1 /*- 2 * Copyright (c) 2001 Atsushi Onoe 3 * Copyright (c) 2002-2009 Sam Leffler, Errno Consulting 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 * 26 * $FreeBSD: head/sys/net80211/ieee80211_output.c 198384 2009-10-23 11:13:08Z rpaulo $ 27 * $DragonFly$ 28 */ 29 30 #include "opt_inet.h" 31 #include "opt_inet6.h" 32 #include "opt_wlan.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/kernel.h> 38 #include <sys/endian.h> 39 40 #include <sys/socket.h> 41 42 #include <net/bpf.h> 43 #include <net/ethernet.h> 44 #include <net/route.h> 45 #include <net/if.h> 46 #include <net/if_llc.h> 47 #include <net/if_media.h> 48 #include <net/ifq_var.h> 49 50 #include <netproto/802_11/ieee80211_var.h> 51 #include <netproto/802_11/ieee80211_regdomain.h> 52 #ifdef IEEE80211_SUPPORT_SUPERG 53 #include <netproto/802_11/ieee80211_superg.h> 54 #endif 55 #ifdef IEEE80211_SUPPORT_TDMA 56 #include <netproto/802_11/ieee80211_tdma.h> 57 #endif 58 #include <netproto/802_11/ieee80211_wds.h> 59 #include <netproto/802_11/ieee80211_mesh.h> 60 61 #ifdef INET 62 #include <netinet/in.h> 63 #include <netinet/if_ether.h> 64 #include <netinet/in_systm.h> 65 #include <netinet/ip.h> 66 #endif 67 #ifdef INET6 68 #include <netinet/ip6.h> 69 #endif 70 71 #define ETHER_HEADER_COPY(dst, src) \ 72 memcpy(dst, src, sizeof(struct ether_header)) 73 74 /* unalligned little endian access */ 75 #define LE_WRITE_2(p, v) do { \ 76 ((uint8_t *)(p))[0] = (v) & 0xff; \ 77 ((uint8_t *)(p))[1] = ((v) >> 8) & 0xff; \ 78 } while (0) 79 #define LE_WRITE_4(p, v) do { \ 80 ((uint8_t *)(p))[0] = (v) & 0xff; \ 81 ((uint8_t *)(p))[1] = ((v) >> 8) & 0xff; \ 82 ((uint8_t *)(p))[2] = ((v) >> 16) & 0xff; \ 83 ((uint8_t *)(p))[3] = ((v) >> 24) & 0xff; \ 84 } while (0) 85 86 static int ieee80211_fragment(struct ieee80211vap *, struct mbuf *, 87 u_int hdrsize, u_int ciphdrsize, u_int mtu); 88 static void ieee80211_tx_mgt_cb(struct ieee80211_node *, void *, int); 89 90 #ifdef IEEE80211_DEBUG 91 /* 92 * Decide if an outbound management frame should be 93 * printed when debugging is enabled. This filters some 94 * of the less interesting frames that come frequently 95 * (e.g. beacons). 96 */ 97 static __inline int 98 doprint(struct ieee80211vap *vap, int subtype) 99 { 100 switch (subtype) { 101 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 102 return (vap->iv_opmode == IEEE80211_M_IBSS); 103 } 104 return 1; 105 } 106 #endif 107 108 /* 109 * Start method for vap's. All packets from the stack come 110 * through here. We handle common processing of the packets 111 * before dispatching them to the underlying device. 112 */ 113 void 114 ieee80211_start(struct ifnet *ifp) 115 { 116 #define IS_DWDS(vap) \ 117 (vap->iv_opmode == IEEE80211_M_WDS && \ 118 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY) == 0) 119 struct ieee80211vap *vap = ifp->if_softc; 120 struct ieee80211com *ic = vap->iv_ic; 121 struct ifnet *parent = ic->ic_ifp; 122 struct ieee80211_node *ni; 123 struct mbuf *m = NULL; 124 struct ether_header *eh; 125 int error; 126 127 /* NB: parent must be up and running */ 128 if (!IFNET_IS_UP_RUNNING(parent)) { 129 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 130 "%s: ignore queue, parent %s not up+running\n", 131 __func__, parent->if_xname); 132 /* XXX stat */ 133 ifq_purge(&ifp->if_snd); 134 return; 135 } 136 if (vap->iv_state == IEEE80211_S_SLEEP) { 137 /* 138 * In power save, wakeup device for transmit. 139 */ 140 ieee80211_new_state(vap, IEEE80211_S_RUN, 0); 141 ifq_purge(&ifp->if_snd); 142 return; 143 } 144 /* 145 * No data frames go out unless we're running. 146 * Note in particular this covers CAC and CSA 147 * states (though maybe we should check muting 148 * for CSA). 149 */ 150 if (vap->iv_state != IEEE80211_S_RUN) { 151 IEEE80211_LOCK(ic); 152 /* re-check under the com lock to avoid races */ 153 if (vap->iv_state != IEEE80211_S_RUN) { 154 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 155 "%s: ignore queue, in %s state\n", 156 __func__, ieee80211_state_name[vap->iv_state]); 157 vap->iv_stats.is_tx_badstate++; 158 ifp->if_flags |= IFF_OACTIVE; 159 IEEE80211_UNLOCK(ic); 160 return; 161 } 162 IEEE80211_UNLOCK(ic); 163 } 164 for (;;) { 165 m = ifq_dequeue(&ifp->if_snd, NULL); 166 if (m == NULL) 167 break; 168 /* 169 * Sanitize mbuf flags for net80211 use. We cannot 170 * clear M_PWR_SAV or M_MORE_DATA because these may 171 * be set for frames that are re-submitted from the 172 * power save queue. 173 * 174 * NB: This must be done before ieee80211_classify as 175 * it marks EAPOL in frames with M_EAPOL. 176 */ 177 m->m_flags &= ~(M_80211_TX - M_PWR_SAV - M_MORE_DATA); 178 /* 179 * Cancel any background scan. 180 */ 181 if (ic->ic_flags & IEEE80211_F_SCAN) 182 ieee80211_cancel_anyscan(vap); 183 /* 184 * Find the node for the destination so we can do 185 * things like power save and fast frames aggregation. 186 * 187 * NB: past this point various code assumes the first 188 * mbuf has the 802.3 header present (and contiguous). 189 */ 190 ni = NULL; 191 if (m->m_len < sizeof(struct ether_header) && 192 (m = m_pullup(m, sizeof(struct ether_header))) == NULL) { 193 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 194 "discard frame, %s\n", "m_pullup failed"); 195 vap->iv_stats.is_tx_nobuf++; /* XXX */ 196 ifp->if_oerrors++; 197 continue; 198 } 199 eh = mtod(m, struct ether_header *); 200 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 201 if (IS_DWDS(vap)) { 202 /* 203 * Only unicast frames from the above go out 204 * DWDS vaps; multicast frames are handled by 205 * dispatching the frame as it comes through 206 * the AP vap (see below). 207 */ 208 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_WDS, 209 eh->ether_dhost, "mcast", "%s", "on DWDS"); 210 vap->iv_stats.is_dwds_mcast++; 211 m_freem(m); 212 continue; 213 } 214 if (vap->iv_opmode == IEEE80211_M_HOSTAP) { 215 /* 216 * Spam DWDS vap's w/ multicast traffic. 217 */ 218 /* XXX only if dwds in use? */ 219 ieee80211_dwds_mcast(vap, m); 220 } 221 } 222 #ifdef IEEE80211_SUPPORT_MESH 223 if (vap->iv_opmode != IEEE80211_M_MBSS) { 224 #endif 225 ni = ieee80211_find_txnode(vap, eh->ether_dhost); 226 if (ni == NULL) { 227 /* NB: ieee80211_find_txnode does stat+msg */ 228 ifp->if_oerrors++; 229 m_freem(m); 230 continue; 231 } 232 if (ni->ni_associd == 0 && 233 (ni->ni_flags & IEEE80211_NODE_ASSOCID)) { 234 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT, 235 eh->ether_dhost, NULL, 236 "sta not associated (type 0x%04x)", 237 htons(eh->ether_type)); 238 vap->iv_stats.is_tx_notassoc++; 239 ifp->if_oerrors++; 240 m_freem(m); 241 ieee80211_free_node(ni); 242 continue; 243 } 244 #ifdef IEEE80211_SUPPORT_MESH 245 } else { 246 if (!IEEE80211_ADDR_EQ(eh->ether_shost, vap->iv_myaddr)) { 247 /* 248 * Proxy station only if configured. 249 */ 250 if (!ieee80211_mesh_isproxyena(vap)) { 251 IEEE80211_DISCARD_MAC(vap, 252 IEEE80211_MSG_OUTPUT | 253 IEEE80211_MSG_MESH, 254 eh->ether_dhost, NULL, 255 "%s", "proxy not enabled"); 256 vap->iv_stats.is_mesh_notproxy++; 257 ifp->if_oerrors++; 258 m_freem(m); 259 continue; 260 } 261 ieee80211_mesh_proxy_check(vap, eh->ether_shost); 262 } 263 ni = ieee80211_mesh_discover(vap, eh->ether_dhost, m); 264 if (ni == NULL) { 265 /* 266 * NB: ieee80211_mesh_discover holds/disposes 267 * frame (e.g. queueing on path discovery). 268 */ 269 ifp->if_oerrors++; 270 continue; 271 } 272 } 273 #endif 274 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 275 (m->m_flags & M_PWR_SAV) == 0) { 276 /* 277 * Station in power save mode; pass the frame 278 * to the 802.11 layer and continue. We'll get 279 * the frame back when the time is right. 280 * XXX lose WDS vap linkage? 281 */ 282 (void) ieee80211_pwrsave(ni, m); 283 ieee80211_free_node(ni); 284 continue; 285 } 286 /* calculate priority so drivers can find the tx queue */ 287 if (ieee80211_classify(ni, m)) { 288 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT, 289 eh->ether_dhost, NULL, 290 "%s", "classification failure"); 291 vap->iv_stats.is_tx_classify++; 292 ifp->if_oerrors++; 293 m_freem(m); 294 ieee80211_free_node(ni); 295 continue; 296 } 297 /* 298 * Stash the node pointer. Note that we do this after 299 * any call to ieee80211_dwds_mcast because that code 300 * uses any existing value for rcvif to identify the 301 * interface it (might have been) received on. 302 */ 303 m->m_pkthdr.rcvif = (void *)ni; 304 305 BPF_MTAP(ifp, m); /* 802.3 tx */ 306 307 /* 308 * Check if A-MPDU tx aggregation is setup or if we 309 * should try to enable it. The sta must be associated 310 * with HT and A-MPDU enabled for use. When the policy 311 * routine decides we should enable A-MPDU we issue an 312 * ADDBA request and wait for a reply. The frame being 313 * encapsulated will go out w/o using A-MPDU, or possibly 314 * it might be collected by the driver and held/retransmit. 315 * The default ic_ampdu_enable routine handles staggering 316 * ADDBA requests in case the receiver NAK's us or we are 317 * otherwise unable to establish a BA stream. 318 */ 319 if ((ni->ni_flags & IEEE80211_NODE_AMPDU_TX) && 320 (vap->iv_flags_ht & IEEE80211_FHT_AMPDU_TX) && 321 (m->m_flags & M_EAPOL) == 0) { 322 const int ac = M_WME_GETAC(m); 323 struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[ac]; 324 325 ieee80211_txampdu_count_packet(tap); 326 if (IEEE80211_AMPDU_RUNNING(tap)) { 327 /* 328 * Operational, mark frame for aggregation. 329 * 330 * XXX do tx aggregation here 331 */ 332 m->m_flags |= M_AMPDU_MPDU; 333 } else if (!IEEE80211_AMPDU_REQUESTED(tap) && 334 ic->ic_ampdu_enable(ni, tap)) { 335 /* 336 * Not negotiated yet, request service. 337 */ 338 ieee80211_ampdu_request(ni, tap); 339 /* XXX hold frame for reply? */ 340 } 341 } 342 #ifdef IEEE80211_SUPPORT_SUPERG 343 else if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF)) { 344 m = ieee80211_ff_check(ni, m); 345 if (m == NULL) { 346 /* NB: any ni ref held on stageq */ 347 continue; 348 } 349 } 350 #endif /* IEEE80211_SUPPORT_SUPERG */ 351 if (__predict_true((vap->iv_caps & IEEE80211_C_8023ENCAP) == 0)) { 352 /* 353 * Encapsulate the packet in prep for transmission. 354 */ 355 m = ieee80211_encap(vap, ni, m); 356 if (m == NULL) { 357 /* NB: stat+msg handled in ieee80211_encap */ 358 ieee80211_free_node(ni); 359 continue; 360 } 361 } 362 363 error = ieee80211_handoff(parent, m); 364 if (error != 0) { 365 /* NB: IFQ_HANDOFF reclaims mbuf */ 366 ieee80211_free_node(ni); 367 } else { 368 ifp->if_opackets++; 369 } 370 ic->ic_lastdata = ticks; 371 } 372 #undef IS_DWDS 373 } 374 375 376 /* 377 * 802.11 output routine. This is (currently) used only to 378 * connect bpf write calls to the 802.11 layer for injecting 379 * raw 802.11 frames. 380 */ 381 int 382 ieee80211_output(struct ifnet *ifp, struct mbuf *m, 383 struct sockaddr *dst, struct rtentry *rt) 384 { 385 #define senderr(e) do { error = (e); goto bad;} while (0) 386 struct ieee80211_node *ni = NULL; 387 struct ieee80211vap *vap; 388 struct ieee80211_frame *wh; 389 int error; 390 391 if (ifp->if_flags & IFF_OACTIVE) { 392 /* 393 * Short-circuit requests if the vap is marked OACTIVE 394 * as this can happen because a packet came down through 395 * ieee80211_start before the vap entered RUN state in 396 * which case it's ok to just drop the frame. This 397 * should not be necessary but callers of if_output don't 398 * check OACTIVE. 399 */ 400 senderr(ENETDOWN); 401 } 402 vap = ifp->if_softc; 403 /* 404 * Hand to the 802.3 code if not tagged as 405 * a raw 802.11 frame. 406 */ 407 if (dst->sa_family != AF_IEEE80211) 408 return vap->iv_output(ifp, m, dst, rt); 409 #ifdef MAC 410 error = mac_ifnet_check_transmit(ifp, m); 411 if (error) 412 senderr(error); 413 #endif 414 if (ifp->if_flags & IFF_MONITOR) 415 senderr(ENETDOWN); 416 if (!IFNET_IS_UP_RUNNING(ifp)) 417 senderr(ENETDOWN); 418 if (vap->iv_state == IEEE80211_S_CAC) { 419 IEEE80211_DPRINTF(vap, 420 IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 421 "block %s frame in CAC state\n", "raw data"); 422 vap->iv_stats.is_tx_badstate++; 423 senderr(EIO); /* XXX */ 424 } 425 /* XXX bypass bridge, pfil, carp, etc. */ 426 427 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_ack)) 428 senderr(EIO); /* XXX */ 429 wh = mtod(m, struct ieee80211_frame *); 430 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 431 IEEE80211_FC0_VERSION_0) 432 senderr(EIO); /* XXX */ 433 434 /* locate destination node */ 435 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 436 case IEEE80211_FC1_DIR_NODS: 437 case IEEE80211_FC1_DIR_FROMDS: 438 ni = ieee80211_find_txnode(vap, wh->i_addr1); 439 break; 440 case IEEE80211_FC1_DIR_TODS: 441 case IEEE80211_FC1_DIR_DSTODS: 442 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) 443 senderr(EIO); /* XXX */ 444 ni = ieee80211_find_txnode(vap, wh->i_addr3); 445 break; 446 default: 447 senderr(EIO); /* XXX */ 448 } 449 if (ni == NULL) { 450 /* 451 * Permit packets w/ bpf params through regardless 452 * (see below about sa_len). 