1 /* $OpenBSD: ieee80211_output.c,v 1.135 2021/09/08 11:40:30 stsp Exp $ */ 2 /* $NetBSD: ieee80211_output.c,v 1.13 2004/05/31 11:02:55 dyoung Exp $ */ 3 4 /*- 5 * Copyright (c) 2001 Atsushi Onoe 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * Copyright (c) 2007-2009 Damien Bergamini 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "bpfilter.h" 34 #include "vlan.h" 35 36 #include <sys/param.h> 37 #include <sys/systm.h> 38 #include <sys/mbuf.h> 39 #include <sys/kernel.h> 40 #include <sys/socket.h> 41 #include <sys/sockio.h> 42 #include <sys/endian.h> 43 #include <sys/errno.h> 44 #include <sys/sysctl.h> 45 46 #include <net/if.h> 47 #include <net/if_dl.h> 48 #include <net/if_media.h> 49 #include <net/if_llc.h> 50 #include <net/bpf.h> 51 52 #include <netinet/in.h> 53 #include <netinet/if_ether.h> 54 #include <netinet/ip.h> 55 #ifdef INET6 56 #include <netinet/ip6.h> 57 #endif 58 59 #if NVLAN > 0 60 #include <net/if_vlan_var.h> 61 #endif 62 63 #include <net80211/ieee80211_var.h> 64 #include <net80211/ieee80211_priv.h> 65 66 int ieee80211_mgmt_output(struct ifnet *, struct ieee80211_node *, 67 struct mbuf *, int); 68 int ieee80211_can_use_ampdu(struct ieee80211com *, 69 struct ieee80211_node *); 70 u_int8_t *ieee80211_add_rsn_body(u_int8_t *, struct ieee80211com *, 71 const struct ieee80211_node *, int); 72 struct mbuf *ieee80211_getmgmt(int, int, u_int); 73 struct mbuf *ieee80211_get_probe_req(struct ieee80211com *, 74 struct ieee80211_node *); 75 #ifndef IEEE80211_STA_ONLY 76 struct mbuf *ieee80211_get_probe_resp(struct ieee80211com *); 77 #endif 78 struct mbuf *ieee80211_get_auth(struct ieee80211com *, 79 struct ieee80211_node *, u_int16_t, u_int16_t); 80 struct mbuf *ieee80211_get_deauth(struct ieee80211com *, 81 struct ieee80211_node *, u_int16_t); 82 struct mbuf *ieee80211_get_assoc_req(struct ieee80211com *, 83 struct ieee80211_node *, int); 84 #ifndef IEEE80211_STA_ONLY 85 struct mbuf *ieee80211_get_assoc_resp(struct ieee80211com *, 86 struct ieee80211_node *, u_int16_t); 87 #endif 88 struct mbuf *ieee80211_get_disassoc(struct ieee80211com *, 89 struct ieee80211_node *, u_int16_t); 90 struct mbuf *ieee80211_get_addba_req(struct ieee80211com *, 91 struct ieee80211_node *, u_int8_t); 92 struct mbuf *ieee80211_get_addba_resp(struct ieee80211com *, 93 struct ieee80211_node *, u_int8_t, u_int8_t, u_int16_t); 94 struct mbuf *ieee80211_get_delba(struct ieee80211com *, 95 struct ieee80211_node *, u_int8_t, u_int8_t, u_int16_t); 96 uint8_t *ieee80211_add_wme_info(uint8_t *, struct ieee80211com *); 97 #ifndef IEEE80211_STA_ONLY 98 uint8_t *ieee80211_add_wme_param(uint8_t *, struct ieee80211com *); 99 #endif 100 struct mbuf *ieee80211_get_sa_query(struct ieee80211com *, 101 struct ieee80211_node *, u_int8_t); 102 struct mbuf *ieee80211_get_action(struct ieee80211com *, 103 struct ieee80211_node *, u_int8_t, u_int8_t, int); 104 105 /* 106 * IEEE 802.11 output routine. Normally this will directly call the 107 * Ethernet output routine because 802.11 encapsulation is called 108 * later by the driver. This function can be used to send raw frames 109 * if the mbuf has been tagged with a 802.11 data link type. 110 */ 111 int 112 ieee80211_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, 113 struct rtentry *rt) 114 { 115 struct ieee80211_frame *wh; 116 struct m_tag *mtag; 117 int error = 0; 118 119 /* Interface has to be up and running */ 120 if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) != 121 (IFF_UP | IFF_RUNNING)) { 122 error = ENETDOWN; 123 goto bad; 124 } 125 126 /* Try to get the DLT from a mbuf tag */ 127 if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) { 128 struct ieee80211com *ic = (void *)ifp; 129 u_int dlt = *(u_int *)(mtag + 1); 130 131 /* Fallback to ethernet for non-802.11 linktypes */ 132 if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO)) 133 goto fallback; 134 135 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) 136 return (EINVAL); 137 wh = mtod(m, struct ieee80211_frame *); 138 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 139 IEEE80211_FC0_VERSION_0) 140 return (EINVAL); 141 if (!(ic->ic_caps & IEEE80211_C_RAWCTL) && 142 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == 143 IEEE80211_FC0_TYPE_CTL) 144 return (EINVAL); 145 146 return (if_enqueue(ifp, m)); 147 } 148 149 fallback: 150 return (ether_output(ifp, m, dst, rt)); 151 152 bad: 153 m_freem(m); 154 return (error); 155 } 156 157 const char * 158 ieee80211_action_name(struct ieee80211_frame *wh) 159 { 160 const u_int8_t *frm = (const uint8_t *)&wh[1]; 161 const char *categ_ba_name[3] = { "addba_req", "addba_resp", "delba" }; 162 163 if (frm[0] == IEEE80211_CATEG_BA && frm[1] < nitems(categ_ba_name)) 164 return categ_ba_name[frm[1]]; 165 166 return "action"; 167 } 168 169 /* 170 * Send a management frame to the specified node. The node pointer 171 * must have a reference as the pointer will be passed to the driver 172 * and potentially held for a long time. If the frame is successfully 173 * dispatched to the driver, then it is responsible for freeing the 174 * reference (and potentially free'ing up any associated storage). 175 */ 176 int 177 ieee80211_mgmt_output(struct ifnet *ifp, struct ieee80211_node *ni, 178 struct mbuf *m, int type) 179 { 180 struct ieee80211com *ic = (void *)ifp; 181 struct ieee80211_frame *wh; 182 183 if (ni == NULL) 184 panic("null node"); 185 ni->ni_inact = 0; 186 187 /* 188 * We want to pass the node down to the driver's start 189 * routine. We could stick this in an m_tag and tack that 190 * on to the mbuf. However that's rather expensive to do 191 * for every frame so instead we stuff it in a special pkthdr 192 * field. 193 */ 194 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 195 if (m == NULL) 196 return ENOMEM; 197 m->m_pkthdr.ph_cookie = ni; 198 199 wh = mtod(m, struct ieee80211_frame *); 200 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | type; 201 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 202 *(u_int16_t *)&wh->i_dur[0] = 0; 203 *(u_int16_t *)&wh->i_seq[0] = 204 htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT); 205 ni->ni_txseq = (ni->ni_txseq + 1) & 0xfff; 206 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 207 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 208 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 209 210 /* check if protection is required for this mgmt frame */ 211 if ((ic->ic_caps & IEEE80211_C_MFP) && 212 (type == IEEE80211_FC0_SUBTYPE_DISASSOC || 213 type == IEEE80211_FC0_SUBTYPE_DEAUTH || 214 type == IEEE80211_FC0_SUBTYPE_ACTION)) { 215 /* 216 * Hack: we should not set the Protected bit in outgoing 217 * group management frames, however it is used as an 218 * indication to the drivers that they must encrypt the 219 * frame. Drivers should clear this bit from group 220 * management frames (software crypto code will do it). 221 * XXX could use an mbuf flag.. 222 */ 223 if (IEEE80211_IS_MULTICAST(wh->i_addr1) || 224 (ni->ni_flags & IEEE80211_NODE_TXMGMTPROT)) 225 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 226 } 227 228 if (ifp->if_flags & IFF_DEBUG) { 229 /* avoid to print too many frames */ 230 if ( 231 #ifndef IEEE80211_STA_ONLY 232 ic->ic_opmode == IEEE80211_M_IBSS || 233 #endif 234 #ifdef IEEE80211_DEBUG 235 ieee80211_debug > 1 || 236 #endif 237 (type & IEEE80211_FC0_SUBTYPE_MASK) != 238 IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 239 const char *subtype_name; 240 if ((type & IEEE80211_FC0_SUBTYPE_MASK) == 241 IEEE80211_FC0_SUBTYPE_ACTION) 242 subtype_name = ieee80211_action_name(wh); 243 else 244 subtype_name = ieee80211_mgt_subtype_name[ 245 (type & IEEE80211_FC0_SUBTYPE_MASK) >> 246 IEEE80211_FC0_SUBTYPE_SHIFT]; 247 printf("%s: sending %s to %s on channel %u mode %s\n", 248 ifp->if_xname, subtype_name, 249 ether_sprintf(ni->ni_macaddr), 250 ieee80211_chan2ieee(ic, ni->ni_chan), 251 ieee80211_phymode_name[ic->ic_curmode]); 252 } 253 } 254 255 #ifndef IEEE80211_STA_ONLY 256 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 257 ieee80211_pwrsave(ic, m, ni) != 0) 258 return 0; 259 #endif 260 mq_enqueue(&ic->ic_mgtq, m); 261 ifp->if_timer = 1; 262 if_start(ifp); 263 return 0; 