip6_hdr *)&eh[1]; 426 u_int32_t flowlabel; 427 428 flowlabel = ntohl(ip6->ip6_flow); 429 if ((flowlabel >> 28) != 6) 430 return 0; 431 ds_field = (flowlabel >> 20) & 0xff; 432 } 433 #endif /* INET6 */ 434 else /* neither IPv4 nor IPv6 */ 435 return 0; 436 437 /* 438 * Map Differentiated Services Codepoint field (see RFC2474). 439 * Preserves backward compatibility with IP Precedence field. 440 */ 441 switch (ds_field & 0xfc) { 442 case IPTOS_PREC_PRIORITY: 443 return 2; 444 case IPTOS_PREC_IMMEDIATE: 445 return 1; 446 case IPTOS_PREC_FLASH: 447 return 3; 448 case IPTOS_PREC_FLASHOVERRIDE: 449 return 4; 450 case IPTOS_PREC_CRITIC_ECP: 451 return 5; 452 case IPTOS_PREC_INTERNETCONTROL: 453 return 6; 454 case IPTOS_PREC_NETCONTROL: 455 return 7; 456 } 457 #endif /* INET */ 458 return 0; /* default to Best-Effort */ 459 } 460 461 /* 462 * Encapsulate an outbound data frame. The mbuf chain is updated and 463 * a reference to the destination node is returned. If an error is 464 * encountered NULL is returned and the node reference will also be NULL. 465 * 466 * NB: The caller is responsible for free'ing a returned node reference. 467 * The convention is ic_bss is not reference counted; the caller must 468 * maintain that. 469 */ 470 struct mbuf * 471 ieee80211_encap(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node **pni) 472 { 473 struct ieee80211com *ic = (void *)ifp; 474 struct ether_header eh; 475 struct ieee80211_frame *wh; 476 struct ieee80211_node *ni = NULL; 477 struct llc *llc; 478 struct m_tag *mtag; 479 u_int8_t *addr; 480 u_int dlt, hdrlen; 481 int addqos, tid; 482 483 /* Handle raw frames if mbuf is tagged as 802.11 */ 484 if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) { 485 dlt = *(u_int *)(mtag + 1); 486 487 if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO)) 488 goto fallback; 489 490 wh = mtod(m, struct ieee80211_frame *); 491 492 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) 493 goto bad; 494 495 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 496 IEEE80211_FC0_VERSION_0) 497 goto bad; 498 499 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 500 case IEEE80211_FC1_DIR_NODS: 501 case IEEE80211_FC1_DIR_FROMDS: 502 addr = wh->i_addr1; 503 break; 504 case IEEE80211_FC1_DIR_DSTODS: 505 case IEEE80211_FC1_DIR_TODS: 506 addr = wh->i_addr3; 507 break; 508 default: 509 goto bad; 510 } 511 512 ni = ieee80211_find_txnode(ic, addr); 513 if (ni == NULL) 514 ni = ieee80211_ref_node(ic->ic_bss); 515 if (ni == NULL) { 516 printf("%s: no node for dst %s, " 517 "discard raw tx frame\n", ifp->if_xname, 518 ether_sprintf(addr)); 519 ic->ic_stats.is_tx_nonode++; 520 goto bad; 521 } 522 ni->ni_inact = 0; 523 524 *pni = ni; 525 return (m); 526 } 527 528 fallback: 529 if (m->m_len < sizeof(struct ether_header)) { 530 m = m_pullup(m, sizeof(struct ether_header)); 531 if (m == NULL) { 532 ic->ic_stats.is_tx_nombuf++; 533 goto bad; 534 } 535 } 536 memcpy(&eh, mtod(m, caddr_t), sizeof(struct ether_header)); 537 538 ni = ieee80211_find_txnode(ic, eh.ether_dhost); 539 if (ni == NULL) { 540 DPRINTF(("no node for dst %s, discard frame\n", 541 ether_sprintf(eh.ether_dhost))); 542 ic->ic_stats.is_tx_nonode++; 543 goto bad; 544 } 545 546 if ((ic->ic_flags & IEEE80211_F_RSNON) && 547 !ni->ni_port_valid && 548 eh.ether_type != htons(ETHERTYPE_PAE)) { 549 DPRINTF(("port not valid: %s\n", 550 ether_sprintf(eh.ether_dhost))); 551 ic->ic_stats.is_tx_noauth++; 552 goto bad; 553 } 554 555 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 556 ni->ni_rsncipher == IEEE80211_CIPHER_TKIP) 557 /* XXX TKIP countermeasures! */; 558 559 ni->ni_inact = 0; 560 561 if ((ic->ic_flags & IEEE80211_F_QOS) && 562 (ni->ni_flags & IEEE80211_NODE_QOS) && 563 /* do not QoS-encapsulate EAPOL frames */ 564 eh.ether_type != htons(ETHERTYPE_PAE)) { 565 tid = ieee80211_classify(ic, m); 566 hdrlen = sizeof(struct ieee80211_qosframe); 567 addqos = 1; 568 } else { 569 hdrlen = sizeof(struct ieee80211_frame); 570 addqos = 0; 571 } 572 m_adj(m, sizeof(struct ether_header) - LLC_SNAPFRAMELEN); 573 llc = mtod(m, struct llc *); 574 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 575 llc->llc_control = LLC_UI; 576 llc->llc_snap.org_code[0] = 0; 577 llc->llc_snap.org_code[1] = 0; 578 llc->llc_snap.org_code[2] = 0; 579 llc->llc_snap.ether_type = eh.ether_type; 580 M_PREPEND(m, hdrlen, M_DONTWAIT); 581 if (m == NULL) { 582 ic->ic_stats.is_tx_nombuf++; 583 goto bad; 584 } 585 wh = mtod(m, struct ieee80211_frame *); 586 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA; 587 *(u_int16_t *)&wh->i_dur[0] = 0; 588 if (addqos) { 589 struct ieee80211_qosframe *qwh = 590 (struct ieee80211_qosframe *)wh; 591 qwh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS; 592 qwh->i_qos[0] = tid; 593 if (ic->ic_tid_noack & (1 << tid)) { 594 qwh->i_qos[0] |= IEEE80211_QOS_ACK_POLICY_NOACK << 595 IEEE80211_QOS_ACK_POLICY_SHIFT; 596 } 597 qwh->i_qos[1] = 0; /* unused/set by hardware */ 598 *(u_int16_t *)&qwh->i_seq[0] = 599 htole16(ni->ni_qos_txseqs[tid] << IEEE80211_SEQ_SEQ_SHIFT); 600 ni->ni_qos_txseqs[tid]++; 601 } else { 602 *(u_int16_t *)&wh->i_seq[0] = 603 htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT); 604 ni->ni_txseq++; 605 } 606 switch (ic->ic_opmode) { 607 case IEEE80211_M_STA: 608 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 609 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid); 610 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 611 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 612 break; 613 #ifndef IEEE80211_STA_ONLY 614 case IEEE80211_M_IBSS: 615 case IEEE80211_M_AHDEMO: 616 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 617 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 618 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 619 IEEE80211_ADDR_COPY(wh->i_addr3, ic->ic_bss->ni_bssid); 620 break; 621 case IEEE80211_M_HOSTAP: 622 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 623 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 624 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid); 625 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 626 break; 627 #endif 628 default: 629 /* should not get there */ 630 goto bad; 631 } 632 633 if ((ic->ic_flags & IEEE80211_F_WEPON) || 634 ((ic->ic_flags & IEEE80211_F_RSNON) && 635 (ni->ni_flags & IEEE80211_NODE_TXPROT))) 636 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 637 638 #ifndef IEEE80211_STA_ONLY 639 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 640 ieee80211_pwrsave(ic, m, ni) != 0) { 641 *pni = NULL; 642 return NULL; 643 } 644 #endif 645 *pni = ni; 646 return m; 647 bad: 648 if (m != NULL) 649 m_freem(m); 650 if (ni != NULL) 651 ieee80211_release_node(ic, ni); 652 *pni = NULL; 653 return NULL; 654 } 655 656 /* 657 * Add a Capability Information field to a frame (see 7.3.1.4). 658 */ 659 u_int8_t * 660 ieee80211_add_capinfo(u_int8_t *frm, struct ieee80211com *ic, 661 const struct ieee80211_node *ni) 662 { 663 u_int16_t capinfo; 664 665 #ifndef IEEE80211_STA_ONLY 666 if (ic->ic_opmode == IEEE80211_M_IBSS) 667 capinfo = IEEE80211_CAPINFO_IBSS; 668 else if (ic->ic_opmode == IEEE80211_M_HOSTAP) 669 capinfo = IEEE80211_CAPINFO_ESS; 670 else 671 #endif 672 capinfo = 0; 673 #ifndef IEEE80211_STA_ONLY 674 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 675 (ic->ic_flags & (IEEE80211_F_WEPON | IEEE80211_F_RSNON))) 676 capinfo |= IEEE80211_CAPINFO_PRIVACY; 677 #endif 678 /* NB: some 11a AP's reject the request when short preamble is set */ 679 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 680 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) 681 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 682 if (ic->ic_flags & IEEE80211_F_SHSLOT) 683 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 684 LE_WRITE_2(frm, capinfo); 685 return frm + 2; 686 } 687 688 /* 689 * Add an SSID element to a frame (see 7.3.2.1). 690 */ 691 u_int8_t * 692 ieee80211_add_ssid(u_int8_t *frm, const u_int8_t *ssid, u_int len) 693 { 694 *frm++ = IEEE80211_ELEMID_SSID; 695 *frm++ = len; 696 memcpy(frm, ssid, len); 697 return frm + len; 698 } 699 700 /* 701 * Add a supported rates element to a frame (see 7.3.2.2). 702 */ 703 u_int8_t * 704 ieee80211_add_rates(u_int8_t *frm, const struct ieee80211_rateset *rs) 705 { 706 int nrates; 707 708 *frm++ = IEEE80211_ELEMID_RATES; 709 nrates = min(rs->rs_nrates, IEEE80211_RATE_SIZE); 710 *frm++ = nrates; 711 memcpy(frm, rs->rs_rates, nrates); 712 return frm + nrates; 713 } 714 715 #ifndef IEEE80211_STA_ONLY 716 /* 717 * Add a DS Parameter Set element to a frame (see 7.3.2.4). 718 */ 719 u_int8_t * 720 ieee80211_add_ds_params(u_int8_t *frm, struct ieee80211com *ic, 721 const struct ieee80211_node *ni) 722 { 723 *frm++ = IEEE80211_ELEMID_DSPARMS; 724 *frm++ = 1; 725 *frm++ = ieee80211_chan2ieee(ic, ni->ni_chan); 726 return frm; 727 } 728 729 /* 730 * Add a TIM element to a frame (see 7.3.2.6 and Annex L). 