453 */ 454 if (dst->sa_len == 0) 455 senderr(EHOSTUNREACH); 456 ni = ieee80211_ref_node(vap->iv_bss); 457 } 458 459 /* 460 * Sanitize mbuf for net80211 flags leaked from above. 461 * 462 * NB: This must be done before ieee80211_classify as 463 * it marks EAPOL in frames with M_EAPOL. 464 */ 465 m->m_flags &= ~M_80211_TX; 466 467 /* calculate priority so drivers can find the tx queue */ 468 /* XXX assumes an 802.3 frame */ 469 if (ieee80211_classify(ni, m)) 470 senderr(EIO); /* XXX */ 471 472 ifp->if_opackets++; 473 IEEE80211_NODE_STAT(ni, tx_data); 474 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 475 IEEE80211_NODE_STAT(ni, tx_mcast); 476 m->m_flags |= M_MCAST; 477 } else 478 IEEE80211_NODE_STAT(ni, tx_ucast); 479 /* NB: ieee80211_encap does not include 802.11 header */ 480 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, m->m_pkthdr.len); 481 482 /* 483 * NB: DLT_IEEE802_11_RADIO identifies the parameters are 484 * present by setting the sa_len field of the sockaddr (yes, 485 * this is a hack). 486 * NB: we assume sa_data is suitably aligned to cast. 487 */ 488 return vap->iv_ic->ic_raw_xmit(ni, m, 489 (const struct ieee80211_bpf_params *)(dst->sa_len ? 490 dst->sa_data : NULL)); 491 bad: 492 if (m != NULL) 493 m_freem(m); 494 if (ni != NULL) 495 ieee80211_free_node(ni); 496 ifp->if_oerrors++; 497 return error; 498 #undef senderr 499 } 500 501 /* 502 * Set the direction field and address fields of an outgoing 503 * frame. Note this should be called early on in constructing 504 * a frame as it sets i_fc[1]; other bits can then be or'd in. 505 */ 506 void 507 ieee80211_send_setup( 508 struct ieee80211_node *ni, 509 struct mbuf *m, 510 int type, int tid, 511 const uint8_t sa[IEEE80211_ADDR_LEN], 512 const uint8_t da[IEEE80211_ADDR_LEN], 513 const uint8_t bssid[IEEE80211_ADDR_LEN]) 514 { 515 #define WH4(wh) ((struct ieee80211_frame_addr4 *)wh) 516 struct ieee80211vap *vap = ni->ni_vap; 517 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 518 ieee80211_seq seqno; 519 520 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | type; 521 if ((type & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_DATA) { 522 switch (vap->iv_opmode) { 523 case IEEE80211_M_STA: 524 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 525 IEEE80211_ADDR_COPY(wh->i_addr1, bssid); 526 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 527 IEEE80211_ADDR_COPY(wh->i_addr3, da); 528 break; 529 case IEEE80211_M_IBSS: 530 case IEEE80211_M_AHDEMO: 531 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 532 IEEE80211_ADDR_COPY(wh->i_addr1, da); 533 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 534 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 535 break; 536 case IEEE80211_M_HOSTAP: 537 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 538 IEEE80211_ADDR_COPY(wh->i_addr1, da); 539 IEEE80211_ADDR_COPY(wh->i_addr2, bssid); 540 IEEE80211_ADDR_COPY(wh->i_addr3, sa); 541 break; 542 case IEEE80211_M_WDS: 543 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 544 IEEE80211_ADDR_COPY(wh->i_addr1, da); 545 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 546 IEEE80211_ADDR_COPY(wh->i_addr3, da); 547 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa); 548 break; 549 case IEEE80211_M_MBSS: 550 #ifdef IEEE80211_SUPPORT_MESH 551 /* XXX add support for proxied addresses */ 552 if (IEEE80211_IS_MULTICAST(da)) { 553 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 554 /* XXX next hop */ 555 IEEE80211_ADDR_COPY(wh->i_addr1, da); 556 IEEE80211_ADDR_COPY(wh->i_addr2, 557 vap->iv_myaddr); 558 } else { 559 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 560 IEEE80211_ADDR_COPY(wh->i_addr1, da); 561 IEEE80211_ADDR_COPY(wh->i_addr2, 562 vap->iv_myaddr); 563 IEEE80211_ADDR_COPY(wh->i_addr3, da); 564 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa); 565 } 566 #endif 567 break; 568 case IEEE80211_M_MONITOR: /* NB: to quiet compiler */ 569 break; 570 } 571 } else { 572 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 573 IEEE80211_ADDR_COPY(wh->i_addr1, da); 574 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 575 #ifdef IEEE80211_SUPPORT_MESH 576 if (vap->iv_opmode == IEEE80211_M_MBSS) 577 IEEE80211_ADDR_COPY(wh->i_addr3, sa); 578 else 579 #endif 580 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 581 } 582 *(uint16_t *)&wh->i_dur[0] = 0; 583 584 seqno = ni->ni_txseqs[tid]++; 585 *(uint16_t *)&wh->i_seq[0] = htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 586 M_SEQNO_SET(m, seqno); 587 588 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) 589 m->m_flags |= M_MCAST; 590 #undef WH4 591 } 592 593 /* 594 * Send a management frame to the specified node. The node pointer 595 * must have a reference as the pointer will be passed to the driver 596 * and potentially held for a long time. If the frame is successfully 597 * dispatched to the driver, then it is responsible for freeing the 598 * reference (and potentially free'ing up any associated storage); 599 * otherwise deal with reclaiming any reference (on error). 600 */ 601 int 602 ieee80211_mgmt_output(struct ieee80211_node *ni, struct mbuf *m, int type, 603 struct ieee80211_bpf_params *params) 604 { 605 struct ieee80211vap *vap = ni->ni_vap; 606 struct ieee80211com *ic = ni->ni_ic; 607 struct ieee80211_frame *wh; 608 609 KASSERT(ni != NULL, ("null node")); 610 611 if (vap->iv_state == IEEE80211_S_CAC) { 612 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 613 ni, "block %s frame in CAC state", 614 ieee80211_mgt_subtype_name[ 615 (type & IEEE80211_FC0_SUBTYPE_MASK) >> 616 IEEE80211_FC0_SUBTYPE_SHIFT]); 617 vap->iv_stats.is_tx_badstate++; 618 ieee80211_free_node(ni); 619 m_freem(m); 620 return EIO; /* XXX */ 621 } 622 623 M_PREPEND(m, sizeof(struct ieee80211_frame), MB_DONTWAIT); 624 if (m == NULL) { 625 ieee80211_free_node(ni); 626 return ENOMEM; 627 } 628 629 wh = mtod(m, struct ieee80211_frame *); 630 ieee80211_send_setup(ni, m, 631 IEEE80211_FC0_TYPE_MGT | type, IEEE80211_NONQOS_TID, 632 vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 633 if (params->ibp_flags & IEEE80211_BPF_CRYPTO) { 634 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr1, 635 "encrypting frame (%s)", __func__); 636 wh->i_fc[1] |= IEEE80211_FC1_WEP; 637 } 638 m->m_flags |= M_ENCAP; /* mark encapsulated */ 639 640 KASSERT(type != IEEE80211_FC0_SUBTYPE_PROBE_RESP, ("probe response?")); 641 M_WME_SETAC(m, params->ibp_pri); 642 643 #ifdef IEEE80211_DEBUG 644 /* avoid printing too many frames */ 645 if ((ieee80211_msg_debug(vap) && doprint(vap, type)) || 646 ieee80211_msg_dumppkts(vap)) { 647 kprintf("[%6D] send %s on channel %u\n", 648 wh->i_addr1, ":", 649 ieee80211_mgt_subtype_name[ 650 (type & IEEE80211_FC0_SUBTYPE_MASK) >> 651 IEEE80211_FC0_SUBTYPE_SHIFT], 652 ieee80211_chan2ieee(ic, ic->ic_curchan)); 653 } 654 #endif 655 IEEE80211_NODE_STAT(ni, tx_mgmt); 656 657 return ic->ic_raw_xmit(ni, m, params); 658 } 659 660 /* 661 * Send a null data frame to the specified node. If the station 662 * is setup for QoS then a QoS Null Data frame is constructed. 663 * If this is a WDS station then a 4-address frame is constructed. 664 * 665 * NB: the caller is assumed to have setup a node reference 666 * for use; this is necessary to deal with a race condition 667 * when probing for inactive stations. Like ieee80211_mgmt_output 668 * we must cleanup any node reference on error; however we 669 * can safely just unref it as we know it will never be the 670 * last reference to the node. 671 */ 672 int 673 ieee80211_send_nulldata(struct ieee80211_node *ni) 674 { 675 struct ieee80211vap *vap = ni->ni_vap; 676 struct ieee80211com *ic = ni->ni_ic; 677 struct mbuf *m; 678 struct ieee80211_frame *wh; 679 int hdrlen; 680 uint8_t *frm; 681 682 if (vap->iv_state == IEEE80211_S_CAC) { 683 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 684 ni, "block %s frame in CAC state", "null data"); 685 ieee80211_unref_node(&ni); 686 vap->iv_stats.is_tx_badstate++; 687 return EIO; /* XXX */ 688 } 689 690 if (ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT)) 691 hdrlen = sizeof(struct ieee80211_qosframe); 692 else 693 hdrlen = sizeof(struct ieee80211_frame); 694 /* NB: only WDS vap's get 4-address frames */ 695 if (vap->iv_opmode == IEEE80211_M_WDS) 696 hdrlen += IEEE80211_ADDR_LEN; 697 if (ic->ic_flags & IEEE80211_F_DATAPAD) 698 hdrlen = roundup(hdrlen, sizeof(uint32_t)); 699 700 m = ieee80211_getmgtframe(&frm, ic->ic_headroom + hdrlen, 0); 701 if (m == NULL) { 702 /* XXX debug msg */ 703 ieee80211_unref_node(&ni); 704 vap->iv_stats.is_tx_nobuf++; 705 return ENOMEM; 706 } 707 KASSERT(M_LEADINGSPACE(m) >= hdrlen, 708 ("leading space %zd", M_LEADINGSPACE(m))); 709 M_PREPEND(m, hdrlen, MB_DONTWAIT); 710 if (m == NULL) { 711 /* NB: cannot happen */ 712 ieee80211_free_node(ni); 713 return ENOMEM; 714 } 715 716 wh = mtod(m, struct ieee80211_frame *); /* NB: a little lie */ 717 if (ni->ni_flags & IEEE80211_NODE_QOS) { 718 const int tid = WME_AC_TO_TID(WME_AC_BE); 719 uint8_t *qos; 720 721 ieee80211_send_setup(ni, m, 722 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_QOS_NULL, 723 tid, vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 724 725 if (vap->iv_opmode == IEEE80211_M_WDS) 726 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 727 else 728 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 729 qos[0] = tid & IEEE80211_QOS_TID; 730 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[WME_AC_BE].wmep_noackPolicy) 731 qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK; 732 qos[1] = 0; 733 } else { 734 ieee80211_send_setup(ni, m, 735 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_NODATA, 736 IEEE80211_NONQOS_TID, 737 vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 738 } 739 if (vap->iv_opmode != IEEE80211_M_WDS) { 740 /* NB: power management bit is never sent by an AP */ 741 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 742 vap->iv_opmode != IEEE80211_M_HOSTAP) 743 wh->i_fc[1] |= IEEE80211_FC1_PWR_MGT; 744 } 745 m->m_len = m->m_pkthdr.len = hdrlen; 746 m->m_flags |= M_ENCAP; /* mark encapsulated */ 747 748 M_WME_SETAC(m, WME_AC_BE); 749 750 IEEE80211_NODE_STAT(ni, tx_data); 751 752 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, ni, 753 "send %snull data frame on channel %u, pwr mgt %s", 754 ni->ni_flags & IEEE80211_NODE_QOS ? "QoS " : "", 755 ieee80211_chan2ieee(ic, ic->ic_curchan), 756 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT ? "ena" : "dis"); 757 758 return ic->ic_raw_xmit(ni, m, NULL); 759 } 760 761 /* 762 * Assign priority to a frame based on any vlan tag assigned 763 * to the station and/or any Diffserv setting in an IP header. 764 * Finally, if an ACM policy is setup (in station mode) it's 765 * applied. 766 */ 767 int 768 ieee80211_classify(struct ieee80211_node *ni, struct mbuf *m) 769 { 770 const struct ether_header *eh = mtod(m, struct ether_header *); 771 int v_wme_ac, d_wme_ac, ac; 772 773 /* 774 * Always promote PAE/EAPOL frames to high priority. 775 */ 776 if (eh->ether_type == htons(ETHERTYPE_PAE)) { 777 /* NB: mark so others don't need to check header */ 778 m->m_flags |= M_EAPOL; 779 ac = WME_AC_VO; 780 goto done; 781 } 782 /* 783 * Non-qos traffic goes to BE. 784 */ 785 if ((ni->ni_flags & IEEE80211_NODE_QOS) == 0) { 786 ac = WME_AC_BE; 787 goto done; 788 } 789 790 /* 791 * If node has a vlan tag then all traffic 792 * to it must have a matching tag. 793 */ 794 v_wme_ac = 0; 795 if (ni->ni_vlan != 0) { 796 if ((m->m_flags & M_VLANTAG) == 0) { 797 IEEE80211_NODE_STAT(ni, tx_novlantag); 798 return 1; 799 } 800 #ifdef __FreeBSD__ 801 if (EVL_VLANOFTAG(m->m_pkthdr.ether_vlantag) != 802 EVL_VLANOFTAG(ni->ni_vlan)) { 803 IEEE80211_NODE_STAT(ni, tx_vlanmismatch); 804 return 1; 805 } 806 /* map vlan priority to AC */ 807 v_wme_ac = TID_TO_WME_AC(EVL_PRIOFTAG(ni->ni_vlan)); 808 #endif 809 } 810 811 /* XXX m_copydata may be too slow for fast path */ 812 #ifdef INET 813 if (eh->ether_type == htons(ETHERTYPE_IP)) { 814 uint8_t tos; 815 /* 816 * IP frame, map the DSCP bits from the TOS field. 