264 } 265 266 /*- 267 * EDCA tables are computed using the following formulas: 268 * 269 * 1) EDCATable (non-AP QSTA) 270 * 271 * AC CWmin CWmax AIFSN TXOP limit(ms) 272 * ------------------------------------------------------------- 273 * AC_BK aCWmin aCWmax 7 0 274 * AC_BE aCWmin aCWmax 3 0 275 * AC_VI (aCWmin+1)/2-1 aCWmin 2 agn=3.008 b=6.016 others=0 276 * AC_VO (aCWmin+1)/4-1 (aCWmin+1)/2-1 2 agn=1.504 b=3.264 others=0 277 * 278 * 2) QAPEDCATable (QAP) 279 * 280 * AC CWmin CWmax AIFSN TXOP limit(ms) 281 * ------------------------------------------------------------- 282 * AC_BK aCWmin aCWmax 7 0 283 * AC_BE aCWmin 4*(aCWmin+1)-1 3 0 284 * AC_VI (aCWmin+1)/2-1 aCWmin 1 agn=3.008 b=6.016 others=0 285 * AC_VO (aCWmin+1)/4-1 (aCWmin+1)/2-1 1 agn=1.504 b=3.264 others=0 286 * 287 * and the following aCWmin/aCWmax values: 288 * 289 * PHY aCWmin aCWmax 290 * --------------------------- 291 * 11A 15 1023 292 * 11B 31 1023 293 * 11G 15* 1023 (*) aCWmin(1) 294 * 11N 15 1023 295 */ 296 const struct ieee80211_edca_ac_params 297 ieee80211_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = { 298 [IEEE80211_MODE_11B] = { 299 [EDCA_AC_BK] = { 5, 10, 7, 0 }, 300 [EDCA_AC_BE] = { 5, 10, 3, 0 }, 301 [EDCA_AC_VI] = { 4, 5, 2, 188 }, 302 [EDCA_AC_VO] = { 3, 4, 2, 102 } 303 }, 304 [IEEE80211_MODE_11A] = { 305 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 306 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 307 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 308 [EDCA_AC_VO] = { 2, 3, 2, 47 } 309 }, 310 [IEEE80211_MODE_11G] = { 311 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 312 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 313 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 314 [EDCA_AC_VO] = { 2, 3, 2, 47 } 315 }, 316 [IEEE80211_MODE_11N] = { 317 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 318 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 319 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 320 [EDCA_AC_VO] = { 2, 3, 2, 47 } 321 }, 322 }; 323 324 #ifndef IEEE80211_STA_ONLY 325 const struct ieee80211_edca_ac_params 326 ieee80211_qap_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = { 327 [IEEE80211_MODE_11B] = { 328 [EDCA_AC_BK] = { 5, 10, 7, 0 }, 329 [EDCA_AC_BE] = { 5, 7, 3, 0 }, 330 [EDCA_AC_VI] = { 4, 5, 1, 188 }, 331 [EDCA_AC_VO] = { 3, 4, 1, 102 } 332 }, 333 [IEEE80211_MODE_11A] = { 334 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 335 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 336 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 337 [EDCA_AC_VO] = { 2, 3, 1, 47 } 338 }, 339 [IEEE80211_MODE_11G] = { 340 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 341 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 342 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 343 [EDCA_AC_VO] = { 2, 3, 1, 47 } 344 }, 345 [IEEE80211_MODE_11N] = { 346 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 347 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 348 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 349 [EDCA_AC_VO] = { 2, 3, 1, 47 } 350 }, 351 }; 352 #endif /* IEEE80211_STA_ONLY */ 353 354 /* 355 * Return the EDCA Access Category to be used for transmitting a frame with 356 * user-priority `up'. 357 */ 358 enum ieee80211_edca_ac 359 ieee80211_up_to_ac(struct ieee80211com *ic, int up) 360 { 361 /* see Table 9-1 */ 362 static const enum ieee80211_edca_ac up_to_ac[] = { 363 EDCA_AC_BE, /* BE */ 364 EDCA_AC_BK, /* BK */ 365 EDCA_AC_BK, /* -- */ 366 EDCA_AC_BE, /* EE */ 367 EDCA_AC_VI, /* CL */ 368 EDCA_AC_VI, /* VI */ 369 EDCA_AC_VO, /* VO */ 370 EDCA_AC_VO /* NC */ 371 }; 372 enum ieee80211_edca_ac ac; 373 374 ac = (up <= 7) ? up_to_ac[up] : EDCA_AC_BE; 375 376 #ifndef IEEE80211_STA_ONLY 377 if (ic->ic_opmode == IEEE80211_M_HOSTAP) 378 return ac; 379 #endif 380 /* 381 * We do not support the admission control procedure defined in 382 * IEEE Std 802.11-2012 section 9.19.4.2.3. The spec says that 383 * non-AP QSTAs that don't support this procedure shall use EDCA 384 * parameters of a lower priority AC that does not require 385 * admission control. 386 */ 387 while (ac != EDCA_AC_BK && ic->ic_edca_ac[ac].ac_acm) { 388 switch (ac) { 389 case EDCA_AC_BK: 390 /* can't get there */ 391 break; 392 case EDCA_AC_BE: 393 /* BE shouldn't require admission control */ 394 ac = EDCA_AC_BK; 395 break; 396 case EDCA_AC_VI: 397 ac = EDCA_AC_BE; 398 break; 399 case EDCA_AC_VO: 400 ac = EDCA_AC_VI; 401 break; 402 } 403 } 404 return ac; 405 } 406 407 /* 408 * Get mbuf's user-priority: if mbuf is not VLAN tagged, select user-priority 409 * based on the DSCP (Differentiated Services Codepoint) field. 410 */ 411 int 412 ieee80211_classify(struct ieee80211com *ic, struct mbuf *m) 413 { 414 struct ether_header eh; 415 u_int8_t ds_field; 416 #if NVLAN > 0 417 if (m->m_flags & M_VLANTAG) /* use VLAN 802.1D user-priority */ 418 return EVL_PRIOFTAG(m->m_pkthdr.ether_vtag); 419 #endif 420 m_copydata(m, 0, sizeof(eh), (caddr_t)&eh); 421 if (eh.ether_type == htons(ETHERTYPE_IP)) { 422 struct ip ip; 423 m_copydata(m, sizeof(eh), sizeof(ip), (caddr_t)&ip); 424 if (ip.ip_v != 4) 425 return 0; 426 ds_field = ip.ip_tos; 427 } 428 #ifdef INET6 429 else if (eh.ether_type == htons(ETHERTYPE_IPV6)) { 430 struct ip6_hdr ip6; 431 u_int32_t flowlabel; 432 m_copydata(m, sizeof(eh), sizeof(ip6), (caddr_t)&ip6); 433 flowlabel = ntohl(ip6.ip6_flow); 434 if ((flowlabel >> 28) != 6) 435 return 0; 436 ds_field = (flowlabel >> 20) & 0xff; 437 } 438 #endif /* INET6 */ 439 else /* neither IPv4 nor IPv6 */ 440 return 0; 441 442 /* 443 * Map Differentiated Services Codepoint field (see RFC2474). 444 * Preserves backward compatibility with IP Precedence field. 445 */ 446 switch (ds_field & 0xfc) { 447 case IPTOS_PREC_PRIORITY: 448 return EDCA_AC_VI; 449 case IPTOS_PREC_IMMEDIATE: 450 return EDCA_AC_BK; 451 case IPTOS_PREC_FLASH: 452 case IPTOS_PREC_FLASHOVERRIDE: 453 case IPTOS_PREC_CRITIC_ECP: 454 case IPTOS_PREC_INTERNETCONTROL: 455 case IPTOS_PREC_NETCONTROL: 456 return EDCA_AC_VO; 457 default: 458 return EDCA_AC_BE; 459 } 460 } 461 462 int 463 ieee80211_can_use_ampdu(struct ieee80211com *ic, struct ieee80211_node *ni) 464 { 465 return (ni->ni_flags & IEEE80211_NODE_HT) && 466 (ic->ic_caps & IEEE80211_C_TX_AMPDU) && 467 !(ic->ic_opmode == IEEE80211_M_STA && ni != ic->ic_bss) && 468 /* 469 * Don't use A-MPDU on non-encrypted networks. There are devices 470 * with buggy firmware which allow an attacker to inject 802.11 471 * frames into a wifi network by embedding rogue A-MPDU subframes 472 * in an arbitrary data payload (e.g. PNG images) which may end 473 * up appearing as actual frames after de-aggregation by a buggy 474 * device; see https://github.com/rpp0/aggr-inject for details. 475 * WPA2 prevents this injection attack since the attacker would 476 * need to inject frames which get decrypted correctly. 477 */ 478 ((ic->ic_flags & IEEE80211_F_RSNON) && 479 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)); 480 } 481 482 void 483 ieee80211_tx_compressed_bar(struct ieee80211com *ic, struct ieee80211_node *ni, 484 int tid, uint16_t ssn) 485 { 486 struct ifnet *ifp = &ic->ic_if; 487 struct mbuf *m; 488 489 m = ieee80211_get_compressed_bar(ic, ni, tid, ssn); 490 if (m == NULL) 491 return; 492 493 ieee80211_ref_node(ni); 494 if (mq_enqueue(&ic->ic_mgtq, m) == 0) 495 if_start(ifp); 496 else 497 ieee80211_release_node(ic, ni); 498 } 499 500 /* 501 * Encapsulate an outbound data frame. The mbuf chain is updated and 502 * a reference to the destination node is returned. If an error is 503 * encountered NULL is returned and the node reference will also be NULL. 504 * 505 * NB: The caller is responsible for free'ing a returned node reference. 