731 */ 732 u_int8_t * 733 ieee80211_add_tim(u_int8_t *frm, struct ieee80211com *ic) 734 { 735 u_int i, offset = 0, len; 736 737 /* find first non-zero octet in the virtual bit map */ 738 for (i = 0; i < ic->ic_tim_len && ic->ic_tim_bitmap[i] == 0; i++); 739 740 /* clear the lsb as it is reserved for the broadcast indication bit */ 741 if (i < ic->ic_tim_len) 742 offset = i & ~1; 743 744 /* find last non-zero octet in the virtual bit map */ 745 for (i = ic->ic_tim_len - 1; i > 0 && ic->ic_tim_bitmap[i] == 0; i--); 746 747 len = i - offset + 1; 748 749 *frm++ = IEEE80211_ELEMID_TIM; 750 *frm++ = len + 3; /* length */ 751 *frm++ = ic->ic_dtim_count; /* DTIM count */ 752 *frm++ = ic->ic_dtim_period; /* DTIM period */ 753 754 /* Bitmap Control */ 755 *frm = offset; 756 /* set broadcast/multicast indication bit if necessary */ 757 if (ic->ic_dtim_count == 0 && ic->ic_tim_mcast_pending) 758 *frm |= 0x01; 759 frm++; 760 761 /* Partial Virtual Bitmap */ 762 memcpy(frm, &ic->ic_tim_bitmap[offset], len); 763 return frm + len; 764 } 765 766 /* 767 * Add an IBSS Parameter Set element to a frame (see 7.3.2.7). 768 */ 769 u_int8_t * 770 ieee80211_add_ibss_params(u_int8_t *frm, const struct ieee80211_node *ni) 771 { 772 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 773 *frm++ = 2; 774 LE_WRITE_2(frm, 0); /* TODO: ATIM window */ 775 return frm + 2; 776 } 777 778 /* 779 * Add an EDCA Parameter Set element to a frame (see 7.3.2.29). 780 */ 781 u_int8_t * 782 ieee80211_add_edca_params(u_int8_t *frm, struct ieee80211com *ic) 783 { 784 const struct ieee80211_edca_ac_params *edca; 785 int aci; 786 787 *frm++ = IEEE80211_ELEMID_EDCAPARMS; 788 *frm++ = 18; /* length */ 789 *frm++ = 0; /* QoS Info */ 790 *frm++ = 0; /* reserved */ 791 792 /* setup AC Parameter Records */ 793 edca = ieee80211_qap_edca_table[ic->ic_curmode]; 794 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 795 const struct ieee80211_edca_ac_params *ac = &edca[aci]; 796 797 *frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) | 798 (ac->ac_aifsn & 0xf); 799 *frm++ = (ac->ac_ecwmax << 4) | 800 (ac->ac_ecwmin & 0xf); 801 LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2; 802 } 803 return frm; 804 } 805 806 /* 807 * Add an ERP element to a frame (see 7.3.2.13). 808 */ 809 u_int8_t * 810 ieee80211_add_erp(u_int8_t *frm, struct ieee80211com *ic) 811 { 812 u_int8_t erp; 813 814 *frm++ = IEEE80211_ELEMID_ERP; 815 *frm++ = 1; 816 erp = 0; 817 /* 818 * The NonERP_Present bit shall be set to 1 when a NonERP STA 819 * is associated with the BSS. 820 */ 821 if (ic->ic_nonerpsta != 0) 822 erp |= IEEE80211_ERP_NON_ERP_PRESENT; 823 /* 824 * If one or more NonERP STAs are associated in the BSS, the 825 * Use_Protection bit shall be set to 1 in transmitted ERP 826 * Information Elements. 827 */ 828 if (ic->ic_flags & IEEE80211_F_USEPROT) 829 erp |= IEEE80211_ERP_USE_PROTECTION; 830 /* 831 * The Barker_Preamble_Mode bit shall be set to 1 by the ERP 832 * Information Element sender if one or more associated NonERP 833 * STAs are not short preamble capable. 834 */ 835 if (!(ic->ic_flags & IEEE80211_F_SHPREAMBLE)) 836 erp |= IEEE80211_ERP_BARKER_MODE; 837 *frm++ = erp; 838 return frm; 839 } 840 #endif /* IEEE80211_STA_ONLY */ 841 842 /* 843 * Add a QoS Capability element to a frame (see 7.3.2.35). 844 */ 845 u_int8_t * 846 ieee80211_add_qos_capability(u_int8_t *frm, struct ieee80211com *ic) 847 { 848 *frm++ = IEEE80211_ELEMID_QOS_CAP; 849 *frm++ = 1; 850 *frm++ = 0; /* QoS Info */ 851 return frm; 852 } 853 854 /* 855 * Add an RSN element to a frame (see 7.3.2.25). 856 */ 857 u_int8_t * 858 ieee80211_add_rsn_body(u_int8_t *frm, struct ieee80211com *ic, 859 const struct ieee80211_node *ni, int wpa) 860 { 861 const u_int8_t *oui = wpa ? MICROSOFT_OUI : IEEE80211_OUI; 862 u_int8_t *pcount; 863 u_int16_t count; 864 865 /* write Version field */ 866 LE_WRITE_2(frm, 1); frm += 2; 867 868 /* write Group Data Cipher Suite field (see Table 20da) */ 869 memcpy(frm, oui, 3); frm += 3; 870 switch (ni->ni_rsngroupcipher) { 871 case IEEE80211_CIPHER_WEP40: 872 *frm++ = 1; 873 break; 874 case IEEE80211_CIPHER_TKIP: 875 *frm++ = 2; 876 break; 877 case IEEE80211_CIPHER_CCMP: 878 *frm++ = 4; 879 break; 880 case IEEE80211_CIPHER_WEP104: 881 *frm++ = 5; 882 break; 883 default: 884 /* can't get there */ 885 panic("invalid group data cipher!"); 886 } 887 888 pcount = frm; frm += 2; 889 count = 0; 890 /* write Pairwise Cipher Suite List */ 891 if (ni->ni_rsnciphers & IEEE80211_CIPHER_USEGROUP) { 892 memcpy(frm, oui, 3); frm += 3; 893 *frm++ = 0; 894 count++; 895 } 896 if (ni->ni_rsnciphers & IEEE80211_CIPHER_TKIP) { 897 memcpy(frm, oui, 3); frm += 3; 898 *frm++ = 2; 899 count++; 900 } 901 if (ni->ni_rsnciphers & IEEE80211_CIPHER_CCMP) { 902 memcpy(frm, oui, 3); frm += 3; 903 *frm++ = 4; 904 count++; 905 } 906 /* write Pairwise Cipher