817 */ 818 /* NB: ip header may not be in first mbuf */ 819 m_copydata(m, sizeof(struct ether_header) + 820 offsetof(struct ip, ip_tos), sizeof(tos), &tos); 821 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */ 822 d_wme_ac = TID_TO_WME_AC(tos); 823 } else { 824 #endif /* INET */ 825 #ifdef INET6 826 if (eh->ether_type == htons(ETHERTYPE_IPV6)) { 827 uint32_t flow; 828 uint8_t tos; 829 /* 830 * IPv6 frame, map the DSCP bits from the TOS field. 831 */ 832 m_copydata(m, sizeof(struct ether_header) + 833 offsetof(struct ip6_hdr, ip6_flow), sizeof(flow), 834 (caddr_t) &flow); 835 tos = (uint8_t)(ntohl(flow) >> 20); 836 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */ 837 d_wme_ac = TID_TO_WME_AC(tos); 838 } else { 839 #endif /* INET6 */ 840 d_wme_ac = WME_AC_BE; 841 #ifdef INET6 842 } 843 #endif 844 #ifdef INET 845 } 846 #endif 847 /* 848 * Use highest priority AC. 849 */ 850 if (v_wme_ac > d_wme_ac) 851 ac = v_wme_ac; 852 else 853 ac = d_wme_ac; 854 855 /* 856 * Apply ACM policy. 857 */ 858 if (ni->ni_vap->iv_opmode == IEEE80211_M_STA) { 859 static const int acmap[4] = { 860 WME_AC_BK, /* WME_AC_BE */ 861 WME_AC_BK, /* WME_AC_BK */ 862 WME_AC_BE, /* WME_AC_VI */ 863 WME_AC_VI, /* WME_AC_VO */ 864 }; 865 struct ieee80211com *ic = ni->ni_ic; 866 867 while (ac != WME_AC_BK && 868 ic->ic_wme.wme_wmeBssChanParams.cap_wmeParams[ac].wmep_acm) 869 ac = acmap[ac]; 870 } 871 done: 872 M_WME_SETAC(m, ac); 873 return 0; 874 } 875 876 /* 877 * Insure there is sufficient contiguous space to encapsulate the 878 * 802.11 data frame. If room isn't already there, arrange for it. 879 * Drivers and cipher modules assume we have done the necessary work 880 * and fail rudely if they don't find the space they need. 881 */ 882 struct mbuf * 883 ieee80211_mbuf_adjust(struct ieee80211vap *vap, int hdrsize, 884 struct ieee80211_key *key, struct mbuf *m) 885 { 886 #define TO_BE_RECLAIMED (sizeof(struct ether_header) - sizeof(struct llc)) 887 struct mbuf *mnew = NULL; 888 int needed_space = vap->iv_ic->ic_headroom + hdrsize; 889 890 if (key != NULL) { 891 /* XXX belongs in crypto code? */ 892 needed_space += key->wk_cipher->ic_header; 893 /* XXX frags */ 894 /* 895 * When crypto is being done in the host we must insure 896 * the data are writable for the cipher routines; clone 897 * a writable mbuf chain. 898 * XXX handle SWMIC specially 899 */ 900 if (key->wk_flags & (IEEE80211_KEY_SWENCRYPT|IEEE80211_KEY_SWENMIC)) { 901 mnew = m_dup(m, MB_DONTWAIT); 902 if (m == NULL) { 903 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 904 "%s: cannot get writable mbuf\n", __func__); 905 vap->iv_stats.is_tx_nobuf++; /* XXX new stat */ 906 return NULL; 907 } 908 m_freem(m); 909 m = mnew; 910 } 911 } 912 /* 913 * We know we are called just before stripping an Ethernet 914 * header and prepending an LLC header. This means we know 915 * there will be 916 * sizeof(struct ether_header) - sizeof(struct llc) 917 * bytes recovered to which we need additional space for the 918 * 802.11 header and any crypto header. 919 */ 920 /* XXX check trailing space and copy instead? */ 921 if (M_LEADINGSPACE(m) < needed_space - TO_BE_RECLAIMED) { 922 struct mbuf *n = m_gethdr(MB_DONTWAIT, m->m_type); 923 if (n == NULL) { 924 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 925 "%s: cannot expand storage\n", __func__); 926 vap->iv_stats.is_tx_nobuf++; 927 m_freem(m); 928 return NULL; 929 } 930 KASSERT(needed_space <= MHLEN, 931 ("not enough room, need %u got %zu\n", needed_space, MHLEN)); 932 /* 933 * Setup new mbuf to have leading space to prepend the 934 * 802.11 header and any crypto header bits that are 935 * required (the latter are added when the driver calls 936 * back to ieee80211_crypto_encap to do crypto encapsulation). 937 */ 938 /* NB: must be first 'cuz it clobbers m_data */ 939 m_move_pkthdr(n, m); 940 n->m_len = 0; /* NB: m_gethdr does not set */ 941 n->m_data += needed_space; 942 /* 943 * Pull up Ethernet header to create the expected layout. 944 * We could use m_pullup but that's overkill (i.e. we don't 945 * need the actual data) and it cannot fail so do it inline 946 * for speed. 947 */ 948 /* NB: struct ether_header is known to be contiguous */ 949 n->m_len += sizeof(struct ether_header); 950 m->m_len -= sizeof(struct ether_header); 951 m->m_data += sizeof(struct ether_header); 952 /* 953 * Replace the head of the chain. 954 */ 955 n->m_next = m; 956 m = n; 957 } 958 return m; 959 #undef TO_BE_RECLAIMED 960 } 961 962 /* 963 * Return the transmit key to use in sending a unicast frame. 964 * If a unicast key is set we use that. When no unicast key is set 965 * we fall back to the default transmit key. 966 */ 967 static __inline struct ieee80211_key * 968 ieee80211_crypto_getucastkey(struct ieee80211vap *vap, 969 struct ieee80211_node *ni) 970 { 971 if (IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)) { 972 if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE || 973 IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey])) 974 return NULL; 975 return &vap->iv_nw_keys[vap->iv_def_txkey]; 976 } else { 977 return &ni->ni_ucastkey; 978 } 979 } 980 981 /* 982 * Return the transmit key to use in sending a multicast frame. 983 * Multicast traffic always uses the group key which is installed as 984 * the default tx key. 985 */ 986 static __inline struct ieee80211_key * 987 ieee80211_crypto_getmcastkey(struct ieee80211vap *vap, 988 struct ieee80211_node *ni) 989 { 990 if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE || 991 IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey])) 992 return NULL; 993 return &vap->iv_nw_keys[vap->iv_def_txkey]; 994 } 995 996 /* 997 * Encapsulate an outbound data frame. The mbuf chain is updated. 998 * If an error is encountered NULL is returned. The caller is required 999 * to provide a node reference and pullup the ethernet header in the 1000 * first mbuf. 1001 * 1002 * NB: Packet is assumed to be processed by ieee80211_classify which 1003 * marked EAPOL frames w/ M_EAPOL. 1004 */ 1005 struct mbuf * 1006 ieee80211_encap(struct ieee80211vap *vap, struct ieee80211_node *ni, 1007 struct mbuf *m) 1008 { 1009 #define WH4(wh) ((struct ieee80211_frame_addr4 *)(wh)) 1010 struct ieee80211com *ic = ni->ni_ic; 1011 #ifdef IEEE80211_SUPPORT_MESH 1012 struct ieee80211_mesh_state *ms = vap->iv_mesh; 1013 struct ieee80211_meshcntl_ae10 *mc; 1014 #endif 1015 struct ether_header eh; 1016 struct ieee80211_frame *wh; 1017 struct ieee80211_key *key; 1018 struct llc *llc; 1019 int hdrsize, hdrspace, datalen, addqos, txfrag, is4addr; 1020 ieee80211_seq seqno; 1021 int meshhdrsize, meshae; 1022 uint8_t *qos; 1023 1024 /* 1025 * Copy existing Ethernet header to a safe place. The 1026 * rest of the code assumes it's ok to strip it when 1027 * reorganizing state for the final encapsulation. 1028 */ 1029 KASSERT(m->m_len >= sizeof(eh), ("no ethernet header!")); 1030 ETHER_HEADER_COPY(&eh, mtod(m, caddr_t)); 1031 1032 /* 1033 * Insure space for additional headers. First identify 1034 * transmit key to use in calculating any buffer adjustments 1035 * required. This is also used below to do privacy 1036 * encapsulation work. Then calculate the 802.11 header 1037 * size and any padding required by the driver. 1038 * 1039 * Note key may be NULL if we fall back to the default 1040 * transmit key and that is not set. In that case the 1041 * buffer may not be expanded as needed by the cipher 1042 * routines, but they will/should discard it. 1043 */ 1044 if (vap->iv_flags & IEEE80211_F_PRIVACY) { 1045 if (vap->iv_opmode == IEEE80211_M_STA || 1046 !IEEE80211_IS_MULTICAST(eh.ether_dhost) || 1047 (vap->iv_opmode == IEEE80211_M_WDS && 1048 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY))) 1049 key = ieee80211_crypto_getucastkey(vap, ni); 1050 else 1051 key = ieee80211_crypto_getmcastkey(vap, ni); 1052 if (key == NULL && (m->m_flags & M_EAPOL) == 0) { 1053 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 1054 eh.ether_dhost, 1055 "no default transmit key (%s) deftxkey %u", 1056 __func__, vap->iv_def_txkey); 1057 vap->iv_stats.is_tx_nodefkey++; 1058 goto bad; 1059 } 1060 } else 1061 key = NULL; 1062 /* 1063 * XXX Some ap's don't handle QoS-encapsulated EAPOL 1064 * frames so suppress use. This may be an issue if other 1065 * ap's require all data frames to be QoS-encapsulated 1066 * once negotiated in which case we'll need to make this 1067 * configurable. 1068 */ 1069 addqos = (ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT)) && 1070 (m->m_flags & M_EAPOL) == 0; 1071 if (addqos) 1072 hdrsize = sizeof(struct ieee80211_qosframe); 1073 else 1074 hdrsize = sizeof(struct ieee80211_frame); 1075 #ifdef IEEE80211_SUPPORT_MESH 1076 if (vap->iv_opmode == IEEE80211_M_MBSS) { 1077 /* 1078 * Mesh data frames are encapsulated according to the 1079 * rules of Section 11B.8.5 (p.139 of D3.0 spec). 1080 * o Group Addressed data (aka multicast) originating 1081 * at the local sta are sent w/ 3-address format and 1082 * address extension mode 00 1083 * o Individually Addressed data (aka unicast) originating 1084 * at the local sta are sent w/ 4-address format and 1085 * address extension mode 00 1086 * o Group Addressed data forwarded from a non-mesh sta are 1087 * sent w/ 3-address format and address extension mode 01 1088 * o Individually Address data from another sta are sent 1089 * w/ 4-address format and address extension mode 10 1090 */ 1091 is4addr = 0; /* NB: don't use, disable */ 1092 if (!IEEE80211_IS_MULTICAST(eh.ether_dhost)) 1093 hdrsize += IEEE80211_ADDR_LEN; /* unicast are 4-addr */ 1094 meshhdrsize = sizeof(struct ieee80211_meshcntl); 1095 /* XXX defines for AE modes */ 1096 if (IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr)) { 1097 if (!IEEE80211_IS_MULTICAST(eh.ether_dhost)) 1098 meshae = 0; 1099 else 1100 meshae = 4; /* NB: pseudo */ 1101 } else if (IEEE80211_IS_MULTICAST(eh.ether_dhost)) { 1102 meshae = 1; 1103 meshhdrsize += 1*IEEE80211_ADDR_LEN; 1104 } else { 1105 meshae = 2; 1106 meshhdrsize += 2*IEEE80211_ADDR_LEN; 1107 } 1108 } else { 1109 #endif 1110 /* 1111 * 4-address frames need to be generated for: 1112 * o packets sent through a WDS vap (IEEE80211_M_WDS) 1113 * o packets sent through a vap marked for relaying 1114 * (e.g. a station operating with dynamic WDS) 1115 */ 1116 is4addr = vap->iv_opmode == IEEE80211_M_WDS || 1117 ((vap->iv_flags_ext & IEEE80211_FEXT_4ADDR) && 1118 !IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr)); 1119 if (is4addr) 1120 hdrsize += IEEE80211_ADDR_LEN; 1121 meshhdrsize = meshae = 0; 1122 #ifdef IEEE80211_SUPPORT_MESH 1123 } 1124 #endif 1125 /* 1126 * Honor driver DATAPAD requirement. 1127 */ 1128 if (ic->ic_flags & IEEE80211_F_DATAPAD) 1129 hdrspace = roundup(hdrsize, sizeof(uint32_t)); 1130 else 1131 hdrspace = hdrsize; 1132 1133 if (__predict_true((m->m_flags & M_FF) == 0)) { 1134 /* 1135 * Normal frame. 1136 */ 1137 m = ieee80211_mbuf_adjust(vap, hdrspace + meshhdrsize, key, m); 1138 if (m == NULL) { 1139 /* NB: ieee80211_mbuf_adjust handles msgs+statistics */ 1140 goto bad; 1141 } 1142 /* NB: this could be optimized 'cuz of ieee80211_mbuf_adjust */ 1143 m_adj(m, sizeof(struct ether_header) - sizeof(struct llc)); 1144 llc = mtod(m, struct llc *); 1145 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 1146 llc->llc_control = LLC_UI; 1147 llc->llc_snap.org_code[0] = 0; 1148 llc->llc_snap.org_code[1] = 0; 1149 llc->llc_snap.org_code[2] = 0; 1150 llc->llc_snap.ether_type = eh.ether_type; 1151 } else { 1152 #ifdef IEEE80211_SUPPORT_SUPERG 1153 /* 1154 * Aggregated frame. 