506 * The convention is ic_bss is not reference counted; the caller must 507 * maintain that. 508 */ 509 struct mbuf * 510 ieee80211_encap(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node **pni) 511 { 512 struct ieee80211com *ic = (void *)ifp; 513 struct ether_header eh; 514 struct ieee80211_frame *wh; 515 struct ieee80211_node *ni = NULL; 516 struct llc *llc; 517 struct m_tag *mtag; 518 u_int8_t *addr; 519 u_int dlt, hdrlen; 520 int addqos, tid; 521 522 /* Handle raw frames if mbuf is tagged as 802.11 */ 523 if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) { 524 dlt = *(u_int *)(mtag + 1); 525 526 if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO)) 527 goto fallback; 528 529 wh = mtod(m, struct ieee80211_frame *); 530 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 531 case IEEE80211_FC1_DIR_NODS: 532 case IEEE80211_FC1_DIR_FROMDS: 533 addr = wh->i_addr1; 534 break; 535 case IEEE80211_FC1_DIR_DSTODS: 536 case IEEE80211_FC1_DIR_TODS: 537 addr = wh->i_addr3; 538 break; 539 default: 540 goto bad; 541 } 542 543 ni = ieee80211_find_txnode(ic, addr); 544 if (ni == NULL) 545 ni = ieee80211_ref_node(ic->ic_bss); 546 if (ni == NULL) { 547 printf("%s: no node for dst %s, " 548 "discard raw tx frame\n", ifp->if_xname, 549 ether_sprintf(addr)); 550 ic->ic_stats.is_tx_nonode++; 551 goto bad; 552 } 553 ni->ni_inact = 0; 554 555 *pni = ni; 556 return (m); 557 } 558 559 fallback: 560 if (m->m_len < sizeof(struct ether_header)) { 561 m = m_pullup(m, sizeof(struct ether_header)); 562 if (m == NULL) { 563 ic->ic_stats.is_tx_nombuf++; 564 goto bad; 565 } 566 } 567 memcpy(&eh, mtod(m, caddr_t), sizeof(struct ether_header)); 568 569 ni = ieee80211_find_txnode(ic, eh.ether_dhost); 570 if (ni == NULL) { 571 DPRINTF(("no node for dst %s, discard frame\n", 572 ether_sprintf(eh.ether_dhost))); 573 ic->ic_stats.is_tx_nonode++; 574 goto bad; 575 } 576 577 #ifndef IEEE80211_STA_ONLY 578 if (ic->ic_opmode == IEEE80211_M_HOSTAP && ni != ic->ic_bss && 579 ni->ni_state != IEEE80211_STA_ASSOC) { 580 ic->ic_stats.is_tx_nonode++; 581 goto bad; 582 } 583 #endif 584 585 if ((ic->ic_flags & IEEE80211_F_RSNON) && 586 !ni->ni_port_valid && 587 eh.ether_type != htons(ETHERTYPE_PAE)) { 588 DPRINTF(("port not valid: %s\n", 589 ether_sprintf(eh.ether_dhost))); 590 ic->ic_stats.is_tx_noauth++; 591 goto bad; 592 } 593 594 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 595 ni->ni_rsncipher == IEEE80211_CIPHER_TKIP) 596 /* XXX TKIP countermeasures! */; 597 598 ni->ni_inact = 0; 599 600 if ((ic->ic_flags & IEEE80211_F_QOS) && 601 (ni->ni_flags & IEEE80211_NODE_QOS) && 602 /* do not QoS-encapsulate EAPOL frames */ 603 eh.ether_type != htons(ETHERTYPE_PAE)) { 604 struct ieee80211_tx_ba *ba; 605 tid = ieee80211_classify(ic, m); 606 ba = &ni->ni_tx_ba[tid]; 607 /* We use QoS data frames for aggregation only. */ 608 if (ba->ba_state != IEEE80211_BA_AGREED) { 609 hdrlen = sizeof(struct ieee80211_frame); 610 addqos = 0; 611 if (ieee80211_can_use_ampdu(ic, ni)) 612 ieee80211_node_trigger_addba_req(ni, tid); 613 } else { 614 hdrlen = sizeof(struct ieee80211_qosframe); 615 addqos = 1; 616 } 617 } else { 618 hdrlen = sizeof(struct ieee80211_frame); 619 addqos = 0; 620 } 621 m_adj(m, sizeof(struct ether_header) - LLC_SNAPFRAMELEN); 622 llc = mtod(m, struct llc *); 623 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 624 llc->llc_control = LLC_UI; 625 llc->llc_snap.org_code[0] = 0; 626 llc->llc_snap.org_code[1] = 0; 627 llc->llc_snap.org_code[2] = 0; 628 llc->llc_snap.ether_type = eh.ether_type; 629 M_PREPEND(m, hdrlen, M_DONTWAIT); 630 if (m == NULL) { 631 ic->ic_stats.is_tx_nombuf++; 632 goto bad; 633 } 634 wh = mtod(m, struct ieee80211_frame *); 635 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA; 636 *(u_int16_t *)&wh->i_dur[0] = 0; 637 if (addqos) { 638 struct ieee80211_qosframe *qwh = 639 (struct ieee80211_qosframe *)wh; 640 u_int16_t qos = tid; 641 642 if (ic->ic_tid_noack & (1 << tid)) 643 qos |= IEEE80211_QOS_ACK_POLICY_NOACK; 644 else { 645 /* Use HT immediate block-ack. */ 646 qos |= IEEE80211_QOS_ACK_POLICY_NORMAL; 647 } 648 qwh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS; 649 *(u_int16_t *)qwh->i_qos = htole16(qos); 650 *(u_int16_t *)qwh->i_seq = 651 htole16(ni->ni_qos_txseqs[tid] << IEEE80211_SEQ_SEQ_SHIFT); 652 ni->ni_qos_txseqs[tid] = (ni->ni_qos_txseqs[tid] + 1) & 0xfff; 653 } else { 654 *(u_int16_t *)&wh->i_seq[0] = 655 htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT); 656 ni->ni_txseq = (ni->ni_txseq + 1) & 0xfff; 657 } 658 switch (ic->ic_opmode) { 659 case IEEE80211_M_STA: 660 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 661 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid); 662 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 663 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 664 break; 665 #ifndef IEEE80211_STA_ONLY 666 case IEEE80211_M_IBSS: 667 case IEEE80211_M_AHDEMO: 668 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 669 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 670 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 671 IEEE80211_ADDR_COPY(wh->i_addr3, ic->ic_bss->ni_bssid); 672 break; 673 case IEEE80211_M_HOSTAP: 674 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 675 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 676 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid); 677 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 678 break; 679 #endif 680 default: 681 /* should not get there */ 682 goto bad; 683 } 684 685 if ((ic->ic_flags & IEEE80211_F_WEPON) || 686 ((ic->ic_flags & IEEE80211_F_RSNON) && 687 (ni->ni_flags & IEEE80211_NODE_TXPROT))) 688 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 689 690 #ifndef IEEE80211_STA_ONLY 691 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 692 ieee80211_pwrsave(ic, m, ni) != 0) { 693 *pni = NULL; 694 return NULL; 695 } 696 #endif 697 *pni = ni; 698 return m; 699 bad: 700 m_freem(m); 701 if (ni != NULL) 702 ieee80211_release_node(ic, ni); 703 *pni = NULL; 704 return NULL; 705 } 706 707 /* 708 * Add a Capability Information field to a frame (see 7.3.1.4). 709 */ 710 u_int8_t * 711 ieee80211_add_capinfo(u_int8_t *frm, struct ieee80211com *ic, 712 const struct ieee80211_node *ni) 713 { 714 u_int16_t capinfo; 715 716 #ifndef IEEE80211_STA_ONLY 717 if (ic->ic_opmode == IEEE80211_M_IBSS) 718 capinfo = IEEE80211_CAPINFO_IBSS; 719 else if (ic->ic_opmode == IEEE80211_M_HOSTAP) 720 capinfo = IEEE80211_CAPINFO_ESS; 721 else 722 #endif 723 capinfo = 0; 724 #ifndef IEEE80211_STA_ONLY 725 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 726 (ic->ic_flags & (IEEE80211_F_WEPON | IEEE80211_F_RSNON))) 727 capinfo |= IEEE80211_CAPINFO_PRIVACY; 728 #endif 729 /* NB: some 11a AP's reject the request when short preamble is set */ 730 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 731 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) 732 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 733 if (ic->ic_flags & IEEE80211_F_SHSLOT) 734 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 735 LE_WRITE_2(frm, capinfo); 736 return frm + 2; 737 } 738 739 /* 740 * Add an SSID element to a frame (see 7.3.2.1). 741 */ 742 u_int8_t * 743 ieee80211_add_ssid(u_int8_t *frm, const u_int8_t *ssid, u_int len) 744 { 745 *frm++ = IEEE80211_ELEMID_SSID; 746 *frm++ = len; 747 memcpy(frm, ssid, len); 748 return frm + len; 749 } 750 751 /* 752 * Add a supported rates element to a frame (see 7.3.2.2). 753 */ 754 u_int8_t * 755 ieee80211_add_rates(u_int8_t *frm, const struct ieee80211_rateset *rs) 756 { 757 int nrates; 758 759 *frm++ = IEEE80211_ELEMID_RATES; 760 nrates = min(rs->rs_nrates, IEEE80211_RATE_SIZE); 761 *frm++ = nrates; 762 memcpy(frm, rs->rs_rates, nrates); 763 return frm + nrates; 764 } 765 766 #ifndef IEEE80211_STA_ONLY 767 /* 768 * Add a DS Parameter Set element to a frame (see 7.3.2.4). 769 */ 770 u_int8_t * 771 ieee80211_add_ds_params(u_int8_t *frm, struct ieee80211com *ic, 772 const struct ieee80211_node *ni) 773 { 774 *frm++ = IEEE80211_ELEMID_DSPARMS; 775 *frm++ = 1; 776 *frm++ = ieee80211_chan2ieee(ic, ni->ni_chan); 777 return frm; 778 } 779 780 /* 781 * Add a TIM element to a frame (see 7.3.2.6 and Annex L). 