1/*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002-2009 Sam Leffler, Errno Consulting 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29#include <sys/cdefs.h> 30#include "opt_inet.h" 31#include "opt_inet6.h" 32#include "opt_wlan.h" 33 34#include <sys/param.h> 35#include <sys/systm.h> 36#include <sys/kernel.h> 37#include <sys/malloc.h> 38#include <sys/mbuf.h> 39#include <sys/endian.h> 40 41#include <sys/socket.h> 42 43#include <net/bpf.h> 44#include <net/ethernet.h> 45#include <net/if.h> 46#include <net/if_var.h> 47#include <net/if_llc.h> 48#include <net/if_media.h> 49#include <net/if_private.h> 50#include <net/if_vlan_var.h> 51 52#include <net80211/ieee80211_var.h> 53#include <net80211/ieee80211_regdomain.h> 54#ifdef IEEE80211_SUPPORT_SUPERG 55#include <net80211/ieee80211_superg.h> 56#endif 57#ifdef IEEE80211_SUPPORT_TDMA 58#include <net80211/ieee80211_tdma.h> 59#endif 60#include <net80211/ieee80211_wds.h> 61#include <net80211/ieee80211_mesh.h> 62#include <net80211/ieee80211_vht.h> 63 64#if defined(INET) || defined(INET6) 65#include <netinet/in.h> 66#endif 67 68#ifdef INET 69#include <netinet/if_ether.h> 70#include <netinet/in_systm.h> 71#include <netinet/ip.h> 72#endif 73#ifdef INET6 74#include <netinet/ip6.h> 75#endif 76 77#include <security/mac/mac_framework.h> 78 79#define ETHER_HEADER_COPY(dst, src) \ 80 memcpy(dst, src, sizeof(struct ether_header)) 81 82static int ieee80211_fragment(struct ieee80211vap *, struct mbuf *, 83 u_int hdrsize, u_int ciphdrsize, u_int mtu); 84static void ieee80211_tx_mgt_cb(struct ieee80211_node *, void *, int); 85 86#ifdef IEEE80211_DEBUG 87/* 88 * Decide if an outbound management frame should be 89 * printed when debugging is enabled. This filters some 90 * of the less interesting frames that come frequently 91 * (e.g. beacons). 92 */ 93static __inline int 94doprint(struct ieee80211vap *vap, int subtype) 95{ 96 switch (subtype) { 97 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 98 return (vap->iv_opmode == IEEE80211_M_IBSS); 99 } 100 return 1; 101} 102#endif 103 104/* 105 * Transmit a frame to the given destination on the given VAP. 106 * 107 * It's up to the caller to figure out the details of who this 108 * is going to and resolving the node. 109 * 110 * This routine takes care of queuing it for power save, 111 * A-MPDU state stuff, fast-frames state stuff, encapsulation 112 * if required, then passing it up to the driver layer. 113 * 114 * This routine (for now) consumes the mbuf and frees the node 115 * reference; it ideally will return a TX status which reflects 116 * whether the mbuf was consumed or not, so the caller can 117 * free the mbuf (if appropriate) and the node reference (again, 118 * if appropriate.) 119 */ 120int 121ieee80211_vap_pkt_send_dest(struct ieee80211vap *vap, struct mbuf *m, 122 struct ieee80211_node *ni) 123{ 124 struct ieee80211com *ic = vap->iv_ic; 125 struct ifnet *ifp = vap->iv_ifp; 126 int mcast; 127 int do_ampdu = 0; 128#ifdef IEEE80211_SUPPORT_SUPERG 129 int do_amsdu = 0; 130 int do_ampdu_amsdu = 0; 131 int no_ampdu = 1; /* Will be set to 0 if ampdu is active */ 132 int do_ff = 0; 133#endif 134 135 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 136 (m->m_flags & M_PWR_SAV) == 0) { 137 /* 138 * Station in power save mode; pass the frame 139 * to the 802.11 layer and continue. We'll get 140 * the frame back when the time is right. 141 * XXX lose WDS vap linkage? 