1155 */ 1156 m = ieee80211_ff_encap(vap, m, hdrspace + meshhdrsize, key); 1157 if (m == NULL) 1158 #endif 1159 goto bad; 1160 } 1161 datalen = m->m_pkthdr.len; /* NB: w/o 802.11 header */ 1162 1163 M_PREPEND(m, hdrspace + meshhdrsize, MB_DONTWAIT); 1164 if (m == NULL) { 1165 vap->iv_stats.is_tx_nobuf++; 1166 goto bad; 1167 } 1168 wh = mtod(m, struct ieee80211_frame *); 1169 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA; 1170 *(uint16_t *)wh->i_dur = 0; 1171 qos = NULL; /* NB: quiet compiler */ 1172 if (is4addr) { 1173 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 1174 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1175 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1176 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1177 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, eh.ether_shost); 1178 } else switch (vap->iv_opmode) { 1179 case IEEE80211_M_STA: 1180 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 1181 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid); 1182 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 1183 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1184 break; 1185 case IEEE80211_M_IBSS: 1186 case IEEE80211_M_AHDEMO: 1187 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1188 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1189 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 1190 /* 1191 * NB: always use the bssid from iv_bss as the 1192 * neighbor's may be stale after an ibss merge 1193 */ 1194 IEEE80211_ADDR_COPY(wh->i_addr3, vap->iv_bss->ni_bssid); 1195 break; 1196 case IEEE80211_M_HOSTAP: 1197 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1198 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1199 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid); 1200 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 1201 break; 1202 #ifdef IEEE80211_SUPPORT_MESH 1203 case IEEE80211_M_MBSS: 1204 /* NB: offset by hdrspace to deal with DATAPAD */ 1205 mc = (struct ieee80211_meshcntl_ae10 *) 1206 (mtod(m, uint8_t *) + hdrspace); 1207 switch (meshae) { 1208 case 0: /* ucast, no proxy */ 1209 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 1210 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1211 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1212 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1213 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, eh.ether_shost); 1214 mc->mc_flags = 0; 1215 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1216 break; 1217 case 4: /* mcast, no proxy */ 1218 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1219 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1220 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1221 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 1222 mc->mc_flags = 0; /* NB: AE is really 0 */ 1223 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1224 break; 1225 case 1: /* mcast, proxy */ 1226 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1227 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1228 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1229 IEEE80211_ADDR_COPY(wh->i_addr3, vap->iv_myaddr); 1230 mc->mc_flags = 1; 1231 IEEE80211_ADDR_COPY(mc->mc_addr4, eh.ether_shost); 1232 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1233 break; 1234 case 2: /* ucast, proxy */ 1235 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 1236 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1237 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1238 /* XXX not right, need MeshDA */ 1239 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1240 /* XXX assume are MeshSA */ 1241 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, vap->iv_myaddr); 1242 mc->mc_flags = 2; 1243 IEEE80211_ADDR_COPY(mc->mc_addr4, eh.ether_dhost); 1244 IEEE80211_ADDR_COPY(mc->mc_addr5, eh.ether_shost); 1245 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1246 break; 1247 default: 1248 KASSERT(0, ("meshae %d", meshae)); 1249 break; 1250 } 1251 mc->mc_ttl = ms->ms_ttl; 1252 ms->ms_seq++; 1253 LE_WRITE_4(mc->mc_seq, ms->ms_seq); 1254 break; 1255 #endif 1256 case IEEE80211_M_WDS: /* NB: is4addr should always be true */ 1257 default: 1258 goto bad; 1259 } 1260 if (m->m_flags & M_MORE_DATA) 1261 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 1262 if (addqos) { 1263 int ac, tid; 1264 1265 if (is4addr) { 1266 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1267 /* NB: mesh case handled earlier */ 1268 } else if (vap->iv_opmode != IEEE80211_M_MBSS) 1269 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1270 ac = M_WME_GETAC(m); 1271 /* map from access class/queue to 11e header priorty value */ 1272 tid = WME_AC_TO_TID(ac); 1273 qos[0] = tid & IEEE80211_QOS_TID; 1274 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[ac].wmep_noackPolicy) 1275 qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK; 1276 qos[1] = 0; 1277 wh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS; 1278 1279 if ((m->m_flags & M_AMPDU_MPDU) == 0) { 1280 /* 1281 * NB: don't assign a sequence # to potential 1282 * aggregates; we expect this happens at the 1283 * point the frame comes off any aggregation q 1284 * as otherwise we may introduce holes in the 1285 * BA sequence space and/or make window accouting 1286 * more difficult. 1287 * 1288 * XXX may want to control this with a driver 1289 * capability; this may also change when we pull 1290 * aggregation up into net80211 1291 */ 1292 seqno = ni->ni_txseqs[tid]++; 1293 *(uint16_t *)wh->i_seq = 1294 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 1295 M_SEQNO_SET(m, seqno); 1296 } 1297 } else { 1298 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++; 1299 *(uint16_t *)wh->i_seq = 1300 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 1301 M_SEQNO_SET(m, seqno); 1302 } 1303 1304 1305 /* check if xmit fragmentation is required */ 1306 txfrag = (m->m_pkthdr.len > vap->iv_fragthreshold && 1307 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 1308 (vap->iv_caps & IEEE80211_C_TXFRAG) && 1309 (m->m_flags & (M_FF | M_AMPDU_MPDU)) == 0); 1310 if (key != NULL) { 1311 /* 1312 * IEEE 802.1X: send EAPOL frames always in the clear. 1313 * WPA/WPA2: encrypt EAPOL keys when pairwise keys are set. 1314 */ 1315 if ((m->m_flags & M_EAPOL) == 0 || 1316 ((vap->iv_flags & IEEE80211_F_WPA) && 1317 (vap->iv_opmode == IEEE80211_M_STA ? 1318 !IEEE80211_KEY_UNDEFINED(key) : 1319 !IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)))) { 1320 wh->i_fc[1] |= IEEE80211_FC1_WEP; 1321 if (!ieee80211_crypto_enmic(vap, key, m, txfrag)) { 1322 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_OUTPUT, 1323 eh.ether_dhost, 1324 "%s", "enmic failed, discard frame"); 1325 vap->iv_stats.is_crypto_enmicfail++; 1326 goto bad; 1327 } 1328 } 1329 } 1330 if (txfrag && !ieee80211_fragment(vap, m, hdrsize, 1331 key != NULL ? key->wk_cipher->ic_header : 0, vap->iv_fragthreshold)) 1332 goto bad; 1333 1334 m->m_flags |= M_ENCAP; /* mark encapsulated */ 1335 1336 IEEE80211_NODE_STAT(ni, tx_data); 1337 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 1338 IEEE80211_NODE_STAT(ni, tx_mcast); 1339 m->m_flags |= M_MCAST; 1340 } else 1341 IEEE80211_NODE_STAT(ni, tx_ucast); 1342 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, datalen); 1343 1344 return m; 1345 bad: 1346 if (m != NULL) 1347 m_freem(m); 1348 return NULL; 1349 #undef WH4 1350 } 1351 1352 /* 1353 * Fragment the frame according to the specified mtu. 1354 * The size of the 802.11 header (w/o padding) is provided 1355 * so we don't need to recalculate it. We create a new 1356 * mbuf for each fragment and chain it through m_nextpkt; 1357 * we might be able to optimize this by reusing the original 1358 * packet's mbufs but that is significantly more complicated. 1359 */ 1360 static int 1361 ieee80211_fragment(struct ieee80211vap *vap, struct mbuf *m0, 1362 u_int hdrsize, u_int ciphdrsize, u_int mtu) 1363 { 1364 struct ieee80211_frame *wh, *whf; 1365 struct mbuf *m, *prev, *next; 1366 u_int totalhdrsize, fragno, fragsize, off, remainder, payload; 1367 1368 KASSERT(m0->m_nextpkt == NULL, ("mbuf already chained?")); 1369 KASSERT(m0->m_pkthdr.len > mtu, 1370 ("pktlen %u mtu %u", m0->m_pkthdr.len, mtu)); 1371 1372 wh = mtod(m0, struct ieee80211_frame *); 1373 /* NB: mark the first frag; it will be propagated below */ 1374 wh->i_fc[1] |= IEEE80211_FC1_MORE_FRAG; 1375 totalhdrsize = hdrsize + ciphdrsize; 1376 fragno = 1; 1377 off = mtu - ciphdrsize; 1378 remainder = m0->m_pkthdr.len - off; 1379 prev = m0; 1380 do { 1381 fragsize = totalhdrsize + remainder; 1382 if (fragsize > mtu) 1383 fragsize = mtu; 1384 /* XXX fragsize can be >2048! */ 1385 KASSERT(fragsize < MCLBYTES, 1386 ("fragment size %u too big!", fragsize)); 1387 if (fragsize > MHLEN) 1388 m = m_getcl(MB_DONTWAIT, MT_DATA, M_PKTHDR); 1389 else 1390 m = m_gethdr(MB_DONTWAIT, MT_DATA); 1391 if (m == NULL) 1392 goto bad; 1393 /* leave room to prepend any cipher header */ 1394 m_align(m, fragsize - ciphdrsize); 1395 1396 /* 1397 * Form the header in the fragment. Note that since 1398 * we mark the first fragment with the MORE_FRAG bit 1399 * it automatically is propagated to each fragment; we 1400 * need only clear it on the last fragment (done below). 1401 */ 1402 whf = mtod(m, struct ieee80211_frame *); 1403 memcpy(whf, wh, hdrsize); 1404 *(uint16_t *)&whf->i_seq[0] |= htole16( 1405 (fragno & IEEE80211_SEQ_FRAG_MASK) << 1406 IEEE80211_SEQ_FRAG_SHIFT); 1407 fragno++; 1408 1409 payload = fragsize - totalhdrsize; 1410 /* NB: destination is known to be contiguous */ 1411 m_copydata(m0, off, payload, mtod(m, uint8_t *) + hdrsize); 1412 m->m_len = hdrsize + payload; 1413 m->m_pkthdr.len = hdrsize + payload; 1414 m->m_flags |= M_FRAG; 1415 1416 /* chain up the fragment */ 1417 prev->m_nextpkt = m; 1418 prev = m; 1419 1420 /* deduct fragment just formed */ 1421 remainder -= payload; 1422 off += payload; 1423 } while (remainder != 0); 1424 1425 /* set the last fragment */ 1426 m->m_flags |= M_LASTFRAG; 1427 whf->i_fc[1] &= ~IEEE80211_FC1_MORE_FRAG; 1428 1429 /* strip first mbuf now that everything has been copied */ 1430 m_adj(m0, -(m0->m_pkthdr.len - (mtu - ciphdrsize))); 1431 m0->m_flags |= M_FIRSTFRAG | M_FRAG; 1432 1433 vap->iv_stats.is_tx_fragframes++; 1434 vap->iv_stats.is_tx_frags += fragno-1; 1435 1436 return 1; 1437 bad: 1438 /* reclaim fragments but leave original frame for caller to free */ 1439 for (m = m0->m_nextpkt; m != NULL; m = next) { 1440 next = m->m_nextpkt; 1441 m->m_nextpkt = NULL; /* XXX paranoid */ 1442 m_freem(m); 1443 } 1444 m0->m_nextpkt = NULL; 1445 return 0; 1446 } 1447 1448 /* 1449 * Add a supported rates element id to a frame. 1450 */ 1451 uint8_t * 1452 ieee80211_add_rates(uint8_t *frm, const struct ieee80211_rateset *rs) 1453 { 1454 int nrates; 1455 1456 *frm++ = IEEE80211_ELEMID_RATES; 1457 nrates = rs->rs_nrates; 1458 if (nrates > IEEE80211_RATE_SIZE) 1459 nrates = IEEE80211_RATE_SIZE; 1460 *frm++ = nrates; 1461 memcpy(frm, rs->rs_rates, nrates); 1462 return frm + nrates; 1463 } 1464 1465 /* 1466 * Add an extended supported rates element id to a frame. 1467 */ 1468 uint8_t * 1469 ieee80211_add_xrates(uint8_t *frm, const struct ieee80211_rateset *rs) 1470 { 1471 /* 1472 * Add an extended supported rates element if operating in 11g mode. 1473 */ 1474 if (rs->rs_nrates > IEEE80211_RATE_SIZE) { 1475 int nrates = rs->rs_nrates - IEEE80211_RATE_SIZE; 1476 *frm++ = IEEE80211_ELEMID_XRATES; 1477 *frm++ = nrates; 1478 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates); 1479 frm += nrates; 1480 } 1481 return frm; 1482 } 1483 1484 /* 1485 * Add an ssid element to a frame. 1486 */ 1487 static uint8_t * 1488 ieee80211_add_ssid(uint8_t *frm, const uint8_t *ssid, u_int len) 1489 { 1490 *frm++ = IEEE80211_ELEMID_SSID; 1491 *frm++ = len; 1492 memcpy(frm, ssid, len); 1493 return frm + len; 1494 } 1495 1496 /* 1497 * Add an erp element to a frame. 1498 */ 1499 static uint8_t * 1500 ieee80211_add_erp(uint8_t *frm, struct ieee80211com *ic) 1501 { 1502 uint8_t erp; 1503 1504 *frm++ = IEEE80211_ELEMID_ERP; 1505 *frm++ = 1; 1506 erp = 0; 1507 if (ic->ic_nonerpsta != 0) 1508 erp |= IEEE80211_ERP_NON_ERP_PRESENT; 1509 if (ic->ic_flags & IEEE80211_F_USEPROT) 1510 erp |= IEEE80211_ERP_USE_PROTECTION; 1511 if (ic->ic_flags & IEEE80211_F_USEBARKER) 1512 erp |= IEEE80211_ERP_LONG_PREAMBLE; 1513 *frm++ = erp; 1514 return frm; 1515 } 1516 1517 /* 1518 * Add a CFParams element to a frame. 1519 */ 1520 static uint8_t * 1521 ieee80211_add_cfparms(uint8_t *frm, struct ieee80211com *ic) 1522 { 1523 #define ADDSHORT(frm, v) do { \ 1524 LE_WRITE_2(frm, v); \ 1525 frm += 2; \ 1526 } while (0) 1527 *frm++ = IEEE80211_ELEMID_CFPARMS; 1528 *frm++ = 6; 1529 *frm++ = 0; /* CFP count */ 1530 *frm++ = 2; /* CFP period */ 1531 ADDSHORT(frm, 0); /* CFP MaxDuration (TU) */ 1532 ADDSHORT(frm, 0); /* CFP CurRemaining (TU) */ 1533 return frm; 1534 #undef ADDSHORT 1535 } 1536 1537 static __inline uint8_t * 1538 add_appie(uint8_t *frm, const struct ieee80211_appie *ie) 1539 { 1540 memcpy(frm, ie->ie_data, ie->ie_len); 1541 return frm + ie->ie_len; 1542 } 1543 1544 static __inline uint8_t * 1545 add_ie(uint8_t *frm, const uint8_t *ie) 1546 { 1547 memcpy(frm, ie, 2 + ie[1]); 1548 return frm + 2 + ie[1]; 1549 } 1550 1551 #define WME_OUI_BYTES 0x00, 0x50, 0xf2 1552 /* 1553 * Add a WME information element to a frame. 1554 */ 1555 static uint8_t * 1556 ieee80211_add_wme_info(uint8_t *frm, struct ieee80211_wme_state *wme) 1557 { 1558 static const struct ieee80211_wme_info info = { 1559 .wme_id = IEEE80211_ELEMID_VENDOR, 1560 .wme_len = sizeof(struct ieee80211_wme_info) - 2, 1561 .wme_oui = { WME_OUI_BYTES }, 1562 .wme_type = WME_OUI_TYPE, 1563 .wme_subtype = WME_INFO_OUI_SUBTYPE, 1564 .wme_version = WME_VERSION, 1565 .wme_info = 0, 1566 }; 1567 memcpy(frm, &info, sizeof(info)); 1568 return frm + sizeof(info); 1569 } 1570 1571 /* 1572 * Add a WME parameters element to a frame. 