782 */ 783 u_int8_t * 784 ieee80211_add_tim(u_int8_t *frm, struct ieee80211com *ic) 785 { 786 u_int i, offset = 0, len; 787 788 /* find first non-zero octet in the virtual bit map */ 789 for (i = 0; i < ic->ic_tim_len && ic->ic_tim_bitmap[i] == 0; i++); 790 791 /* clear the lsb as it is reserved for the broadcast indication bit */ 792 if (i < ic->ic_tim_len) 793 offset = i & ~1; 794 795 /* find last non-zero octet in the virtual bit map */ 796 for (i = ic->ic_tim_len - 1; i > 0 && ic->ic_tim_bitmap[i] == 0; i--); 797 798 len = i - offset + 1; 799 800 *frm++ = IEEE80211_ELEMID_TIM; 801 *frm++ = len + 3; /* length */ 802 *frm++ = ic->ic_dtim_count; /* DTIM count */ 803 *frm++ = ic->ic_dtim_period; /* DTIM period */ 804 805 /* Bitmap Control */ 806 *frm = offset; 807 /* set broadcast/multicast indication bit if necessary */ 808 if (ic->ic_dtim_count == 0 && ic->ic_tim_mcast_pending) 809 *frm |= 0x01; 810 frm++; 811 812 /* Partial Virtual Bitmap */ 813 memcpy(frm, &ic->ic_tim_bitmap[offset], len); 814 return frm + len; 815 } 816 817 /* 818 * Add an IBSS Parameter Set element to a frame (see 7.3.2.7). 819 */ 820 u_int8_t * 821 ieee80211_add_ibss_params(u_int8_t *frm, const struct ieee80211_node *ni) 822 { 823 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 824 *frm++ = 2; 825 LE_WRITE_2(frm, 0); /* TODO: ATIM window */ 826 return frm + 2; 827 } 828 829 /* 830 * Add an EDCA Parameter Set element to a frame (see 7.3.2.29). 831 */ 832 u_int8_t * 833 ieee80211_add_edca_params(u_int8_t *frm, struct ieee80211com *ic) 834 { 835 const struct ieee80211_edca_ac_params *edca; 836 int aci; 837 838 *frm++ = IEEE80211_ELEMID_EDCAPARMS; 839 *frm++ = 18; /* length */ 840 *frm++ = 0; /* QoS Info */ 841 *frm++ = 0; /* reserved */ 842 843 /* setup AC Parameter Records */ 844 edca = ieee80211_edca_table[ic->ic_curmode]; 845 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 846 const struct ieee80211_edca_ac_params *ac = &edca[aci]; 847 848 *frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) | 849 (ac->ac_aifsn & 0xf); 850 *frm++ = (ac->ac_ecwmax << 4) | 851 (ac->ac_ecwmin & 0xf); 852 LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2; 853 } 854 return frm; 855 } 856 857 /* 858 * Add an ERP element to a frame (see 7.3.2.13). 859 */ 860 u_int8_t * 861 ieee80211_add_erp(u_int8_t *frm, struct ieee80211com *ic) 862 { 863 u_int8_t erp; 864 int nonerpsta = 0; 865 866 *frm++ = IEEE80211_ELEMID_ERP; 867 *frm++ = 1; 868 erp = 0; 869 /* 870 * The NonERP_Present bit shall be set to 1 when a NonERP STA 871 * is associated with the BSS. 872 */ 873 ieee80211_iterate_nodes(ic, ieee80211_count_nonerpsta, &nonerpsta); 874 if (nonerpsta != 0) 875 erp |= IEEE80211_ERP_NON_ERP_PRESENT; 876 /* 877 * If one or more NonERP STAs are associated in the BSS, the 878 * Use_Protection bit shall be set to 1 in transmitted ERP 879 * Information Elements. 880 */ 881 if (ic->ic_flags & IEEE80211_F_USEPROT) 882 erp |= IEEE80211_ERP_USE_PROTECTION; 883 /* 884 * The Barker_Preamble_Mode bit shall be set to 1 by the ERP 885 * Information Element sender if one or more associated NonERP 886 * STAs are not short preamble capable. 887 */ 888 if (!(ic->ic_flags & IEEE80211_F_SHPREAMBLE)) 889 erp |= IEEE80211_ERP_BARKER_MODE; 890 *frm++ = erp; 891 return frm; 892 } 893 #endif /* IEEE80211_STA_ONLY */ 894 895 /* 896 * Add a QoS Capability element to a frame (see 7.3.2.35). 897 */ 898 u_int8_t * 899 ieee80211_add_qos_capability(u_int8_t *frm, struct ieee80211com *ic) 900 { 901 *frm++ = IEEE80211_ELEMID_QOS_CAP; 902 *frm++ = 1; 903 *frm++ = 0; /* QoS Info */ 904 return frm; 905 } 906 907 /* 908 * Add a Wifi-Alliance WME (aka WMM) info element to a frame. 909 * WME is a requirement for Wifi-Alliance compliance and some 910 * 11n APs will not negotiate HT if this element is missing. 911 */ 912 uint8_t * 913 ieee80211_add_wme_info(uint8_t *frm, struct ieee80211com *ic) 914 { 915 *frm++ = IEEE80211_ELEMID_VENDOR; 916 *frm++ = 7; 917 memcpy(frm, MICROSOFT_OUI, 3); frm += 3; 918 *frm++ = 2; /* OUI type */ 919 *frm++ = 0; /* OUI subtype */ 920 *frm++ = 1; /* version */ 921 *frm++ = 0; /* info */ 922 923 return frm; 924 } 925 926 #ifndef IEEE80211_STA_ONLY 927 /* 928 * Add a Wifi-Alliance WMM (aka WME) parameter element to a frame. 929 */ 930 uint8_t * 931 ieee80211_add_wme_param(uint8_t *frm, struct ieee80211com *ic) 932 { 933 const struct ieee80211_edca_ac_params *edca; 934 int aci; 935 936 *frm++ = IEEE80211_ELEMID_VENDOR; 937 *frm++ = 24; 938 memcpy(frm, MICROSOFT_OUI, 3); frm += 3; 939 *frm++ = 2; /* OUI type */ 940 *frm++ = 1; /* OUI subtype */ 941 *frm++ = 1; /* version */ 942 *frm++ = 0; /* info */ 943 *frm++ = 0; /* reserved */ 944 945 /* setup AC Parameter Records */ 946 edca = ieee80211_edca_table[ic->ic_curmode]; 947 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 948 const struct ieee80211_edca_ac_params *ac = &edca[aci]; 949 950 *frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) | 951 (ac->ac_aifsn & 0xf); 952 *frm++ = (ac->ac_ecwmax << 4) | 953 (ac->ac_ecwmin & 0xf); 954 LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2; 955 } 956 957 return frm; 958 } 959 #endif 960 961 /* 962 * Add an RSN element to a frame (see 802.11-2012 8.4.2.27) 963 */ 964 u_int8_t * 965 ieee80211_add_rsn_body(u_int8_t *frm, struct ieee80211com *ic, 966 const struct ieee80211_node *ni, int wpa) 967 { 968 const u_int8_t *oui = wpa ? MICROSOFT_OUI : IEEE80211_OUI; 969 u_int8_t *pcount; 970 u_int16_t count, rsncaps; 971 972 /* write Version field */ 973 LE_WRITE_2(frm, 1); frm += 2; 974 975 /* write Group Data Cipher Suite field (see 802.11-2012 Table 8-99) */ 976 memcpy(frm, oui, 3); frm += 3; 977 switch (ni->ni_rsngroupcipher) { 978 case IEEE80211_CIPHER_WEP40: 979 *frm++ = 1; 980 break; 981 case IEEE80211_CIPHER_TKIP: 982 *frm++ = 2; 983 break; 984 case IEEE80211_CIPHER_CCMP: 985 *frm++ = 4; 986 break; 987 case IEEE80211_CIPHER_WEP104: 988 *frm++ = 5; 989 break; 990 default: 991 /* can't get there */ 992 panic("invalid group data cipher!"); 993 } 994 995 pcount = frm; frm += 2; 996 count = 0; 997 /* write Pairwise Cipher Suite List */ 998 if (ni->ni_rsnciphers & IEEE80211_CIPHER_USEGROUP) { 999 memcpy(frm, oui, 3); frm += 3; 1000 *frm++ = 0; 1001 count++; 1002 } 1003 if (ni->ni_rsnciphers & IEEE80211_CIPHER_TKIP) { 1004 memcpy(frm, oui, 3); frm += 3; 1005 *frm++ = 2; 1006 count++; 1007 } 1008 if (ni->ni_rsnciphers & IEEE80211_CIPHER_CCMP) { 1009 memcpy(frm, oui, 3); frm += 3; 1010 *frm++ = 4; 1011 count++; 1012 } 1013 /* write Pairwise Cipher Suite Count field */ 1014 LE_WRITE_2(pcount, count); 1015 1016 pcount = frm; frm += 2; 1017 count = 0; 1018 /* write AKM Suite List (see Table 20dc) */ 1019 if (ni->ni_rsnakms & IEEE80211_AKM_8021X) { 1020 memcpy(frm, oui, 3); frm += 3; 1021 *frm++ = 1; 1022 count++; 1023 } 1024 if (ni->ni_rsnakms & IEEE80211_AKM_PSK) { 1025 memcpy(frm, oui, 3); frm += 3; 1026 *frm++ = 2; 1027 count++; 1028 } 1029 if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_8021X)) { 1030 memcpy(frm, oui, 3); frm += 3; 1031 *frm++ = 5; 1032 count++; 1033 } 1034 if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_PSK)) { 1035 memcpy(frm, oui, 3); frm += 3; 1036 *frm++ = 6; 1037 count++; 1038 } 1039 /* write AKM Suite List Count field */ 1040 LE_WRITE_2(pcount, count); 1041 1042 if (wpa) 1043 return frm; 1044 1045 /* write RSN Capabilities field */ 1046 rsncaps = (ni->ni_rsncaps & (IEEE80211_RSNCAP_PTKSA_RCNT_MASK | 1047 IEEE80211_RSNCAP_GTKSA_RCNT_MASK)); 1048 if (ic->ic_caps & IEEE80211_C_MFP) { 1049 rsncaps |= IEEE80211_RSNCAP_MFPC; 1050 if (ic->ic_flags & IEEE80211_F_MFPR) 1051 rsncaps |= IEEE80211_RSNCAP_MFPR; 1052 } 1053 if (ic->ic_flags & IEEE80211_F_PBAR) 1054 rsncaps |= IEEE80211_RSNCAP_PBAC; 1055 LE_WRITE_2(frm, rsncaps); frm += 2; 1056 1057 if (ni->ni_flags & IEEE80211_NODE_PMKID) { 1058 /* write PMKID Count field */ 1059 LE_WRITE_2(frm, 1); frm += 2; 1060 /* write PMKID List (only 1) */ 1061 memcpy(frm, ni->ni_pmkid, IEEE80211_PMKID_LEN); 1062 frm += IEEE80211_PMKID_LEN; 1063 } 1064 1065 if (!(ic->ic_caps & IEEE80211_C_MFP)) 1066 return frm; 1067 1068 if ((ni->ni_flags & IEEE80211_NODE_PMKID) == 0) { 1069 /* no PMKID (PMKID Count=0) */ 1070 LE_WRITE_2(frm, 0); frm += 2; 1071 } 1072 1073 /* write Group Integrity Cipher Suite field */ 1074 memcpy(frm, oui, 3); frm += 3; 1075 switch (ic->ic_rsngroupmgmtcipher) { 1076 case IEEE80211_CIPHER_BIP: 1077 *frm++ = 6; 1078 break; 1079 default: 1080 /* can't get there */ 1081 panic("invalid integrity group cipher!"); 1082 } 1083 return frm; 1084 } 1085 1086 u_int8_t * 1087 ieee80211_add_rsn(u_int8_t *frm, struct ieee80211com *ic, 1088 const struct ieee80211_node *ni) 1089 { 1090 u_int8_t *plen; 1091 1092 *frm++ = IEEE80211_ELEMID_RSN; 1093 plen = frm++; /* length filled in later */ 1094 frm = ieee80211_add_rsn_body(frm, ic, ni, 0); 1095 1096 /* write length field */ 1097 *plen = frm - plen - 1; 1098 return frm; 1099 } 1100 1101 /* 1102 * Add a vendor-specific WPA element to a frame. 