142 */ 143 if (ieee80211_pwrsave(ni, m) != 0) 144 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 145 ieee80211_free_node(ni); 146 147 /* 148 * We queued it fine, so tell the upper layer 149 * that we consumed it. 150 */ 151 return (0); 152 } 153 /* calculate priority so drivers can find the tx queue */ 154 if (ieee80211_classify(ni, m)) { 155 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT, 156 ni->ni_macaddr, NULL, 157 "%s", "classification failure"); 158 vap->iv_stats.is_tx_classify++; 159 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 160 m_freem(m); 161 ieee80211_free_node(ni); 162 163 /* XXX better status? */ 164 return (0); 165 } 166 /* 167 * Stash the node pointer. Note that we do this after 168 * any call to ieee80211_dwds_mcast because that code 169 * uses any existing value for rcvif to identify the 170 * interface it (might have been) received on. 171 */ 172 MPASS((m->m_pkthdr.csum_flags & CSUM_SND_TAG) == 0); 173 m->m_pkthdr.rcvif = (void *)ni; 174 mcast = (m->m_flags & (M_MCAST | M_BCAST)) ? 1: 0; 175 176 BPF_MTAP(ifp, m); /* 802.3 tx */ 177 178 /* 179 * Figure out if we can do A-MPDU, A-MSDU or FF. 180 * 181 * A-MPDU depends upon vap/node config. 182 * A-MSDU depends upon vap/node config. 183 * FF depends upon vap config, IE and whether 184 * it's 11abg (and not 11n/11ac/etc.) 185 * 186 * Note that these flags indiciate whether we can do 187 * it at all, rather than the situation (eg traffic type.) 188 */ 189 do_ampdu = ((ni->ni_flags & IEEE80211_NODE_AMPDU_TX) && 190 (vap->iv_flags_ht & IEEE80211_FHT_AMPDU_TX)); 191#ifdef IEEE80211_SUPPORT_SUPERG 192 do_amsdu = ((ni->ni_flags & IEEE80211_NODE_AMSDU_TX) && 193 (vap->iv_flags_ht & IEEE80211_FHT_AMSDU_TX)); 194 do_ff = 195 ((ni->ni_flags & IEEE80211_NODE_HT) == 0) && 196 ((ni->ni_flags & IEEE80211_NODE_VHT) == 0) && 197 (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF)); 198#endif 199 200 /* 201 * Check if A-MPDU tx aggregation is setup or if we 202 * should try to enable it. The sta must be associated 203 * with HT and A-MPDU enabled for use. When the policy 204 * routine decides we should enable A-MPDU we issue an 205 * ADDBA request and wait for a reply. The frame being 206 * encapsulated will go out w/o using A-MPDU, or possibly 207 * it might be collected by the driver and held/retransmit. 208 * The default ic_ampdu_enable routine handles staggering 209 * ADDBA requests in case the receiver NAK's us or we are 210 * otherwise unable to establish a BA stream. 211 * 212 * Don't treat group-addressed frames as candidates for aggregation; 213 * net80211 doesn't support 802.11aa-2012 and so group addressed 214 * frames will always have sequence numbers allocated from the NON_QOS 215 * TID. 216 */ 217 if (do_ampdu) { 218 if ((m->m_flags & M_EAPOL) == 0 && (! mcast)) { 219 int tid = WME_AC_TO_TID(M_WME_GETAC(m)); 220 struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[tid]; 221 222 ieee80211_txampdu_count_packet(tap); 223 if (IEEE80211_AMPDU_RUNNING(tap)) { 224 /* 225 * Operational, mark frame for aggregation. 226 * 227 * XXX do tx aggregation here 228 */ 229 m->m_flags |= M_AMPDU_MPDU; 230 } else if (!IEEE80211_AMPDU_REQUESTED(tap) && 231 ic->ic_ampdu_enable(ni, tap)) { 232 /* 233 * Not negotiated yet, request service. 234 */ 235 ieee80211_ampdu_request(ni, tap); 236 /* XXX hold frame for reply? */ 237 } 238 /* 239 * Now update the no-ampdu flag. A-MPDU may have been 240 * started or administratively disabled above; so now we 241 * know whether we're running yet or not. 242 * 243 * This will let us know whether we should be doing A-MSDU 244 * at this point. We only do A-MSDU if we're either not 245 * doing A-MPDU, or A-MPDU is NACKed, or A-MPDU + A-MSDU 246 * is available. 