1573 */ 1574 static uint8_t * 1575 ieee80211_add_wme_param(uint8_t *frm, struct ieee80211_wme_state *wme) 1576 { 1577 #define SM(_v, _f) (((_v) << _f##_S) & _f) 1578 #define ADDSHORT(frm, v) do { \ 1579 LE_WRITE_2(frm, v); \ 1580 frm += 2; \ 1581 } while (0) 1582 /* NB: this works 'cuz a param has an info at the front */ 1583 static const struct ieee80211_wme_info param = { 1584 .wme_id = IEEE80211_ELEMID_VENDOR, 1585 .wme_len = sizeof(struct ieee80211_wme_param) - 2, 1586 .wme_oui = { WME_OUI_BYTES }, 1587 .wme_type = WME_OUI_TYPE, 1588 .wme_subtype = WME_PARAM_OUI_SUBTYPE, 1589 .wme_version = WME_VERSION, 1590 }; 1591 int i; 1592 1593 memcpy(frm, ¶m, sizeof(param)); 1594 frm += __offsetof(struct ieee80211_wme_info, wme_info); 1595 *frm++ = wme->wme_bssChanParams.cap_info; /* AC info */ 1596 *frm++ = 0; /* reserved field */ 1597 for (i = 0; i < WME_NUM_AC; i++) { 1598 const struct wmeParams *ac = 1599 &wme->wme_bssChanParams.cap_wmeParams[i]; 1600 *frm++ = SM(i, WME_PARAM_ACI) 1601 | SM(ac->wmep_acm, WME_PARAM_ACM) 1602 | SM(ac->wmep_aifsn, WME_PARAM_AIFSN) 1603 ; 1604 *frm++ = SM(ac->wmep_logcwmax, WME_PARAM_LOGCWMAX) 1605 | SM(ac->wmep_logcwmin, WME_PARAM_LOGCWMIN) 1606 ; 1607 ADDSHORT(frm, ac->wmep_txopLimit); 1608 } 1609 return frm; 1610 #undef SM 1611 #undef ADDSHORT 1612 } 1613 #undef WME_OUI_BYTES 1614 1615 /* 1616 * Add an 11h Power Constraint element to a frame. 1617 */ 1618 static uint8_t * 1619 ieee80211_add_powerconstraint(uint8_t *frm, struct ieee80211vap *vap) 1620 { 1621 const struct ieee80211_channel *c = vap->iv_bss->ni_chan; 1622 /* XXX per-vap tx power limit? */ 1623 int8_t limit = vap->iv_ic->ic_txpowlimit / 2; 1624 1625 frm[0] = IEEE80211_ELEMID_PWRCNSTR; 1626 frm[1] = 1; 1627 frm[2] = c->ic_maxregpower > limit ? c->ic_maxregpower - limit : 0; 1628 return frm + 3; 1629 } 1630 1631 /* 1632 * Add an 11h Power Capability element to a frame. 1633 */ 1634 static uint8_t * 1635 ieee80211_add_powercapability(uint8_t *frm, const struct ieee80211_channel *c) 1636 { 1637 frm[0] = IEEE80211_ELEMID_PWRCAP; 1638 frm[1] = 2; 1639 frm[2] = c->ic_minpower; 1640 frm[3] = c->ic_maxpower; 1641 return frm + 4; 1642 } 1643 1644 /* 1645 * Add an 11h Supported Channels element to a frame. 1646 */ 1647 static uint8_t * 1648 ieee80211_add_supportedchannels(uint8_t *frm, struct ieee80211com *ic) 1649 { 1650 static const int ielen = 26; 1651 1652 frm[0] = IEEE80211_ELEMID_SUPPCHAN; 1653 frm[1] = ielen; 1654 /* XXX not correct */ 1655 memcpy(frm+2, ic->ic_chan_avail, ielen); 1656 return frm + 2 + ielen; 1657 } 1658 1659 /* 1660 * Add an 11h Channel Switch Announcement element to a frame. 1661 * Note that we use the per-vap CSA count to adjust the global 1662 * counter so we can use this routine to form probe response 1663 * frames and get the current count. 1664 */ 1665 static uint8_t * 1666 ieee80211_add_csa(uint8_t *frm, struct ieee80211vap *vap) 1667 { 1668 struct ieee80211com *ic = vap->iv_ic; 1669 struct ieee80211_csa_ie *csa = (struct ieee80211_csa_ie *) frm; 1670 1671 csa->csa_ie = IEEE80211_ELEMID_CSA; 1672 csa->csa_len = 3; 1673 csa->csa_mode = 1; /* XXX force quiet on channel */ 1674 csa->csa_newchan = ieee80211_chan2ieee(ic, ic->ic_csa_newchan); 1675 csa->csa_count = ic->ic_csa_count - vap->iv_csa_count; 1676 return frm + sizeof(*csa); 1677 } 1678 1679 /* 1680 * Add an 11h country information element to a frame. 1681 */ 1682 static uint8_t * 1683 ieee80211_add_countryie(uint8_t *frm, struct ieee80211com *ic) 1684 { 1685 1686 if (ic->ic_countryie == NULL || 1687 ic->ic_countryie_chan != ic->ic_bsschan) { 1688 /* 1689 * Handle lazy construction of ie. This is done on 1690 * first use and after a channel change that requires 1691 * re-calculation. 1692 */ 1693 if (ic->ic_countryie != NULL) 1694 kfree(ic->ic_countryie, M_80211_NODE_IE); 1695 ic->ic_countryie = ieee80211_alloc_countryie(ic); 1696 if (ic->ic_countryie == NULL) 1697 return frm; 1698 ic->ic_countryie_chan = ic->ic_bsschan; 1699 } 1700 return add_appie(frm, ic->ic_countryie); 1701 } 1702 1703 /* 1704 * Send a probe request frame with the specified ssid 1705 * and any optional information element data. 1706 */ 1707 int 1708 ieee80211_send_probereq(struct ieee80211_node *ni, 1709 const uint8_t sa[IEEE80211_ADDR_LEN], 1710 const uint8_t da[IEEE80211_ADDR_LEN], 1711 const uint8_t bssid[IEEE80211_ADDR_LEN], 1712 const uint8_t *ssid, size_t ssidlen) 1713 { 1714 struct ieee80211vap *vap = ni->ni_vap; 1715 struct ieee80211com *ic = ni->ni_ic; 1716 const struct ieee80211_txparam *tp; 1717 struct ieee80211_bpf_params params; 1718 struct ieee80211_frame *wh; 1719 const struct ieee80211_rateset *rs; 1720 struct mbuf *m; 1721 uint8_t *frm; 1722 1723 if (vap->iv_state == IEEE80211_S_CAC) { 1724 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, ni, 1725 "block %s frame in CAC state", "probe request"); 1726 vap->iv_stats.is_tx_badstate++; 1727 return EIO; /* XXX */ 1728 } 1729 1730 /* 1731 * Hold a reference on the node so it doesn't go away until after 1732 * the xmit is complete all the way in the driver. On error we 1733 * will remove our reference. 1734 */ 1735 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 1736 "ieee80211_ref_node (%s:%u) %p<%6D> refcnt %d\n", 1737 __func__, __LINE__, 1738 ni, ni->ni_macaddr, ":", 1739 ieee80211_node_refcnt(ni)+1); 1740 ieee80211_ref_node(ni); 1741 1742 /* 1743 * prreq frame format 1744 * [tlv] ssid 1745 * [tlv] supported rates 1746 * [tlv] RSN (optional) 1747 * [tlv] extended supported rates 1748 * [tlv] WPA (optional) 1749 * [tlv] user-specified ie's 1750 */ 1751 m = ieee80211_getmgtframe(&frm, 1752 ic->ic_headroom + sizeof(struct ieee80211_frame), 1753 2 + IEEE80211_NWID_LEN 1754 + 2 + IEEE80211_RATE_SIZE 1755 + sizeof(struct ieee80211_ie_wpa) 1756 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1757 + sizeof(struct ieee80211_ie_wpa) 1758 + (vap->iv_appie_probereq != NULL ? 1759 vap->iv_appie_probereq->ie_len : 0) 1760 ); 1761 if (m == NULL) { 1762 vap->iv_stats.is_tx_nobuf++; 1763 ieee80211_free_node(ni); 1764 return ENOMEM; 1765 } 1766 1767 frm = ieee80211_add_ssid(frm, ssid, ssidlen); 1768 rs = ieee80211_get_suprates(ic, ic->ic_curchan); 1769 frm = ieee80211_add_rates(frm, rs); 1770 if (vap->iv_flags & IEEE80211_F_WPA2) { 1771 if (vap->iv_rsn_ie != NULL) 1772 frm = add_ie(frm, vap->iv_rsn_ie); 1773 /* XXX else complain? */ 1774 } 1775 frm = ieee80211_add_xrates(frm, rs); 1776 if (vap->iv_flags & IEEE80211_F_WPA1) { 1777 if (vap->iv_wpa_ie != NULL) 1778 frm = add_ie(frm, vap->iv_wpa_ie); 1779 /* XXX else complain? */ 1780 } 1781 if (vap->iv_appie_probereq != NULL) 1782 frm = add_appie(frm, vap->iv_appie_probereq); 1783 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 1784 1785 KASSERT(M_LEADINGSPACE(m) >= sizeof(struct ieee80211_frame), 1786 ("leading space %zd", M_LEADINGSPACE(m))); 1787 M_PREPEND(m, sizeof(struct ieee80211_frame), MB_DONTWAIT); 1788 if (m == NULL) { 1789 /* NB: cannot happen */ 1790 ieee80211_free_node(ni); 1791 return ENOMEM; 1792 } 1793 1794 wh = mtod(m, struct ieee80211_frame *); 1795 ieee80211_send_setup(ni, m, 1796 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_REQ, 1797 IEEE80211_NONQOS_TID, sa, da, bssid); 1798 /* XXX power management? */ 1799 m->m_flags |= M_ENCAP; /* mark encapsulated */ 1800 1801 M_WME_SETAC(m, WME_AC_BE); 1802 1803 IEEE80211_NODE_STAT(ni, tx_probereq); 1804 IEEE80211_NODE_STAT(ni, tx_mgmt); 1805 1806 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 1807 "send probe req on channel %u bssid %6D ssid \"%.*s\"\n", 1808 ieee80211_chan2ieee(ic, ic->ic_curchan), bssid, ":", 1809 ssidlen, ssid); 1810 1811 memset(¶ms, 0, sizeof(params)); 1812 params.ibp_pri = M_WME_GETAC(m); 1813 tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)]; 1814 params.ibp_rate0 = tp->mgmtrate; 1815 if (IEEE80211_IS_MULTICAST(da)) { 1816 params.ibp_flags |= IEEE80211_BPF_NOACK; 1817 params.ibp_try0 = 1; 1818 } else 1819 params.ibp_try0 = tp->maxretry; 1820 params.ibp_power = ni->ni_txpower; 1821 return ic->ic_raw_xmit(ni, m, ¶ms); 1822 } 1823 1824 /* 1825 * Calculate capability information for mgt frames. 1826 */ 1827 uint16_t 1828 ieee80211_getcapinfo(struct ieee80211vap *vap, struct ieee80211_channel *chan) 1829 { 1830 struct ieee80211com *ic = vap->iv_ic; 1831 uint16_t capinfo; 1832 1833 KASSERT(vap->iv_opmode != IEEE80211_M_STA, ("station mode")); 1834 1835 if (vap->iv_opmode == IEEE80211_M_HOSTAP) 1836 capinfo = IEEE80211_CAPINFO_ESS; 1837 else if (vap->iv_opmode == IEEE80211_M_IBSS) 1838 capinfo = IEEE80211_CAPINFO_IBSS; 1839 else 1840 capinfo = 0; 1841 if (vap->iv_flags & IEEE80211_F_PRIVACY) 1842 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1843 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1844 IEEE80211_IS_CHAN_2GHZ(chan)) 1845 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1846 if (ic->ic_flags & IEEE80211_F_SHSLOT) 1847 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1848 if (IEEE80211_IS_CHAN_5GHZ(chan) && (vap->iv_flags & IEEE80211_F_DOTH)) 1849 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT; 1850 return capinfo; 1851 } 1852 1853 /* 1854 * Send a management frame. The node is for the destination (or ic_bss 1855 * when in station mode). Nodes other than ic_bss have their reference 1856 * count bumped to reflect our use for an indeterminant time. 1857 */ 1858 int 1859 ieee80211_send_mgmt(struct ieee80211_node *ni, int type, int arg) 1860 { 1861 #define HTFLAGS (IEEE80211_NODE_HT | IEEE80211_NODE_HTCOMPAT) 1862 #define senderr(_x, _v) do { vap->iv_stats._v++; ret = _x; goto bad; } while (0) 1863 struct ieee80211vap *vap = ni->ni_vap; 1864 struct ieee80211com *ic = ni->ni_ic; 1865 struct ieee80211_node *bss = vap->iv_bss; 1866 struct ieee80211_bpf_params params; 1867 struct mbuf *m; 1868 uint8_t *frm; 1869 uint16_t capinfo; 1870 int has_challenge, is_shared_key, ret, status; 1871 1872 KASSERT(ni != NULL, ("null node")); 1873 1874 /* 1875 * Hold a reference on the node so it doesn't go away until after 1876 * the xmit is complete all the way in the driver. On error we 1877 * will remove our reference. 1878 */ 1879 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 1880 "ieee80211_ref_node (%s:%u) %p<%6D> refcnt %d\n", 1881 __func__, __LINE__, 1882 ni, ni->ni_macaddr, ":", 1883 ieee80211_node_refcnt(ni)+1); 1884 ieee80211_ref_node(ni); 1885 1886 memset(¶ms, 0, sizeof(params)); 1887 switch (type) { 1888 1889 case IEEE80211_FC0_SUBTYPE_AUTH: 1890 status = arg >> 16; 1891 arg &= 0xffff; 1892 has_challenge = ((arg == IEEE80211_AUTH_SHARED_CHALLENGE || 1893 arg == IEEE80211_AUTH_SHARED_RESPONSE) && 1894 ni->ni_challenge != NULL); 1895 1896 /* 1897 * Deduce whether we're doing open authentication or 1898 * shared key authentication. We do the latter if 1899 * we're in the middle of a shared key authentication 1900 * handshake or if we're initiating an authentication 1901 * request and configured to use shared key. 1902 */ 1903 is_shared_key = has_challenge || 1904 arg >= IEEE80211_AUTH_SHARED_RESPONSE || 1905 (arg == IEEE80211_AUTH_SHARED_REQUEST && 1906 bss->ni_authmode == IEEE80211_AUTH_SHARED); 1907 1908 m = ieee80211_getmgtframe(&frm, 1909 ic->ic_headroom + sizeof(struct ieee80211_frame), 1910 3 * sizeof(uint16_t) 1911 + (has_challenge && status == IEEE80211_STATUS_SUCCESS ? 