Suite Count field */ 907 LE_WRITE_2(pcount, count); 908 909 pcount = frm; frm += 2; 910 count = 0; 911 /* write AKM Suite List (see Table 20dc) */ 912 if (ni->ni_rsnakms & IEEE80211_AKM_8021X) { 913 memcpy(frm, oui, 3); frm += 3; 914 *frm++ = 1; 915 count++; 916 } 917 if (ni->ni_rsnakms & IEEE80211_AKM_PSK) { 918 memcpy(frm, oui, 3); frm += 3; 919 *frm++ = 2; 920 count++; 921 } 922 if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_8021X)) { 923 memcpy(frm, oui, 3); frm += 3; 924 *frm++ = 5; 925 count++; 926 } 927 if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_PSK)) { 928 memcpy(frm, oui, 3); frm += 3; 929 *frm++ = 6; 930 count++; 931 } 932 /* write AKM Suite List Count field */ 933 LE_WRITE_2(pcount, count); 934 935 if (wpa) 936 return frm; 937 938 /* write RSN Capabilities field */ 939 LE_WRITE_2(frm, ni->ni_rsncaps); frm += 2; 940 941 if (ni->ni_flags & IEEE80211_NODE_PMKID) { 942 /* write PMKID Count field */ 943 LE_WRITE_2(frm, 1); frm += 2; 944 /* write PMKID List (only 1) */ 945 memcpy(frm, ni->ni_pmkid, IEEE80211_PMKID_LEN); 946 frm += IEEE80211_PMKID_LEN; 947 } else { 948 /* no PMKID (PMKID Count=0) */ 949 LE_WRITE_2(frm, 0); frm += 2; 950 } 951 952 if (!(ic->ic_caps & IEEE80211_C_MFP)) 953 return frm; 954 955 /* write Group Integrity Cipher Suite field */ 956 memcpy(frm, oui, 3); frm += 3; 957 switch (ic->ic_rsngroupmgmtcipher) { 958 case IEEE80211_CIPHER_AES128_CMAC: 959 *frm++ = 6; 960 break; 961 default: 962 /* can't get there */ 963 panic("invalid integrity group cipher!"); 964 } 965 return frm; 966 } 967 968 u_int8_t * 969 ieee80211_add_rsn(u_int8_t *frm, struct ieee80211com *ic, 970 const struct ieee80211_node *ni) 971 { 972 u_int8_t *plen; 973 974 *frm++ = IEEE80211_ELEMID_RSN; 975 plen = frm++; /* length filled in later */ 976 frm = ieee80211_add_rsn_body(frm, ic, ni, 0); 977 978 /* write length field */ 979 *plen = frm - plen - 1; 980 return frm; 981 } 982 983 /* 984 * Add a vendor-specific WPA element to a frame. 985 * This is required for compatibility with Wi-Fi Alliance WPA. 986 */ 987 u_int8_t * 988 ieee80211_add_wpa(u_int8_t *frm, struct ieee80211com *ic, 989 const struct ieee80211_node *ni) 990 { 991 u_int8_t *plen; 992 993 *frm++ = IEEE80211_ELEMID_VENDOR; 994 plen = frm++; /* length filled in later */ 995 memcpy(frm, MICROSOFT_OUI, 3); frm += 3; 996 *frm++ = 1; /* WPA */ 997 frm = ieee80211_add_rsn_body(frm, ic, ni, 1); 998 999 /* write length field */ 1000 *plen = frm - plen - 1; 1001 return frm; 1002 } 1003 1004 /* 1005 * Add an extended supported rates element to a frame (see 7.3.2.14). 1006 */ 1007 u_int8_t * 1008 ieee80211_add_xrates(u_int8_t *frm, const struct ieee80211_rateset *rs) 1009 { 1010 int nrates; 1011 1012 KASSERT(rs->rs_nrates > IEEE80211_RATE_SIZE); 1013 1014 *frm++ = IEEE80211_ELEMID_XRATES; 1015 nrates = rs->rs_nrates - IEEE80211_RATE_SIZE; 1016 *frm++ = nrates; 1017 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates); 1018 return frm + nrates; 1019 } 1020 1021 struct mbuf * 1022 ieee80211_getmgmt(int flags, int type, u_int pktlen) 1023 { 1024 struct mbuf *m; 1025 1026 /* reserve space for 802.11 header */ 1027 pktlen += sizeof(struct ieee80211_frame); 1028 1029 if (pktlen > MCLBYTES) 1030 panic("management frame too large: %u", pktlen); 1031 MGETHDR(m, flags, type); 1032 if (m == NULL) 1033 return NULL; 1034 if (pktlen > MHLEN) { 1035 MCLGET(m, flags); 1036 if (!(m->m_flags & M_EXT)) 1037 return m_free(m); 1038 } 1039 m->m_data += sizeof(struct ieee80211_frame); 1040 return m; 1041 } 1042 1043 /*- 1044 * Probe request frame format: 1045 * [tlv] SSID 1046 * [tlv] Supported rates 1047 * [tlv] Extended Supported Rates (802.11g) 1048 */ 1049 struct mbuf * 1050 ieee80211_get_probe_req(struct ieee80211com *ic, struct ieee80211_node *ni) 1051 { 1052 const struct ieee80211_rateset *rs = 1053 &ic->ic_sup_rates[ieee80211_chan2mode(ic, ni->ni_chan)]; 1054 struct mbuf *m; 1055 u_int8_t *frm; 1056 1057 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1058 2 + ic->ic_des_esslen + 1059 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1060 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1061 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0)); 1062 if (m == NULL) 1063 return NULL; 1064 1065 frm = mtod(m, u_int8_t *); 1066 frm = ieee80211_add_ssid(frm, ic->ic_des_essid, ic->ic_des_esslen); 1067 frm = ieee80211_add_rates(frm, rs); 1068 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1069 frm = ieee80211_add_xrates(frm, rs); 1070 1071 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1072 1073 return m; 1074 } 1075 1076 #ifndef