247 * 248 * Whilst here, update the amsdu-ampdu flag. The above may 249 * have also set or cleared the amsdu-in-ampdu txa_flags 250 * combination so we can correctly do A-MPDU + A-MSDU. 251 */ 252#ifdef IEEE80211_SUPPORT_SUPERG 253 no_ampdu = (! IEEE80211_AMPDU_RUNNING(tap) 254 || (IEEE80211_AMPDU_NACKED(tap))); 255 do_ampdu_amsdu = IEEE80211_AMPDU_RUNNING_AMSDU(tap); 256#endif 257 } 258 } 259 260#ifdef IEEE80211_SUPPORT_SUPERG 261 /* 262 * Check for AMSDU/FF; queue for aggregation 263 * 264 * Note: we don't bother trying to do fast frames or 265 * A-MSDU encapsulation for 802.3 drivers. Now, we 266 * likely could do it for FF (because it's a magic 267 * atheros tunnel LLC type) but I don't think we're going 268 * to really need to. For A-MSDU we'd have to set the 269 * A-MSDU QoS bit in the wifi header, so we just plain 270 * can't do it. 271 */ 272 if (__predict_true((vap->iv_caps & IEEE80211_C_8023ENCAP) == 0)) { 273 if ((! mcast) && 274 (do_ampdu_amsdu || (no_ampdu && do_amsdu)) && 275 ieee80211_amsdu_tx_ok(ni)) { 276 m = ieee80211_amsdu_check(ni, m); 277 if (m == NULL) { 278 /* NB: any ni ref held on stageq */ 279 IEEE80211_DPRINTF(vap, IEEE80211_MSG_SUPERG, 280 "%s: amsdu_check queued frame\n", 281 __func__); 282 return (0); 283 } 284 } else if ((! mcast) && do_ff) { 285 m = ieee80211_ff_check(ni, m); 286 if (m == NULL) { 287 /* NB: any ni ref held on stageq */ 288 IEEE80211_DPRINTF(vap, IEEE80211_MSG_SUPERG, 289 "%s: ff_check queued frame\n", 290 __func__); 291 return (0); 292 } 293 } 294 } 295#endif /* IEEE80211_SUPPORT_SUPERG */ 296 297 /* 298 * Grab the TX lock - serialise the TX process from this 299 * point (where TX state is being checked/modified) 300 * through to driver queue. 301 */ 302 IEEE80211_TX_LOCK(ic); 303 304 /* 305 * XXX make the encap and transmit code a separate function 306 * so things like the FF (and later A-MSDU) path can just call 307 * it for flushed frames. 308 */ 309 if (__predict_true((vap->iv_caps & IEEE80211_C_8023ENCAP) == 0)) { 310 /* 311 * Encapsulate the packet in prep for transmission. 312 */ 313 m = ieee80211_encap(vap, ni, m); 314 if (m == NULL) { 315 /* NB: stat+msg handled in ieee80211_encap */ 316 IEEE80211_TX_UNLOCK(ic); 317 ieee80211_free_node(ni); 318 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 319 return (ENOBUFS); 320 } 321 } 322 (void) ieee80211_parent_xmitpkt(ic, m); 323 324 /* 325 * Unlock at this point - no need to hold it across 326 * ieee80211_free_node() (ie, the comlock) 327 */ 328 IEEE80211_TX_UNLOCK(ic); 329 ic->ic_lastdata = ticks; 330 331 return (0); 332} 333 334/* 335 * Send the given mbuf through the given vap. 336 * 337 * This consumes the mbuf regardless of whether the transmit 338 * was successful or not. 339 * 340 * This does none of the initial checks that ieee80211_start() 341 * does (eg CAC timeout, interface wakeup) - the caller must 342 * do this first. 343 */ 344static int 345ieee80211_start_pkt(struct ieee80211vap *vap, struct mbuf *m) 346{ 347#define IS_DWDS(vap) \ 348 (vap->iv_opmode == IEEE80211_M_WDS && \ 349 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY) == 0) 350 struct ieee80211com *ic = vap->iv_ic; 351 struct ifnet *ifp = vap->iv_ifp; 352 struct ieee80211_node *ni; 353 struct ether_header *eh; 354 355 /* 356 * Cancel any background scan. 357 */ 358 if (ic->ic_flags & IEEE80211_F_SCAN) 359 ieee80211_cancel_anyscan(vap); 360 /* 361 * Find the node for the destination so we can do 362 * things like power save and fast frames aggregation. 