1912 sizeof(uint16_t)+IEEE80211_CHALLENGE_LEN : 0) 1913 ); 1914 if (m == NULL) 1915 senderr(ENOMEM, is_tx_nobuf); 1916 1917 ((uint16_t *)frm)[0] = 1918 (is_shared_key) ? htole16(IEEE80211_AUTH_ALG_SHARED) 1919 : htole16(IEEE80211_AUTH_ALG_OPEN); 1920 ((uint16_t *)frm)[1] = htole16(arg); /* sequence number */ 1921 ((uint16_t *)frm)[2] = htole16(status);/* status */ 1922 1923 if (has_challenge && status == IEEE80211_STATUS_SUCCESS) { 1924 ((uint16_t *)frm)[3] = 1925 htole16((IEEE80211_CHALLENGE_LEN << 8) | 1926 IEEE80211_ELEMID_CHALLENGE); 1927 memcpy(&((uint16_t *)frm)[4], ni->ni_challenge, 1928 IEEE80211_CHALLENGE_LEN); 1929 m->m_pkthdr.len = m->m_len = 1930 4 * sizeof(uint16_t) + IEEE80211_CHALLENGE_LEN; 1931 if (arg == IEEE80211_AUTH_SHARED_RESPONSE) { 1932 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 1933 "request encrypt frame (%s)", __func__); 1934 /* mark frame for encryption */ 1935 params.ibp_flags |= IEEE80211_BPF_CRYPTO; 1936 } 1937 } else 1938 m->m_pkthdr.len = m->m_len = 3 * sizeof(uint16_t); 1939 1940 /* XXX not right for shared key */ 1941 if (status == IEEE80211_STATUS_SUCCESS) 1942 IEEE80211_NODE_STAT(ni, tx_auth); 1943 else 1944 IEEE80211_NODE_STAT(ni, tx_auth_fail); 1945 1946 if (vap->iv_opmode == IEEE80211_M_STA) 1947 ieee80211_add_callback(m, ieee80211_tx_mgt_cb, 1948 (void *) vap->iv_state); 1949 break; 1950 1951 case IEEE80211_FC0_SUBTYPE_DEAUTH: 1952 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 1953 "send station deauthenticate (reason %d)", arg); 1954 m = ieee80211_getmgtframe(&frm, 1955 ic->ic_headroom + sizeof(struct ieee80211_frame), 1956 sizeof(uint16_t)); 1957 if (m == NULL) 1958 senderr(ENOMEM, is_tx_nobuf); 1959 *(uint16_t *)frm = htole16(arg); /* reason */ 1960 m->m_pkthdr.len = m->m_len = sizeof(uint16_t); 1961 1962 IEEE80211_NODE_STAT(ni, tx_deauth); 1963 IEEE80211_NODE_STAT_SET(ni, tx_deauth_code, arg); 1964 1965 ieee80211_node_unauthorize(ni); /* port closed */ 1966 break; 1967 1968 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1969 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 1970 /* 1971 * asreq frame format 1972 * [2] capability information 1973 * [2] listen interval 1974 * [6*] current AP address (reassoc only) 1975 * [tlv] ssid 1976 * [tlv] supported rates 1977 * [tlv] extended supported rates 1978 * [4] power capability (optional) 1979 * [28] supported channels (optional) 1980 * [tlv] HT capabilities 1981 * [tlv] WME (optional) 1982 * [tlv] Vendor OUI HT capabilities (optional) 1983 * [tlv] Atheros capabilities (if negotiated) 1984 * [tlv] AppIE's (optional) 1985 */ 1986 m = ieee80211_getmgtframe(&frm, 1987 ic->ic_headroom + sizeof(struct ieee80211_frame), 1988 sizeof(uint16_t) 1989 + sizeof(uint16_t) 1990 + IEEE80211_ADDR_LEN 1991 + 2 + IEEE80211_NWID_LEN 1992 + 2 + IEEE80211_RATE_SIZE 1993 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1994 + 4 1995 + 2 + 26 1996 + sizeof(struct ieee80211_wme_info) 1997 + sizeof(struct ieee80211_ie_htcap) 1998 + 4 + sizeof(struct ieee80211_ie_htcap) 1999 #ifdef IEEE80211_SUPPORT_SUPERG 2000 + sizeof(struct ieee80211_ath_ie) 2001 #endif 2002 + (vap->iv_appie_wpa != NULL ? 2003 vap->iv_appie_wpa->ie_len : 0) 2004 + (vap->iv_appie_assocreq != NULL ? 2005 vap->iv_appie_assocreq->ie_len : 0) 2006 ); 2007 if (m == NULL) 2008 senderr(ENOMEM, is_tx_nobuf); 2009 2010 KASSERT(vap->iv_opmode == IEEE80211_M_STA, 2011 ("wrong mode %u", vap->iv_opmode)); 2012 capinfo = IEEE80211_CAPINFO_ESS; 2013 if (vap->iv_flags & IEEE80211_F_PRIVACY) 2014 capinfo |= IEEE80211_CAPINFO_PRIVACY; 2015 /* 2016 * NB: Some 11a AP's reject the request when 2017 * short premable is set. 2018 */ 2019 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 2020 IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan)) 2021 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 2022 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 2023 (ic->ic_caps & IEEE80211_C_SHSLOT)) 2024 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 2025 if ((ni->ni_capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) && 2026 (vap->iv_flags & IEEE80211_F_DOTH)) 2027 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT; 2028 *(uint16_t *)frm = htole16(capinfo); 2029 frm += 2; 2030 2031 KASSERT(bss->ni_intval != 0, ("beacon interval is zero!")); 2032 *(uint16_t *)frm = htole16(howmany(ic->ic_lintval, 2033 bss->ni_intval)); 2034 frm += 2; 2035 2036 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2037 IEEE80211_ADDR_COPY(frm, bss->ni_bssid); 2038 frm += IEEE80211_ADDR_LEN; 2039 } 2040 2041 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 2042 frm = ieee80211_add_rates(frm, &ni->ni_rates); 2043 if (vap->iv_flags & IEEE80211_F_WPA2) { 2044 if (vap->iv_rsn_ie != NULL) 2045 frm = add_ie(frm, vap->iv_rsn_ie); 2046 /* XXX else complain? */ 2047 } 2048 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 2049 if (capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) { 2050 frm = ieee80211_add_powercapability(frm, 2051 ic->ic_curchan); 2052 frm = ieee80211_add_supportedchannels(frm, ic); 2053 } 2054 if ((vap->iv_flags_ht & IEEE80211_FHT_HT) && 2055 ni->ni_ies.htcap_ie != NULL && 2056 ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_HTCAP) 2057 frm = ieee80211_add_htcap(frm, ni); 2058 if (vap->iv_flags & IEEE80211_F_WPA1) { 2059 if (vap->iv_wpa_ie != NULL) 2060 frm = add_ie(frm, vap->iv_wpa_ie); 2061 /* XXX else complain */ 2062 } 2063 if ((ic->ic_flags & IEEE80211_F_WME) && 2064 ni->ni_ies.wme_ie != NULL) 2065 frm = ieee80211_add_wme_info(frm, &ic->ic_wme); 2066 if ((vap->iv_flags_ht & IEEE80211_FHT_HT) && 2067 ni->ni_ies.htcap_ie != NULL && 2068 ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_VENDOR) 2069 frm = ieee80211_add_htcap_vendor(frm, ni); 2070 #ifdef IEEE80211_SUPPORT_SUPERG 2071 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS)) { 2072 frm = ieee80211_add_ath(frm, 2073 IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS), 2074 ((vap->iv_flags & IEEE80211_F_WPA) == 0 && 2075 ni->ni_authmode != IEEE80211_AUTH_8021X) ? 2076 vap->iv_def_txkey : IEEE80211_KEYIX_NONE); 2077 } 2078 #endif /* IEEE80211_SUPPORT_SUPERG */ 2079 if (vap->iv_appie_assocreq != NULL) 2080 frm = add_appie(frm, vap->iv_appie_assocreq); 2081 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2082 2083 ieee80211_add_callback(m, ieee80211_tx_mgt_cb, 2084 (void *) vap->iv_state); 2085 break; 2086 2087 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2088 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2089 /* 2090 * asresp frame format 2091 * [2] capability information 2092 * [2] status 2093 * [2] association ID 2094 * [tlv] supported rates 2095 * [tlv] extended supported rates 2096 * [tlv] HT capabilities (standard, if STA enabled) 2097 * [tlv] HT information (standard, if STA enabled) 2098 * [tlv] WME (if configured and STA enabled) 2099 * [tlv] HT capabilities (vendor OUI, if STA enabled) 2100 * [tlv] HT information (vendor OUI, if STA enabled) 2101 * [tlv] Atheros capabilities (if STA enabled) 2102 * [tlv] AppIE's (optional) 2103 */ 2104 m = ieee80211_getmgtframe(&frm, 2105 ic->ic_headroom + sizeof(struct ieee80211_frame), 2106 sizeof(uint16_t) 2107 + sizeof(uint16_t) 2108 + sizeof(uint16_t) 2109 + 2 + IEEE80211_RATE_SIZE 2110 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2111 + sizeof(struct ieee80211_ie_htcap) + 4 2112 + sizeof(struct ieee80211_ie_htinfo) + 4 2113 + sizeof(struct ieee80211_wme_param) 2114 #ifdef IEEE80211_SUPPORT_SUPERG 2115 + sizeof(struct ieee80211_ath_ie) 2116 #endif 2117 + (vap->iv_appie_assocresp != NULL ? 2118 vap->iv_appie_assocresp->ie_len : 0) 2119 ); 2120 if (m == NULL) 2121 senderr(ENOMEM, is_tx_nobuf); 2122 2123 capinfo = ieee80211_getcapinfo(vap, bss->ni_chan); 2124 *(uint16_t *)frm = htole16(capinfo); 2125 frm += 2; 2126 2127 *(uint16_t *)frm = htole16(arg); /* status */ 2128 frm += 2; 2129 2130 if (arg == IEEE80211_STATUS_SUCCESS) { 2131 *(uint16_t *)frm = htole16(ni->ni_associd); 2132 IEEE80211_NODE_STAT(ni, tx_assoc); 2133 } else 2134 IEEE80211_NODE_STAT(ni, tx_assoc_fail); 2135 frm += 2; 2136 2137 frm = ieee80211_add_rates(frm, &ni->ni_rates); 2138 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 2139 /* NB: respond according to what we received */ 2140 if ((ni->ni_flags & HTFLAGS) == IEEE80211_NODE_HT) { 2141 frm = ieee80211_add_htcap(frm, ni); 2142 frm = ieee80211_add_htinfo(frm, ni); 2143 } 2144 if ((vap->iv_flags & IEEE80211_F_WME) && 2145 ni->ni_ies.wme_ie != NULL) 2146 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 2147 if ((ni->ni_flags & HTFLAGS) == HTFLAGS) { 2148 frm = ieee80211_add_htcap_vendor(frm, ni); 2149 frm = ieee80211_add_htinfo_vendor(frm, ni); 2150 } 2151 #ifdef IEEE80211_SUPPORT_SUPERG 2152 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS)) 2153 frm = ieee80211_add_ath(frm, 2154 IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS), 2155 ((vap->iv_flags & IEEE80211_F_WPA) == 0 && 2156 ni->ni_authmode != IEEE80211_AUTH_8021X) ? 2157 vap->iv_def_txkey : IEEE80211_KEYIX_NONE); 2158 #endif /* IEEE80211_SUPPORT_SUPERG */ 2159 if (vap->iv_appie_assocresp != NULL) 2160 frm = add_appie(frm, vap->iv_appie_assocresp); 2161 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2162 break; 2163 2164 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2165 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 2166 "send station disassociate (reason %d)", arg); 2167 m = ieee80211_getmgtframe(&frm, 2168 ic->ic_headroom + sizeof(struct ieee80211_frame), 2169 sizeof(uint16_t)); 2170 if (m == NULL) 2171 senderr(ENOMEM, is_tx_nobuf); 2172 *(uint16_t *)frm = htole16(arg); /* reason */ 2173 m->m_pkthdr.len = m->m_len = sizeof(uint16_t); 2174 2175 IEEE80211_NODE_STAT(ni, tx_disassoc); 2176 IEEE80211_NODE_STAT_SET(ni, tx_disassoc_code, arg); 2177 break; 2178 2179 default: 2180 IEEE80211_NOTE(vap, IEEE80211_MSG_ANY, ni, 2181 "invalid mgmt frame type %u", type); 2182 senderr(EINVAL, is_tx_unknownmgt); 2183 /* NOTREACHED */ 2184 } 2185 2186 /* NB: force non-ProbeResp frames to the highest queue */ 2187 params.ibp_pri = WME_AC_VO; 2188 params.ibp_rate0 = bss->ni_txparms->mgmtrate; 2189 /* NB: we know all frames are unicast */ 2190 params.ibp_try0 = bss->ni_txparms->maxretry; 2191 params.ibp_power = bss->ni_txpower; 2192 return ieee80211_mgmt_output(ni, m, type, ¶ms); 2193 bad: 2194 ieee80211_free_node(ni); 2195 return ret; 2196 #undef senderr 2197 #undef HTFLAGS 2198 } 2199 2200 /* 2201 * Return an mbuf with a probe response frame in it. 2202 * Space is left to prepend and 802.11 header at the 2203 * front but it's left to the caller to fill in. 2204 */ 2205 struct mbuf * 2206 ieee80211_alloc_proberesp(struct ieee80211_node *bss, int legacy) 2207 { 2208 struct ieee80211vap *vap = bss->ni_vap; 2209 struct ieee80211com *ic = bss->ni_ic; 2210 const struct ieee80211_rateset *rs; 2211 struct mbuf *m; 2212 uint16_t capinfo; 2213 uint8_t *frm; 2214 2215 /* 2216 * probe response frame format 2217 * [8] time stamp 2218 * [2] beacon interval 2219 * [2] cabability information 2220 * [tlv] ssid 2221 * [tlv] supported rates 2222 * [tlv] parameter set (FH/DS) 2223 * [tlv] parameter set (IBSS) 2224 * [tlv] country (optional) 2225 * [3] power control (optional) 2226 * [5] channel switch announcement (CSA) (optional) 2227 * [tlv] extended rate phy (ERP) 2228 * [tlv] extended supported rates 2229 * [tlv] RSN (optional) 2230 * [tlv] HT capabilities 2231 * [tlv] HT information 2232 * [tlv] WPA (optional) 2233 * [tlv] WME (optional) 2234 * [tlv] Vendor OUI HT capabilities (optional) 2235 * [tlv] Vendor OUI HT information (optional) 2236 * [tlv] Atheros capabilities 2237 * [tlv] AppIE's (optional) 2238 * [tlv] Mesh ID (MBSS) 2239 * [tlv] Mesh Conf (MBSS) 2240 */ 2241 m = ieee80211_getmgtframe(&frm, 2242 ic->ic_headroom + sizeof(struct ieee80211_frame), 2243 8 2244 + sizeof(uint16_t) 2245 + sizeof(uint16_t) 2246 + 2 + IEEE80211_NWID_LEN 2247 + 2 + IEEE80211_RATE_SIZE 2248 + 7 /* max(7,3) */ 2249 + IEEE80211_COUNTRY_MAX_SIZE 2250 + 3 2251 + sizeof(struct ieee80211_csa_ie) 2252 + 3 2253 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2254 + sizeof(struct ieee80211_ie_wpa) 2255 + sizeof(struct ieee80211_ie_htcap) 2256 + sizeof(struct ieee80211_ie_htinfo) 2257 + sizeof(struct ieee80211_ie_wpa) 2258 + sizeof(struct ieee80211_wme_param) 2259 + 4 + sizeof(struct ieee80211_ie_htcap) 2260 + 4 + sizeof(struct ieee80211_ie_htinfo) 2261 #ifdef IEEE80211_SUPPORT_SUPERG 2262 + sizeof(struct ieee80211_ath_ie) 2263 #endif 2264 #ifdef IEEE80211_SUPPORT_MESH 2265 + 2 + IEEE80211_MESHID_LEN 2266 + sizeof(struct ieee80211_meshconf_ie) 2267 #endif 2268 + (vap->iv_appie_proberesp != NULL ? 