IEEE80211_STA_ONLY 1077 /*- 1078 * Probe response frame format: 1079 * [8] Timestamp 1080 * [2] Beacon interval 1081 * [2] Capability 1082 * [tlv] Service Set Identifier (SSID) 1083 * [tlv] Supported rates 1084 * [tlv*] DS Parameter Set (802.11g) 1085 * [tlv] ERP Information (802.11g) 1086 * [tlv] Extended Supported Rates (802.11g) 1087 * [tlv] RSN (802.11i) 1088 * [tlv] EDCA Parameter Set (802.11e) 1089 */ 1090 struct mbuf * 1091 ieee80211_get_probe_resp(struct ieee80211com *ic, struct ieee80211_node *ni) 1092 { 1093 const struct ieee80211_rateset *rs = &ic->ic_bss->ni_rates; 1094 struct mbuf *m; 1095 u_int8_t *frm; 1096 1097 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1098 8 + 2 + 2 + 1099 2 + ni->ni_esslen + 1100 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1101 2 + 1 + 1102 ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 + 2 : 0) + 1103 ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) + 1104 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1105 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1106 (((ic->ic_flags & IEEE80211_F_RSNON) && 1107 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 1108 2 + IEEE80211_RSNIE_MAXLEN : 0) + 1109 ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) + 1110 (((ic->ic_flags & IEEE80211_F_RSNON) && 1111 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 1112 2 + IEEE80211_WPAIE_MAXLEN : 0)); 1113 if (m == NULL) 1114 return NULL; 1115 1116 frm = mtod(m, u_int8_t *); 1117 memset(frm, 0, 8); frm += 8; /* timestamp is set by hardware */ 1118 LE_WRITE_2(frm, ic->ic_bss->ni_intval); frm += 2; 1119 frm = ieee80211_add_capinfo(frm, ic, ni); 1120 frm = ieee80211_add_ssid(frm, ic->ic_bss->ni_essid, 1121 ic->ic_bss->ni_esslen); 1122 frm = ieee80211_add_rates(frm, rs); 1123 frm = ieee80211_add_ds_params(frm, ic, ni); 1124 if (ic->ic_opmode == IEEE80211_M_IBSS) 1125 frm = ieee80211_add_ibss_params(frm, ni); 1126 if (ic->ic_curmode == IEEE80211_MODE_11G) 1127 frm = ieee80211_add_erp(frm, ic); 1128 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1129 frm = ieee80211_add_xrates(frm, rs); 1130 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1131 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN)) 1132 frm = ieee80211_add_rsn(frm, ic, ic->ic_bss); 1133 if (ic->ic_flags & IEEE80211_F_QOS) 1134 frm = ieee80211_add_edca_params(frm, ic); 1135 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1136 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA)) 1137 frm = ieee80211_add_wpa(frm, ic, ic->ic_bss); 1138 1139 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1140 1141 return m; 1142 } 1143 #endif /* IEEE80211_STA_ONLY */ 1144 1145 /*- 1146 * Authentication frame format: 1147 * [2] Authentication algorithm number 1148 * [2] Authentication transaction sequence number 1149 * [2] Status code 1150 */ 1151 struct mbuf * 1152 ieee80211_get_auth(struct ieee80211com *ic, struct ieee80211_node *ni, 1153 u_int16_t status, u_int16_t seq) 1154 { 1155 struct mbuf *m; 1156 u_int8_t *frm; 1157 1158 MGETHDR(m, M_DONTWAIT, MT_DATA); 1159 if (m == NULL) 1160 return NULL; 1161 MH_ALIGN(m, 2 * 3); 1162 m->m_pkthdr.len = m->m_len = 2 * 3; 1163 1164 frm = mtod(m, u_int8_t *); 1165 LE_WRITE_2(frm, IEEE80211_AUTH_ALG_OPEN); frm += 2; 1166 LE_WRITE_2(frm, seq); frm += 2; 1167 LE_WRITE_2(frm, status); 1168 1169 return m; 1170 } 1171 1172 /*- 1173 * Deauthentication frame format: 1174 * [2] Reason code 1175 */ 1176 struct mbuf * 1177 ieee80211_get_deauth(struct ieee80211com *ic, struct ieee80211_node *ni, 1178 u_int16_t reason) 1179 { 1180 struct mbuf *m; 1181 1182 MGETHDR(m, M_DONTWAIT, MT_DATA); 1183 if (m == NULL) 1184 return NULL; 1185 MH_ALIGN(m, 2); 1186 1187 m->m_pkthdr.len = m->m_len = 2; 1188 *mtod(m, u_int16_t *) = htole16(reason); 1189 1190 return m; 1191 } 1192 1193 /*- 1194 * (Re)Association request frame format: 1195 * [2] Capability information 1196 * [2] Listen interval 1197 * [6*] Current AP address (Reassociation only) 1198 * [tlv] SSID 1199 * [tlv] Supported rates 1200 * [tlv] Extended Supported Rates (802.11g) 1201 * [tlv] RSN (802.11i) 1202 * [tlv] QoS Capability (802.11e) 1203 */ 1204 struct mbuf * 1205 ieee80211_get_assoc_req(struct ieee80211com *ic, struct ieee80211_node *ni, 1206 int type) 1207 { 1208 const struct ieee80211_rateset *rs = &ni->ni_rates; 1209 struct mbuf *m; 1210 u_int8_t *frm; 1211 u_int16_t capinfo; 1212 1213 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1214 2 + 2 + 1215 ((type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) ? 