1 /*- 2 * Copyright (c) 2001 Atsushi Onoe 3 * Copyright (c) 2002-2009 Sam Leffler, Errno Consulting 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 * 26 * $FreeBSD: head/sys/net80211/ieee80211_output.c 198384 2009-10-23 11:13:08Z rpaulo $ 27 */ 28 29 #include "opt_inet.h" 30 #include "opt_inet6.h" 31 #include "opt_wlan.h" 32 33 #include <sys/param.h> 34 #include <sys/systm.h> 35 #include <sys/mbuf.h> 36 #include <sys/kernel.h> 37 #include <sys/endian.h> 38 39 #include <sys/socket.h> 40 41 #include <net/bpf.h> 42 #include <net/ethernet.h> 43 #include <net/route.h> 44 #include <net/if.h> 45 #include <net/if_llc.h> 46 #include <net/if_media.h> 47 #include <net/ifq_var.h> 48 49 #include <netproto/802_11/ieee80211_var.h> 50 #include <netproto/802_11/ieee80211_regdomain.h> 51 #ifdef IEEE80211_SUPPORT_SUPERG 52 #include <netproto/802_11/ieee80211_superg.h> 53 #endif 54 #ifdef IEEE80211_SUPPORT_TDMA 55 #include <netproto/802_11/ieee80211_tdma.h> 56 #endif 57 #include <netproto/802_11/ieee80211_wds.h> 58 #include <netproto/802_11/ieee80211_mesh.h> 59 60 #ifdef INET 61 #include <netinet/in.h> 62 #include <netinet/if_ether.h> 63 #include <netinet/in_systm.h> 64 #include <netinet/ip.h> 65 #endif 66 #ifdef INET6 67 #include <netinet/ip6.h> 68 #endif 69 70 #define ETHER_HEADER_COPY(dst, src) \ 71 memcpy(dst, src, sizeof(struct ether_header)) 72 73 /* unalligned little endian access */ 74 #define LE_WRITE_2(p, v) do { \ 75 ((uint8_t *)(p))[0] = (v) & 0xff; \ 76 ((uint8_t *)(p))[1] = ((v) >> 8) & 0xff; \ 77 } while (0) 78 #define LE_WRITE_4(p, v) do { \ 79 ((uint8_t *)(p))[0] = (v) & 0xff; \ 80 ((uint8_t *)(p))[1] = ((v) >> 8) & 0xff; \ 81 ((uint8_t *)(p))[2] = ((v) >> 16) & 0xff; \ 82 ((uint8_t *)(p))[3] = ((v) >> 24) & 0xff; \ 83 } while (0) 84 85 static int ieee80211_fragment(struct ieee80211vap *, struct mbuf *, 86 u_int hdrsize, u_int ciphdrsize, u_int mtu); 87 static void ieee80211_tx_mgt_cb(struct ieee80211_node *, void *, int); 88 89 #ifdef IEEE80211_DEBUG 90 /* 91 * Decide if an outbound management frame should be 92 * printed when debugging is enabled. This filters some 93 * of the less interesting frames that come frequently 94 * (e.g. beacons). 95 */ 96 static __inline int 97 doprint(struct ieee80211vap *vap, int subtype) 98 { 99 switch (subtype) { 100 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 101 return (vap->iv_opmode == IEEE80211_M_IBSS); 102 } 103 return 1; 104 } 105 #endif 106 107 /* 108 * Start method for vap's. All packets from the stack come 109 * through here. We handle common processing of the packets 110 * before dispatching them to the underlying device. 111 */ 112 void 113 ieee80211_start(struct ifnet *ifp, struct ifaltq_subque *ifsq) 114 { 115 #define IS_DWDS(vap) \ 116 (vap->iv_opmode == IEEE80211_M_WDS && \ 117 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY) == 0) 118 struct ieee80211vap *vap = ifp->if_softc; 119 struct ieee80211com *ic = vap->iv_ic; 120 struct ifnet *parent = ic->ic_ifp; 121 struct ieee80211_node *ni; 122 struct mbuf *m = NULL; 123 struct ether_header *eh; 124 int error; 125 126 ASSERT_ALTQ_SQ_DEFAULT(ifp, ifsq); 127 128 /* NB: parent must be up and running */ 129 if (!IFNET_IS_UP_RUNNING(parent)) { 130 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 131 "%s: ignore queue, parent %s not up+running\n", 132 __func__, parent->if_xname); 133 /* XXX stat */ 134 ifsq_purge(ifsq); 135 return; 136 } 137 if (vap->iv_state == IEEE80211_S_SLEEP) { 138 /* 139 * In power save, wakeup device for transmit. 140 */ 141 ieee80211_new_state(vap, IEEE80211_S_RUN, 0); 142 ifsq_purge(ifsq); 143 return; 144 } 145 /* 146 * No data frames go out unless we're running. 147 * Note in particular this covers CAC and CSA 148 * states (though maybe we should check muting 149 * for CSA). 150 */ 151 if (vap->iv_state != IEEE80211_S_RUN) { 152 /* re-check under the com lock to avoid races */ 153 if (vap->iv_state != IEEE80211_S_RUN) { 154 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 155 "%s: ignore queue, in %s state\n", 156 __func__, ieee80211_state_name[vap->iv_state]); 157 vap->iv_stats.is_tx_badstate++; 158 ifsq_set_oactive(ifsq); 159 return; 160 } 161 } 162 for (;;) { 163 m = ifsq_dequeue(ifsq, NULL); 164 if (m == NULL) 165 break; 166 /* 167 * Sanitize mbuf flags for net80211 use. We cannot 168 * clear M_PWR_SAV or M_MORE_DATA because these may 169 * be set for frames that are re-submitted from the 170 * power save queue. 171 * 172 * NB: This must be done before ieee80211_classify as 173 * it marks EAPOL in frames with M_EAPOL. 174 */ 175 m->m_flags &= ~(M_80211_TX - M_PWR_SAV - M_MORE_DATA); 176 /* 177 * Cancel any background scan. 178 */ 179 if (ic->ic_flags & IEEE80211_F_SCAN) 180 ieee80211_cancel_anyscan(vap); 181 /* 182 * Find the node for the destination so we can do 183 * things like power save and fast frames aggregation. 184 * 185 * NB: past this point various code assumes the first 186 * mbuf has the 802.3 header present (and contiguous). 187 */ 188 ni = NULL; 189 if (m->m_len < sizeof(struct ether_header) && 190 (m = m_pullup(m, sizeof(struct ether_header))) == NULL) { 191 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 192 "discard frame, %s\n", "m_pullup failed"); 193 vap->iv_stats.is_tx_nobuf++; /* XXX */ 194 ifp->if_oerrors++; 195 continue; 196 } 197 eh = mtod(m, struct ether_header *); 198 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 199 if (IS_DWDS(vap)) { 200 /* 201 * Only unicast frames from the above go out 202 * DWDS vaps; multicast frames are handled by 203 * dispatching the frame as it comes through 204 * the AP vap (see below). 205 */ 206 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_WDS, 207 eh->ether_dhost, "mcast", "%s", "on DWDS"); 208 vap->iv_stats.is_dwds_mcast++; 209 m_freem(m); 210 continue; 211 } 212 if (vap->iv_opmode == IEEE80211_M_HOSTAP) { 213 /* 214 * Spam DWDS vap's w/ multicast traffic. 215 */ 216 /* XXX only if dwds in use? */ 217 ieee80211_dwds_mcast(vap, m); 218 } 219 } 220 #ifdef IEEE80211_SUPPORT_MESH 221 if (vap->iv_opmode != IEEE80211_M_MBSS) { 222 #endif 223 ni = ieee80211_find_txnode(vap, eh->ether_dhost); 224 if (ni == NULL) { 225 /* NB: ieee80211_find_txnode does stat+msg */ 226 ifp->if_oerrors++; 227 m_freem(m); 228 continue; 229 } 230 if (ni->ni_associd == 0 && 231 (ni->ni_flags & IEEE80211_NODE_ASSOCID)) { 232 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT, 233 eh->ether_dhost, NULL, 234 "sta not associated (type 0x%04x)", 235 htons(eh->ether_type)); 236 vap->iv_stats.is_tx_notassoc++; 237 ifp->if_oerrors++; 238 m_freem(m); 239 ieee80211_free_node(ni); 240 continue; 241 } 242 #ifdef IEEE80211_SUPPORT_MESH 243 } else { 244 if (!IEEE80211_ADDR_EQ(eh->ether_shost, vap->iv_myaddr)) { 245 /* 246 * Proxy station only if configured. 247 */ 248 if (!ieee80211_mesh_isproxyena(vap)) { 249 IEEE80211_DISCARD_MAC(vap, 250 IEEE80211_MSG_OUTPUT | 251 IEEE80211_MSG_MESH, 252 eh->ether_dhost, NULL, 253 "%s", "proxy not enabled"); 254 vap->iv_stats.is_mesh_notproxy++; 255 ifp->if_oerrors++; 256 m_freem(m); 257 continue; 258 } 259 ieee80211_mesh_proxy_check(vap, eh->ether_shost); 260 } 261 ni = ieee80211_mesh_discover(vap, eh->ether_dhost, m); 262 if (ni == NULL) { 263 /* 264 * NB: ieee80211_mesh_discover holds/disposes 265 * frame (e.g. queueing on path discovery). 266 */ 267 ifp->if_oerrors++; 268 continue; 269 } 270 } 271 #endif 272 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 273 (m->m_flags & M_PWR_SAV) == 0) { 274 /* 275 * Station in power save mode; pass the frame 276 * to the 802.11 layer and continue. We'll get 277 * the frame back when the time is right. 278 * XXX lose WDS vap linkage? 279 */ 280 (void) ieee80211_pwrsave(ni, m); 281 ieee80211_free_node(ni); 282 continue; 283 } 284 /* calculate priority so drivers can find the tx queue */ 285 if (ieee80211_classify(ni, m)) { 286 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT, 287 eh->ether_dhost, NULL, 288 "%s", "classification failure"); 289 vap->iv_stats.is_tx_classify++; 290 ifp->if_oerrors++; 291 m_freem(m); 292 ieee80211_free_node(ni); 293 continue; 294 } 295 /* 296 * Stash the node pointer. Note that we do this after 297 * any call to ieee80211_dwds_mcast because that code 298 * uses any existing value for rcvif to identify the 299 * interface it (might have been) received on. 300 */ 301 m->m_pkthdr.rcvif = (void *)ni; 302 303 BPF_MTAP(ifp, m); /* 802.3 tx */ 304 305 /* 306 * Check if A-MPDU tx aggregation is setup or if we 307 * should try to enable it. The sta must be associated 308 * with HT and A-MPDU enabled for use. When the policy 309 * routine decides we should enable A-MPDU we issue an 310 * ADDBA request and wait for a reply. The frame being 311 * encapsulated will go out w/o using A-MPDU, or possibly 312 * it might be collected by the driver and held/retransmit. 313 * The default ic_ampdu_enable routine handles staggering 314 * ADDBA requests in case the receiver NAK's us or we are 315 * otherwise unable to establish a BA stream. 316 */ 317 if ((ni->ni_flags & IEEE80211_NODE_AMPDU_TX) && 318 (vap->iv_flags_ht & IEEE80211_FHT_AMPDU_TX) && 319 (m->m_flags & M_EAPOL) == 0) { 320 const int ac = M_WME_GETAC(m); 321 struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[ac]; 322 323 ieee80211_txampdu_count_packet(tap); 324 if (IEEE80211_AMPDU_RUNNING(tap)) { 325 /* 326 * Operational, mark frame for aggregation. 327 * 328 * XXX do tx aggregation here 329 */ 330 m->m_flags |= M_AMPDU_MPDU; 331 } else if (!IEEE80211_AMPDU_REQUESTED(tap) && 332 ic->ic_ampdu_enable(ni, tap)) { 333 /* 334 * Not negotiated yet, request service. 335 */ 336 ieee80211_ampdu_request(ni, tap); 337 /* XXX hold frame for reply? */ 338 } 339 } 340 #ifdef IEEE80211_SUPPORT_SUPERG 341 else if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF)) { 342 m = ieee80211_ff_check(ni, m); 343 if (m == NULL) { 344 /* NB: any ni ref held on stageq */ 345 continue; 346 } 347 } 348 #endif /* IEEE80211_SUPPORT_SUPERG */ 349 if (__predict_true((vap->iv_caps & IEEE80211_C_8023ENCAP) == 0)) { 350 /* 351 * Encapsulate the packet in prep for transmission. 352 */ 353 m = ieee80211_encap(vap, ni, m); 354 if (m == NULL) { 355 /* NB: stat+msg handled in ieee80211_encap */ 356 ieee80211_free_node(ni); 357 continue; 358 } 359 } 360 361 error = ieee80211_handoff(parent, m); 362 if (error != 0) { 363 /* NB: IFQ_HANDOFF reclaims mbuf */ 364 ieee80211_free_node(ni); 365 } else { 366 ifp->if_opackets++; 367 } 368 ic->ic_lastdata = ticks; 369 } 370 #undef IS_DWDS 371 } 372 373 374 /* 375 * 802.11 output routine. This is (currently) used only to 376 * connect bpf write calls to the 802.11 layer for injecting 377 * raw 802.11 frames. 378 */ 379 int 380 ieee80211_output(struct ifnet *ifp, struct mbuf *m, 381 struct sockaddr *dst, struct rtentry *rt) 382 { 383 #define senderr(e) do { error = (e); goto bad;} while (0) 384 struct ieee80211_node *ni = NULL; 385 struct ieee80211vap *vap; 386 struct ieee80211_frame *wh; 387 struct ifaltq_subque *ifsq; 388 int error; 389 390 ifsq = ifq_get_subq_default(&ifp->if_snd); 391 if (ifsq_is_oactive(ifsq)) { 392 /* 393 * Short-circuit requests if the vap is marked OACTIVE 394 * as this can happen because a packet came down through 395 * ieee80211_start before the vap entered RUN state in 396 * which case it's ok to just drop the frame. This 397 * should not be necessary but callers of if_output don't 398 * check OACTIVE. 399 */ 400 senderr(ENETDOWN); 401 } 402 vap = ifp->if_softc; 403 /* 404 * Hand to the 802.3 code if not tagged as 405 * a raw 802.11 frame. 406 */ 407 if (dst->sa_family != AF_IEEE80211) 408 return vap->iv_output(ifp, m, dst, rt); 409 #ifdef MAC 410 error = mac_ifnet_check_transmit(ifp, m); 411 if (error) 412 senderr(error); 413 #endif 414 if (ifp->if_flags & IFF_MONITOR) 415 senderr(ENETDOWN); 416 if (!IFNET_IS_UP_RUNNING(ifp)) 417 senderr(ENETDOWN); 418 if (vap->iv_state == IEEE80211_S_CAC) { 419 IEEE80211_DPRINTF(vap, 420 IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 421 "block %s frame in CAC state\n", "raw data"); 422 vap->iv_stats.is_tx_badstate++; 423 senderr(EIO); /* XXX */ 424 } 425 /* XXX bypass bridge, pfil, carp, etc. */ 426 427 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_ack)) 428 senderr(EIO); /* XXX */ 429 wh = mtod(m, struct ieee80211_frame *); 430 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 431 IEEE80211_FC0_VERSION_0) 432 senderr(EIO); /* XXX */ 433 434 /* locate destination node */ 435 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 436 case IEEE80211_FC1_DIR_NODS: 437 case IEEE80211_FC1_DIR_FROMDS: 438 ni = ieee80211_find_txnode(vap, wh->i_addr1); 439 break; 440 case IEEE80211_FC1_DIR_TODS: 441 case IEEE80211_FC1_DIR_DSTODS: 442 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) 443 senderr(EIO); /* XXX */ 444 ni = ieee80211_find_txnode(vap, wh->i_addr3); 445 break; 446 default: 447 senderr(EIO); /* XXX */ 448 } 449 if (ni == NULL) { 450 /* 451 * Permit packets w/ bpf params through regardless 452 * (see below about sa_len). 