1103 * This is required for compatibility with Wi-Fi Alliance WPA. 1104 */ 1105 u_int8_t * 1106 ieee80211_add_wpa(u_int8_t *frm, struct ieee80211com *ic, 1107 const struct ieee80211_node *ni) 1108 { 1109 u_int8_t *plen; 1110 1111 *frm++ = IEEE80211_ELEMID_VENDOR; 1112 plen = frm++; /* length filled in later */ 1113 memcpy(frm, MICROSOFT_OUI, 3); frm += 3; 1114 *frm++ = 1; /* WPA */ 1115 frm = ieee80211_add_rsn_body(frm, ic, ni, 1); 1116 1117 /* write length field */ 1118 *plen = frm - plen - 1; 1119 return frm; 1120 } 1121 1122 /* 1123 * Add an extended supported rates element to a frame (see 7.3.2.14). 1124 */ 1125 u_int8_t * 1126 ieee80211_add_xrates(u_int8_t *frm, const struct ieee80211_rateset *rs) 1127 { 1128 int nrates; 1129 1130 KASSERT(rs->rs_nrates > IEEE80211_RATE_SIZE); 1131 1132 *frm++ = IEEE80211_ELEMID_XRATES; 1133 nrates = rs->rs_nrates - IEEE80211_RATE_SIZE; 1134 *frm++ = nrates; 1135 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates); 1136 return frm + nrates; 1137 } 1138 1139 /* 1140 * Add an HT Capabilities element to a frame (see 7.3.2.57). 1141 */ 1142 u_int8_t * 1143 ieee80211_add_htcaps(u_int8_t *frm, struct ieee80211com *ic) 1144 { 1145 *frm++ = IEEE80211_ELEMID_HTCAPS; 1146 *frm++ = 26; 1147 LE_WRITE_2(frm, ic->ic_htcaps); frm += 2; 1148 *frm++ = ic->ic_ampdu_params; 1149 memcpy(frm, ic->ic_sup_mcs, 10); frm += 10; 1150 LE_WRITE_2(frm, (ic->ic_max_rxrate & IEEE80211_MCS_RX_RATE_HIGH)); 1151 frm += 2; 1152 *frm++ = ic->ic_tx_mcs_set; 1153 *frm++ = 0; /* reserved */ 1154 *frm++ = 0; /* reserved */ 1155 *frm++ = 0; /* reserved */ 1156 LE_WRITE_2(frm, ic->ic_htxcaps); frm += 2; 1157 LE_WRITE_4(frm, ic->ic_txbfcaps); frm += 4; 1158 *frm++ = ic->ic_aselcaps; 1159 return frm; 1160 } 1161 1162 #ifndef IEEE80211_STA_ONLY 1163 /* 1164 * Add an HT Operation element to a frame (see 7.3.2.58). 1165 */ 1166 u_int8_t * 1167 ieee80211_add_htop(u_int8_t *frm, struct ieee80211com *ic) 1168 { 1169 *frm++ = IEEE80211_ELEMID_HTOP; 1170 *frm++ = 22; 1171 *frm++ = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1172 *frm++ = ic->ic_bss->ni_htop0; 1173 LE_WRITE_2(frm, ic->ic_bss->ni_htop1); frm += 2; 1174 LE_WRITE_2(frm, ic->ic_bss->ni_htop2); frm += 2; 1175 memset(frm, 0, 16); frm += 16; 1176 return frm; 1177 } 1178 #endif /* !IEEE80211_STA_ONLY */ 1179 1180 #ifndef IEEE80211_STA_ONLY 1181 /* 1182 * Add a Timeout Interval element to a frame (see 7.3.2.49). 1183 */ 1184 u_int8_t * 1185 ieee80211_add_tie(u_int8_t *frm, u_int8_t type, u_int32_t value) 1186 { 1187 *frm++ = IEEE80211_ELEMID_TIE; 1188 *frm++ = 5; /* length */ 1189 *frm++ = type; /* Timeout Interval type */ 1190 LE_WRITE_4(frm, value); 1191 return frm + 4; 1192 } 1193 #endif 1194 1195 struct mbuf * 1196 ieee80211_getmgmt(int flags, int type, u_int pktlen) 1197 { 1198 struct mbuf *m; 1199 1200 /* reserve space for 802.11 header */ 1201 pktlen += sizeof(struct ieee80211_frame); 1202 1203 if (pktlen > MCLBYTES) 1204 panic("management frame too large: %u", pktlen); 1205 MGETHDR(m, flags, type); 1206 if (m == NULL) 1207 return NULL; 1208 if (pktlen > MHLEN) { 1209 MCLGET(m, flags); 1210 if (!(m->m_flags & M_EXT)) 1211 return m_free(m); 1212 } 1213 m->m_data += sizeof(struct ieee80211_frame); 1214 return m; 1215 } 1216 1217 /*- 1218 * Probe request frame format: 1219 * [tlv] SSID 1220 * [tlv] Supported rates 1221 * [tlv] Extended Supported Rates (802.11g) 1222 * [tlv] HT Capabilities (802.11n) 1223 */ 1224 struct mbuf * 1225 ieee80211_get_probe_req(struct ieee80211com *ic, struct ieee80211_node *ni) 1226 { 1227 const struct ieee80211_rateset *rs = 1228 &ic->ic_sup_rates[ieee80211_chan2mode(ic, ni->ni_chan)]; 1229 struct mbuf *m; 1230 u_int8_t *frm; 1231 1232 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1233 2 + ic->ic_des_esslen + 1234 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1235 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1236 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1237 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 9 : 0)); 1238 if (m == NULL) 1239 return NULL; 1240 1241 frm = mtod(m, u_int8_t *); 1242 frm = ieee80211_add_ssid(frm, ic->ic_des_essid, ic->ic_des_esslen); 1243 frm = ieee80211_add_rates(frm, rs); 1244 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1245 frm = ieee80211_add_xrates(frm, rs); 1246 if (ic->ic_flags & IEEE80211_F_HTON) { 1247 frm = ieee80211_add_htcaps(frm, ic); 1248 frm = ieee80211_add_wme_info(frm, ic); 1249 } 1250 1251 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1252 1253 return m; 1254 } 1255 1256 #ifndef IEEE80211_STA_ONLY 1257 /*- 1258 * Probe response frame format: 1259 * [8] Timestamp 1260 * [2] Beacon interval 1261 * [2] Capability 1262 * [tlv] Service Set Identifier (SSID) 1263 * [tlv] Supported rates 1264 * [tlv] DS Parameter Set (802.11g) 1265 * [tlv] ERP Information (802.11g) 1266 * [tlv] Extended Supported Rates (802.11g) 1267 * [tlv] RSN (802.11i) 1268 * [tlv] EDCA Parameter Set (802.11e) 1269 * [tlv] HT Capabilities (802.11n) 1270 * [tlv] HT Operation (802.11n) 1271 */ 1272 struct mbuf * 1273 ieee80211_get_probe_resp(struct ieee80211com *ic) 1274 { 1275 const struct ieee80211_rateset *rs = &ic->ic_bss->ni_rates; 1276 struct mbuf *m; 1277 u_int8_t *frm; 1278 1279 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1280 8 + 2 + 2 + 1281 2 + ic->ic_bss->ni_esslen + 1282 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1283 2 + 1 + 1284 ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 + 2 : 0) + 1285 ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) + 1286 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1287 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1288 (((ic->ic_flags & IEEE80211_F_RSNON) && 1289 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 1290 2 + IEEE80211_RSNIE_MAXLEN : 0) + 1291 ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) + 1292 (((ic->ic_flags & IEEE80211_F_RSNON) && 1293 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 1294 2 + IEEE80211_WPAIE_MAXLEN : 0) + 1295 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0)); 1296 if (m == NULL) 1297 return NULL; 1298 1299 frm = mtod(m, u_int8_t *); 1300 memset(frm, 0, 8); frm += 8; /* timestamp is set by hardware */ 1301 LE_WRITE_2(frm, ic->ic_bss->ni_intval); frm += 2; 1302 frm = ieee80211_add_capinfo(frm, ic, ic->ic_bss); 1303 frm = ieee80211_add_ssid(frm, ic->ic_bss->ni_essid, 1304 ic->ic_bss->ni_esslen); 1305 frm = ieee80211_add_rates(frm, rs); 1306 frm = ieee80211_add_ds_params(frm, ic, ic->ic_bss); 1307 if (ic->ic_opmode == IEEE80211_M_IBSS) 1308 frm = ieee80211_add_ibss_params(frm, ic->ic_bss); 1309 if (ic->ic_curmode == IEEE80211_MODE_11G) 1310 frm = ieee80211_add_erp(frm, ic); 1311 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1312 frm = ieee80211_add_xrates(frm, rs); 1313 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1314 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN)) 1315 frm = ieee80211_add_rsn(frm, ic, ic->ic_bss); 1316 if (ic->ic_flags & IEEE80211_F_QOS) 1317 frm = ieee80211_add_edca_params(frm, ic); 1318 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1319 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA)) 1320 frm = ieee80211_add_wpa(frm, ic, ic->ic_bss); 1321 if (ic->ic_flags & IEEE80211_F_HTON) { 1322 frm = ieee80211_add_htcaps(frm, ic); 1323 frm = ieee80211_add_htop(frm, ic); 1324 frm = ieee80211_add_wme_param(frm, ic); 1325 } 1326 1327 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1328 1329 return m; 1330 } 1331 #endif /* IEEE80211_STA_ONLY */ 1332 1333 /*- 1334 * Authentication frame format: 1335 * [2] Authentication algorithm number 1336 * [2] Authentication transaction sequence number 1337 * [2] Status code 1338 */ 1339 struct mbuf * 1340 ieee80211_get_auth(struct ieee80211com *ic, struct ieee80211_node *ni, 1341 u_int16_t