2269 vap->iv_appie_proberesp->ie_len : 0) 2270 ); 2271 if (m == NULL) { 2272 vap->iv_stats.is_tx_nobuf++; 2273 return NULL; 2274 } 2275 2276 memset(frm, 0, 8); /* timestamp should be filled later */ 2277 frm += 8; 2278 *(uint16_t *)frm = htole16(bss->ni_intval); 2279 frm += 2; 2280 capinfo = ieee80211_getcapinfo(vap, bss->ni_chan); 2281 *(uint16_t *)frm = htole16(capinfo); 2282 frm += 2; 2283 2284 frm = ieee80211_add_ssid(frm, bss->ni_essid, bss->ni_esslen); 2285 rs = ieee80211_get_suprates(ic, bss->ni_chan); 2286 frm = ieee80211_add_rates(frm, rs); 2287 2288 if (IEEE80211_IS_CHAN_FHSS(bss->ni_chan)) { 2289 *frm++ = IEEE80211_ELEMID_FHPARMS; 2290 *frm++ = 5; 2291 *frm++ = bss->ni_fhdwell & 0x00ff; 2292 *frm++ = (bss->ni_fhdwell >> 8) & 0x00ff; 2293 *frm++ = IEEE80211_FH_CHANSET( 2294 ieee80211_chan2ieee(ic, bss->ni_chan)); 2295 *frm++ = IEEE80211_FH_CHANPAT( 2296 ieee80211_chan2ieee(ic, bss->ni_chan)); 2297 *frm++ = bss->ni_fhindex; 2298 } else { 2299 *frm++ = IEEE80211_ELEMID_DSPARMS; 2300 *frm++ = 1; 2301 *frm++ = ieee80211_chan2ieee(ic, bss->ni_chan); 2302 } 2303 2304 if (vap->iv_opmode == IEEE80211_M_IBSS) { 2305 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 2306 *frm++ = 2; 2307 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 2308 } 2309 if ((vap->iv_flags & IEEE80211_F_DOTH) || 2310 (vap->iv_flags_ext & IEEE80211_FEXT_DOTD)) 2311 frm = ieee80211_add_countryie(frm, ic); 2312 if (vap->iv_flags & IEEE80211_F_DOTH) { 2313 if (IEEE80211_IS_CHAN_5GHZ(bss->ni_chan)) 2314 frm = ieee80211_add_powerconstraint(frm, vap); 2315 if (ic->ic_flags & IEEE80211_F_CSAPENDING) 2316 frm = ieee80211_add_csa(frm, vap); 2317 } 2318 if (IEEE80211_IS_CHAN_ANYG(bss->ni_chan)) 2319 frm = ieee80211_add_erp(frm, ic); 2320 frm = ieee80211_add_xrates(frm, rs); 2321 if (vap->iv_flags & IEEE80211_F_WPA2) { 2322 if (vap->iv_rsn_ie != NULL) 2323 frm = add_ie(frm, vap->iv_rsn_ie); 2324 /* XXX else complain? */ 2325 } 2326 /* 2327 * NB: legacy 11b clients do not get certain ie's. 2328 * The caller identifies such clients by passing 2329 * a token in legacy to us. Could expand this to be 2330 * any legacy client for stuff like HT ie's. 2331 */ 2332 if (IEEE80211_IS_CHAN_HT(bss->ni_chan) && 2333 legacy != IEEE80211_SEND_LEGACY_11B) { 2334 frm = ieee80211_add_htcap(frm, bss); 2335 frm = ieee80211_add_htinfo(frm, bss); 2336 } 2337 if (vap->iv_flags & IEEE80211_F_WPA1) { 2338 if (vap->iv_wpa_ie != NULL) 2339 frm = add_ie(frm, vap->iv_wpa_ie); 2340 /* XXX else complain? */ 2341 } 2342 if (vap->iv_flags & IEEE80211_F_WME) 2343 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 2344 if (IEEE80211_IS_CHAN_HT(bss->ni_chan) && 2345 (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) && 2346 legacy != IEEE80211_SEND_LEGACY_11B) { 2347 frm = ieee80211_add_htcap_vendor(frm, bss); 2348 frm = ieee80211_add_htinfo_vendor(frm, bss); 2349 } 2350 #ifdef IEEE80211_SUPPORT_SUPERG 2351 if ((vap->iv_flags & IEEE80211_F_ATHEROS) && 2352 legacy != IEEE80211_SEND_LEGACY_11B) 2353 frm = ieee80211_add_athcaps(frm, bss); 2354 #endif 2355 if (vap->iv_appie_proberesp != NULL) 2356 frm = add_appie(frm, vap->iv_appie_proberesp); 2357 #ifdef IEEE80211_SUPPORT_MESH 2358 if (vap->iv_opmode == IEEE80211_M_MBSS) { 2359 frm = ieee80211_add_meshid(frm, vap); 2360 frm = ieee80211_add_meshconf(frm, vap); 2361 } 2362 #endif 2363 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2364 2365 return m; 2366 } 2367 2368 /* 2369 * Send a probe response frame to the specified mac address. 2370 * This does not go through the normal mgt frame api so we 2371 * can specify the destination address and re-use the bss node 2372 * for the sta reference. 2373 */ 2374 int 2375 ieee80211_send_proberesp(struct ieee80211vap *vap, 2376 const uint8_t da[IEEE80211_ADDR_LEN], int legacy) 2377 { 2378 struct ieee80211_node *bss = vap->iv_bss; 2379 struct ieee80211com *ic = vap->iv_ic; 2380 struct ieee80211_frame *wh; 2381 struct mbuf *m; 2382 2383 if (vap->iv_state == IEEE80211_S_CAC) { 2384 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, bss, 2385 "block %s frame in CAC state", "probe response"); 2386 vap->iv_stats.is_tx_badstate++; 2387 return EIO; /* XXX */ 2388 } 2389 2390 /* 2391 * Hold a reference on the node so it doesn't go away until after 2392 * the xmit is complete all the way in the driver. On error we 2393 * will remove our reference. 2394 */ 2395 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 2396 "ieee80211_ref_node (%s:%u) %p<%6D> refcnt %d\n", 2397 __func__, __LINE__, bss, bss->ni_macaddr, ":", 2398 ieee80211_node_refcnt(bss)+1); 2399 ieee80211_ref_node(bss); 2400 2401 m = ieee80211_alloc_proberesp(bss, legacy); 2402 if (m == NULL) { 2403 ieee80211_free_node(bss); 2404 return ENOMEM; 2405 } 2406 2407 M_PREPEND(m, sizeof(struct ieee80211_frame), MB_DONTWAIT); 2408 KASSERT(m != NULL, ("no room for header")); 2409 2410 wh = mtod(m, struct ieee80211_frame *); 2411 ieee80211_send_setup(bss, m, 2412 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP, 2413 IEEE80211_NONQOS_TID, vap->iv_myaddr, da, bss->ni_bssid); 2414 /* XXX power management? */ 2415 m->m_flags |= M_ENCAP; /* mark encapsulated */ 2416 2417 M_WME_SETAC(m, WME_AC_BE); 2418 2419 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 2420 "send probe resp on channel %u to %6D%s\n", 2421 ieee80211_chan2ieee(ic, ic->ic_curchan), da, ":", 2422 legacy ? " <legacy>" : ""); 2423 IEEE80211_NODE_STAT(bss, tx_mgmt); 2424 2425 return ic->ic_raw_xmit(bss, m, NULL); 2426 } 2427 2428 /* 2429 * Allocate and build a RTS (Request To Send) control frame. 2430 */ 2431 struct mbuf * 2432 ieee80211_alloc_rts(struct ieee80211com *ic, 2433 const uint8_t ra[IEEE80211_ADDR_LEN], 2434 const uint8_t ta[IEEE80211_ADDR_LEN], 2435 uint16_t dur) 2436 { 2437 struct ieee80211_frame_rts *rts; 2438 struct mbuf *m; 2439 2440 /* XXX honor ic_headroom */ 2441 m = m_gethdr(MB_DONTWAIT, MT_DATA); 2442 if (m != NULL) { 2443 rts = mtod(m, struct ieee80211_frame_rts *); 2444 rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | 2445 IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_RTS; 2446 rts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2447 *(u_int16_t *)rts->i_dur = htole16(dur); 2448 IEEE80211_ADDR_COPY(rts->i_ra, ra); 2449 IEEE80211_ADDR_COPY(rts->i_ta, ta); 2450 2451 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts); 2452 } 2453 return m; 2454 } 2455 2456 /* 2457 * Allocate and build a CTS (Clear To Send) control frame. 2458 */ 2459 struct mbuf * 2460 ieee80211_alloc_cts(struct ieee80211com *ic, 2461 const uint8_t ra[IEEE80211_ADDR_LEN], uint16_t dur) 2462 { 2463 struct ieee80211_frame_cts *cts; 2464 struct mbuf *m; 2465 2466 /* XXX honor ic_headroom */ 2467 m = m_gethdr(MB_DONTWAIT, MT_DATA); 2468 if (m != NULL) { 2469 cts = mtod(m, struct ieee80211_frame_cts *); 2470 cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | 2471 IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_CTS; 2472 cts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2473 *(u_int16_t *)cts->i_dur = htole16(dur); 2474 IEEE80211_ADDR_COPY(cts->i_ra, ra); 2475 2476 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts); 2477 } 2478 return m; 2479 } 2480 2481 static void 2482 ieee80211_tx_mgt_timeout(void *arg) 2483 { 2484 struct ieee80211_node *ni = arg; 2485 struct ieee80211vap *vap = ni->ni_vap; 2486 2487 if (vap->iv_state != IEEE80211_S_INIT && 2488 (vap->iv_ic->ic_flags & IEEE80211_F_SCAN) == 0) { 2489 /* 2490 * NB: it's safe to specify a timeout as the reason here; 2491 * it'll only be used in the right state. 2492 */ 2493 ieee80211_new_state(vap, IEEE80211_S_SCAN, 2494 IEEE80211_SCAN_FAIL_TIMEOUT); 2495 } 2496 } 2497 2498 static void 2499 ieee80211_tx_mgt_cb(struct ieee80211_node *ni, void *arg, int status) 2500 { 2501 struct ieee80211vap *vap = ni->ni_vap; 2502 enum ieee80211_state ostate = (enum ieee80211_state) arg; 2503 2504 /* 2505 * Frame transmit completed; arrange timer callback. If 2506 * transmit was successfuly we wait for response. Otherwise 2507 * we arrange an immediate callback instead of doing the 2508 * callback directly since we don't know what state the driver 2509 * is in (e.g. what locks it is holding). This work should 2510 * not be too time-critical and not happen too often so the 2511 * added overhead is acceptable. 2512 * 2513 * XXX what happens if !acked but response shows up before callback? 2514 */ 2515 if (vap->iv_state == ostate) 2516 callout_reset(&vap->iv_mgtsend, 2517 status == 0 ? IEEE80211_TRANS_WAIT*hz : 0, 2518 ieee80211_tx_mgt_timeout, ni); 2519 } 2520 2521 static void 2522 ieee80211_beacon_construct(struct mbuf *m, uint8_t *frm, 2523 struct ieee80211_beacon_offsets *bo, struct ieee80211_node *ni) 2524 { 2525 struct ieee80211vap *vap = ni->ni_vap; 2526 struct ieee80211com *ic = ni->ni_ic; 2527 struct ieee80211_rateset *rs = &ni->ni_rates; 2528 uint16_t capinfo; 2529 2530 /* 2531 * beacon frame format 2532 * [8] time stamp 2533 * [2] beacon interval 2534 * [2] cabability information 2535 * [tlv] ssid 2536 * [tlv] supported rates 2537 * [3] parameter set (DS) 2538 * [8] CF parameter set (optional) 2539 * [tlv] parameter set (IBSS/TIM) 2540 * [tlv] country (optional) 2541 * [3] power control (optional) 2542 * [5] channel switch announcement (CSA) (optional) 2543 * [tlv] extended rate phy (ERP) 2544 * [tlv] extended supported rates 2545 * [tlv] RSN parameters 2546 * [tlv] HT capabilities 2547 * [tlv] HT information 2548 * XXX Vendor-specific OIDs (e.g. Atheros) 2549 * [tlv] WPA parameters 2550 * [tlv] WME parameters 2551 * [tlv] Vendor OUI HT capabilities (optional) 2552 * [tlv] Vendor OUI HT information (optional) 2553 * [tlv] Atheros capabilities (optional) 2554 * [tlv] TDMA parameters (optional) 2555 * [tlv] Mesh ID (MBSS) 2556 * [tlv] Mesh Conf (MBSS) 2557 * [tlv] application data (optional) 2558 */ 2559 2560 memset(bo, 0, sizeof(*bo)); 2561 2562 memset(frm, 0, 8); /* XXX timestamp is set by hardware/driver */ 2563 frm += 8; 2564 *(uint16_t *)frm = htole16(ni->ni_intval); 2565 frm += 2; 2566 capinfo = ieee80211_getcapinfo(vap, ni->ni_chan); 2567 bo->bo_caps = (uint16_t *)frm; 2568 *(uint16_t *)frm = htole16(capinfo); 2569 frm += 2; 2570 *frm++ = IEEE80211_ELEMID_SSID; 2571 if ((vap->iv_flags & IEEE80211_F_HIDESSID) == 0) { 2572 *frm++ = ni->ni_esslen; 2573 memcpy(frm, ni->ni_essid, ni->ni_esslen); 2574 frm += ni->ni_esslen; 2575 } else 2576 *frm++ = 0; 2577 frm = ieee80211_add_rates(frm, rs); 2578 if (!IEEE80211_IS_CHAN_FHSS(ni->ni_chan)) { 2579 *frm++ = IEEE80211_ELEMID_DSPARMS; 2580 *frm++ = 1; 2581 *frm++ = ieee80211_chan2ieee(ic, ni->ni_chan); 2582 } 2583 if (ic->ic_flags & IEEE80211_F_PCF) { 2584 bo->bo_cfp = frm; 2585 frm = ieee80211_add_cfparms(frm, ic); 2586 } 2587 bo->bo_tim = frm; 2588 if (vap->iv_opmode == IEEE80211_M_IBSS) { 2589 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 2590 *frm++ = 2; 2591 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 2592 bo->bo_tim_len = 0; 2593 } else if (vap->iv_opmode == IEEE80211_M_HOSTAP || 2594 vap->iv_opmode == IEEE80211_M_MBSS) { 2595 /* TIM IE is the same for Mesh and Hostap */ 2596 struct ieee80211_tim_ie *tie = (struct ieee80211_tim_ie *) frm; 2597 2598 tie->tim_ie = IEEE80211_ELEMID_TIM; 2599 tie->tim_len = 4; /* length */ 2600 tie->tim_count = 0; /* DTIM count */ 2601 tie->tim_period = vap->iv_dtim_period; /* DTIM period */ 2602 tie->tim_bitctl = 0; /* bitmap control */ 2603 tie->tim_bitmap[0] = 0; /* Partial Virtual Bitmap */ 2604 frm += sizeof(struct ieee80211_tim_ie); 2605 bo->bo_tim_len = 1; 2606 } 2607 bo->bo_tim_trailer = frm; 2608 if ((vap->iv_flags & IEEE80211_F_DOTH) || 2609 (vap->iv_flags_ext & IEEE80211_FEXT_DOTD)) 2610 frm = ieee80211_add_countryie(frm, ic); 2611 if (vap->iv_flags & IEEE80211_F_DOTH) { 2612 if (IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) 2613 frm = ieee80211_add_powerconstraint(frm, vap); 2614 bo->bo_csa = frm; 2615 if (ic->ic_flags & IEEE80211_F_CSAPENDING) 2616 frm = ieee80211_add_csa(frm, vap); 2617 } else 2618 bo->bo_csa = frm; 2619 if (IEEE80211_IS_CHAN_ANYG(ni->ni_chan)) { 2620 bo->bo_erp = frm; 2621 frm = ieee80211_add_erp(frm, ic); 2622 } 2623 frm = ieee80211_add_xrates(frm, rs); 2624 if (vap->iv_flags & IEEE80211_F_WPA2) { 2625 if (vap->iv_rsn_ie != NULL) 2626 frm = add_ie(frm, vap->iv_rsn_ie); 2627 /* XXX else complain */ 2628 } 2629 if (IEEE80211_IS_CHAN_HT(ni->ni_chan)) { 2630 frm = ieee80211_add_htcap(frm, ni); 2631 bo->bo_htinfo = frm; 2632 frm = ieee80211_add_htinfo(frm, ni); 2633 } 2634 if (vap->iv_flags & IEEE80211_F_WPA1) { 2635 if (vap->iv_wpa_ie != NULL) 2636 frm = add_ie(frm, vap->iv_wpa_ie); 2637 /* XXX else complain */ 2638 } 2639 if (vap->iv_flags & IEEE80211_F_WME) { 2640 bo->bo_wme = frm; 2641 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 2642 } 2643 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && 2644 (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT)) { 2645 frm = ieee80211_add_htcap_vendor(frm, ni); 2646 frm = ieee80211_add_htinfo_vendor(frm, ni); 2647 } 2648 #ifdef IEEE80211_SUPPORT_SUPERG 2649 if (vap->iv_flags & IEEE80211_F_ATHEROS) { 2650 bo->bo_ath = frm; 2651 frm = ieee80211_add_athcaps(frm, ni); 2652 } 2653 #endif 2654 #ifdef IEEE80211_SUPPORT_TDMA 2655 if (vap->iv_caps & IEEE80211_C_TDMA) { 2656 bo->bo_tdma = frm; 2657 frm = ieee80211_add_tdma(frm, vap); 2658 } 2659 #endif 2660 if (vap->iv_appie_beacon != NULL) { 2661 bo->bo_appie = frm; 2662 bo->bo_appie_len = vap->iv_appie_beacon->ie_len; 2663 frm = add_appie(frm, vap->iv_appie_beacon); 2664 } 2665 #ifdef IEEE80211_SUPPORT_MESH 2666 if (vap->iv_opmode == IEEE80211_M_MBSS) { 2667 frm = ieee80211_add_meshid(frm, vap); 2668 bo->bo_meshconf = frm; 2669 frm = ieee80211_add_meshconf(frm, vap); 2670 } 2671 #endif 2672 bo->bo_tim_trailer_len = frm - bo->bo_tim_trailer; 2673 bo->bo_csa_trailer_len = frm - bo->bo_csa; 2674 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2675 } 2676 2677 /* 2678 * Allocate a beacon frame and fillin the appropriate bits. 2679 */ 2680 struct mbuf * 2681 ieee80211_beacon_alloc(struct ieee80211_node *ni, 2682 struct ieee80211_beacon_offsets *bo) 2683 { 2684 struct ieee80211vap *vap = ni->ni_vap; 2685 struct ieee80211com *ic = ni->ni_ic; 2686 struct ifnet *ifp = vap->iv_ifp; 2687 struct ieee80211_frame *wh; 2688 struct mbuf *m; 2689 int pktlen; 2690 uint8_t *frm; 2691 2692 /* 2693 * beacon frame format 2694 * [8] time stamp 2695 * [2] beacon interval 2696 * [2] cabability information 2697 * [tlv] ssid 2698 * [tlv] supported rates 2699 * [3] parameter set (DS) 2700 * [8] CF parameter set (optional) 2701 * [tlv] parameter set (IBSS/TIM) 2702 * [tlv] country (optional) 2703 * [3] power control (optional) 2704 * [5] channel switch announcement (CSA) (optional) 2705 * [tlv] extended rate phy (ERP) 2706 * [tlv] extended supported rates 2707 * [tlv] RSN parameters 2708 * [tlv] HT capabilities 2709 * [tlv] HT information 2710 * [tlv] Vendor OUI HT capabilities (optional) 2711 * [tlv] Vendor OUI HT information (optional) 2712 * XXX Vendor-specific OIDs (e.g. Atheros) 2713 * [tlv] WPA parameters 2714 * [tlv] WME parameters 2715 * [tlv] TDMA parameters (optional) 2716 * [tlv] Mesh ID (MBSS) 2717 * [tlv] Mesh Conf (MBSS) 2718 * [tlv] application data (optional) 2719 * NB: we allocate the max space required for the TIM bitmap. 