453 */ 454 if (dst->sa_len == 0) 455 senderr(EHOSTUNREACH); 456 ni = ieee80211_ref_node(vap->iv_bss); 457 } 458 459 /* 460 * Sanitize mbuf for net80211 flags leaked from above. 461 * 462 * NB: This must be done before ieee80211_classify as 463 * it marks EAPOL in frames with M_EAPOL. 464 */ 465 m->m_flags &= ~M_80211_TX; 466 467 /* calculate priority so drivers can find the tx queue */ 468 /* XXX assumes an 802.3 frame */ 469 if (ieee80211_classify(ni, m)) 470 senderr(EIO); /* XXX */ 471 472 ifp->if_opackets++; 473 IEEE80211_NODE_STAT(ni, tx_data); 474 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 475 IEEE80211_NODE_STAT(ni, tx_mcast); 476 m->m_flags |= M_MCAST; 477 } else 478 IEEE80211_NODE_STAT(ni, tx_ucast); 479 /* NB: ieee80211_encap does not include 802.11 header */ 480 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, m->m_pkthdr.len); 481 482 /* 483 * NB: DLT_IEEE802_11_RADIO identifies the parameters are 484 * present by setting the sa_len field of the sockaddr (yes, 485 * this is a hack). 486 * NB: we assume sa_data is suitably aligned to cast. 487 */ 488 return vap->iv_ic->ic_raw_xmit(ni, m, 489 (const struct ieee80211_bpf_params *)(dst->sa_len ? 490 dst->sa_data : NULL)); 491 bad: 492 if (m != NULL) 493 m_freem(m); 494 if (ni != NULL) 495 ieee80211_free_node(ni); 496 ifp->if_oerrors++; 497 return error; 498 #undef senderr 499 } 500 501 /* 502 * Set the direction field and address fields of an outgoing 503 * frame. Note this should be called early on in constructing 504 * a frame as it sets i_fc[1]; other bits can then be or'd in. 505 */ 506 void 507 ieee80211_send_setup( 508 struct ieee80211_node *ni, 509 struct mbuf *m, 510 int type, int tid, 511 const uint8_t sa[IEEE80211_ADDR_LEN], 512 const uint8_t da[IEEE80211_ADDR_LEN], 513 const uint8_t bssid[IEEE80211_ADDR_LEN]) 514 { 515 #define WH4(wh) ((struct ieee80211_frame_addr4 *)wh) 516 struct ieee80211vap *vap = ni->ni_vap; 517 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 518 ieee80211_seq seqno; 519 520 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | type; 521 if ((type & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_DATA) { 522 switch (vap->iv_opmode) { 523 case IEEE80211_M_STA: 524 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 525 IEEE80211_ADDR_COPY(wh->i_addr1, bssid); 526 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 527 IEEE80211_ADDR_COPY(wh->i_addr3, da); 528 break; 529 case IEEE80211_M_IBSS: 530 case IEEE80211_M_AHDEMO: 531 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 532 IEEE80211_ADDR_COPY(wh->i_addr1, da); 533 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 534 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 535 break; 536 case IEEE80211_M_HOSTAP: 537 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 538 IEEE80211_ADDR_COPY(wh->i_addr1, da); 539 IEEE80211_ADDR_COPY(wh->i_addr2, bssid); 540 IEEE80211_ADDR_COPY(wh->i_addr3, sa); 541 break; 542 case IEEE80211_M_WDS: 543 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 544 IEEE80211_ADDR_COPY(wh->i_addr1, da); 545 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 546 IEEE80211_ADDR_COPY(wh->i_addr3, da); 547 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa); 548 break; 549 case IEEE80211_M_MBSS: 550 #ifdef IEEE80211_SUPPORT_MESH 551 /* XXX add support for proxied addresses */ 552 if (IEEE80211_IS_MULTICAST(da)) { 553 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 554 /* XXX next hop */ 555 IEEE80211_ADDR_COPY(wh->i_addr1, da); 556 IEEE80211_ADDR_COPY(wh->i_addr2, 557 vap->iv_myaddr); 558 } else { 559 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 560 IEEE80211_ADDR_COPY(wh->i_addr1, da); 561 IEEE80211_ADDR_COPY(wh->i_addr2, 562 vap->iv_myaddr); 563 IEEE80211_ADDR_COPY(wh->i_addr3, da); 564 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa); 565 } 566 #endif 567 break; 568 case IEEE80211_M_MONITOR: /* NB: to quiet compiler */ 569 break; 570 } 571 } else { 572 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 573 IEEE80211_ADDR_COPY(wh->i_addr1, da); 574 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 575 #ifdef IEEE80211_SUPPORT_MESH 576 if (vap->iv_opmode == IEEE80211_M_MBSS) 577 IEEE80211_ADDR_COPY(wh->i_addr3, sa); 578 else 579 #endif 580 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 581 } 582 *(uint16_t *)&wh->i_dur[0] = 0; 583 584 seqno = ni->ni_txseqs[tid]++; 585 *(uint16_t *)&wh->i_seq[0] = htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 586 M_SEQNO_SET(m, seqno); 587 588 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) 589 m->m_flags |= M_MCAST; 590 #undef WH4 591 } 592 593 /* 594 * Send a management frame to the specified node. The node pointer 595 * must have a reference as the pointer will be passed to the driver 596 * and potentially held for a long time. If the frame is successfully 597 * dispatched to the driver, then it is responsible for freeing the 598 * reference (and potentially free'ing up any associated storage); 599 * otherwise deal with reclaiming any reference (on error). 600 */ 601 int 602 ieee80211_mgmt_output(struct ieee80211_node *ni, struct mbuf *m, int type, 603 struct ieee80211_bpf_params *params) 604 { 605 struct ieee80211vap *vap = ni->ni_vap; 606 struct ieee80211com *ic = ni->ni_ic; 607 struct ieee80211_frame *wh; 608 #ifdef IEEE80211_DEBUG 609 char ethstr[ETHER_ADDRSTRLEN + 1]; 610 #endif 611 KASSERT(ni != NULL, ("null node")); 612 613 if (vap->iv_state == IEEE80211_S_CAC) { 614 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 615 ni, "block %s frame in CAC state", 616 ieee80211_mgt_subtype_name[ 617 (type & IEEE80211_FC0_SUBTYPE_MASK) >> 618 IEEE80211_FC0_SUBTYPE_SHIFT]); 619 vap->iv_stats.is_tx_badstate++; 620 ieee80211_free_node(ni); 621 m_freem(m); 622 return EIO; /* XXX */ 623 } 624 625 M_PREPEND(m, sizeof(struct ieee80211_frame), MB_DONTWAIT); 626 if (m == NULL) { 627 ieee80211_free_node(ni); 628 return ENOMEM; 629 } 630 631 wh = mtod(m, struct ieee80211_frame *); 632 ieee80211_send_setup(ni, m, 633 IEEE80211_FC0_TYPE_MGT | type, IEEE80211_NONQOS_TID, 634 vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 635 if (params->ibp_flags & IEEE80211_BPF_CRYPTO) { 636 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr1, 637 "encrypting frame (%s)", __func__); 638 wh->i_fc[1] |= IEEE80211_FC1_WEP; 639 } 640 m->m_flags |= M_ENCAP; /* mark encapsulated */ 641 642 KASSERT(type != IEEE80211_FC0_SUBTYPE_PROBE_RESP, ("probe response?")); 643 M_WME_SETAC(m, params->ibp_pri); 644 645 #ifdef IEEE80211_DEBUG 646 /* avoid printing too many frames */ 647 if ((ieee80211_msg_debug(vap) && doprint(vap, type)) || 648 ieee80211_msg_dumppkts(vap)) { 649 kprintf("[%s] send %s on channel %u\n", 650 kether_ntoa(wh->i_addr1, ethstr), 651 ieee80211_mgt_subtype_name[ 652 (type & IEEE80211_FC0_SUBTYPE_MASK) >> 653 IEEE80211_FC0_SUBTYPE_SHIFT], 654 ieee80211_chan2ieee(ic, ic->ic_curchan)); 655 } 656 #endif 657 IEEE80211_NODE_STAT(ni, tx_mgmt); 658 659 return ic->ic_raw_xmit(ni, m, params); 660 } 661 662 /* 663 * Send a null data frame to the specified node. If the station 664 * is setup for QoS then a QoS Null Data frame is constructed. 665 * If this is a WDS station then a 4-address frame is constructed. 666 * 667 * NB: the caller is assumed to have setup a node reference 668 * for use; this is necessary to deal with a race condition 669 * when probing for inactive stations. Like ieee80211_mgmt_output 670 * we must cleanup any node reference on error; however we 671 * can safely just unref it as we know it will never be the 672 * last reference to the node. 673 */ 674 int 675 ieee80211_send_nulldata(struct ieee80211_node *ni) 676 { 677 struct ieee80211vap *vap = ni->ni_vap; 678 struct ieee80211com *ic = ni->ni_ic; 679 struct mbuf *m; 680 struct ieee80211_frame *wh; 681 int hdrlen; 682 uint8_t *frm; 683 684 if (vap->iv_state == IEEE80211_S_CAC) { 685 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 686 ni, "block %s frame in CAC state", "null data"); 687 ieee80211_unref_node(&ni); 688 vap->iv_stats.is_tx_badstate++; 689 return EIO; /* XXX */ 690 } 691 692 if (ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT)) 693 hdrlen = sizeof(struct ieee80211_qosframe); 694 else 695 hdrlen = sizeof(struct ieee80211_frame); 696 /* NB: only WDS vap's get 4-address frames */ 697 if (vap->iv_opmode == IEEE80211_M_WDS) 698 hdrlen += IEEE80211_ADDR_LEN; 699 if (ic->ic_flags & IEEE80211_F_DATAPAD) 700 hdrlen = roundup(hdrlen, sizeof(uint32_t)); 701 702 m = ieee80211_getmgtframe(&frm, ic->ic_headroom + hdrlen, 0); 703 if (m == NULL) { 704 /* XXX debug msg */ 705 ieee80211_unref_node(&ni); 706 vap->iv_stats.is_tx_nobuf++; 707 return ENOMEM; 708 } 709 KASSERT(M_LEADINGSPACE(m) >= hdrlen, 710 ("leading space %zd", M_LEADINGSPACE(m))); 711 M_PREPEND(m, hdrlen, MB_DONTWAIT); 712 if (m == NULL) { 713 /* NB: cannot happen */ 714 ieee80211_free_node(ni); 715 return ENOMEM; 716 } 717 718 wh = mtod(m, struct ieee80211_frame *); /* NB: a little lie */ 719 if (ni->ni_flags & IEEE80211_NODE_QOS) { 720 const int tid = WME_AC_TO_TID(WME_AC_BE); 721 uint8_t *qos; 722 723 ieee80211_send_setup(ni, m, 724 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_QOS_NULL, 725 tid, vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 726 727 if (vap->iv_opmode == IEEE80211_M_WDS) 728 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 729 else 730 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 731 qos[0] = tid & IEEE80211_QOS_TID; 732 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[WME_AC_BE].wmep_noackPolicy) 733 qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK; 734 qos[1] = 0; 735 } else { 736 ieee80211_send_setup(ni, m, 737 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_NODATA, 738 IEEE80211_NONQOS_TID, 739 vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 740 } 741 if (vap->iv_opmode != IEEE80211_M_WDS) { 742 /* NB: power management bit is never sent by an AP */ 743 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 744 vap->iv_opmode != IEEE80211_M_HOSTAP) 745 wh->i_fc[1] |= IEEE80211_FC1_PWR_MGT; 746 } 747 m->m_len = m->m_pkthdr.len = hdrlen; 748 m->m_flags |= M_ENCAP; /* mark encapsulated */ 749 750 M_WME_SETAC(m, WME_AC_BE); 751 752 IEEE80211_NODE_STAT(ni, tx_data); 753 754 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, ni, 755 "send %snull data frame on channel %u, pwr mgt %s", 756 ni->ni_flags & IEEE80211_NODE_QOS ? "QoS " : "", 757 ieee80211_chan2ieee(ic, ic->ic_curchan), 758 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT ? "ena" : "dis"); 759 760 return ic->ic_raw_xmit(ni, m, NULL); 761 } 762 763 /* 764 * Assign priority to a frame based on any vlan tag assigned 765 * to the station and/or any Diffserv setting in an IP header. 766 * Finally, if an ACM policy is setup (in station mode) it's 767 * applied. 768 */ 769 int 770 ieee80211_classify(struct ieee80211_node *ni, struct mbuf *m) 771 { 772 const struct ether_header *eh = mtod(m, struct ether_header *); 773 int v_wme_ac, d_wme_ac, ac; 774 775 /* 776 * Always promote PAE/EAPOL frames to high priority. 777 */ 778 if (eh->ether_type == htons(ETHERTYPE_PAE)) { 779 /* NB: mark so others don't need to check header */ 780 m->m_flags |= M_EAPOL; 781 ac = WME_AC_VO; 782 goto done; 783 } 784 /* 785 * Non-qos traffic goes to BE. 786 */ 787 if ((ni->ni_flags & IEEE80211_NODE_QOS) == 0) { 788 ac = WME_AC_BE; 789 goto done; 790 } 791 792 /* 793 * If node has a vlan tag then all traffic 794 * to it must have a matching tag. 795 */ 796 v_wme_ac = 0; 797 if (ni->ni_vlan != 0) { 798 if ((m->m_flags & M_VLANTAG) == 0) { 799 IEEE80211_NODE_STAT(ni, tx_novlantag); 800 return 1; 801 } 802 #ifdef __FreeBSD__ 803 if (EVL_VLANOFTAG(m->m_pkthdr.ether_vlantag) != 804 EVL_VLANOFTAG(ni->ni_vlan)) { 805 IEEE80211_NODE_STAT(ni, tx_vlanmismatch); 806 return 1; 807 } 808 /* map vlan priority to AC */ 809 v_wme_ac = TID_TO_WME_AC(EVL_PRIOFTAG(ni->ni_vlan)); 810 #endif 811 } 812 813 /* XXX m_copydata may be too slow for fast path */ 814 #ifdef INET 815 if (eh->ether_type == htons(ETHERTYPE_IP)) { 816 uint8_t tos; 817 /* 818 * IP frame, map the DSCP bits from the TOS field. 