status, u_int16_t seq) 1342 { 1343 struct mbuf *m; 1344 u_int8_t *frm; 1345 1346 MGETHDR(m, M_DONTWAIT, MT_DATA); 1347 if (m == NULL) 1348 return NULL; 1349 m_align(m, 2 * 3); 1350 m->m_pkthdr.len = m->m_len = 2 * 3; 1351 1352 frm = mtod(m, u_int8_t *); 1353 LE_WRITE_2(frm, IEEE80211_AUTH_ALG_OPEN); frm += 2; 1354 LE_WRITE_2(frm, seq); frm += 2; 1355 LE_WRITE_2(frm, status); 1356 1357 return m; 1358 } 1359 1360 /*- 1361 * Deauthentication frame format: 1362 * [2] Reason code 1363 */ 1364 struct mbuf * 1365 ieee80211_get_deauth(struct ieee80211com *ic, struct ieee80211_node *ni, 1366 u_int16_t reason) 1367 { 1368 struct mbuf *m; 1369 1370 MGETHDR(m, M_DONTWAIT, MT_DATA); 1371 if (m == NULL) 1372 return NULL; 1373 m_align(m, 2); 1374 m->m_pkthdr.len = m->m_len = 2; 1375 1376 *mtod(m, u_int16_t *) = htole16(reason); 1377 1378 return m; 1379 } 1380 1381 /*- 1382 * (Re)Association request frame format: 1383 * [2] Capability information 1384 * [2] Listen interval 1385 * [6*] Current AP address (Reassociation only) 1386 * [tlv] SSID 1387 * [tlv] Supported rates 1388 * [tlv] Extended Supported Rates (802.11g) 1389 * [tlv] RSN (802.11i) 1390 * [tlv] QoS Capability (802.11e) 1391 * [tlv] HT Capabilities (802.11n) 1392 */ 1393 struct mbuf * 1394 ieee80211_get_assoc_req(struct ieee80211com *ic, struct ieee80211_node *ni, 1395 int type) 1396 { 1397 const struct ieee80211_rateset *rs = &ni->ni_rates; 1398 struct mbuf *m; 1399 u_int8_t *frm; 1400 u_int16_t capinfo; 1401 1402 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1403 2 + 2 + 1404 ((type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) ? 1405 IEEE80211_ADDR_LEN : 0) + 1406 2 + ni->ni_esslen + 1407 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1408 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1409 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1410 (((ic->ic_flags & IEEE80211_F_RSNON) && 1411 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 1412 2 + IEEE80211_RSNIE_MAXLEN : 0) + 1413 ((ni->ni_flags & IEEE80211_NODE_QOS) ? 2 + 1 : 0) + 1414 (((ic->ic_flags & IEEE80211_F_RSNON) && 1415 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 1416 2 + IEEE80211_WPAIE_MAXLEN : 0) + 1417 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 9 : 0)); 1418 if (m == NULL) 1419 return NULL; 1420 1421 frm = mtod(m, u_int8_t *); 1422 capinfo = IEEE80211_CAPINFO_ESS; 1423 if (ic->ic_flags & IEEE80211_F_WEPON) 1424 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1425 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1426 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) 1427 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1428 if (ic->ic_caps & IEEE80211_C_SHSLOT) 1429 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1430 LE_WRITE_2(frm, capinfo); frm += 2; 1431 LE_WRITE_2(frm, ic->ic_lintval); frm += 2; 1432 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1433 IEEE80211_ADDR_COPY(frm, ic->ic_bss->ni_bssid); 1434 frm += IEEE80211_ADDR_LEN; 1435 } 1436 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 1437 frm = ieee80211_add_rates(frm, rs); 1438 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1439 frm = ieee80211_add_xrates(frm, rs); 1440 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1441 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) 1442 frm = ieee80211_add_rsn(frm, ic, ni); 1443 if (ni->ni_flags & IEEE80211_NODE_QOS) 1444 frm = ieee80211_add_qos_capability(frm, ic); 1445 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1446 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) 1447 frm = ieee80211_add_wpa(frm, ic, ni); 1448 if (ic->ic_flags & IEEE80211_F_HTON) { 1449 frm = ieee80211_add_htcaps(frm, ic); 1450 frm = ieee80211_add_wme_info(frm, ic); 1451 } 1452 1453 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1454 1455 return m; 1456 } 1457 1458 #ifndef IEEE80211_STA_ONLY 1459 /*- 1460 * (Re)Association response frame format: 1461 * [2] Capability information 1462 * [2] Status code 1463 * [2] Association ID (AID) 1464 * [tlv] Supported rates 1465 * [tlv] Extended Supported Rates (802.11g) 1466 * [tlv] EDCA Parameter Set (802.11e) 1467 * [tlv] Timeout Interval (802.11w) 1468 * [tlv] HT Capabilities (802.11n) 1469 * [tlv] HT Operation (802.11n) 1470 */ 1471 struct mbuf * 1472 ieee80211_get_assoc_resp(struct ieee80211com *ic, struct ieee80211_node *ni, 1473 u_int16_t status) 1474 { 1475 const struct ieee80211_rateset *rs = &ni->ni_rates; 1476 struct mbuf *m; 1477 u_int8_t *frm; 1478 1479 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1480 2 + 2 + 2 + 1481 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1482 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1483 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1484 ((ni->ni_flags & IEEE80211_NODE_QOS) ? 2 + 18 : 0) + 1485 ((status == IEEE80211_STATUS_TRY_AGAIN_LATER) ? 2 + 7 : 0) + 1486 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0)); 1487 if (m == NULL) 1488 return NULL; 1489 1490 frm = mtod(m, u_int8_t *); 1491 frm = ieee80211_add_capinfo(frm, ic, ni); 1492 LE_WRITE_2(frm, status); frm += 2; 1493 if (status == IEEE80211_STATUS_SUCCESS) 1494 LE_WRITE_2(frm, ni->ni_associd); 1495 else 1496 LE_WRITE_2(frm, 0); 1497 frm += 2; 1498 frm = ieee80211_add_rates(frm, rs); 1499 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1500 frm = ieee80211_add_xrates(frm, rs); 1501 if (ni->ni_flags & IEEE80211_NODE_QOS) 1502 frm = ieee80211_add_edca_params(frm, ic); 1503 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 1504 status == IEEE80211_STATUS_TRY_AGAIN_LATER) { 1505 /* Association Comeback Time */ 1506 frm = ieee80211_add_tie(frm, 3, 1000 /* XXX */); 1507 } 1508 if (ic->ic_flags & IEEE80211_F_HTON) { 1509 frm = ieee80211_add_htcaps(frm, ic); 1510 frm = ieee80211_add_htop(frm, ic); 1511 frm = ieee80211_add_wme_param(frm, ic); 1512 } 1513 1514 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1515 1516 return m; 1517 } 1518 #endif /* IEEE80211_STA_ONLY */ 1519 1520 /*- 1521 * Disassociation frame format: 1522 * [2] Reason code 1523 */ 1524 struct mbuf * 1525 ieee80211_get_disassoc(struct ieee80211com *ic, struct ieee80211_node *ni, 1526 u_int16_t reason) 1527 { 1528 struct mbuf *m; 1529 1530 MGETHDR(m, M_DONTWAIT, MT_DATA); 1531 if (m == NULL) 1532 return NULL; 1533 m_align(m, 2); 1534 m->m_pkthdr.len = m->m_len = 2; 1535 1536 *mtod(m, u_int16_t *) = htole16(reason); 1537 1538 return m; 1539 } 1540 1541 /*- 1542 * ADDBA Request frame format: 1543 * [1] Category 1544 * [1] Action 1545 * [1] Dialog Token 1546 * [2] Block Ack Parameter Set 1547 * [2] Block Ack Timeout Value 1548 * [2] Block Ack Starting Sequence Control 1549 */ 1550 struct mbuf * 1551 ieee80211_get_addba_req(struct ieee80211com *ic, struct ieee80211_node *ni, 1552 u_int8_t tid) 1553 { 1554 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1555 struct mbuf *m; 1556 u_int8_t *frm; 1557 1558 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 9); 1559 if (m == NULL) 1560 return m; 1561 1562 frm = mtod(m, u_int8_t *); 1563 *frm++ = IEEE80211_CATEG_BA; 1564 *frm++ = IEEE80211_ACTION_ADDBA_REQ; 1565 *frm++ = ba->ba_token; 1566 LE_WRITE_2(frm, ba->ba_params); frm += 2; 1567 LE_WRITE_2(frm, ba->ba_timeout_val / IEEE80211_DUR_TU); frm += 2; 1568 LE_WRITE_2(frm, ba->ba_winstart << IEEE80211_SEQ_SEQ_SHIFT); frm += 2; 1569 1570 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1571 1572 return m; 1573 } 1574 1575 /* Move Tx BA window forward to the specified SSN. */ 1576 void 1577 ieee80211_output_ba_move_window(struct ieee80211com *ic, 1578 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn) 1579 { 1580 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1581 uint16_t s = ba->ba_winstart; 1582 1583 while (SEQ_LT(s, ssn) && ba->ba_bitmap) { 1584 s = (s + 1) % 0xfff; 1585 ba->ba_bitmap >>= 1; 1586 } 1587 1588 ba->ba_winstart = (ssn & 0xfff); 1589 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 1590 } 1591 1592 /* 1593 * Move Tx BA window forward up to the first hole in the bitmap 1594 * or up to the specified SSN, whichever comes first. 1595 * After calling this function, frames before the start of the 1596 * potentially changed BA window should be discarded. 