1216 IEEE80211_ADDR_LEN : 0) + 1217 2 + ni->ni_esslen + 1218 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1219 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1220 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1221 (((ic->ic_flags & IEEE80211_F_RSNON) && 1222 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 1223 2 + IEEE80211_RSNIE_MAXLEN : 0) + 1224 ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 1 : 0) + 1225 (((ic->ic_flags & IEEE80211_F_RSNON) && 1226 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 1227 2 + IEEE80211_WPAIE_MAXLEN : 0)); 1228 if (m == NULL) 1229 return NULL; 1230 1231 frm = mtod(m, u_int8_t *); 1232 capinfo = IEEE80211_CAPINFO_ESS; 1233 if (ic->ic_flags & IEEE80211_F_WEPON) 1234 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1235 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1236 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) 1237 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1238 if ((ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME) && 1239 (ic->ic_flags & IEEE80211_F_SHSLOT)) 1240 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1241 LE_WRITE_2(frm, capinfo); frm += 2; 1242 LE_WRITE_2(frm, ic->ic_lintval); frm += 2; 1243 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1244 IEEE80211_ADDR_COPY(frm, ic->ic_bss->ni_bssid); 1245 frm += IEEE80211_ADDR_LEN; 1246 } 1247 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 1248 frm = ieee80211_add_rates(frm, rs); 1249 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1250 frm = ieee80211_add_xrates(frm, rs); 1251 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1252 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) 1253 frm = ieee80211_add_rsn(frm, ic, ni); 1254 if ((ic->ic_flags & IEEE80211_F_QOS) && 1255 (ni->ni_flags & IEEE80211_NODE_QOS)) 1256 frm = ieee80211_add_qos_capability(frm, ic); 1257 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1258 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) 1259 frm = ieee80211_add_wpa(frm, ic, ni); 1260 1261 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1262 1263 return m; 1264 } 1265 1266 #ifndef IEEE80211_STA_ONLY 1267 /*- 1268 * (Re)Association response frame format: 1269 * [2] Capability information 1270 * [2] Status code 1271 * [2] Association ID (AID) 1272 * [tlv] Supported rates 1273 * [tlv] Extended Supported Rates (802.11g) 1274 * [tlv] EDCA Parameter Set (802.11e) 1275 */ 1276 struct mbuf * 1277 ieee80211_get_assoc_resp(struct ieee80211com *ic, struct ieee80211_node *ni, 1278 u_int16_t status) 1279 { 1280 const struct ieee80211_rateset *rs = &ni->ni_rates; 1281 struct mbuf *m; 1282 u_int8_t *frm; 1283 1284 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1285 2 + 2 + 2 + 1286 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1287 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1288 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1289 ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0)); 1290 if (m == NULL) 1291 return NULL; 1292 1293 frm = mtod(m, u_int8_t *); 1294 frm = ieee80211_add_capinfo(frm, ic, ni); 1295 LE_WRITE_2(frm, status); frm += 2; 1296 if (status == IEEE80211_STATUS_SUCCESS) 1297 LE_WRITE_2(frm, ni->ni_associd); 1298 else 1299 LE_WRITE_2(frm, 0); 1300 frm += 2; 1301 frm = ieee80211_add_rates(frm, rs); 1302 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1303 frm = ieee80211_add_xrates(frm, rs); 1304 if ((ic->ic_flags & IEEE80211_F_QOS) && 1305 (ni->ni_flags & IEEE80211_NODE_QOS)) 1306 frm = ieee80211_add_edca_params(frm, ic); 1307 1308 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1309 1310 return m; 1311 } 1312 #endif /* IEEE80211_STA_ONLY */ 1313 1314 /*- 1315 * Disassociation frame format: 1316 * [2] Reason code 1317 */ 1318 struct mbuf * 1319 ieee80211_get_disassoc(struct ieee80211com *ic, struct ieee80211_node *ni, 1320 u_int16_t reason) 1321 { 1322 struct mbuf *m; 1323 1324 MGETHDR(m, M_DONTWAIT, MT_DATA); 1325 if (m == NULL) 1326 return NULL; 1327 MH_ALIGN(m, 2); 1328 1329 m->m_pkthdr.len = m->m_len = 2; 1330 *mtod(m, u_int16_t *) = htole16(reason); 1331 1332 return m; 1333 } 1334 1335 /* 1336 * Send a management frame. The node is for the destination (or ic_bss 1337 * when in station mode). Nodes other than ic_bss have their reference 1338 * count bumped to reflect our use for an indeterminant time. 1339 */ 1340 int 1341 ieee80211_send_mgmt(struct ieee80211com *ic, struct ieee80211_node *ni, 1342 int type, int arg) 1343 { 1344 #define senderr(_x, _v) do { ic->ic_stats._v++; ret = _x; goto bad; } while (0) 1345 struct ifnet *ifp = &ic->ic_if; 1346 struct mbuf *m; 1347 int ret, timer; 1348 1349 if (ni == NULL) 1350 panic("null node"); 1351 1352 /* 1353 * Hold a reference on the node so it doesn't go away until after 1354 * the xmit is complete all the way in the driver. On error we 1355 * will remove our reference. 