819 */ 820 /* NB: ip header may not be in first mbuf */ 821 m_copydata(m, sizeof(struct ether_header) + 822 offsetof(struct ip, ip_tos), sizeof(tos), &tos); 823 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */ 824 d_wme_ac = TID_TO_WME_AC(tos); 825 } else { 826 #endif /* INET */ 827 #ifdef INET6 828 if (eh->ether_type == htons(ETHERTYPE_IPV6)) { 829 uint32_t flow; 830 uint8_t tos; 831 /* 832 * IPv6 frame, map the DSCP bits from the TOS field. 833 */ 834 m_copydata(m, sizeof(struct ether_header) + 835 offsetof(struct ip6_hdr, ip6_flow), sizeof(flow), 836 (caddr_t) &flow); 837 tos = (uint8_t)(ntohl(flow) >> 20); 838 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */ 839 d_wme_ac = TID_TO_WME_AC(tos); 840 } else { 841 #endif /* INET6 */ 842 d_wme_ac = WME_AC_BE; 843 #ifdef INET6 844 } 845 #endif 846 #ifdef INET 847 } 848 #endif 849 /* 850 * Use highest priority AC. 851 */ 852 if (v_wme_ac > d_wme_ac) 853 ac = v_wme_ac; 854 else 855 ac = d_wme_ac; 856 857 /* 858 * Apply ACM policy. 859 */ 860 if (ni->ni_vap->iv_opmode == IEEE80211_M_STA) { 861 static const int acmap[4] = { 862 WME_AC_BK, /* WME_AC_BE */ 863 WME_AC_BK, /* WME_AC_BK */ 864 WME_AC_BE, /* WME_AC_VI */ 865 WME_AC_VI, /* WME_AC_VO */ 866 }; 867 struct ieee80211com *ic = ni->ni_ic; 868 869 while (ac != WME_AC_BK && 870 ic->ic_wme.wme_wmeBssChanParams.cap_wmeParams[ac].wmep_acm) 871 ac = acmap[ac]; 872 } 873 done: 874 M_WME_SETAC(m, ac); 875 return 0; 876 } 877 878 /* 879 * Insure there is sufficient contiguous space to encapsulate the 880 * 802.11 data frame. If room isn't already there, arrange for it. 881 * Drivers and cipher modules assume we have done the necessary work 882 * and fail rudely if they don't find the space they need. 883 */ 884 struct mbuf * 885 ieee80211_mbuf_adjust(struct ieee80211vap *vap, int hdrsize, 886 struct ieee80211_key *key, struct mbuf *m) 887 { 888 #define TO_BE_RECLAIMED (sizeof(struct ether_header) - sizeof(struct llc)) 889 struct mbuf *mnew = NULL; 890 int needed_space = vap->iv_ic->ic_headroom + hdrsize; 891 892 if (key != NULL) { 893 /* XXX belongs in crypto code? */ 894 needed_space += key->wk_cipher->ic_header; 895 /* XXX frags */ 896 /* 897 * When crypto is being done in the host we must insure 898 * the data are writable for the cipher routines; clone 899 * a writable mbuf chain. 900 * XXX handle SWMIC specially 901 */ 902 if (key->wk_flags & (IEEE80211_KEY_SWENCRYPT|IEEE80211_KEY_SWENMIC)) { 903 mnew = m_dup(m, MB_DONTWAIT); 904 if (m == NULL) { 905 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 906 "%s: cannot get writable mbuf\n", __func__); 907 vap->iv_stats.is_tx_nobuf++; /* XXX new stat */ 908 return NULL; 909 } 910 m_freem(m); 911 m = mnew; 912 } 913 } 914 /* 915 * We know we are called just before stripping an Ethernet 916 * header and prepending an LLC header. This means we know 917 * there will be 918 * sizeof(struct ether_header) - sizeof(struct llc) 919 * bytes recovered to which we need additional space for the 920 * 802.11 header and any crypto header. 921 */ 922 /* XXX check trailing space and copy instead? */ 923 if (M_LEADINGSPACE(m) < needed_space - TO_BE_RECLAIMED) { 924 struct mbuf *n = m_gethdr(MB_DONTWAIT, m->m_type); 925 if (n == NULL) { 926 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 927 "%s: cannot expand storage\n", __func__); 928 vap->iv_stats.is_tx_nobuf++; 929 m_freem(m); 930 return NULL; 931 } 932 KASSERT(needed_space <= MHLEN, 933 ("not enough room, need %u got %zu", needed_space, MHLEN)); 934 /* 935 * Setup new mbuf to have leading space to prepend the 936 * 802.11 header and any crypto header bits that are 937 * required (the latter are added when the driver calls 938 * back to ieee80211_crypto_encap to do crypto encapsulation). 939 */ 940 /* NB: must be first 'cuz it clobbers m_data */ 941 m_move_pkthdr(n, m); 942 n->m_len = 0; /* NB: m_gethdr does not set */ 943 n->m_data += needed_space; 944 /* 945 * Pull up Ethernet header to create the expected layout. 946 * We could use m_pullup but that's overkill (i.e. we don't 947 * need the actual data) and it cannot fail so do it inline 948 * for speed. 949 */ 950 /* NB: struct ether_header is known to be contiguous */ 951 n->m_len += sizeof(struct ether_header); 952 m->m_len -= sizeof(struct ether_header); 953 m->m_data += sizeof(struct ether_header); 954 /* 955 * Replace the head of the chain. 956 */ 957 n->m_next = m; 958 m = n; 959 } 960 return m; 961 #undef TO_BE_RECLAIMED 962 } 963 964 /* 965 * Return the transmit key to use in sending a unicast frame. 966 * If a unicast key is set we use that. When no unicast key is set 967 * we fall back to the default transmit key. 968 */ 969 static __inline struct ieee80211_key * 970 ieee80211_crypto_getucastkey(struct ieee80211vap *vap, 971 struct ieee80211_node *ni) 972 { 973 if (IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)) { 974 if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE || 975 IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey])) 976 return NULL; 977 return &vap->iv_nw_keys[vap->iv_def_txkey]; 978 } else { 979 return &ni->ni_ucastkey; 980 } 981 } 982 983 /* 984 * Return the transmit key to use in sending a multicast frame. 985 * Multicast traffic always uses the group key which is installed as 986 * the default tx key. 987 */ 988 static __inline struct ieee80211_key * 989 ieee80211_crypto_getmcastkey(struct ieee80211vap *vap, 990 struct ieee80211_node *ni) 991 { 992 if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE || 993 IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey])) 994 return NULL; 995 return &vap->iv_nw_keys[vap->iv_def_txkey]; 996 } 997 998 /* 999 * Encapsulate an outbound data frame. The mbuf chain is updated. 1000 * If an error is encountered NULL is returned. The caller is required 1001 * to provide a node reference and pullup the ethernet header in the 1002 * first mbuf. 1003 * 1004 * NB: Packet is assumed to be processed by ieee80211_classify which 1005 * marked EAPOL frames w/ M_EAPOL. 1006 */ 1007 struct mbuf * 1008 ieee80211_encap(struct ieee80211vap *vap, struct ieee80211_node *ni, 1009 struct mbuf *m) 1010 { 1011 #define WH4(wh) ((struct ieee80211_frame_addr4 *)(wh)) 1012 struct ieee80211com *ic = ni->ni_ic; 1013 #ifdef IEEE80211_SUPPORT_MESH 1014 struct ieee80211_mesh_state *ms = vap->iv_mesh; 1015 struct ieee80211_meshcntl_ae10 *mc; 1016 #endif 1017 struct ether_header eh; 1018 struct ieee80211_frame *wh; 1019 struct ieee80211_key *key; 1020 struct llc *llc; 1021 int hdrsize, hdrspace, datalen, addqos, txfrag, is4addr; 1022 ieee80211_seq seqno; 1023 int meshhdrsize, meshae; 1024 uint8_t *qos; 1025 1026 /* 1027 * Copy existing Ethernet header to a safe place. The 1028 * rest of the code assumes it's ok to strip it when 1029 * reorganizing state for the final encapsulation. 1030 */ 1031 KASSERT(m->m_len >= sizeof(eh), ("no ethernet header!")); 1032 ETHER_HEADER_COPY(&eh, mtod(m, caddr_t)); 1033 1034 /* 1035 * Insure space for additional headers. First identify 1036 * transmit key to use in calculating any buffer adjustments 1037 * required. This is also used below to do privacy 1038 * encapsulation work. Then calculate the 802.11 header 1039 * size and any padding required by the driver. 1040 * 1041 * Note key may be NULL if we fall back to the default 1042 * transmit key and that is not set. In that case the 1043 * buffer may not be expanded as needed by the cipher 1044 * routines, but they will/should discard it. 1045 */ 1046 if (vap->iv_flags & IEEE80211_F_PRIVACY) { 1047 if (vap->iv_opmode == IEEE80211_M_STA || 1048 !IEEE80211_IS_MULTICAST(eh.ether_dhost) || 1049 (vap->iv_opmode == IEEE80211_M_WDS && 1050 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY))) 1051 key = ieee80211_crypto_getucastkey(vap, ni); 1052 else 1053 key = ieee80211_crypto_getmcastkey(vap, ni); 1054 if (key == NULL && (m->m_flags & M_EAPOL) == 0) { 1055 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 1056 eh.ether_dhost, 1057 "no default transmit key (%s) deftxkey %u", 1058 __func__, vap->iv_def_txkey); 1059 vap->iv_stats.is_tx_nodefkey++; 1060 goto bad; 1061 } 1062 } else 1063 key = NULL; 1064 /* 1065 * XXX Some ap's don't handle QoS-encapsulated EAPOL 1066 * frames so suppress use. This may be an issue if other 1067 * ap's require all data frames to be QoS-encapsulated 1068 * once negotiated in which case we'll need to make this 1069 * configurable. 1070 */ 1071 addqos = (ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT)) && 1072 (m->m_flags & M_EAPOL) == 0; 1073 if (addqos) 1074 hdrsize = sizeof(struct ieee80211_qosframe); 1075 else 1076 hdrsize = sizeof(struct ieee80211_frame); 1077 #ifdef IEEE80211_SUPPORT_MESH 1078 if (vap->iv_opmode == IEEE80211_M_MBSS) { 1079 /* 1080 * Mesh data frames are encapsulated according to the 1081 * rules of Section 11B.8.5 (p.139 of D3.0 spec). 1082 * o Group Addressed data (aka multicast) originating 1083 * at the local sta are sent w/ 3-address format and 1084 * address extension mode 00 1085 * o Individually Addressed data (aka unicast) originating 1086 * at the local sta are sent w/ 4-address format and 1087 * address extension mode 00 1088 * o Group Addressed data forwarded from a non-mesh sta are 1089 * sent w/ 3-address format and address extension mode 01 1090 * o Individually Address data from another sta are sent 1091 * w/ 4-address format and address extension mode 10 1092 */ 1093 is4addr = 0; /* NB: don't use, disable */ 1094 if (!IEEE80211_IS_MULTICAST(eh.ether_dhost)) 1095 hdrsize += IEEE80211_ADDR_LEN; /* unicast are 4-addr */ 1096 meshhdrsize = sizeof(struct ieee80211_meshcntl); 1097 /* XXX defines for AE modes */ 1098 if (IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr)) { 1099 if (!IEEE80211_IS_MULTICAST(eh.ether_dhost)) 1100 meshae = 0; 1101 else 1102 meshae = 4; /* NB: pseudo */ 1103 } else if (IEEE80211_IS_MULTICAST(eh.ether_dhost)) { 1104 meshae = 1; 1105 meshhdrsize += 1*IEEE80211_ADDR_LEN; 1106 } else { 1107 meshae = 2; 1108 meshhdrsize += 2*IEEE80211_ADDR_LEN; 1109 } 1110 } else { 1111 #endif 1112 /* 1113 * 4-address frames need to be generated for: 1114 * o packets sent through a WDS vap (IEEE80211_M_WDS) 1115 * o packets sent through a vap marked for relaying 1116 * (e.g. a station operating with dynamic WDS) 1117 */ 1118 is4addr = vap->iv_opmode == IEEE80211_M_WDS || 1119 ((vap->iv_flags_ext & IEEE80211_FEXT_4ADDR) && 1120 !IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr)); 1121 if (is4addr) 1122 hdrsize += IEEE80211_ADDR_LEN; 1123 meshhdrsize = meshae = 0; 1124 #ifdef IEEE80211_SUPPORT_MESH 1125 } 1126 #endif 1127 /* 1128 * Honor driver DATAPAD requirement. 1129 */ 1130 if (ic->ic_flags & IEEE80211_F_DATAPAD) 1131 hdrspace = roundup(hdrsize, sizeof(uint32_t)); 1132 else 1133 hdrspace = hdrsize; 1134 1135 if (__predict_true((m->m_flags & M_FF) == 0)) { 1136 /* 1137 * Normal frame. 1138 */ 1139 m = ieee80211_mbuf_adjust(vap, hdrspace + meshhdrsize, key, m); 1140 if (m == NULL) { 1141 /* NB: ieee80211_mbuf_adjust handles msgs+statistics */ 1142 goto bad; 1143 } 1144 /* NB: this could be optimized 'cuz of ieee80211_mbuf_adjust */ 1145 m_adj(m, sizeof(struct ether_header) - sizeof(struct llc)); 1146 llc = mtod(m, struct llc *); 1147 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 1148 llc->llc_control = LLC_UI; 1149 llc->llc_snap.org_code[0] = 0; 1150 llc->llc_snap.org_code[1] = 0; 1151 llc->llc_snap.org_code[2] = 0; 1152 llc->llc_snap.ether_type = eh.ether_type; 1153 } else { 1154 #ifdef IEEE80211_SUPPORT_SUPERG 1155 /* 1156 * Aggregated frame. 