2720 * XXX how big is this? 2721 */ 2722 pktlen = 8 /* time stamp */ 2723 + sizeof(uint16_t) /* beacon interval */ 2724 + sizeof(uint16_t) /* capabilities */ 2725 + 2 + ni->ni_esslen /* ssid */ 2726 + 2 + IEEE80211_RATE_SIZE /* supported rates */ 2727 + 2 + 1 /* DS parameters */ 2728 + 2 + 6 /* CF parameters */ 2729 + 2 + 4 + vap->iv_tim_len /* DTIM/IBSSPARMS */ 2730 + IEEE80211_COUNTRY_MAX_SIZE /* country */ 2731 + 2 + 1 /* power control */ 2732 + sizeof(struct ieee80211_csa_ie) /* CSA */ 2733 + 2 + 1 /* ERP */ 2734 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2735 + (vap->iv_caps & IEEE80211_C_WPA ? /* WPA 1+2 */ 2736 2*sizeof(struct ieee80211_ie_wpa) : 0) 2737 /* XXX conditional? */ 2738 + 4+2*sizeof(struct ieee80211_ie_htcap)/* HT caps */ 2739 + 4+2*sizeof(struct ieee80211_ie_htinfo)/* HT info */ 2740 + (vap->iv_caps & IEEE80211_C_WME ? /* WME */ 2741 sizeof(struct ieee80211_wme_param) : 0) 2742 #ifdef IEEE80211_SUPPORT_SUPERG 2743 + sizeof(struct ieee80211_ath_ie) /* ATH */ 2744 #endif 2745 #ifdef IEEE80211_SUPPORT_TDMA 2746 + (vap->iv_caps & IEEE80211_C_TDMA ? /* TDMA */ 2747 sizeof(struct ieee80211_tdma_param) : 0) 2748 #endif 2749 #ifdef IEEE80211_SUPPORT_MESH 2750 + 2 + ni->ni_meshidlen 2751 + sizeof(struct ieee80211_meshconf_ie) 2752 #endif 2753 + IEEE80211_MAX_APPIE 2754 ; 2755 m = ieee80211_getmgtframe(&frm, 2756 ic->ic_headroom + sizeof(struct ieee80211_frame), pktlen); 2757 if (m == NULL) { 2758 IEEE80211_DPRINTF(vap, IEEE80211_MSG_ANY, 2759 "%s: cannot get buf; size %u\n", __func__, pktlen); 2760 vap->iv_stats.is_tx_nobuf++; 2761 return NULL; 2762 } 2763 ieee80211_beacon_construct(m, frm, bo, ni); 2764 2765 M_PREPEND(m, sizeof(struct ieee80211_frame), MB_DONTWAIT); 2766 KASSERT(m != NULL, ("no space for 802.11 header?")); 2767 wh = mtod(m, struct ieee80211_frame *); 2768 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | 2769 IEEE80211_FC0_SUBTYPE_BEACON; 2770 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2771 *(uint16_t *)wh->i_dur = 0; 2772 IEEE80211_ADDR_COPY(wh->i_addr1, ifp->if_broadcastaddr); 2773 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 2774 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 2775 *(uint16_t *)wh->i_seq = 0; 2776 2777 return m; 2778 } 2779 2780 /* 2781 * Update the dynamic parts of a beacon frame based on the current state. 2782 */ 2783 int 2784 ieee80211_beacon_update(struct ieee80211_node *ni, 2785 struct ieee80211_beacon_offsets *bo, struct mbuf *m, int mcast) 2786 { 2787 struct ieee80211vap *vap = ni->ni_vap; 2788 struct ieee80211com *ic = ni->ni_ic; 2789 int len_changed = 0; 2790 uint16_t capinfo; 2791 2792 IEEE80211_LOCK(ic); 2793 /* 2794 * Handle 11h channel change when we've reached the count. 2795 * We must recalculate the beacon frame contents to account 2796 * for the new channel. Note we do this only for the first 2797 * vap that reaches this point; subsequent vaps just update 2798 * their beacon state to reflect the recalculated channel. 2799 */ 2800 if (isset(bo->bo_flags, IEEE80211_BEACON_CSA) && 2801 vap->iv_csa_count == ic->ic_csa_count) { 2802 vap->iv_csa_count = 0; 2803 /* 2804 * Effect channel change before reconstructing the beacon 2805 * frame contents as many places reference ni_chan. 2806 */ 2807 if (ic->ic_csa_newchan != NULL) 2808 ieee80211_csa_completeswitch(ic); 2809 /* 2810 * NB: ieee80211_beacon_construct clears all pending 2811 * updates in bo_flags so we don't need to explicitly 2812 * clear IEEE80211_BEACON_CSA. 2813 */ 2814 ieee80211_beacon_construct(m, 2815 mtod(m, uint8_t*) + sizeof(struct ieee80211_frame), bo, ni); 2816 2817 /* XXX do WME aggressive mode processing? */ 2818 IEEE80211_UNLOCK(ic); 2819 return 1; /* just assume length changed */ 2820 } 2821 2822 /* XXX faster to recalculate entirely or just changes? */ 2823 capinfo = ieee80211_getcapinfo(vap, ni->ni_chan); 2824 *bo->bo_caps = htole16(capinfo); 2825 2826 if (vap->iv_flags & IEEE80211_F_WME) { 2827 struct ieee80211_wme_state *wme = &ic->ic_wme; 2828 2829 /* 2830 * Check for agressive mode change. When there is 2831 * significant high priority traffic in the BSS 2832 * throttle back BE traffic by using conservative 2833 * parameters. Otherwise BE uses agressive params 2834 * to optimize performance of legacy/non-QoS traffic. 2835 */ 2836 if (wme->wme_flags & WME_F_AGGRMODE) { 2837 if (wme->wme_hipri_traffic > 2838 wme->wme_hipri_switch_thresh) { 2839 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME, 2840 "%s: traffic %u, disable aggressive mode\n", 2841 __func__, wme->wme_hipri_traffic); 2842 wme->wme_flags &= ~WME_F_AGGRMODE; 2843 ieee80211_wme_updateparams_locked(vap); 2844 wme->wme_hipri_traffic = 2845 wme->wme_hipri_switch_hysteresis; 2846 } else 2847 wme->wme_hipri_traffic = 0; 2848 } else { 2849 if (wme->wme_hipri_traffic <= 2850 wme->wme_hipri_switch_thresh) { 2851 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME, 2852 "%s: traffic %u, enable aggressive mode\n", 2853 __func__, wme->wme_hipri_traffic); 2854 wme->wme_flags |= WME_F_AGGRMODE; 2855 ieee80211_wme_updateparams_locked(vap); 2856 wme->wme_hipri_traffic = 0; 2857 } else 2858 wme->wme_hipri_traffic = 2859 wme->wme_hipri_switch_hysteresis; 2860 } 2861 if (isset(bo->bo_flags, IEEE80211_BEACON_WME)) { 2862 (void) ieee80211_add_wme_param(bo->bo_wme, wme); 2863 clrbit(bo->bo_flags, IEEE80211_BEACON_WME); 2864 } 2865 } 2866 2867 if (isset(bo->bo_flags, IEEE80211_BEACON_HTINFO)) { 2868 ieee80211_ht_update_beacon(vap, bo); 2869 clrbit(bo->bo_flags, IEEE80211_BEACON_HTINFO); 2870 } 2871 #ifdef IEEE80211_SUPPORT_TDMA 2872 if (vap->iv_caps & IEEE80211_C_TDMA) { 2873 /* 2874 * NB: the beacon is potentially updated every TBTT. 2875 */ 2876 ieee80211_tdma_update_beacon(vap, bo); 2877 } 2878 #endif 2879 #ifdef IEEE80211_SUPPORT_MESH 2880 if (vap->iv_opmode == IEEE80211_M_MBSS) 2881 ieee80211_mesh_update_beacon(vap, bo); 2882 #endif 2883 2884 if (vap->iv_opmode == IEEE80211_M_HOSTAP || 2885 vap->iv_opmode == IEEE80211_M_MBSS) { /* NB: no IBSS support*/ 2886 struct ieee80211_tim_ie *tie = 2887 (struct ieee80211_tim_ie *) bo->bo_tim; 2888 if (isset(bo->bo_flags, IEEE80211_BEACON_TIM)) { 2889 u_int timlen, timoff, i; 2890 /* 2891 * ATIM/DTIM needs updating. If it fits in the 2892 * current space allocated then just copy in the 2893 * new bits. Otherwise we need to move any trailing 2894 * data to make room. Note that we know there is 2895 * contiguous space because ieee80211_beacon_allocate 2896 * insures there is space in the mbuf to write a 2897 * maximal-size virtual bitmap (based on iv_max_aid). 2898 */ 2899 /* 2900 * Calculate the bitmap size and offset, copy any 2901 * trailer out of the way, and then copy in the 2902 * new bitmap and update the information element. 2903 * Note that the tim bitmap must contain at least 2904 * one byte and any offset must be even. 2905 */ 2906 if (vap->iv_ps_pending != 0) { 2907 timoff = 128; /* impossibly large */ 2908 for (i = 0; i < vap->iv_tim_len; i++) 2909 if (vap->iv_tim_bitmap[i]) { 2910 timoff = i &~ 1; 2911 break; 2912 } 2913 KASSERT(timoff != 128, ("tim bitmap empty!")); 2914 for (i = vap->iv_tim_len-1; i >= timoff; i--) 2915 if (vap->iv_tim_bitmap[i]) 2916 break; 2917 timlen = 1 + (i - timoff); 2918 } else { 2919 timoff = 0; 2920 timlen = 1; 2921 } 2922 if (timlen != bo->bo_tim_len) { 2923 /* copy up/down trailer */ 2924 int adjust = tie->tim_bitmap+timlen 2925 - bo->bo_tim_trailer; 2926 ovbcopy(bo->bo_tim_trailer, 2927 bo->bo_tim_trailer+adjust, 2928 bo->bo_tim_trailer_len); 2929 bo->bo_tim_trailer += adjust; 2930 bo->bo_erp += adjust; 2931 bo->bo_htinfo += adjust; 2932 #ifdef IEEE80211_SUPERG_SUPPORT 2933 bo->bo_ath += adjust; 2934 #endif 2935 #ifdef IEEE80211_TDMA_SUPPORT 2936 bo->bo_tdma += adjust; 2937 #endif 2938 #ifdef IEEE80211_MESH_SUPPORT 2939 bo->bo_meshconf += adjust; 2940 #endif 2941 bo->bo_appie += adjust; 2942 bo->bo_wme += adjust; 2943 bo->bo_csa += adjust; 2944 bo->bo_tim_len = timlen; 2945 2946 /* update information element */ 2947 tie->tim_len = 3 + timlen; 2948 tie->tim_bitctl = timoff; 2949 len_changed = 1; 2950 } 2951 memcpy(tie->tim_bitmap, vap->iv_tim_bitmap + timoff, 2952 bo->bo_tim_len); 2953 2954 clrbit(bo->bo_flags, IEEE80211_BEACON_TIM); 2955 2956 IEEE80211_DPRINTF(vap, IEEE80211_MSG_POWER, 2957 "%s: TIM updated, pending %u, off %u, len %u\n", 2958 __func__, vap->iv_ps_pending, timoff, timlen); 2959 } 2960 /* count down DTIM period */ 2961 if (tie->tim_count == 0) 2962 tie->tim_count = tie->tim_period - 1; 2963 else 2964 tie->tim_count--; 2965 /* update state for buffered multicast frames on DTIM */ 2966 if (mcast && tie->tim_count == 0) 2967 tie->tim_bitctl |= 1; 2968 else 2969 tie->tim_bitctl &= ~1; 2970 if (isset(bo->bo_flags, IEEE80211_BEACON_CSA)) { 2971 struct ieee80211_csa_ie *csa = 2972 (struct ieee80211_csa_ie *) bo->bo_csa; 2973 2974 /* 2975 * Insert or update CSA ie. If we're just starting 2976 * to count down to the channel switch then we need 2977 * to insert the CSA ie. Otherwise we just need to 2978 * drop the count. The actual change happens above 2979 * when the vap's count reaches the target count. 2980 */ 2981 if (vap->iv_csa_count == 0) { 2982 memmove(&csa[1], csa, bo->bo_csa_trailer_len); 2983 bo->bo_erp += sizeof(*csa); 2984 bo->bo_htinfo += sizeof(*csa); 2985 bo->bo_wme += sizeof(*csa); 2986 #ifdef IEEE80211_SUPERG_SUPPORT 2987 bo->bo_ath += sizeof(*csa); 2988 #endif 2989 #ifdef IEEE80211_TDMA_SUPPORT 2990 bo->bo_tdma += sizeof(*csa); 2991 #endif 2992 #ifdef IEEE80211_MESH_SUPPORT 2993 bo->bo_meshconf += sizeof(*csa); 2994 #endif 2995 bo->bo_appie += sizeof(*csa); 2996 bo->bo_csa_trailer_len += sizeof(*csa); 2997 bo->bo_tim_trailer_len += sizeof(*csa); 2998 m->m_len += sizeof(*csa); 2999 m->m_pkthdr.len += sizeof(*csa); 3000 3001 ieee80211_add_csa(bo->bo_csa, vap); 3002 } else 3003 csa->csa_count--; 3004 vap->iv_csa_count++; 3005 /* NB: don't clear IEEE80211_BEACON_CSA */ 3006 } 3007 if (isset(bo->bo_flags, IEEE80211_BEACON_ERP)) { 3008 /* 3009 * ERP element needs updating. 3010 */ 3011 (void) ieee80211_add_erp(bo->bo_erp, ic); 3012 clrbit(bo->bo_flags, IEEE80211_BEACON_ERP); 3013 } 3014 #ifdef IEEE80211_SUPPORT_SUPERG 3015 if (isset(bo->bo_flags, IEEE80211_BEACON_ATH)) { 3016 ieee80211_add_athcaps(bo->bo_ath, ni); 3017 clrbit(bo->bo_flags, IEEE80211_BEACON_ATH); 3018 } 3019 #endif 3020 } 3021 if (isset(bo->bo_flags, IEEE80211_BEACON_APPIE)) { 3022 const struct ieee80211_appie *aie = vap->iv_appie_beacon; 3023 int aielen; 3024 uint8_t *frm; 3025 3026 aielen = 0; 3027 if (aie != NULL) 3028 aielen += aie->ie_len; 3029 if (aielen != bo->bo_appie_len) { 3030 /* copy up/down trailer */ 3031 int adjust = aielen - bo->bo_appie_len; 3032 ovbcopy(bo->bo_tim_trailer, bo->bo_tim_trailer+adjust, 3033 bo->bo_tim_trailer_len); 3034 bo->bo_tim_trailer += adjust; 3035 bo->bo_appie += adjust; 3036 bo->bo_appie_len = aielen; 3037 3038 len_changed = 1; 3039 } 3040 frm = bo->bo_appie; 3041 if (aie != NULL) 3042 frm = add_appie(frm, aie); 3043 clrbit(bo->bo_flags, IEEE80211_BEACON_APPIE); 3044 } 3045 IEEE80211_UNLOCK(ic); 3046 3047 return len_changed; 3048 } 3049