1356 */ 1357 ieee80211_ref_node(ni); 1358 timer = 0; 1359 switch (type) { 1360 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1361 if ((m = ieee80211_get_probe_req(ic, ni)) == NULL) 1362 senderr(ENOMEM, is_tx_nombuf); 1363 1364 timer = IEEE80211_TRANS_WAIT; 1365 break; 1366 #ifndef IEEE80211_STA_ONLY 1367 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1368 if ((m = ieee80211_get_probe_resp(ic, ni)) == NULL) 1369 senderr(ENOMEM, is_tx_nombuf); 1370 break; 1371 #endif 1372 case IEEE80211_FC0_SUBTYPE_AUTH: 1373 m = ieee80211_get_auth(ic, ni, arg >> 16, arg & 0xffff); 1374 if (m == NULL) 1375 senderr(ENOMEM, is_tx_nombuf); 1376 1377 if (ic->ic_opmode == IEEE80211_M_STA) 1378 timer = IEEE80211_TRANS_WAIT; 1379 break; 1380 1381 case IEEE80211_FC0_SUBTYPE_DEAUTH: 1382 if ((m = ieee80211_get_deauth(ic, ni, arg)) == NULL) 1383 senderr(ENOMEM, is_tx_nombuf); 1384 1385 if (ifp->if_flags & IFF_DEBUG) { 1386 printf("%s: station %s deauthenticate (reason %d)\n", 1387 ifp->if_xname, ether_sprintf(ni->ni_macaddr), arg); 1388 } 1389 break; 1390 1391 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1392 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 1393 if ((m = ieee80211_get_assoc_req(ic, ni, type)) == NULL) 1394 senderr(ENOMEM, is_tx_nombuf); 1395 1396 timer = IEEE80211_TRANS_WAIT; 1397 break; 1398 #ifndef IEEE80211_STA_ONLY 1399 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 1400 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 1401 if ((m = ieee80211_get_assoc_resp(ic, ni, arg)) == NULL) 1402 senderr(ENOMEM, is_tx_nombuf); 1403 break; 1404 #endif 1405 case IEEE80211_FC0_SUBTYPE_DISASSOC: 1406 if ((m = ieee80211_get_disassoc(ic, ni, arg)) == NULL) 1407 senderr(ENOMEM, is_tx_nombuf); 1408 1409 if (ifp->if_flags & IFF_DEBUG) { 1410 printf("%s: station %s disassociate (reason %d)\n", 1411 ifp->if_xname, ether_sprintf(ni->ni_macaddr), arg); 1412 } 1413 break; 1414 1415 default: 1416 DPRINTF(("invalid mgmt frame type %u\n", type)); 1417 senderr(EINVAL, is_tx_unknownmgt); 1418 /* NOTREACHED */ 1419 } 1420 1421 ret = ieee80211_mgmt_output(ifp, ni, m, type); 1422 if (ret == 0) { 1423 if (timer) 1424 ic->ic_mgt_timer = timer; 1425 } else { 1426 bad: 1427 ieee80211_release_node(ic, ni); 1428 } 1429 return ret; 1430 #undef senderr 1431 } 1432 1433 /* 1434 * Build a RTS (Request To Send) control frame (see 7.2.1.1). 1435 */ 1436 struct mbuf * 1437 ieee80211_get_rts(struct ieee80211com *ic, const struct ieee80211_frame *wh, 1438 u_int16_t dur) 1439 { 1440 struct ieee80211_frame_rts *rts; 1441 struct mbuf *m; 1442 1443 MGETHDR(m, M_DONTWAIT, MT_DATA); 1444 if (m == NULL) 1445 return NULL; 1446 1447 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts); 1448 1449 rts = mtod(m, struct ieee80211_frame_rts *); 1450 rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 1451 IEEE80211_FC0_SUBTYPE_RTS; 1452 rts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1453 *(u_int16_t *)rts->i_dur = htole16(dur); 1454 IEEE80211_ADDR_COPY(rts->i_ra, wh->i_addr1); 1455 IEEE80211_ADDR_COPY(rts->i_ta, wh->i_addr2); 1456 1457 return m; 1458 } 1459 1460 /* 1461 * Build a CTS-to-self (Clear To Send) control frame (see 7.2.1.2). 1462 */ 1463 struct mbuf * 1464 ieee80211_get_cts_to_self(struct ieee80211com *ic, u_int16_t dur) 1465 { 1466 struct ieee80211_frame_cts *cts; 1467 struct mbuf *m; 1468 1469 MGETHDR(m, M_DONTWAIT, MT_DATA); 1470 if (m == NULL) 1471 return NULL; 1472 1473 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts); 1474 1475 cts = mtod(m, struct ieee80211_frame_cts *); 1476 cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 1477 IEEE80211_FC0_SUBTYPE_CTS; 1478 cts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1479 *(u_int16_t *)cts->i_dur = htole16(dur); 1480 IEEE80211_ADDR_COPY(cts->i_ra, ic->ic_myaddr); 1481 1482 return m; 1483 } 1484 1485 #ifndef IEEE80211_STA_ONLY 1486 /*- 1487 * Beacon frame format: 1488 * [8] Timestamp 1489 * [2] Beacon interval 1490 * [2] Capability 1491 * [tlv] Service Set Identifier (SSID) 1492 * [tlv] Supported rates 1493 * [tlv*] DS Parameter Set (802.11g) 1494 * [tlv*] IBSS Parameter Set 1495 * [tlv] Traffic Indication Map (TIM) 1496 * [tlv] ERP Information (802.11g) 1497 * [tlv] Extended Supported Rates (802.11g) 1498 * [tlv] RSN (802.11i) 1499 * [tlv] EDCA Parameter Set (802.11e) 1500 */ 1501 struct mbuf * 1502 ieee80211_beacon_alloc(struct ieee80211com *ic, struct ieee80211_node *ni) 1503 { 1504 const struct ieee80211_rateset *rs = &ni->ni_rates; 1505 struct ieee80211_frame *wh; 1506 struct mbuf *m; 1507 u_int8_t *frm; 1508 1509 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1510 8 + 2 + 2 + 1511 2 + ((ic->ic_flags & IEEE80211_F_HIDENWID) ? 