1157 */ 1158 m = ieee80211_ff_encap(vap, m, hdrspace + meshhdrsize, key); 1159 if (m == NULL) 1160 #endif 1161 goto bad; 1162 } 1163 datalen = m->m_pkthdr.len; /* NB: w/o 802.11 header */ 1164 1165 M_PREPEND(m, hdrspace + meshhdrsize, MB_DONTWAIT); 1166 if (m == NULL) { 1167 vap->iv_stats.is_tx_nobuf++; 1168 goto bad; 1169 } 1170 wh = mtod(m, struct ieee80211_frame *); 1171 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA; 1172 *(uint16_t *)wh->i_dur = 0; 1173 qos = NULL; /* NB: quiet compiler */ 1174 if (is4addr) { 1175 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 1176 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1177 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1178 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1179 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, eh.ether_shost); 1180 } else switch (vap->iv_opmode) { 1181 case IEEE80211_M_STA: 1182 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 1183 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid); 1184 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 1185 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1186 break; 1187 case IEEE80211_M_IBSS: 1188 case IEEE80211_M_AHDEMO: 1189 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1190 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1191 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 1192 /* 1193 * NB: always use the bssid from iv_bss as the 1194 * neighbor's may be stale after an ibss merge 1195 */ 1196 IEEE80211_ADDR_COPY(wh->i_addr3, vap->iv_bss->ni_bssid); 1197 break; 1198 case IEEE80211_M_HOSTAP: 1199 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1200 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1201 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid); 1202 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 1203 break; 1204 #ifdef IEEE80211_SUPPORT_MESH 1205 case IEEE80211_M_MBSS: 1206 /* NB: offset by hdrspace to deal with DATAPAD */ 1207 mc = (struct ieee80211_meshcntl_ae10 *) 1208 (mtod(m, uint8_t *) + hdrspace); 1209 switch (meshae) { 1210 case 0: /* ucast, no proxy */ 1211 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 1212 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1213 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1214 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1215 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, eh.ether_shost); 1216 mc->mc_flags = 0; 1217 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1218 break; 1219 case 4: /* mcast, no proxy */ 1220 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1221 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1222 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1223 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 1224 mc->mc_flags = 0; /* NB: AE is really 0 */ 1225 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1226 break; 1227 case 1: /* mcast, proxy */ 1228 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1229 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1230 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1231 IEEE80211_ADDR_COPY(wh->i_addr3, vap->iv_myaddr); 1232 mc->mc_flags = 1; 1233 IEEE80211_ADDR_COPY(mc->mc_addr4, eh.ether_shost); 1234 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1235 break; 1236 case 2: /* ucast, proxy */ 1237 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 1238 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1239 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1240 /* XXX not right, need MeshDA */ 1241 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1242 /* XXX assume are MeshSA */ 1243 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, vap->iv_myaddr); 1244 mc->mc_flags = 2; 1245 IEEE80211_ADDR_COPY(mc->mc_addr4, eh.ether_dhost); 1246 IEEE80211_ADDR_COPY(mc->mc_addr5, eh.ether_shost); 1247 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1248 break; 1249 default: 1250 KASSERT(0, ("meshae %d", meshae)); 1251 break; 1252 } 1253 mc->mc_ttl = ms->ms_ttl; 1254 ms->ms_seq++; 1255 LE_WRITE_4(mc->mc_seq, ms->ms_seq); 1256 break; 1257 #endif 1258 case IEEE80211_M_WDS: /* NB: is4addr should always be true */ 1259 default: 1260 goto bad; 1261 } 1262 if (m->m_flags & M_MORE_DATA) 1263 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 1264 if (addqos) { 1265 int ac, tid; 1266 1267 if (is4addr) { 1268 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1269 /* NB: mesh case handled earlier */ 1270 } else if (vap->iv_opmode != IEEE80211_M_MBSS) 1271 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1272 ac = M_WME_GETAC(m); 1273 /* map from access class/queue to 11e header priorty value */ 1274 tid = WME_AC_TO_TID(ac); 1275 qos[0] = tid & IEEE80211_QOS_TID; 1276 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[ac].wmep_noackPolicy) 1277 qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK; 1278 qos[1] = 0; 1279 wh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS; 1280 1281 if ((m->m_flags & M_AMPDU_MPDU) == 0) { 1282 /* 1283 * NB: don't assign a sequence # to potential 1284 * aggregates; we expect this happens at the 1285 * point the frame comes off any aggregation q 1286 * as otherwise we may introduce holes in the 1287 * BA sequence space and/or make window accouting 1288 * more difficult. 1289 * 1290 * XXX may want to control this with a driver 1291 * capability; this may also change when we pull 1292 * aggregation up into net80211 1293 */ 1294 seqno = ni->ni_txseqs[tid]++; 1295 *(uint16_t *)wh->i_seq = 1296 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 1297 M_SEQNO_SET(m, seqno); 1298 } 1299 } else { 1300 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++; 1301 *(uint16_t *)wh->i_seq = 1302 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 1303 M_SEQNO_SET(m, seqno); 1304 } 1305 1306 1307 /* check if xmit fragmentation is required */ 1308 txfrag = (m->m_pkthdr.len > vap->iv_fragthreshold && 1309 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 1310 (vap->iv_caps & IEEE80211_C_TXFRAG) && 1311 (m->m_flags & (M_FF | M_AMPDU_MPDU)) == 0); 1312 if (key != NULL) { 1313 /* 1314 * IEEE 802.1X: send EAPOL frames always in the clear. 1315 * WPA/WPA2: encrypt EAPOL keys when pairwise keys are set. 1316 */ 1317 if ((m->m_flags & M_EAPOL) == 0 || 1318 ((vap->iv_flags & IEEE80211_F_WPA) && 1319 (vap->iv_opmode == IEEE80211_M_STA ? 1320 !IEEE80211_KEY_UNDEFINED(key) : 1321 !IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)))) { 1322 wh->i_fc[1] |= IEEE80211_FC1_WEP; 1323 if (!ieee80211_crypto_enmic(vap, key, m, txfrag)) { 1324 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_OUTPUT, 1325 eh.ether_dhost, 1326 "%s", "enmic failed, discard frame"); 1327 vap->iv_stats.is_crypto_enmicfail++; 1328 goto bad; 1329 } 1330 } 1331 } 1332 if (txfrag && !ieee80211_fragment(vap, m, hdrsize, 1333 key != NULL ? key->wk_cipher->ic_header : 0, vap->iv_fragthreshold)) 1334 goto bad; 1335 1336 m->m_flags |= M_ENCAP; /* mark encapsulated */ 1337 1338 IEEE80211_NODE_STAT(ni, tx_data); 1339 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 1340 IEEE80211_NODE_STAT(ni, tx_mcast); 1341 m->m_flags |= M_MCAST; 1342 } else 1343 IEEE80211_NODE_STAT(ni, tx_ucast); 1344 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, datalen); 1345 1346 return m; 1347 bad: 1348 if (m != NULL) 1349 m_freem(m); 1350 return NULL; 1351 #undef WH4 1352 } 1353 1354 /* 1355 * Fragment the frame according to the specified mtu. 1356 * The size of the 802.11 header (w/o padding) is provided 1357 * so we don't need to recalculate it. We create a new 1358 * mbuf for each fragment and chain it through m_nextpkt; 1359 * we might be able to optimize this by reusing the original 1360 * packet's mbufs but that is significantly more complicated. 1361 */ 1362 static int 1363 ieee80211_fragment(struct ieee80211vap *vap, struct mbuf *m0, 1364 u_int hdrsize, u_int ciphdrsize, u_int mtu) 1365 { 1366 struct ieee80211_frame *wh, *whf; 1367 struct mbuf *m, *prev, *next; 1368 u_int totalhdrsize, fragno, fragsize, off, remainder, payload; 1369 1370 KASSERT(m0->m_nextpkt == NULL, ("mbuf already chained?")); 1371 KASSERT(m0->m_pkthdr.len > mtu, 1372 ("pktlen %u mtu %u", m0->m_pkthdr.len, mtu)); 1373 1374 wh = mtod(m0, struct ieee80211_frame *); 1375 /* NB: mark the first frag; it will be propagated below */ 1376 wh->i_fc[1] |= IEEE80211_FC1_MORE_FRAG; 1377 totalhdrsize = hdrsize + ciphdrsize; 1378 fragno = 1; 1379 off = mtu - ciphdrsize; 1380 remainder = m0->m_pkthdr.len - off; 1381 prev = m0; 1382 do { 1383 fragsize = totalhdrsize + remainder; 1384 if (fragsize > mtu) 1385 fragsize = mtu; 1386 /* XXX fragsize can be >2048! */ 1387 KASSERT(fragsize < MCLBYTES, 1388 ("fragment size %u too big!", fragsize)); 1389 if (fragsize > MHLEN) 1390 m = m_getcl(MB_DONTWAIT, MT_DATA, M_PKTHDR); 1391 else 1392 m = m_gethdr(MB_DONTWAIT, MT_DATA); 1393 if (m == NULL) 1394 goto bad; 1395 /* leave room to prepend any cipher header */ 1396 m_align(m, fragsize - ciphdrsize); 1397 1398 /* 1399 * Form the header in the fragment. Note that since 1400 * we mark the first fragment with the MORE_FRAG bit 1401 * it automatically is propagated to each fragment; we 1402 * need only clear it on the last fragment (done below). 1403 */ 1404 whf = mtod(m, struct ieee80211_frame *); 1405 memcpy(whf, wh, hdrsize); 1406 *(uint16_t *)&whf->i_seq[0] |= htole16( 1407 (fragno & IEEE80211_SEQ_FRAG_MASK) << 1408 IEEE80211_SEQ_FRAG_SHIFT); 1409 fragno++; 1410 1411 payload = fragsize - totalhdrsize; 1412 /* NB: destination is known to be contiguous */ 1413 m_copydata(m0, off, payload, mtod(m, uint8_t *) + hdrsize); 1414 m->m_len = hdrsize + payload; 1415 m->m_pkthdr.len = hdrsize + payload; 1416 m->m_flags |= M_FRAG; 1417 m->m_pkthdr.rcvif = m0->m_pkthdr.rcvif; 1418 1419 /* chain up the fragment */ 1420 prev->m_nextpkt = m; 1421 prev = m; 1422 1423 /* deduct fragment just formed */ 1424 remainder -= payload; 1425 off += payload; 1426 } while (remainder != 0); 1427 1428 /* set the last fragment */ 1429 m->m_flags |= M_LASTFRAG; 1430 whf->i_fc[1] &= ~IEEE80211_FC1_MORE_FRAG; 1431 1432 /* strip first mbuf now that everything has been copied */ 1433 m_adj(m0, -(m0->m_pkthdr.len - (mtu - ciphdrsize))); 1434 m0->m_flags |= M_FIRSTFRAG | M_FRAG; 1435 1436 vap->iv_stats.is_tx_fragframes++; 1437 vap->iv_stats.is_tx_frags += fragno-1; 1438 1439 return 1; 1440 bad: 1441 /* reclaim fragments but leave original frame for caller to free */ 1442 for (m = m0->m_nextpkt; m != NULL; m = next) { 1443 next = m->m_nextpkt; 1444 m->m_nextpkt = NULL; /* XXX paranoid */ 1445 m_freem(m); 1446 } 1447 m0->m_nextpkt = NULL; 1448 return 0; 1449 } 1450 1451 /* 1452 * Add a supported rates element id to a frame. 1453 */ 1454 uint8_t * 1455 ieee80211_add_rates(uint8_t *frm, const struct ieee80211_rateset *rs) 1456 { 1457 int nrates; 1458 1459 *frm++ = IEEE80211_ELEMID_RATES; 1460 nrates = rs->rs_nrates; 1461 if (nrates > IEEE80211_RATE_SIZE) 1462 nrates = IEEE80211_RATE_SIZE; 1463 *frm++ = nrates; 1464 memcpy(frm, rs->rs_rates, nrates); 1465 return frm + nrates; 1466 } 1467 1468 /* 1469 * Add an extended supported rates element id to a frame. 1470 */ 1471 uint8_t * 1472 ieee80211_add_xrates(uint8_t *frm, const struct ieee80211_rateset *rs) 1473 { 1474 /* 1475 * Add an extended supported rates element if operating in 11g mode. 1476 */ 1477 if (rs->rs_nrates > IEEE80211_RATE_SIZE) { 1478 int nrates = rs->rs_nrates - IEEE80211_RATE_SIZE; 1479 *frm++ = IEEE80211_ELEMID_XRATES; 1480 *frm++ = nrates; 1481 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates); 1482 frm += nrates; 1483 } 1484 return frm; 1485 } 1486 1487 /* 1488 * Add an ssid element to a frame. 1489 */ 1490 static uint8_t * 1491 ieee80211_add_ssid(uint8_t *frm, const uint8_t *ssid, u_int len) 1492 { 1493 *frm++ = IEEE80211_ELEMID_SSID; 1494 *frm++ = len; 1495 memcpy(frm, ssid, len); 1496 return frm + len; 1497 } 1498 1499 /* 1500 * Add an erp element to a frame. 1501 */ 1502 static uint8_t * 1503 ieee80211_add_erp(uint8_t *frm, struct ieee80211com *ic) 1504 { 1505 uint8_t erp; 1506 1507 *frm++ = IEEE80211_ELEMID_ERP; 1508 *frm++ = 1; 1509 erp = 0; 1510 if (ic->ic_nonerpsta != 0) 1511 erp |= IEEE80211_ERP_NON_ERP_PRESENT; 1512 if (ic->ic_flags & IEEE80211_F_USEPROT) 1513 erp |= IEEE80211_ERP_USE_PROTECTION; 1514 if (ic->ic_flags & IEEE80211_F_USEBARKER) 1515 erp |= IEEE80211_ERP_LONG_PREAMBLE; 1516 *frm++ = erp; 1517 return frm; 1518 } 1519 1520 /* 1521 * Add a CFParams element to a frame. 1522 */ 1523 static uint8_t * 1524 ieee80211_add_cfparms(uint8_t *frm, struct ieee80211com *ic) 1525 { 1526 #define ADDSHORT(frm, v) do { \ 1527 LE_WRITE_2(frm, v); \ 1528 frm += 2; \ 1529 } while (0) 1530 *frm++ = IEEE80211_ELEMID_CFPARMS; 1531 *frm++ = 6; 1532 *frm++ = 0; /* CFP count */ 1533 *frm++ = 2; /* CFP period */ 1534 ADDSHORT(frm, 0); /* CFP MaxDuration (TU) */ 1535 ADDSHORT(frm, 0); /* CFP CurRemaining (TU) */ 1536 return frm; 1537 #undef ADDSHORT 1538 } 1539 1540 static __inline uint8_t * 1541 add_appie(uint8_t *frm, const struct ieee80211_appie *ie) 1542 { 1543 memcpy(frm, ie->ie_data, ie->ie_len); 1544 return frm + ie->ie_len; 1545 } 1546 1547 static __inline uint8_t * 1548 add_ie(uint8_t *frm, const uint8_t *ie) 1549 { 1550 memcpy(frm, ie, 2 + ie[1]); 1551 return frm + 2 + ie[1]; 1552 } 1553 1554 #define WME_OUI_BYTES 0x00, 0x50, 0xf2 1555 /* 1556 * Add a WME information element to a frame. 1557 */ 1558 static uint8_t * 1559 ieee80211_add_wme_info(uint8_t *frm, struct ieee80211_wme_state *wme) 1560 { 1561 static const struct ieee80211_wme_info info = { 1562 .wme_id = IEEE80211_ELEMID_VENDOR, 1563 .wme_len = sizeof(struct ieee80211_wme_info) - 2, 1564 .wme_oui = { WME_OUI_BYTES }, 1565 .wme_type = WME_OUI_TYPE, 1566 .wme_subtype = WME_INFO_OUI_SUBTYPE, 1567 .wme_version = WME_VERSION, 1568 .wme_info = 0, 1569 }; 1570 memcpy(frm, &info, sizeof(info)); 1571 return frm + sizeof(info); 1572 } 1573 1574 /* 1575 * Add a WME parameters element to a frame. 