1597 */ 1598 void 1599 ieee80211_output_ba_move_window_to_first_unacked(struct ieee80211com *ic, 1600 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn) 1601 { 1602 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1603 uint16_t s = ba->ba_winstart; 1604 uint64_t bitmap = ba->ba_bitmap; 1605 int can_move_window = 0; 1606 1607 while (bitmap && SEQ_LT(s, ssn)) { 1608 if ((bitmap & 1) == 0) 1609 break; 1610 s = (s + 1) % 0xfff; 1611 bitmap >>= 1; 1612 can_move_window = 1; 1613 } 1614 1615 if (can_move_window) 1616 ieee80211_output_ba_move_window(ic, ni, tid, s); 1617 } 1618 1619 /* Record an ACK for a frame with a given SSN within the Tx BA window. */ 1620 void 1621 ieee80211_output_ba_record_ack(struct ieee80211com *ic, 1622 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn) 1623 { 1624 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1625 int i = 0; 1626 uint16_t s = ba->ba_winstart; 1627 1628 KASSERT(!SEQ_LT(ssn, ba->ba_winstart)); 1629 KASSERT(!SEQ_LT(ba->ba_winend, ssn)); 1630 1631 while (SEQ_LT(s, ssn)) { 1632 s = (s + 1) % 0xfff; 1633 i++; 1634 } 1635 if (i < ba->ba_winsize) 1636 ba->ba_bitmap |= (1 << i); 1637 } 1638 1639 /*- 1640 * ADDBA Response frame format: 1641 * [1] Category 1642 * [1] Action 1643 * [1] Dialog Token 1644 * [2] Status Code 1645 * [2] Block Ack Parameter Set 1646 * [2] Block Ack Timeout Value 1647 */ 1648 struct mbuf * 1649 ieee80211_get_addba_resp(struct ieee80211com *ic, struct ieee80211_node *ni, 1650 u_int8_t tid, u_int8_t token, u_int16_t status) 1651 { 1652 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 1653 struct mbuf *m; 1654 u_int8_t *frm; 1655 u_int16_t params; 1656 1657 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 9); 1658 if (m == NULL) 1659 return m; 1660 1661 frm = mtod(m, u_int8_t *); 1662 *frm++ = IEEE80211_CATEG_BA; 1663 *frm++ = IEEE80211_ACTION_ADDBA_RESP; 1664 *frm++ = token; 1665 LE_WRITE_2(frm, status); frm += 2; 1666 if (status == 0) 1667 params = ba->ba_params; 1668 else 1669 params = tid << IEEE80211_ADDBA_TID_SHIFT; 1670 LE_WRITE_2(frm, params); frm += 2; 1671 if (status == 0) 1672 LE_WRITE_2(frm, ba->ba_timeout_val / IEEE80211_DUR_TU); 1673 else 1674 LE_WRITE_2(frm, 0); 1675 frm += 2; 1676 1677 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1678 1679 return m; 1680 } 1681 1682 /*- 1683 * DELBA frame format: 1684 * [1] Category 1685 * [1] Action 1686 * [2] DELBA Parameter Set 1687 * [2] Reason Code 1688 */ 1689 struct mbuf * 1690 ieee80211_get_delba(struct ieee80211com *ic, struct ieee80211_node *ni, 1691 u_int8_t tid, u_int8_t dir, u_int16_t reason) 1692 { 1693 struct mbuf *m; 1694 u_int8_t *frm; 1695 u_int16_t params; 1696 1697 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 6); 1698 if (m == NULL) 1699 return m; 1700 1701 frm = mtod(m, u_int8_t *); 1702 *frm++ = IEEE80211_CATEG_BA; 1703 *frm++ = IEEE80211_ACTION_DELBA; 1704 params = tid << 12; 1705 if (dir) 1706 params |= IEEE80211_DELBA_INITIATOR; 1707 LE_WRITE_2(frm, params); frm += 2; 1708 LE_WRITE_2(frm, reason); frm += 2; 1709 1710 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1711 1712 return m; 1713 } 1714 1715 /*- 1716 * SA Query Request/Response frame format: 1717 * [1] Category 1718 * [1] Action 1719 * [16] Transaction Identifier 1720 */ 1721 struct mbuf * 1722 ieee80211_get_sa_query(struct ieee80211com *ic, struct ieee80211_node *ni, 1723 u_int8_t action) 1724 { 1725 struct mbuf *m; 1726 u_int8_t *frm; 1727 1728 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 4); 1729 if (m == NULL) 1730 return NULL; 1731 1732 frm = mtod(m, u_int8_t *); 1733 *frm++ = IEEE80211_CATEG_SA_QUERY; 1734 *frm++ = action; /* ACTION_SA_QUERY_REQ/RESP */ 1735 LE_WRITE_2(frm, ni->ni_sa_query_trid); frm += 2; 1736 1737 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1738 1739 return m; 1740 } 1741 1742 struct mbuf * 1743 ieee80211_get_action(struct ieee80211com *ic, struct ieee80211_node *ni, 1744 u_int8_t categ, u_int8_t action, int arg) 1745 { 1746 struct mbuf *m = NULL; 1747 1748 switch (categ) { 1749 case IEEE80211_CATEG_BA: 1750 switch (action) { 1751 case IEEE80211_ACTION_ADDBA_REQ: 1752 m = ieee80211_get_addba_req(ic, ni, arg & 0xffff); 1753 break; 1754 case IEEE80211_ACTION_ADDBA_RESP: 1755 m = ieee80211_get_addba_resp(ic, ni, arg & 0xff, 1756 arg >> 8, arg >> 16); 1757 break; 1758 case IEEE80211_ACTION_DELBA: 1759 m = ieee80211_get_delba(ic, ni, arg & 0xff, arg >> 8, 1760 arg >> 16); 1761 break; 1762 } 1763 break; 1764 case IEEE80211_CATEG_SA_QUERY: 1765 switch (action) { 1766 #ifndef IEEE80211_STA_ONLY 1767 case IEEE80211_ACTION_SA_QUERY_REQ: 1768 #endif 1769 case IEEE80211_ACTION_SA_QUERY_RESP: 1770 m = ieee80211_get_sa_query(ic, ni, action); 1771 break; 1772 } 1773 break; 1774 } 1775 return m; 1776 } 1777 1778 /* 1779 * Send a management frame. The node is for the destination (or ic_bss 1780 * when in station mode). Nodes other than ic_bss have their reference 1781 * count bumped to reflect our use for an indeterminant time. 1782 */ 1783 int 1784 ieee80211_send_mgmt(struct ieee80211com *ic, struct ieee80211_node *ni, 1785 int type, int arg1, int arg2) 1786 { 1787 #define senderr(_x, _v) do { ic->ic_stats._v++; ret = _x; goto bad; } while (0) 1788 struct ifnet *ifp = &ic->ic_if; 1789 struct mbuf *m; 1790 int ret, timer; 1791 1792 if (ni == NULL) 1793 panic("null node"); 1794 1795 /* 1796 * Hold a reference on the node so it doesn't go away until after 1797 * the xmit is complete all the way in the driver. On error we 1798 * will remove our reference. 1799 */ 1800 ieee80211_ref_node(ni); 1801 timer = 0; 1802 switch (type) { 1803 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1804 if ((m = ieee80211_get_probe_req(ic, ni)) == NULL) 1805 senderr(ENOMEM, is_tx_nombuf); 1806 1807 timer = IEEE80211_TRANS_WAIT; 1808 break; 1809 #ifndef IEEE80211_STA_ONLY 1810 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1811 if ((m = ieee80211_get_probe_resp(ic)) == NULL) 1812 senderr(ENOMEM, is_tx_nombuf); 1813 break; 1814 #endif 1815 case IEEE80211_FC0_SUBTYPE_AUTH: 1816 m = ieee80211_get_auth(ic, ni, arg1 >> 16, arg1 & 0xffff); 1817 if (m == NULL) 1818 senderr(ENOMEM, is_tx_nombuf); 1819 1820 if (ic->ic_opmode == IEEE80211_M_STA) 1821 timer = IEEE80211_TRANS_WAIT; 1822 break; 1823 1824 case IEEE80211_FC0_SUBTYPE_DEAUTH: 1825 if ((m = ieee80211_get_deauth(ic, ni, arg1)) == NULL) 1826 senderr(ENOMEM, is_tx_nombuf); 1827 #ifndef IEEE80211_STA_ONLY 1828 if ((ifp->if_flags & IFF_DEBUG) && 1829 (ic->ic_opmode == IEEE80211_M_HOSTAP || 1830 ic->ic_opmode == IEEE80211_M_IBSS)) 1831 printf("%s: station %s deauthenticate (reason %d)\n", 1832 ifp->if_xname, ether_sprintf(ni->ni_macaddr), 1833 arg1); 1834 #endif 1835 break; 1836 1837 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1838 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 1839 if ((m = ieee80211_get_assoc_req(ic, ni, type)) == NULL) 1840 senderr(ENOMEM, is_tx_nombuf); 1841 1842 timer = IEEE80211_TRANS_WAIT; 1843 break; 1844 #ifndef IEEE80211_STA_ONLY 1845 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 1846 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 1847 if ((m = ieee80211_get_assoc_resp(ic, ni, arg1)) == NULL) 1848 senderr(ENOMEM, is_tx_nombuf); 1849 break; 1850 #endif 1851 case IEEE80211_FC0_SUBTYPE_DISASSOC: 1852 if ((m = ieee80211_get_disassoc(ic, ni, arg1)) == NULL) 1853 senderr(ENOMEM, is_tx_nombuf); 1854 #ifndef IEEE80211_STA_ONLY 1855 if ((ifp->if_flags & IFF_DEBUG) && 1856 (ic->ic_opmode == IEEE80211_M_HOSTAP || 1857 ic->ic_opmode == IEEE80211_M_IBSS)) 1858 printf("%s: station %s disassociate (reason %d)\n", 1859 ifp->if_xname, ether_sprintf(ni->ni_macaddr), 1860 arg1); 1861 #endif 1862 break; 1863 1864 case IEEE80211_FC0_SUBTYPE_ACTION: 1865 m = ieee80211_get_action(ic, ni, arg1 >> 16, arg1 & 0xffff, 1866 arg2); 1867 if (m == NULL) 1868 senderr(ENOMEM, is_tx_nombuf); 1869 break; 1870 1871 default: 1872 DPRINTF(("invalid mgmt frame type %u\n", type)); 1873 senderr(EINVAL, is_tx_unknownmgt); 1874 /* NOTREACHED */ 1875 } 1876 1877 ret = ieee80211_mgmt_output(ifp, ni, m, type); 1878 if (ret == 0) { 1879 if (timer) 1880 ic->ic_mgt_timer = timer; 1881 } else { 1882 bad: 1883 ieee80211_release_node(ic, ni); 1884 } 1885 return ret; 1886 #undef senderr 1887 } 1888 1889 /* 1890 * Build a RTS (Request To Send) control frame (see 7.2.1.1). 