0 : ni->ni_esslen) + 1512 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1513 2 + 1 + 1514 2 + ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 : 254) + 1515 ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) + 1516 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1517 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1518 (((ic->ic_flags & IEEE80211_F_RSNON) && 1519 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 1520 2 + IEEE80211_RSNIE_MAXLEN : 0) + 1521 ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) + 1522 (((ic->ic_flags & IEEE80211_F_RSNON) && 1523 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 1524 2 + IEEE80211_WPAIE_MAXLEN : 0)); 1525 if (m == NULL) 1526 return NULL; 1527 1528 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 1529 if (m == NULL) 1530 return NULL; 1531 wh = mtod(m, struct ieee80211_frame *); 1532 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | 1533 IEEE80211_FC0_SUBTYPE_BEACON; 1534 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1535 *(u_int16_t *)wh->i_dur = 0; 1536 IEEE80211_ADDR_COPY(wh->i_addr1, etherbroadcastaddr); 1537 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 1538 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 1539 *(u_int16_t *)wh->i_seq = 0; 1540 1541 frm = (u_int8_t *)&wh[1]; 1542 memset(frm, 0, 8); frm += 8; /* timestamp is set by hardware */ 1543 LE_WRITE_2(frm, ni->ni_intval); frm += 2; 1544 frm = ieee80211_add_capinfo(frm, ic, ni); 1545 if (ic->ic_flags & IEEE80211_F_HIDENWID) 1546 frm = ieee80211_add_ssid(frm, NULL, 0); 1547 else 1548 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 1549 frm = ieee80211_add_rates(frm, rs); 1550 frm = ieee80211_add_ds_params(frm, ic, ni); 1551 if (ic->ic_opmode == IEEE80211_M_IBSS) 1552 frm = ieee80211_add_ibss_params(frm, ni); 1553 else 1554 frm = ieee80211_add_tim(frm, ic); 1555 if (ic->ic_curmode == IEEE80211_MODE_11G) 1556 frm = ieee80211_add_erp(frm, ic); 1557 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1558 frm = ieee80211_add_xrates(frm, rs); 1559 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1560 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) 1561 frm = ieee80211_add_rsn(frm, ic, ni); 1562 if (ic->ic_flags & IEEE80211_F_QOS) 1563 frm = ieee80211_add_edca_params(frm, ic); 1564 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1565 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) 1566 frm = ieee80211_add_wpa(frm, ic, ni); 1567 1568 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1569 m->m_pkthdr.rcvif = (void *)ni; 1570 1571 return m; 1572 } 1573 1574 /* 1575 * Check if an outgoing MSDU or management frame should be buffered into 1576 * the AP for power management. Return 1 if the frame was buffered into 1577 * the AP, or 0 if the frame shall be transmitted immediately. 1578 */ 1579 int 1580 ieee80211_pwrsave(struct ieee80211com *ic, struct mbuf *m, 1581 struct ieee80211_node *ni) 1582 { 1583 const struct ieee80211_frame *wh; 1584 1585 KASSERT(ic->ic_opmode == IEEE80211_M_HOSTAP); 1586 if (!(ic->ic_caps & IEEE80211_C_APPMGT)) 1587 return 0; 1588 1589 wh = mtod(m, struct ieee80211_frame *); 1590 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 1591 /* 1592 * Buffer group addressed MSDUs with the Order bit clear 1593 * if any associated STAs are in PS mode. 1594 */ 1595 if ((wh->i_fc[1] & IEEE80211_FC1_ORDER) || 1596 ic->ic_pssta == 0) 1597 return 0; 1598 ic->ic_tim_mcast_pending = 1; 1599 } else { 1600 /* 1601 * Buffer MSDUs, A-MSDUs or management frames destined for 1602 * PS STAs. 1603 */ 1604 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE || 1605 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == 1606 IEEE80211_FC0_TYPE_CTL) 1607 return 0; 1608 if (IF_IS_EMPTY(&ni->ni_savedq)) 1609 (*ic->ic_set_tim)(ic, ni->ni_associd, 1); 1610 } 1611 /* NB: ni == ic->ic_bss for broadcast/multicast */ 1612 if (IF_QFULL(&ni->ni_savedq)) { 1613 /* XXX should we drop the oldest instead? */ 1614 IF_DROP(&ni->ni_savedq); 1615 m_freem(m); 1616 } else { 1617 IF_ENQUEUE(&ni->ni_savedq, m); 1618 /* 1619 * Similar to ieee80211_mgmt_output, store the node in the 1620 * rcvif field. 1621 */ 1622 m->m_pkthdr.rcvif = (void *)ni; 1623 } 1624 return 1; 1625 } 1626 #endif /* IEEE80211_STA_ONLY */ 1627