1576 */ 1577 static uint8_t * 1578 ieee80211_add_wme_param(uint8_t *frm, struct ieee80211_wme_state *wme) 1579 { 1580 #define SM(_v, _f) (((_v) << _f##_S) & _f) 1581 #define ADDSHORT(frm, v) do { \ 1582 LE_WRITE_2(frm, v); \ 1583 frm += 2; \ 1584 } while (0) 1585 /* NB: this works 'cuz a param has an info at the front */ 1586 static const struct ieee80211_wme_info param = { 1587 .wme_id = IEEE80211_ELEMID_VENDOR, 1588 .wme_len = sizeof(struct ieee80211_wme_param) - 2, 1589 .wme_oui = { WME_OUI_BYTES }, 1590 .wme_type = WME_OUI_TYPE, 1591 .wme_subtype = WME_PARAM_OUI_SUBTYPE, 1592 .wme_version = WME_VERSION, 1593 }; 1594 int i; 1595 1596 memcpy(frm, ¶m, sizeof(param)); 1597 frm += __offsetof(struct ieee80211_wme_info, wme_info); 1598 *frm++ = wme->wme_bssChanParams.cap_info; /* AC info */ 1599 *frm++ = 0; /* reserved field */ 1600 for (i = 0; i < WME_NUM_AC; i++) { 1601 const struct wmeParams *ac = 1602 &wme->wme_bssChanParams.cap_wmeParams[i]; 1603 *frm++ = SM(i, WME_PARAM_ACI) 1604 | SM(ac->wmep_acm, WME_PARAM_ACM) 1605 | SM(ac->wmep_aifsn, WME_PARAM_AIFSN) 1606 ; 1607 *frm++ = SM(ac->wmep_logcwmax, WME_PARAM_LOGCWMAX) 1608 | SM(ac->wmep_logcwmin, WME_PARAM_LOGCWMIN) 1609 ; 1610 ADDSHORT(frm, ac->wmep_txopLimit); 1611 } 1612 return frm; 1613 #undef SM 1614 #undef ADDSHORT 1615 } 1616 #undef WME_OUI_BYTES 1617 1618 /* 1619 * Add an 11h Power Constraint element to a frame. 1620 */ 1621 static uint8_t * 1622 ieee80211_add_powerconstraint(uint8_t *frm, struct ieee80211vap *vap) 1623 { 1624 const struct ieee80211_channel *c = vap->iv_bss->ni_chan; 1625 /* XXX per-vap tx power limit? */ 1626 int8_t limit = vap->iv_ic->ic_txpowlimit / 2; 1627 1628 frm[0] = IEEE80211_ELEMID_PWRCNSTR; 1629 frm[1] = 1; 1630 frm[2] = c->ic_maxregpower > limit ? c->ic_maxregpower - limit : 0; 1631 return frm + 3; 1632 } 1633 1634 /* 1635 * Add an 11h Power Capability element to a frame. 1636 */ 1637 static uint8_t * 1638 ieee80211_add_powercapability(uint8_t *frm, const struct ieee80211_channel *c) 1639 { 1640 frm[0] = IEEE80211_ELEMID_PWRCAP; 1641 frm[1] = 2; 1642 frm[2] = c->ic_minpower; 1643 frm[3] = c->ic_maxpower; 1644 return frm + 4; 1645 } 1646 1647 /* 1648 * Add an 11h Supported Channels element to a frame. 1649 */ 1650 static uint8_t * 1651 ieee80211_add_supportedchannels(uint8_t *frm, struct ieee80211com *ic) 1652 { 1653 static const int ielen = 26; 1654 1655 frm[0] = IEEE80211_ELEMID_SUPPCHAN; 1656 frm[1] = ielen; 1657 /* XXX not correct */ 1658 memcpy(frm+2, ic->ic_chan_avail, ielen); 1659 return frm + 2 + ielen; 1660 } 1661 1662 /* 1663 * Add an 11h Channel Switch Announcement element to a frame. 1664 * Note that we use the per-vap CSA count to adjust the global 1665 * counter so we can use this routine to form probe response 1666 * frames and get the current count. 1667 */ 1668 static uint8_t * 1669 ieee80211_add_csa(uint8_t *frm, struct ieee80211vap *vap) 1670 { 1671 struct ieee80211com *ic = vap->iv_ic; 1672 struct ieee80211_csa_ie *csa = (struct ieee80211_csa_ie *) frm; 1673 1674 csa->csa_ie = IEEE80211_ELEMID_CSA; 1675 csa->csa_len = 3; 1676 csa->csa_mode = 1; /* XXX force quiet on channel */ 1677 csa->csa_newchan = ieee80211_chan2ieee(ic, ic->ic_csa_newchan); 1678 csa->csa_count = ic->ic_csa_count - vap->iv_csa_count; 1679 return frm + sizeof(*csa); 1680 } 1681 1682 /* 1683 * Add an 11h country information element to a frame. 1684 */ 1685 static uint8_t * 1686 ieee80211_add_countryie(uint8_t *frm, struct ieee80211com *ic) 1687 { 1688 1689 if (ic->ic_countryie == NULL || 1690 ic->ic_countryie_chan != ic->ic_bsschan) { 1691 /* 1692 * Handle lazy construction of ie. This is done on 1693 * first use and after a channel change that requires 1694 * re-calculation. 1695 */ 1696 if (ic->ic_countryie != NULL) 1697 kfree(ic->ic_countryie, M_80211_NODE_IE); 1698 ic->ic_countryie = ieee80211_alloc_countryie(ic); 1699 if (ic->ic_countryie == NULL) 1700 return frm; 1701 ic->ic_countryie_chan = ic->ic_bsschan; 1702 } 1703 return add_appie(frm, ic->ic_countryie); 1704 } 1705 1706 /* 1707 * Send a probe request frame with the specified ssid 1708 * and any optional information element data. 1709 */ 1710 int 1711 ieee80211_send_probereq(struct ieee80211_node *ni, 1712 const uint8_t sa[IEEE80211_ADDR_LEN], 1713 const uint8_t da[IEEE80211_ADDR_LEN], 1714 const uint8_t bssid[IEEE80211_ADDR_LEN], 1715 const uint8_t *ssid, size_t ssidlen) 1716 { 1717 struct ieee80211vap *vap = ni->ni_vap; 1718 struct ieee80211com *ic = ni->ni_ic; 1719 const struct ieee80211_txparam *tp; 1720 struct ieee80211_bpf_params params; 1721 const struct ieee80211_rateset *rs; 1722 struct mbuf *m; 1723 uint8_t *frm; 1724 #ifdef IEEE80211_DEBUG 1725 char ethstr[ETHER_ADDRSTRLEN + 1]; 1726 #endif 1727 1728 if (vap->iv_state == IEEE80211_S_CAC) { 1729 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, ni, 1730 "block %s frame in CAC state", "probe request"); 1731 vap->iv_stats.is_tx_badstate++; 1732 return EIO; /* XXX */ 1733 } 1734 1735 /* 1736 * Hold a reference on the node so it doesn't go away until after 1737 * the xmit is complete all the way in the driver. On error we 1738 * will remove our reference. 1739 */ 1740 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 1741 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 1742 __func__, __LINE__, 1743 ni, kether_ntoa(ni->ni_macaddr, ethstr), 1744 ieee80211_node_refcnt(ni)+1); 1745 ieee80211_ref_node(ni); 1746 1747 /* 1748 * prreq frame format 1749 * [tlv] ssid 1750 * [tlv] supported rates 1751 * [tlv] RSN (optional) 1752 * [tlv] extended supported rates 1753 * [tlv] WPA (optional) 1754 * [tlv] user-specified ie's 1755 */ 1756 m = ieee80211_getmgtframe(&frm, 1757 ic->ic_headroom + sizeof(struct ieee80211_frame), 1758 2 + IEEE80211_NWID_LEN 1759 + 2 + IEEE80211_RATE_SIZE 1760 + sizeof(struct ieee80211_ie_wpa) 1761 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1762 + sizeof(struct ieee80211_ie_wpa) 1763 + (vap->iv_appie_probereq != NULL ? 1764 vap->iv_appie_probereq->ie_len : 0) 1765 ); 1766 if (m == NULL) { 1767 vap->iv_stats.is_tx_nobuf++; 1768 ieee80211_free_node(ni); 1769 return ENOMEM; 1770 } 1771 1772 frm = ieee80211_add_ssid(frm, ssid, ssidlen); 1773 rs = ieee80211_get_suprates(ic, ic->ic_curchan); 1774 frm = ieee80211_add_rates(frm, rs); 1775 if (vap->iv_flags & IEEE80211_F_WPA2) { 1776 if (vap->iv_rsn_ie != NULL) 1777 frm = add_ie(frm, vap->iv_rsn_ie); 1778 /* XXX else complain? */ 1779 } 1780 frm = ieee80211_add_xrates(frm, rs); 1781 if (vap->iv_flags & IEEE80211_F_WPA1) { 1782 if (vap->iv_wpa_ie != NULL) 1783 frm = add_ie(frm, vap->iv_wpa_ie); 1784 /* XXX else complain? */ 1785 } 1786 if (vap->iv_appie_probereq != NULL) 1787 frm = add_appie(frm, vap->iv_appie_probereq); 1788 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 1789 1790 KASSERT(M_LEADINGSPACE(m) >= sizeof(struct ieee80211_frame), 1791 ("leading space %zd", M_LEADINGSPACE(m))); 1792 M_PREPEND(m, sizeof(struct ieee80211_frame), MB_DONTWAIT); 1793 if (m == NULL) { 1794 /* NB: cannot happen */ 1795 ieee80211_free_node(ni); 1796 return ENOMEM; 1797 } 1798 1799 ieee80211_send_setup(ni, m, 1800 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_REQ, 1801 IEEE80211_NONQOS_TID, sa, da, bssid); 1802 /* XXX power management? */ 1803 m->m_flags |= M_ENCAP; /* mark encapsulated */ 1804 1805 M_WME_SETAC(m, WME_AC_BE); 1806 1807 IEEE80211_NODE_STAT(ni, tx_probereq); 1808 IEEE80211_NODE_STAT(ni, tx_mgmt); 1809 1810 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 1811 "send probe req on channel %u bssid %s ssid \"%.*s\"\n", 1812 ieee80211_chan2ieee(ic, ic->ic_curchan), kether_ntoa(bssid, ethstr), 1813 (int)ssidlen, ssid); 1814 1815 memset(¶ms, 0, sizeof(params)); 1816 params.ibp_pri = M_WME_GETAC(m); 1817 tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)]; 1818 params.ibp_rate0 = tp->mgmtrate; 1819 if (IEEE80211_IS_MULTICAST(da)) { 1820 params.ibp_flags |= IEEE80211_BPF_NOACK; 1821 params.ibp_try0 = 1; 1822 } else 1823 params.ibp_try0 = tp->maxretry; 1824 params.ibp_power = ni->ni_txpower; 1825 return ic->ic_raw_xmit(ni, m, ¶ms); 1826 } 1827 1828 /* 1829 * Calculate capability information for mgt frames. 1830 */ 1831 uint16_t 1832 ieee80211_getcapinfo(struct ieee80211vap *vap, struct ieee80211_channel *chan) 1833 { 1834 struct ieee80211com *ic = vap->iv_ic; 1835 uint16_t capinfo; 1836 1837 KASSERT(vap->iv_opmode != IEEE80211_M_STA, ("station mode")); 1838 1839 if (vap->iv_opmode == IEEE80211_M_HOSTAP) 1840 capinfo = IEEE80211_CAPINFO_ESS; 1841 else if (vap->iv_opmode == IEEE80211_M_IBSS) 1842 capinfo = IEEE80211_CAPINFO_IBSS; 1843 else 1844 capinfo = 0; 1845 if (vap->iv_flags & IEEE80211_F_PRIVACY) 1846 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1847 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1848 IEEE80211_IS_CHAN_2GHZ(chan)) 1849 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1850 if (ic->ic_flags & IEEE80211_F_SHSLOT) 1851 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1852 if (IEEE80211_IS_CHAN_5GHZ(chan) && (vap->iv_flags & IEEE80211_F_DOTH)) 1853 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT; 1854 return capinfo; 1855 } 1856 1857 /* 1858 * Send a management frame. The node is for the destination (or ic_bss 1859 * when in station mode). Nodes other than ic_bss have their reference 1860 * count bumped to reflect our use for an indeterminant time. 1861 */ 1862 int 1863 ieee80211_send_mgmt(struct ieee80211_node *ni, int type, int arg) 1864 { 1865 #define HTFLAGS (IEEE80211_NODE_HT | IEEE80211_NODE_HTCOMPAT) 1866 #define senderr(_x, _v) do { vap->iv_stats._v++; ret = _x; goto bad; } while (0) 1867 struct ieee80211vap *vap = ni->ni_vap; 1868 struct ieee80211com *ic = ni->ni_ic; 1869 struct ieee80211_node *bss = vap->iv_bss; 1870 struct ieee80211_bpf_params params; 1871 struct mbuf *m; 1872 uint8_t *frm; 1873 uint16_t capinfo; 1874 int has_challenge, is_shared_key, ret, status; 1875 #ifdef IEEE80211_DEBUG 1876 char ethstr[ETHER_ADDRSTRLEN + 1]; 1877 #endif 1878 1879 KASSERT(ni != NULL, ("null node")); 1880 1881 /* 1882 * Hold a reference on the node so it doesn't go away until after 1883 * the xmit is complete all the way in the driver. On error we 1884 * will remove our reference. 1885 */ 1886 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 1887 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 1888 __func__, __LINE__, 1889 ni, kether_ntoa(ni->ni_macaddr, ethstr), 1890 ieee80211_node_refcnt(ni)+1); 1891 ieee80211_ref_node(ni); 1892 1893 memset(¶ms, 0, sizeof(params)); 1894 switch (type) { 1895 1896 case IEEE80211_FC0_SUBTYPE_AUTH: 1897 status = arg >> 16; 1898 arg &= 0xffff; 1899 has_challenge = ((arg == IEEE80211_AUTH_SHARED_CHALLENGE || 1900 arg == IEEE80211_AUTH_SHARED_RESPONSE) && 1901 ni->ni_challenge != NULL); 1902 1903 /* 1904 * Deduce whether we're doing open authentication or 1905 * shared key authentication. We do the latter if 1906 * we're in the middle of a shared key authentication 1907 * handshake or if we're initiating an authentication 1908 * request and configured to use shared key. 1909 */ 1910 is_shared_key = has_challenge || 1911 arg >= IEEE80211_AUTH_SHARED_RESPONSE || 1912 (arg == IEEE80211_AUTH_SHARED_REQUEST && 1913 bss->ni_authmode == IEEE80211_AUTH_SHARED); 1914 1915 m = ieee80211_getmgtframe(&frm, 1916 ic->ic_headroom + sizeof(struct ieee80211_frame), 1917 3 * sizeof(uint16_t) 1918 + (has_challenge && status == IEEE80211_STATUS_SUCCESS ? 