1891 */ 1892 struct mbuf * 1893 ieee80211_get_rts(struct ieee80211com *ic, const struct ieee80211_frame *wh, 1894 u_int16_t dur) 1895 { 1896 struct ieee80211_frame_rts *rts; 1897 struct mbuf *m; 1898 1899 MGETHDR(m, M_DONTWAIT, MT_DATA); 1900 if (m == NULL) 1901 return NULL; 1902 1903 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts); 1904 1905 rts = mtod(m, struct ieee80211_frame_rts *); 1906 rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 1907 IEEE80211_FC0_SUBTYPE_RTS; 1908 rts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1909 *(u_int16_t *)rts->i_dur = htole16(dur); 1910 IEEE80211_ADDR_COPY(rts->i_ra, wh->i_addr1); 1911 IEEE80211_ADDR_COPY(rts->i_ta, wh->i_addr2); 1912 1913 return m; 1914 } 1915 1916 /* 1917 * Build a CTS-to-self (Clear To Send) control frame (see 7.2.1.2). 1918 */ 1919 struct mbuf * 1920 ieee80211_get_cts_to_self(struct ieee80211com *ic, u_int16_t dur) 1921 { 1922 struct ieee80211_frame_cts *cts; 1923 struct mbuf *m; 1924 1925 MGETHDR(m, M_DONTWAIT, MT_DATA); 1926 if (m == NULL) 1927 return NULL; 1928 1929 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts); 1930 1931 cts = mtod(m, struct ieee80211_frame_cts *); 1932 cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 1933 IEEE80211_FC0_SUBTYPE_CTS; 1934 cts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1935 *(u_int16_t *)cts->i_dur = htole16(dur); 1936 IEEE80211_ADDR_COPY(cts->i_ra, ic->ic_myaddr); 1937 1938 return m; 1939 } 1940 1941 /* 1942 * Build a compressed Block Ack Request control frame. 1943 */ 1944 struct mbuf * 1945 ieee80211_get_compressed_bar(struct ieee80211com *ic, 1946 struct ieee80211_node *ni, int tid, uint16_t ssn) 1947 { 1948 struct ieee80211_frame_min *wh; 1949 uint8_t *frm; 1950 uint16_t ctl; 1951 struct mbuf *m; 1952 1953 MGETHDR(m, M_DONTWAIT, MT_DATA); 1954 if (m == NULL) 1955 return NULL; 1956 1957 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_min) + 1958 sizeof(ctl) + sizeof(ssn); 1959 1960 wh = mtod(m, struct ieee80211_frame_min *); 1961 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 1962 IEEE80211_FC0_SUBTYPE_BAR; 1963 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1964 *(u_int16_t *)wh->i_dur = 0; 1965 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1966 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 1967 frm = (uint8_t *)&wh[1]; 1968 1969 ctl = IEEE80211_BA_COMPRESSED | (tid << IEEE80211_BA_TID_INFO_SHIFT); 1970 LE_WRITE_2(frm, ctl); 1971 frm += 2; 1972 1973 LE_WRITE_2(frm, ssn << IEEE80211_SEQ_SEQ_SHIFT); 1974 frm += 2; 1975 1976 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1977 m->m_pkthdr.ph_cookie = ni; 1978 1979 return m; 1980 } 1981 1982 #ifndef IEEE80211_STA_ONLY 1983 /*- 1984 * Beacon frame format: 1985 * [8] Timestamp 1986 * [2] Beacon interval 1987 * [2] Capability 1988 * [tlv] Service Set Identifier (SSID) 1989 * [tlv] Supported rates 1990 * [tlv] DS Parameter Set (802.11g) 1991 * [tlv] IBSS Parameter Set 1992 * [tlv] Traffic Indication Map (TIM) 1993 * [tlv] ERP Information (802.11g) 1994 * [tlv] Extended Supported Rates (802.11g) 1995 * [tlv] RSN (802.11i) 1996 * [tlv] EDCA Parameter Set (802.11e) 1997 * [tlv] HT Capabilities (802.11n) 1998 * [tlv] HT Operation (802.11n) 1999 */ 2000 struct mbuf * 2001 ieee80211_beacon_alloc(struct ieee80211com *ic, struct ieee80211_node *ni) 2002 { 2003 const struct ieee80211_rateset *rs = &ni->ni_rates; 2004 struct ieee80211_frame *wh; 2005 struct mbuf *m; 2006 u_int8_t *frm; 2007 2008 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 2009 8 + 2 + 2 + 2010 2 + ((ic->ic_userflags & IEEE80211_F_HIDENWID) ? 2011 0 : ni->ni_esslen) + 2012 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 2013 2 + 1 + 2014 2 + ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 : 254) + 2015 ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) + 2016 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 2017 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 2018 (((ic->ic_flags & IEEE80211_F_RSNON) && 2019 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 2020 2 + IEEE80211_RSNIE_MAXLEN : 0) + 2021 ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) + 2022 (((ic->ic_flags & IEEE80211_F_RSNON) && 2023 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 2024 2 + IEEE80211_WPAIE_MAXLEN : 0) + 2025 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0)); 2026 if (m == NULL) 2027 return NULL; 2028 2029 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 2030 if (m == NULL) 2031 return NULL; 2032 wh = mtod(m, struct ieee80211_frame *); 2033 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | 2034 IEEE80211_FC0_SUBTYPE_BEACON; 2035 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2036 *(u_int16_t *)wh->i_dur = 0; 2037 IEEE80211_ADDR_COPY(wh->i_addr1, etherbroadcastaddr); 2038 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 2039 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 2040 *(u_int16_t *)wh->i_seq = 0; 2041 2042 frm = (u_int8_t *)&wh[1]; 2043 memset(frm, 0, 8); frm += 8; /* timestamp is set by hardware */ 2044 LE_WRITE_2(frm, ni->ni_intval); frm += 2; 2045 frm = ieee80211_add_capinfo(frm, ic, ni); 2046 if (ic->ic_userflags & IEEE80211_F_HIDENWID) 2047 frm = ieee80211_add_ssid(frm, NULL, 0); 2048 else 2049 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 2050 frm = ieee80211_add_rates(frm, rs); 2051 frm = ieee80211_add_ds_params(frm, ic, ni); 2052 if (ic->ic_opmode == IEEE80211_M_IBSS) 2053 frm = ieee80211_add_ibss_params(frm, ni); 2054 else 2055 frm = ieee80211_add_tim(frm, ic); 2056 if (ic->ic_curmode == IEEE80211_MODE_11G) 2057 frm = ieee80211_add_erp(frm, ic); 2058 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 2059 frm = ieee80211_add_xrates(frm, rs); 2060 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2061 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) 2062 frm = ieee80211_add_rsn(frm, ic, ni); 2063 if (ic->ic_flags & IEEE80211_F_QOS) 2064 frm = ieee80211_add_edca_params(frm, ic); 2065 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2066 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) 2067 frm = ieee80211_add_wpa(frm, ic, ni); 2068 if (ic->ic_flags & IEEE80211_F_HTON) { 2069 frm = ieee80211_add_htcaps(frm, ic); 2070 frm = ieee80211_add_htop(frm, ic); 2071 frm = ieee80211_add_wme_param(frm, ic); 2072 } 2073 2074 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 2075 m->m_pkthdr.ph_cookie = ni; 2076 2077 return m; 2078 } 2079 2080 /* 2081 * Check if an outgoing MSDU or management frame should be buffered into 2082 * the AP for power management. Return 1 if the frame was buffered into 2083 * the AP, or 0 if the frame shall be transmitted immediately. 2084 */ 2085 int 2086 ieee80211_pwrsave(struct ieee80211com *ic, struct mbuf *m, 2087 struct ieee80211_node *ni) 2088 { 2089 const struct ieee80211_frame *wh; 2090 int pssta = 0; 2091 2092 KASSERT(ic->ic_opmode == IEEE80211_M_HOSTAP); 2093 if (!(ic->ic_caps & IEEE80211_C_APPMGT)) 2094 return 0; 2095 2096 wh = mtod(m, struct ieee80211_frame *); 2097 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2098 /* 2099 * Buffer group addressed MSDUs with the Order bit clear 2100 * if any associated STAs are in PS mode. 2101 */ 2102 ieee80211_iterate_nodes(ic, ieee80211_count_pssta, &pssta); 2103 if ((wh->i_fc[1] & IEEE80211_FC1_ORDER) || pssta == 0) 2104 return 0; 2105 ic->ic_tim_mcast_pending = 1; 2106 } else { 2107 /* 2108 * Buffer MSDUs, A-MSDUs or management frames destined for 2109 * PS STAs. 2110 */ 2111 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE || 2112 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == 2113 IEEE80211_FC0_TYPE_CTL) 2114 return 0; 2115 if (mq_empty(&ni->ni_savedq)) 2116 (*ic->ic_set_tim)(ic, ni->ni_associd, 1); 2117 } 2118 /* NB: ni == ic->ic_bss for broadcast/multicast */ 2119 /* 2120 * Similar to ieee80211_mgmt_output, store the node in a 2121 * special pkthdr field. 2122 */ 2123 m->m_pkthdr.ph_cookie = ni; 2124 mq_enqueue(&ni->ni_savedq, m); 2125 return 1; 2126 } 2127 #endif /* IEEE80211_STA_ONLY */ 2128