1919 sizeof(uint16_t)+IEEE80211_CHALLENGE_LEN : 0) 1920 ); 1921 if (m == NULL) 1922 senderr(ENOMEM, is_tx_nobuf); 1923 1924 ((uint16_t *)frm)[0] = 1925 (is_shared_key) ? htole16(IEEE80211_AUTH_ALG_SHARED) 1926 : htole16(IEEE80211_AUTH_ALG_OPEN); 1927 ((uint16_t *)frm)[1] = htole16(arg); /* sequence number */ 1928 ((uint16_t *)frm)[2] = htole16(status);/* status */ 1929 1930 if (has_challenge && status == IEEE80211_STATUS_SUCCESS) { 1931 ((uint16_t *)frm)[3] = 1932 htole16((IEEE80211_CHALLENGE_LEN << 8) | 1933 IEEE80211_ELEMID_CHALLENGE); 1934 memcpy(&((uint16_t *)frm)[4], ni->ni_challenge, 1935 IEEE80211_CHALLENGE_LEN); 1936 m->m_pkthdr.len = m->m_len = 1937 4 * sizeof(uint16_t) + IEEE80211_CHALLENGE_LEN; 1938 if (arg == IEEE80211_AUTH_SHARED_RESPONSE) { 1939 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 1940 "request encrypt frame (%s)", __func__); 1941 /* mark frame for encryption */ 1942 params.ibp_flags |= IEEE80211_BPF_CRYPTO; 1943 } 1944 } else 1945 m->m_pkthdr.len = m->m_len = 3 * sizeof(uint16_t); 1946 1947 /* XXX not right for shared key */ 1948 if (status == IEEE80211_STATUS_SUCCESS) 1949 IEEE80211_NODE_STAT(ni, tx_auth); 1950 else 1951 IEEE80211_NODE_STAT(ni, tx_auth_fail); 1952 1953 if (vap->iv_opmode == IEEE80211_M_STA) 1954 ieee80211_add_callback(m, ieee80211_tx_mgt_cb, 1955 (void *) vap->iv_state); 1956 break; 1957 1958 case IEEE80211_FC0_SUBTYPE_DEAUTH: 1959 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 1960 "send station deauthenticate (reason %d)", arg); 1961 m = ieee80211_getmgtframe(&frm, 1962 ic->ic_headroom + sizeof(struct ieee80211_frame), 1963 sizeof(uint16_t)); 1964 if (m == NULL) 1965 senderr(ENOMEM, is_tx_nobuf); 1966 *(uint16_t *)frm = htole16(arg); /* reason */ 1967 m->m_pkthdr.len = m->m_len = sizeof(uint16_t); 1968 1969 IEEE80211_NODE_STAT(ni, tx_deauth); 1970 IEEE80211_NODE_STAT_SET(ni, tx_deauth_code, arg); 1971 1972 ieee80211_node_unauthorize(ni); /* port closed */ 1973 break; 1974 1975 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1976 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 1977 /* 1978 * asreq frame format 1979 * [2] capability information 1980 * [2] listen interval 1981 * [6*] current AP address (reassoc only) 1982 * [tlv] ssid 1983 * [tlv] supported rates 1984 * [tlv] extended supported rates 1985 * [4] power capability (optional) 1986 * [28] supported channels (optional) 1987 * [tlv] HT capabilities 1988 * [tlv] WME (optional) 1989 * [tlv] Vendor OUI HT capabilities (optional) 1990 * [tlv] Atheros capabilities (if negotiated) 1991 * [tlv] AppIE's (optional) 1992 */ 1993 m = ieee80211_getmgtframe(&frm, 1994 ic->ic_headroom + sizeof(struct ieee80211_frame), 1995 sizeof(uint16_t) 1996 + sizeof(uint16_t) 1997 + IEEE80211_ADDR_LEN 1998 + 2 + IEEE80211_NWID_LEN 1999 + 2 + IEEE80211_RATE_SIZE 2000 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2001 + 4 2002 + 2 + 26 2003 + sizeof(struct ieee80211_wme_info) 2004 + sizeof(struct ieee80211_ie_htcap) 2005 + 4 + sizeof(struct ieee80211_ie_htcap) 2006 #ifdef IEEE80211_SUPPORT_SUPERG 2007 + sizeof(struct ieee80211_ath_ie) 2008 #endif 2009 + (vap->iv_appie_wpa != NULL ? 2010 vap->iv_appie_wpa->ie_len : 0) 2011 + (vap->iv_appie_assocreq != NULL ? 2012 vap->iv_appie_assocreq->ie_len : 0) 2013 ); 2014 if (m == NULL) 2015 senderr(ENOMEM, is_tx_nobuf); 2016 2017 KASSERT(vap->iv_opmode == IEEE80211_M_STA, 2018 ("wrong mode %u", vap->iv_opmode)); 2019 capinfo = IEEE80211_CAPINFO_ESS; 2020 if (vap->iv_flags & IEEE80211_F_PRIVACY) 2021 capinfo |= IEEE80211_CAPINFO_PRIVACY; 2022 /* 2023 * NB: Some 11a AP's reject the request when 2024 * short premable is set. 2025 */ 2026 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 2027 IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan)) 2028 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 2029 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 2030 (ic->ic_caps & IEEE80211_C_SHSLOT)) 2031 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 2032 if ((ni->ni_capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) && 2033 (vap->iv_flags & IEEE80211_F_DOTH)) 2034 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT; 2035 *(uint16_t *)frm = htole16(capinfo); 2036 frm += 2; 2037 2038 KASSERT(bss->ni_intval != 0, ("beacon interval is zero!")); 2039 *(uint16_t *)frm = htole16(howmany(ic->ic_lintval, 2040 bss->ni_intval)); 2041 frm += 2; 2042 2043 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2044 IEEE80211_ADDR_COPY(frm, bss->ni_bssid); 2045 frm += IEEE80211_ADDR_LEN; 2046 } 2047 2048 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 2049 frm = ieee80211_add_rates(frm, &ni->ni_rates); 2050 if (vap->iv_flags & IEEE80211_F_WPA2) { 2051 if (vap->iv_rsn_ie != NULL) 2052 frm = add_ie(frm, vap->iv_rsn_ie); 2053 /* XXX else complain? */ 2054 } 2055 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 2056 if (capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) { 2057 frm = ieee80211_add_powercapability(frm, 2058 ic->ic_curchan); 2059 frm = ieee80211_add_supportedchannels(frm, ic); 2060 } 2061 if ((vap->iv_flags_ht & IEEE80211_FHT_HT) && 2062 ni->ni_ies.htcap_ie != NULL && 2063 ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_HTCAP) 2064 frm = ieee80211_add_htcap(frm, ni); 2065 if (vap->iv_flags & IEEE80211_F_WPA1) { 2066 if (vap->iv_wpa_ie != NULL) 2067 frm = add_ie(frm, vap->iv_wpa_ie); 2068 /* XXX else complain */ 2069 } 2070 if ((ic->ic_flags & IEEE80211_F_WME) && 2071 ni->ni_ies.wme_ie != NULL) 2072 frm = ieee80211_add_wme_info(frm, &ic->ic_wme); 2073 if ((vap->iv_flags_ht & IEEE80211_FHT_HT) && 2074 ni->ni_ies.htcap_ie != NULL && 2075 ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_VENDOR) 2076 frm = ieee80211_add_htcap_vendor(frm, ni); 2077 #ifdef IEEE80211_SUPPORT_SUPERG 2078 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS)) { 2079 frm = ieee80211_add_ath(frm, 2080 IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS), 2081 ((vap->iv_flags & IEEE80211_F_WPA) == 0 && 2082 ni->ni_authmode != IEEE80211_AUTH_8021X) ? 2083 vap->iv_def_txkey : IEEE80211_KEYIX_NONE); 2084 } 2085 #endif /* IEEE80211_SUPPORT_SUPERG */ 2086 if (vap->iv_appie_assocreq != NULL) 2087 frm = add_appie(frm, vap->iv_appie_assocreq); 2088 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2089 2090 ieee80211_add_callback(m, ieee80211_tx_mgt_cb, 2091 (void *) vap->iv_state); 2092 break; 2093 2094 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2095 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2096 /* 2097 * asresp frame format 2098 * [2] capability information 2099 * [2] status 2100 * [2] association ID 2101 * [tlv] supported rates 2102 * [tlv] extended supported rates 2103 * [tlv] HT capabilities (standard, if STA enabled) 2104 * [tlv] HT information (standard, if STA enabled) 2105 * [tlv] WME (if configured and STA enabled) 2106 * [tlv] HT capabilities (vendor OUI, if STA enabled) 2107 * [tlv] HT information (vendor OUI, if STA enabled) 2108 * [tlv] Atheros capabilities (if STA enabled) 2109 * [tlv] AppIE's (optional) 2110 */ 2111 m = ieee80211_getmgtframe(&frm, 2112 ic->ic_headroom + sizeof(struct ieee80211_frame), 2113 sizeof(uint16_t) 2114 + sizeof(uint16_t) 2115 + sizeof(uint16_t) 2116 + 2 + IEEE80211_RATE_SIZE 2117 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2118 + sizeof(struct ieee80211_ie_htcap) + 4 2119 + sizeof(struct ieee80211_ie_htinfo) + 4 2120 + sizeof(struct ieee80211_wme_param) 2121 #ifdef IEEE80211_SUPPORT_SUPERG 2122 + sizeof(struct ieee80211_ath_ie) 2123 #endif 2124 + (vap->iv_appie_assocresp != NULL ? 2125 vap->iv_appie_assocresp->ie_len : 0) 2126 ); 2127 if (m == NULL) 2128 senderr(ENOMEM, is_tx_nobuf); 2129 2130 capinfo = ieee80211_getcapinfo(vap, bss->ni_chan); 2131 *(uint16_t *)frm = htole16(capinfo); 2132 frm += 2; 2133 2134 *(uint16_t *)frm = htole16(arg); /* status */ 2135 frm += 2; 2136 2137 if (arg == IEEE80211_STATUS_SUCCESS) { 2138 *(uint16_t *)frm = htole16(ni->ni_associd); 2139 IEEE80211_NODE_STAT(ni, tx_assoc); 2140 } else 2141 IEEE80211_NODE_STAT(ni, tx_assoc_fail); 2142 frm += 2; 2143 2144 frm = ieee80211_add_rates(frm, &ni->ni_rates); 2145 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 2146 /* NB: respond according to what we received */ 2147 if ((ni->ni_flags & HTFLAGS) == IEEE80211_NODE_HT) { 2148 frm = ieee80211_add_htcap(frm, ni); 2149 frm = ieee80211_add_htinfo(frm, ni); 2150 } 2151 if ((vap->iv_flags & IEEE80211_F_WME) && 2152 ni->ni_ies.wme_ie != NULL) 2153 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 2154 if ((ni->ni_flags & HTFLAGS) == HTFLAGS) { 2155 frm = ieee80211_add_htcap_vendor(frm, ni); 2156 frm = ieee80211_add_htinfo_vendor(frm, ni); 2157 } 2158 #ifdef IEEE80211_SUPPORT_SUPERG 2159 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS)) 2160 frm = ieee80211_add_ath(frm, 2161 IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS), 2162 ((vap->iv_flags & IEEE80211_F_WPA) == 0 && 2163 ni->ni_authmode != IEEE80211_AUTH_8021X) ? 2164 vap->iv_def_txkey : IEEE80211_KEYIX_NONE); 2165 #endif /* IEEE80211_SUPPORT_SUPERG */ 2166 if (vap->iv_appie_assocresp != NULL) 2167 frm = add_appie(frm, vap->iv_appie_assocresp); 2168 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2169 break; 2170 2171 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2172 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 2173 "send station disassociate (reason %d)", arg); 2174 m = ieee80211_getmgtframe(&frm, 2175 ic->ic_headroom + sizeof(struct ieee80211_frame), 2176 sizeof(uint16_t)); 2177 if (m == NULL) 2178 senderr(ENOMEM, is_tx_nobuf); 2179 *(uint16_t *)frm = htole16(arg); /* reason */ 2180 m->m_pkthdr.len = m->m_len = sizeof(uint16_t); 2181 2182 IEEE80211_NODE_STAT(ni, tx_disassoc); 2183 IEEE80211_NODE_STAT_SET(ni, tx_disassoc_code, arg); 2184 break; 2185 2186 default: 2187 IEEE80211_NOTE(vap, IEEE80211_MSG_ANY, ni, 2188 "invalid mgmt frame type %u", type); 2189 senderr(EINVAL, is_tx_unknownmgt); 2190 /* NOTREACHED */ 2191 } 2192 2193 /* NB: force non-ProbeResp frames to the highest queue */ 2194 params.ibp_pri = WME_AC_VO; 2195 params.ibp_rate0 = bss->ni_txparms->mgmtrate; 2196 /* NB: we know all frames are unicast */ 2197 params.ibp_try0 = bss->ni_txparms->maxretry; 2198 params.ibp_power = bss->ni_txpower; 2199 return ieee80211_mgmt_output(ni, m, type, ¶ms); 2200 bad: 2201 ieee80211_free_node(ni); 2202 return ret; 2203 #undef senderr 2204 #undef HTFLAGS 2205 } 2206 2207 /* 2208 * Return an mbuf with a probe response frame in it. 2209 * Space is left to prepend and 802.11 header at the 2210 * front but it's left to the caller to fill in. 2211 */ 2212 struct mbuf * 2213 ieee80211_alloc_proberesp(struct ieee80211_node *bss, int legacy) 2214 { 2215 struct ieee80211vap *vap = bss->ni_vap; 2216 struct ieee80211com *ic = bss->ni_ic; 2217 const struct ieee80211_rateset *rs; 2218 struct mbuf *m; 2219 uint16_t capinfo; 2220 uint8_t *frm; 2221 2222 /* 2223 * probe response frame format 2224 * [8] time stamp 2225 * [2] beacon interval 2226 * [2] cabability information 2227 * [tlv] ssid 2228 * [tlv] supported rates 2229 * [tlv] parameter set (FH/DS) 2230 * [tlv] parameter set (IBSS) 2231 * [tlv] country (optional) 2232 * [3] power control (optional) 2233 * [5] channel switch announcement (CSA) (optional) 2234 * [tlv] extended rate phy (ERP) 2235 * [tlv] extended supported rates 2236 * [tlv] RSN (optional) 2237 * [tlv] HT capabilities 2238 * [tlv] HT information 2239 * [tlv] WPA (optional) 2240 * [tlv] WME (optional) 2241 * [tlv] Vendor OUI HT capabilities (optional) 2242 * [tlv] Vendor OUI HT information (optional) 2243 * [tlv] Atheros capabilities 2244 * [tlv] AppIE's (optional) 2245 * [tlv] Mesh ID (MBSS) 2246 * [tlv] Mesh Conf (MBSS) 2247 */ 2248 m = ieee80211_getmgtframe(&frm, 2249 ic->ic_headroom + sizeof(struct ieee80211_frame), 2250 8 2251 + sizeof(uint16_t) 2252 + sizeof(uint16_t) 2253 + 2 + IEEE80211_NWID_LEN 2254 + 2 + IEEE80211_RATE_SIZE 2255 + 7 /* max(7,3) */ 2256 + IEEE80211_COUNTRY_MAX_SIZE 2257 + 3 2258 + sizeof(struct ieee80211_csa_ie) 2259 + 3 2260 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2261 + sizeof(struct ieee80211_ie_wpa) 2262 + sizeof(struct ieee80211_ie_htcap) 2263 + sizeof(struct ieee80211_ie_htinfo) 2264 + sizeof(struct ieee80211_ie_wpa) 2265 + sizeof(struct ieee80211_wme_param) 2266 + 4 + sizeof(struct ieee80211_ie_htcap) 2267 + 4 + sizeof(struct ieee80211_ie_htinfo) 2268 #ifdef IEEE80211_SUPPORT_SUPERG 2269 + sizeof(struct ieee80211_ath_ie) 2270 #endif 2271 #ifdef IEEE80211_SUPPORT_MESH 2272 + 2 + IEEE80211_MESHID_LEN 2273 + sizeof(struct ieee80211_meshconf_ie) 2274 #endif 2275 + (vap->iv_appie_proberesp != NULL ? 2276 vap->iv_appie_proberesp->ie_len : 0) 2277 ); 2278 if (m == NULL) { 2279 vap->iv_stats.is_tx_nobuf++; 2280 return NULL; 2281 } 2282 2283 memset(frm, 0, 8); /* timestamp should be filled later */ 2284 frm += 8; 2285 *(uint16_t *)frm = htole16(bss->ni_intval); 2286 frm += 2; 2287 capinfo = ieee80211_getcapinfo(vap, bss->ni_chan); 2288 *(uint16_t *)frm = htole16(capinfo); 2289 frm += 2; 2290 2291 frm = ieee80211_add_ssid(frm, bss->ni_essid, bss->ni_esslen); 2292 rs = ieee80211_get_suprates(ic, bss->ni_chan); 2293 frm = ieee80211_add_rates(frm, rs); 2294 2295 if (IEEE80211_IS_CHAN_FHSS(bss->ni_chan)) { 2296 *frm++ = IEEE80211_ELEMID_FHPARMS; 2297 *frm++ = 5; 2298 *frm++ = bss->ni_fhdwell & 0x00ff; 2299 *frm++ = (bss->ni_fhdwell >> 8) & 0x00ff; 2300 *frm++ = IEEE80211_FH_CHANSET( 2301 ieee80211_chan2ieee(ic, bss->ni_chan)); 2302 *frm++ = IEEE80211_FH_CHANPAT( 2303 ieee80211_chan2ieee(ic, bss->ni_chan)); 2304 *frm++ = bss->ni_fhindex; 2305 } else { 2306 *frm++ = IEEE80211_ELEMID_DSPARMS; 2307 *frm++ = 1; 2308 *frm++ = ieee80211_chan2ieee(ic, bss->ni_chan); 2309 } 2310 2311 if (vap->iv_opmode == IEEE80211_M_IBSS) { 2312 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 2313 *frm++ = 2; 2314 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 2315 } 2316 if ((vap->iv_flags & IEEE80211_F_DOTH) || 2317 (vap->iv_flags_ext & IEEE80211_FEXT_DOTD)) 2318 frm = ieee80211_add_countryie(frm, ic); 2319 if (vap->iv_flags & IEEE80211_F_DOTH) { 2320 if (IEEE80211_IS_CHAN_5GHZ(bss->ni_chan)) 2321 frm = ieee80211_add_powerconstraint(frm, vap); 2322 if (ic->ic_flags & IEEE80211_F_CSAPENDING) 2323 frm = ieee80211_add_csa(frm, vap); 2324 } 2325 if (IEEE80211_IS_CHAN_ANYG(bss->ni_chan)) 2326 frm = ieee80211_add_erp(frm, ic); 2327 frm = ieee80211_add_xrates(frm, rs); 2328 if (vap->iv_flags & IEEE80211_F_WPA2) { 2329 if (vap->iv_rsn_ie != NULL) 2330 frm = add_ie(frm, vap->iv_rsn_ie); 2331 /* XXX else complain? */ 2332 } 2333 /* 2334 * NB: legacy 11b clients do not get certain ie's. 2335 * The caller identifies such clients by passing 2336 * a token in legacy to us. Could expand this to be 2337 * any legacy client for stuff like HT ie's. 2338 */ 2339 if (IEEE80211_IS_CHAN_HT(bss->ni_chan) && 2340 legacy != IEEE80211_SEND_LEGACY_11B) { 2341 frm = ieee80211_add_htcap(frm, bss); 2342 frm = ieee80211_add_htinfo(frm, bss); 2343 } 2344 if (vap->iv_flags & IEEE80211_F_WPA1) { 2345 if (vap->iv_wpa_ie != NULL) 2346 frm = add_ie(frm, vap->iv_wpa_ie); 2347 /* XXX else complain? */ 2348 } 2349 if (vap->iv_flags & IEEE80211_F_WME) 2350 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 2351 if (IEEE80211_IS_CHAN_HT(bss->ni_chan) && 2352 (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) && 2353 legacy != IEEE80211_SEND_LEGACY_11B) { 2354 frm = ieee80211_add_htcap_vendor(frm, bss); 2355 frm = ieee80211_add_htinfo_vendor(frm, bss); 2356 } 2357 #ifdef IEEE80211_SUPPORT_SUPERG 2358 if ((vap->iv_flags & IEEE80211_F_ATHEROS) && 2359 legacy != IEEE80211_SEND_LEGACY_11B) 2360 frm = ieee80211_add_athcaps(frm, bss); 2361 #endif 2362 if (vap->iv_appie_proberesp != NULL) 2363 frm = add_appie(frm, vap->iv_appie_proberesp); 2364 #ifdef IEEE80211_SUPPORT_MESH 2365 if (vap->iv_opmode == IEEE80211_M_MBSS) { 2366 frm = ieee80211_add_meshid(frm, vap); 2367 frm = ieee80211_add_meshconf(frm, vap); 2368 } 2369 #endif 2370 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2371 2372 return m; 2373 } 2374 2375 /* 2376 * Send a probe response frame to the specified mac address. 2377 * This does not go through the normal mgt frame api so we 2378 * can specify the destination address and re-use the bss node 2379 * for the sta reference. 2380 */ 2381 int 2382 ieee80211_send_proberesp(struct ieee80211vap *vap, 2383 const uint8_t da[IEEE80211_ADDR_LEN], int legacy) 2384 { 2385 struct ieee80211_node *bss = vap->iv_bss; 2386 struct ieee80211com *ic = vap->iv_ic; 2387 struct mbuf *m; 2388 #ifdef IEEE80211_DEBUG 2389 char ethstr[ETHER_ADDRSTRLEN + 1]; 2390 #endif 2391 2392 if (vap->iv_state == IEEE80211_S_CAC) { 2393 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, bss, 2394 "block %s frame in CAC state", "probe response"); 2395 vap->iv_stats.is_tx_badstate++; 2396 return EIO; /* XXX */ 2397 } 2398 2399 /* 2400 * Hold a reference on the node so it doesn't go away until after 2401 * the xmit is complete all the way in the driver. On error we 2402 * will remove our reference. 2403 */ 2404 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 2405 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 2406 __func__, __LINE__, bss, kether_ntoa(bss->ni_macaddr, ethstr), 2407 ieee80211_node_refcnt(bss)+1); 2408 ieee80211_ref_node(bss); 2409 2410 m = ieee80211_alloc_proberesp(bss, legacy); 2411 if (m == NULL) { 2412 ieee80211_free_node(bss); 2413 return ENOMEM; 2414 } 2415 2416 M_PREPEND(m, sizeof(struct ieee80211_frame), MB_DONTWAIT); 2417 KASSERT(m != NULL, ("no room for header")); 2418 2419 ieee80211_send_setup(bss, m, 2420 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP, 2421 IEEE80211_NONQOS_TID, vap->iv_myaddr, da, bss->ni_bssid); 2422 /* XXX power management? */ 2423 m->m_flags |= M_ENCAP; /* mark encapsulated */ 2424 2425 M_WME_SETAC(m, WME_AC_BE); 2426 2427 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 2428 "send probe resp on channel %u to %s%s\n", 2429 ieee80211_chan2ieee(ic, ic->ic_curchan), kether_ntoa(da, ethstr), 2430 legacy ? " <legacy>" : ""); 2431 IEEE80211_NODE_STAT(bss, tx_mgmt); 2432 2433 return ic->ic_raw_xmit(bss, m, NULL); 2434 } 2435 2436 /* 2437 * Allocate and build a RTS (Request To Send) control frame. 2438 */ 2439 struct mbuf * 2440 ieee80211_alloc_rts(struct ieee80211com *ic, 2441 const uint8_t ra[IEEE80211_ADDR_LEN], 2442 const uint8_t ta[IEEE80211_ADDR_LEN], 2443 uint16_t dur) 2444 { 2445 struct ieee80211_frame_rts *rts; 2446 struct mbuf *m; 2447 2448 /* XXX honor ic_headroom */ 2449 m = m_gethdr(MB_DONTWAIT, MT_DATA); 2450 if (m != NULL) { 2451 rts = mtod(m, struct ieee80211_frame_rts *); 2452 rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | 2453 IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_RTS; 2454 rts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2455 *(u_int16_t *)rts->i_dur = htole16(dur); 2456 IEEE80211_ADDR_COPY(rts->i_ra, ra); 2457 IEEE80211_ADDR_COPY(rts->i_ta, ta); 2458 2459 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts); 2460 } 2461 return m; 2462 } 2463 2464 /* 2465 * Allocate and build a CTS (Clear To Send) control frame. 2466 */ 2467 struct mbuf * 2468 ieee80211_alloc_cts(struct ieee80211com *ic, 2469 const uint8_t ra[IEEE80211_ADDR_LEN], uint16_t dur) 2470 { 2471 struct ieee80211_frame_cts *cts; 2472 struct mbuf *m; 2473 2474 /* XXX honor ic_headroom */ 2475 m = m_gethdr(MB_DONTWAIT, MT_DATA); 2476 if (m != NULL) { 2477 cts = mtod(m, struct ieee80211_frame_cts *); 2478 cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | 2479 IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_CTS; 2480 cts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2481 *(u_int16_t *)cts->i_dur = htole16(dur); 2482 IEEE80211_ADDR_COPY(cts->i_ra, ra); 2483 2484 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts); 2485 } 2486 return m; 2487 } 2488 2489 static void 2490 ieee80211_tx_mgt_timeout_callout(void *arg) 2491 { 2492 struct ieee80211_node *ni = arg; 2493 struct ieee80211vap *vap; 2494 2495 wlan_serialize_enter(); 2496 vap = ni->ni_vap; 2497 if (vap->iv_state != IEEE80211_S_INIT && 2498 (vap->iv_ic->ic_flags & IEEE80211_F_SCAN) == 0) { 2499 /* 2500 * NB: it's safe to specify a timeout as the reason here; 2501 * it'll only be used in the right state. 2502 */ 2503 ieee80211_new_state(vap, IEEE80211_S_SCAN, 2504 IEEE80211_SCAN_FAIL_TIMEOUT); 2505 } 2506 wlan_serialize_exit(); 2507 } 2508 2509 static void 2510 ieee80211_tx_mgt_cb(struct ieee80211_node *ni, void *arg, int status) 2511 { 2512 struct ieee80211vap *vap = ni->ni_vap; 2513 enum ieee80211_state ostate = (enum ieee80211_state) arg; 2514 2515 /* 2516 * Frame transmit completed; arrange timer callback. If 2517 * transmit was successfuly we wait for response. Otherwise 2518 * we arrange an immediate callback instead of doing the 2519 * callback directly since we don't know what state the driver 2520 * is in (e.g. what locks it is holding). This work should 2521 * not be too time-critical and not happen too often so the 2522 * added overhead is acceptable. 2523 * 2524 * XXX what happens if !acked but response shows up before callback? 2525 */ 2526 if (vap->iv_state == ostate) 2527 callout_reset(&vap->iv_mgtsend, 2528 status == 0 ? IEEE80211_TRANS_WAIT*hz : 0, 2529 ieee80211_tx_mgt_timeout_callout, ni); 2530 } 2531 2532 static void 2533 ieee80211_beacon_construct(struct mbuf *m, uint8_t *frm, 2534 struct ieee80211_beacon_offsets *bo, struct ieee80211_node *ni) 2535 { 2536 struct ieee80211vap *vap = ni->ni_vap; 2537 struct ieee80211com *ic = ni->ni_ic; 2538 struct ieee80211_rateset *rs = &ni->ni_rates; 2539 uint16_t capinfo; 2540 2541 /* 2542 * beacon frame format 2543 * [8] time stamp 2544 * [2] beacon interval 2545 * [2] cabability information 2546 * [tlv] ssid 2547 * [tlv] supported rates 2548 * [3] parameter set (DS) 2549 * [8] CF parameter set (optional) 2550 * [tlv] parameter set (IBSS/TIM) 2551 * [tlv] country (optional) 2552 * [3] power control (optional) 2553 * [5] channel switch announcement (CSA) (optional) 2554 * [tlv] extended rate phy (ERP) 2555 * [tlv] extended supported rates 2556 * [tlv] RSN parameters 2557 * [tlv] HT capabilities 2558 * [tlv] HT information 2559 * XXX Vendor-specific OIDs (e.g. Atheros) 2560 * [tlv] WPA parameters 2561 * [tlv] WME parameters 2562 * [tlv] Vendor OUI HT capabilities (optional) 2563 * [tlv] Vendor OUI HT information (optional) 2564 * [tlv] Atheros capabilities (optional) 2565 * [tlv] TDMA parameters (optional) 2566 * [tlv] Mesh ID (MBSS) 2567 * [tlv] Mesh Conf (MBSS) 2568 * [tlv] application data (optional) 2569 */ 2570 2571 memset(bo, 0, sizeof(*bo)); 2572 2573 memset(frm, 0, 8); /* XXX timestamp is set by hardware/driver */ 2574 frm += 8; 2575 *(uint16_t *)frm = htole16(ni->ni_intval); 2576 frm += 2; 2577 capinfo = ieee80211_getcapinfo(vap, ni->ni_chan); 2578 bo->bo_caps = (uint16_t *)frm; 2579 *(uint16_t *)frm = htole16(capinfo); 2580 frm += 2; 2581 *frm++ = IEEE80211_ELEMID_SSID; 2582 if ((vap->iv_flags & IEEE80211_F_HIDESSID) == 0) { 2583 *frm++ = ni->ni_esslen; 2584 memcpy(frm, ni->ni_essid, ni->ni_esslen); 2585 frm += ni->ni_esslen; 2586 } else 2587 *frm++ = 0; 2588 frm = ieee80211_add_rates(frm, rs); 2589 if (!IEEE80211_IS_CHAN_FHSS(ni->ni_chan)) { 2590 *frm++ = IEEE80211_ELEMID_DSPARMS; 2591 *frm++ = 1; 2592 *frm++ = ieee80211_chan2ieee(ic, ni->ni_chan); 2593 } 2594 if (ic->ic_flags & IEEE80211_F_PCF) { 2595 bo->bo_cfp = frm; 2596 frm = ieee80211_add_cfparms(frm, ic); 2597 } 2598 bo->bo_tim = frm; 2599 if (vap->iv_opmode == IEEE80211_M_IBSS) { 2600 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 2601 *frm++ = 2; 2602 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 2603 bo->bo_tim_len = 0; 2604 } else if (vap->iv_opmode == IEEE80211_M_HOSTAP || 2605 vap->iv_opmode == IEEE80211_M_MBSS) { 2606 /* TIM IE is the same for Mesh and Hostap */ 2607 struct ieee80211_tim_ie *tie = (struct ieee80211_tim_ie *) frm; 2608 2609 tie->tim_ie = IEEE80211_ELEMID_TIM; 2610 tie->tim_len = 4; /* length */ 2611 tie->tim_count = 0; /* DTIM count */ 2612 tie->tim_period = vap->iv_dtim_period; /* DTIM period */ 2613 tie->tim_bitctl = 0; /* bitmap control */ 2614 tie->tim_bitmap[0] = 0; /* Partial Virtual Bitmap */ 2615 frm += sizeof(struct ieee80211_tim_ie); 2616 bo->bo_tim_len = 1; 2617 } 2618 bo->bo_tim_trailer = frm; 2619 if ((vap->iv_flags & IEEE80211_F_DOTH) || 2620 (vap->iv_flags_ext & IEEE80211_FEXT_DOTD)) 2621 frm = ieee80211_add_countryie(frm, ic); 2622 if (vap->iv_flags & IEEE80211_F_DOTH) { 2623 if (IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) 2624 frm = ieee80211_add_powerconstraint(frm, vap); 2625 bo->bo_csa = frm; 2626 if (ic->ic_flags & IEEE80211_F_CSAPENDING) 2627 frm = ieee80211_add_csa(frm, vap); 2628 } else 2629 bo->bo_csa = frm; 2630 if (IEEE80211_IS_CHAN_ANYG(ni->ni_chan)) { 2631 bo->bo_erp = frm; 2632 frm = ieee80211_add_erp(frm, ic); 2633 } 2634 frm = ieee80211_add_xrates(frm, rs); 2635 if (vap->iv_flags & IEEE80211_F_WPA2) { 2636 if (vap->iv_rsn_ie != NULL) 2637 frm = add_ie(frm, vap->iv_rsn_ie); 2638 /* XXX else complain */ 2639 } 2640 if (IEEE80211_IS_CHAN_HT(ni->ni_chan)) { 2641 frm = ieee80211_add_htcap(frm, ni); 2642 bo->bo_htinfo = frm; 2643 frm = ieee80211_add_htinfo(frm, ni); 2644 } 2645 if (vap->iv_flags & IEEE80211_F_WPA1) { 2646 if (vap->iv_wpa_ie != NULL) 2647 frm = add_ie(frm, vap->iv_wpa_ie); 2648 /* XXX else complain */ 2649 } 2650 if (vap->iv_flags & IEEE80211_F_WME) { 2651 bo->bo_wme = frm; 2652 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 2653 } 2654 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && 2655 (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT)) { 2656 frm = ieee80211_add_htcap_vendor(frm, ni); 2657 frm = ieee80211_add_htinfo_vendor(frm, ni); 2658 } 2659 #ifdef IEEE80211_SUPPORT_SUPERG 2660 if (vap->iv_flags & IEEE80211_F_ATHEROS) { 2661 bo->bo_ath = frm; 2662 frm = ieee80211_add_athcaps(frm, ni); 2663 } 2664 #endif 2665 #ifdef IEEE80211_SUPPORT_TDMA 2666 if (vap->iv_caps & IEEE80211_C_TDMA) { 2667 bo->bo_tdma = frm; 2668 frm = ieee80211_add_tdma(frm, vap); 2669 } 2670 #endif 2671 if (vap->iv_appie_beacon != NULL) { 2672 bo->bo_appie = frm; 2673 bo->bo_appie_len = vap->iv_appie_beacon->ie_len; 2674 frm = add_appie(frm, vap->iv_appie_beacon); 2675 } 2676 #ifdef IEEE80211_SUPPORT_MESH 2677 if (vap->iv_opmode == IEEE80211_M_MBSS) { 2678 frm = ieee80211_add_meshid(frm, vap); 2679 bo->bo_meshconf = frm; 2680 frm = ieee80211_add_meshconf(frm, vap); 2681 } 2682 #endif 2683 bo->bo_tim_trailer_len = frm - bo->bo_tim_trailer; 2684 bo->bo_csa_trailer_len = frm - bo->bo_csa; 2685 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2686 } 2687 2688 /* 2689 * Allocate a beacon frame and fillin the appropriate bits. 2690 */ 2691 struct mbuf * 2692 ieee80211_beacon_alloc(struct ieee80211_node *ni, 2693 struct ieee80211_beacon_offsets *bo) 2694 { 2695 struct ieee80211vap *vap = ni->ni_vap; 2696 struct ieee80211com *ic = ni->ni_ic; 2697 struct ifnet *ifp = vap->iv_ifp; 2698 struct ieee80211_frame *wh; 2699 struct mbuf *m; 2700 int pktlen; 2701 uint8_t *frm; 2702 2703 /* 2704 * beacon frame format 2705 * [8] time stamp 2706 * [2] beacon interval 2707 * [2] cabability information 2708 * [tlv] ssid 2709 * [tlv] supported rates 2710 * [3] parameter set (DS) 2711 * [8] CF parameter set (optional) 2712 * [tlv] parameter set (IBSS/TIM) 2713 * [tlv] country (optional) 2714 * [3] power control (optional) 2715 * [5] channel switch announcement (CSA) (optional) 2716 * [tlv] extended rate phy (ERP) 2717 * [tlv] extended supported rates 2718 * [tlv] RSN parameters 2719 * [tlv] HT capabilities 2720 * [tlv] HT information 2721 * [tlv] Vendor OUI HT capabilities (optional) 2722 * [tlv] Vendor OUI HT information (optional) 2723 * XXX Vendor-specific OIDs (e.g. Atheros) 2724 * [tlv] WPA parameters 2725 * [tlv] WME parameters 2726 * [tlv] TDMA parameters (optional) 2727 * [tlv] Mesh ID (MBSS) 2728 * [tlv] Mesh Conf (MBSS) 2729 * [tlv] application data (optional) 2730 * NB: we allocate the max space required for the TIM bitmap. 2731 * XXX how big is this? 2732 */ 2733 pktlen = 8 /* time stamp */ 2734 + sizeof(uint16_t) /* beacon interval */ 2735 + sizeof(uint16_t) /* capabilities */ 2736 + 2 + ni->ni_esslen /* ssid */ 2737 + 2 + IEEE80211_RATE_SIZE /* supported rates */ 2738 + 2 + 1 /* DS parameters */ 2739 + 2 + 6 /* CF parameters */ 2740 + 2 + 4 + vap->iv_tim_len /* DTIM/IBSSPARMS */ 2741 + IEEE80211_COUNTRY_MAX_SIZE /* country */ 2742 + 2 + 1 /* power control */ 2743 + sizeof(struct ieee80211_csa_ie) /* CSA */ 2744 + 2 + 1 /* ERP */ 2745 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2746 + (vap->iv_caps & IEEE80211_C_WPA ? /* WPA 1+2 */ 2747 2*sizeof(struct ieee80211_ie_wpa) : 0) 2748 /* XXX conditional? */ 2749 + 4+2*sizeof(struct ieee80211_ie_htcap)/* HT caps */ 2750 + 4+2*sizeof(struct ieee80211_ie_htinfo)/* HT info */ 2751 + (vap->iv_caps & IEEE80211_C_WME ? /* WME */ 2752 sizeof(struct ieee80211_wme_param) : 0) 2753 #ifdef IEEE80211_SUPPORT_SUPERG 2754 + sizeof(struct ieee80211_ath_ie) /* ATH */ 2755 #endif 2756 #ifdef IEEE80211_SUPPORT_TDMA 2757 + (vap->iv_caps & IEEE80211_C_TDMA ? /* TDMA */ 2758 sizeof(struct ieee80211_tdma_param) : 0) 2759 #endif 2760 #ifdef IEEE80211_SUPPORT_MESH 2761 + 2 + ni->ni_meshidlen 2762 + sizeof(struct ieee80211_meshconf_ie) 2763 #endif 2764 + IEEE80211_MAX_APPIE 2765 ; 2766 m = ieee80211_getmgtframe(&frm, 2767 ic->ic_headroom + sizeof(struct ieee80211_frame), pktlen); 2768 if (m == NULL) { 2769 IEEE80211_DPRINTF(vap, IEEE80211_MSG_ANY, 2770 "%s: cannot get buf; size %u\n", __func__, pktlen); 2771 vap->iv_stats.is_tx_nobuf++; 2772 return NULL; 2773 } 2774 ieee80211_beacon_construct(m, frm, bo, ni); 2775 2776 M_PREPEND(m, sizeof(struct ieee80211_frame), MB_DONTWAIT); 2777 KASSERT(m != NULL, ("no space for 802.11 header?")); 2778 wh = mtod(m, struct ieee80211_frame *); 2779 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | 2780 IEEE80211_FC0_SUBTYPE_BEACON; 2781 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2782 *(uint16_t *)wh->i_dur = 0; 2783 IEEE80211_ADDR_COPY(wh->i_addr1, ifp->if_broadcastaddr); 2784 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 2785 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 2786 *(uint16_t *)wh->i_seq = 0; 2787 2788 return m; 2789 } 2790 2791 /* 2792 * Update the dynamic parts of a beacon frame based on the current state. 2793 */ 2794 int 2795 ieee80211_beacon_update(struct ieee80211_node *ni, 2796 struct ieee80211_beacon_offsets *bo, struct mbuf *m, int mcast) 2797 { 2798 struct ieee80211vap *vap = ni->ni_vap; 2799 struct ieee80211com *ic = ni->ni_ic; 2800 int len_changed = 0; 2801 uint16_t capinfo; 2802 2803 /* 2804 * Handle 11h channel change when we've reached the count. 2805 * We must recalculate the beacon frame contents to account 2806 * for the new channel. Note we do this only for the first 2807 * vap that reaches this point; subsequent vaps just update 2808 * their beacon state to reflect the recalculated channel. 2809 */ 2810 if (isset(bo->bo_flags, IEEE80211_BEACON_CSA) && 2811 vap->iv_csa_count == ic->ic_csa_count) { 2812 vap->iv_csa_count = 0; 2813 /* 2814 * Effect channel change before reconstructing the beacon 2815 * frame contents as many places reference ni_chan. 2816 */ 2817 if (ic->ic_csa_newchan != NULL) 2818 ieee80211_csa_completeswitch(ic); 2819 /* 2820 * NB: ieee80211_beacon_construct clears all pending 2821 * updates in bo_flags so we don't need to explicitly 2822 * clear IEEE80211_BEACON_CSA. 2823 */ 2824 ieee80211_beacon_construct(m, 2825 mtod(m, uint8_t*) + sizeof(struct ieee80211_frame), bo, ni); 2826 2827 /* XXX do WME aggressive mode processing? */ 2828 return 1; /* just assume length changed */ 2829 } 2830 2831 /* XXX faster to recalculate entirely or just changes? */ 2832 capinfo = ieee80211_getcapinfo(vap, ni->ni_chan); 2833 *bo->bo_caps = htole16(capinfo); 2834 2835 if (vap->iv_flags & IEEE80211_F_WME) { 2836 struct ieee80211_wme_state *wme = &ic->ic_wme; 2837 2838 /* 2839 * Check for agressive mode change. When there is 2840 * significant high priority traffic in the BSS 2841 * throttle back BE traffic by using conservative 2842 * parameters. Otherwise BE uses agressive params 2843 * to optimize performance of legacy/non-QoS traffic. 2844 */ 2845 if (wme->wme_flags & WME_F_AGGRMODE) { 2846 if (wme->wme_hipri_traffic > 2847 wme->wme_hipri_switch_thresh) { 2848 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME, 2849 "%s: traffic %u, disable aggressive mode\n", 2850 __func__, wme->wme_hipri_traffic); 2851 wme->wme_flags &= ~WME_F_AGGRMODE; 2852 ieee80211_wme_updateparams_locked(vap); 2853 wme->wme_hipri_traffic = 2854 wme->wme_hipri_switch_hysteresis; 2855 } else 2856 wme->wme_hipri_traffic = 0; 2857 } else { 2858 if (wme->wme_hipri_traffic <= 2859 wme->wme_hipri_switch_thresh) { 2860 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME, 2861 "%s: traffic %u, enable aggressive mode\n", 2862 __func__, wme->wme_hipri_traffic); 2863 wme->wme_flags |= WME_F_AGGRMODE; 2864 ieee80211_wme_updateparams_locked(vap); 2865 wme->wme_hipri_traffic = 0; 2866 } else 2867 wme->wme_hipri_traffic = 2868 wme->wme_hipri_switch_hysteresis; 2869 } 2870 if (isset(bo->bo_flags, IEEE80211_BEACON_WME)) { 2871 (void) ieee80211_add_wme_param(bo->bo_wme, wme); 2872 clrbit(bo->bo_flags, IEEE80211_BEACON_WME); 2873 } 2874 } 2875 2876 if (isset(bo->bo_flags, IEEE80211_BEACON_HTINFO)) { 2877 ieee80211_ht_update_beacon(vap, bo); 2878 clrbit(bo->bo_flags, IEEE80211_BEACON_HTINFO); 2879 } 2880 #ifdef IEEE80211_SUPPORT_TDMA 2881 if (vap->iv_caps & IEEE80211_C_TDMA) { 2882 /* 2883 * NB: the beacon is potentially updated every TBTT. 2884 */ 2885 ieee80211_tdma_update_beacon(vap, bo); 2886 } 2887 #endif 2888 #ifdef IEEE80211_SUPPORT_MESH 2889 if (vap->iv_opmode == IEEE80211_M_MBSS) 2890 ieee80211_mesh_update_beacon(vap, bo); 2891 #endif 2892 2893 if (vap->iv_opmode == IEEE80211_M_HOSTAP || 2894 vap->iv_opmode == IEEE80211_M_MBSS) { /* NB: no IBSS support*/ 2895 struct ieee80211_tim_ie *tie = 2896 (struct ieee80211_tim_ie *) bo->bo_tim; 2897 if (isset(bo->bo_flags, IEEE80211_BEACON_TIM)) { 2898 u_int timlen, timoff, i; 2899 /* 2900 * ATIM/DTIM needs updating. If it fits in the 2901 * current space allocated then just copy in the 2902 * new bits. Otherwise we need to move any trailing 2903 * data to make room. Note that we know there is 2904 * contiguous space because ieee80211_beacon_allocate 2905 * insures there is space in the mbuf to write a 2906 * maximal-size virtual bitmap (based on iv_max_aid). 2907 */ 2908 /* 2909 * Calculate the bitmap size and offset, copy any 2910 * trailer out of the way, and then copy in the 2911 * new bitmap and update the information element. 2912 * Note that the tim bitmap must contain at least 2913 * one byte and any offset must be even. 2914 */ 2915 if (vap->iv_ps_pending != 0) { 2916 timoff = 128; /* impossibly large */ 2917 for (i = 0; i < vap->iv_tim_len; i++) 2918 if (vap->iv_tim_bitmap[i]) { 2919 timoff = i &~ 1; 2920 break; 2921 } 2922 KASSERT(timoff != 128, ("tim bitmap empty!")); 2923 for (i = vap->iv_tim_len-1; i >= timoff; i--) 2924 if (vap->iv_tim_bitmap[i]) 2925 break; 2926 timlen = 1 + (i - timoff); 2927 } else { 2928 timoff = 0; 2929 timlen = 1; 2930 } 2931 if (timlen != bo->bo_tim_len) { 2932 /* copy up/down trailer */ 2933 int adjust = tie->tim_bitmap+timlen 2934 - bo->bo_tim_trailer; 2935 ovbcopy(bo->bo_tim_trailer, 2936 bo->bo_tim_trailer+adjust, 2937 bo->bo_tim_trailer_len); 2938 bo->bo_tim_trailer += adjust; 2939 bo->bo_erp += adjust; 2940 bo->bo_htinfo += adjust; 2941 #ifdef IEEE80211_SUPERG_SUPPORT 2942 bo->bo_ath += adjust; 2943 #endif 2944 #ifdef IEEE80211_TDMA_SUPPORT 2945 bo->bo_tdma += adjust; 2946 #endif 2947 #ifdef IEEE80211_MESH_SUPPORT 2948 bo->bo_meshconf += adjust; 2949 #endif 2950 bo->bo_appie += adjust; 2951 bo->bo_wme += adjust; 2952 bo->bo_csa += adjust; 2953 bo->bo_tim_len = timlen; 2954 2955 /* update information element */ 2956 tie->tim_len = 3 + timlen; 2957 tie->tim_bitctl = timoff; 2958 len_changed = 1; 2959 } 2960 memcpy(tie->tim_bitmap, vap->iv_tim_bitmap + timoff, 2961 bo->bo_tim_len); 2962 2963 clrbit(bo->bo_flags, IEEE80211_BEACON_TIM); 2964 2965 IEEE80211_DPRINTF(vap, IEEE80211_MSG_POWER, 2966 "%s: TIM updated, pending %u, off %u, len %u\n", 2967 __func__, vap->iv_ps_pending, timoff, timlen); 2968 } 2969 /* count down DTIM period */ 2970 if (tie->tim_count == 0) 2971 tie->tim_count = tie->tim_period - 1; 2972 else 2973 tie->tim_count--; 2974 /* update state for buffered multicast frames on DTIM */ 2975 if (mcast && tie->tim_count == 0) 2976 tie->tim_bitctl |= 1; 2977 else 2978 tie->tim_bitctl &= ~1; 2979 if (isset(bo->bo_flags, IEEE80211_BEACON_CSA)) { 2980 struct ieee80211_csa_ie *csa = 2981 (struct ieee80211_csa_ie *) bo->bo_csa; 2982 2983 /* 2984 * Insert or update CSA ie. If we're just starting 2985 * to count down to the channel switch then we need 2986 * to insert the CSA ie. Otherwise we just need to 2987 * drop the count. The actual change happens above 2988 * when the vap's count reaches the target count. 2989 */ 2990 if (vap->iv_csa_count == 0) { 2991 memmove(&csa[1], csa, bo->bo_csa_trailer_len); 2992 bo->bo_erp += sizeof(*csa); 2993 bo->bo_htinfo += sizeof(*csa); 2994 bo->bo_wme += sizeof(*csa); 2995 #ifdef IEEE80211_SUPERG_SUPPORT 2996 bo->bo_ath += sizeof(*csa); 2997 #endif 2998 #ifdef IEEE80211_TDMA_SUPPORT 2999 bo->bo_tdma += sizeof(*csa); 3000 #endif 3001 #ifdef IEEE80211_MESH_SUPPORT 3002 bo->bo_meshconf += sizeof(*csa); 3003 #endif 3004 bo->bo_appie += sizeof(*csa); 3005 bo->bo_csa_trailer_len += sizeof(*csa); 3006 bo->bo_tim_trailer_len += sizeof(*csa); 3007 m->m_len += sizeof(*csa); 3008 m->m_pkthdr.len += sizeof(*csa); 3009 3010 ieee80211_add_csa(bo->bo_csa, vap); 3011 } else 3012 csa->csa_count--; 3013 vap->iv_csa_count++; 3014 /* NB: don't clear IEEE80211_BEACON_CSA */ 3015 } 3016 if (isset(bo->bo_flags, IEEE80211_BEACON_ERP)) { 3017 /* 3018 * ERP element needs updating. 3019 */ 3020 (void) ieee80211_add_erp(bo->bo_erp, ic); 3021 clrbit(bo->bo_flags, IEEE80211_BEACON_ERP); 3022 } 3023 #ifdef IEEE80211_SUPPORT_SUPERG 3024 if (isset(bo->bo_flags, IEEE80211_BEACON_ATH)) { 3025 ieee80211_add_athcaps(bo->bo_ath, ni); 3026 clrbit(bo->bo_flags, IEEE80211_BEACON_ATH); 3027 } 3028 #endif 3029 } 3030 if (isset(bo->bo_flags, IEEE80211_BEACON_APPIE)) { 3031 const struct ieee80211_appie *aie = vap->iv_appie_beacon; 3032 int aielen; 3033 uint8_t *frm; 3034 3035 aielen = 0; 3036 if (aie != NULL) 3037 aielen += aie->ie_len; 3038 if (aielen != bo->bo_appie_len) { 3039 /* copy up/down trailer */ 3040 int adjust = aielen - bo->bo_appie_len; 3041 ovbcopy(bo->bo_tim_trailer, bo->bo_tim_trailer+adjust, 3042 bo->bo_tim_trailer_len); 3043 bo->bo_tim_trailer += adjust; 3044 bo->bo_appie += adjust; 3045 bo->bo_appie_len = aielen; 3046 3047 len_changed = 1; 3048 } 3049 frm = bo->bo_appie; 3050 if (aie != NULL) 3051 frm = add_appie(frm, aie); 3052 clrbit(bo->bo_flags, IEEE80211_BEACON_APPIE); 3053 } 3054 3055 return len_changed; 3056 } 3057