363 * 364 * NB: past this point various code assumes the first 365 * mbuf has the 802.3 header present (and contiguous). 366 */ 367 ni = NULL; 368 if (m->m_len < sizeof(struct ether_header) && 369 (m = m_pullup(m, sizeof(struct ether_header))) == NULL) { 370 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 371 "discard frame, %s\n", "m_pullup failed"); 372 vap->iv_stats.is_tx_nobuf++; /* XXX */ 373 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 374 return (ENOBUFS); 375 } 376 eh = mtod(m, struct ether_header *); 377 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 378 if (IS_DWDS(vap)) { 379 /* 380 * Only unicast frames from the above go out 381 * DWDS vaps; multicast frames are handled by 382 * dispatching the frame as it comes through 383 * the AP vap (see below). 384 */ 385 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_WDS, 386 eh->ether_dhost, "mcast", "%s", "on DWDS"); 387 vap->iv_stats.is_dwds_mcast++; 388 m_freem(m); 389 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 390 /* XXX better status? */ 391 return (ENOBUFS); 392 } 393 if (vap->iv_opmode == IEEE80211_M_HOSTAP) { 394 /* 395 * Spam DWDS vap's w/ multicast traffic. 396 */ 397 /* XXX only if dwds in use? */ 398 ieee80211_dwds_mcast(vap, m); 399 } 400 } 401#ifdef IEEE80211_SUPPORT_MESH 402 if (vap->iv_opmode != IEEE80211_M_MBSS) { 403#endif 404 ni = ieee80211_find_txnode(vap, eh->ether_dhost); 405 if (ni == NULL) { 406 /* NB: ieee80211_find_txnode does stat+msg */ 407 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 408 m_freem(m); 409 /* XXX better status? */ 410 return (ENOBUFS); 411 } 412 if (ni->ni_associd == 0 && 413 (ni->ni_flags & IEEE80211_NODE_ASSOCID)) { 414 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT, 415 eh->ether_dhost, NULL, 416 "sta not associated (type 0x%04x)", 417 htons(eh->ether_type)); 418 vap->iv_stats.is_tx_notassoc++; 419 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 420 m_freem(m); 421 ieee80211_free_node(ni); 422 /* XXX better status? */ 423 return (ENOBUFS); 424 } 425#ifdef IEEE80211_SUPPORT_MESH 426 } else { 427 if (!IEEE80211_ADDR_EQ(eh->ether_shost, vap->iv_myaddr)) { 428 /* 429 * Proxy station only if configured. 430 */ 431 if (!ieee80211_mesh_isproxyena(vap)) { 432 IEEE80211_DISCARD_MAC(vap, 433 IEEE80211_MSG_OUTPUT | 434 IEEE80211_MSG_MESH, 435 eh->ether_dhost, NULL, 436 "%s", "proxy not enabled"); 437 vap->iv_stats.is_mesh_notproxy++; 438 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 439 m_freem(m); 440 /* XXX better status? */ 441 return (ENOBUFS); 442 } 443 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 444 "forward frame from DS SA(%6D), DA(%6D)\n", 445 eh->ether_shost, ":", 446 eh->ether_dhost, ":"); 447 ieee80211_mesh_proxy_check(vap, eh->ether_shost); 448 } 449 ni = ieee80211_mesh_discover(vap, eh->ether_dhost, m); 450 if (ni == NULL) { 451 /* 452 * NB: ieee80211_mesh_discover holds/disposes 453 * frame (e.g. queueing on path discovery). 454 */ 455 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 456 /* XXX better status? */ 457 return (ENOBUFS); 458 } 459 } 460#endif 461 462 /* 463 * We've resolved the sender, so attempt to transmit it. 464 */ 465 466 if (vap->iv_state == IEEE80211_S_SLEEP) { 467 /* 468 * In power save; queue frame and then wakeup device 469 * for transmit. 470 */ 471 ic->ic_lastdata = ticks; 472 if (ieee80211_pwrsave(ni, m) != 0) 473 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 474 ieee80211_free_node(ni); 475 ieee80211_new_state(vap, IEEE80211_S_RUN, 0); 476 return (0); 477 } 478 479 if (ieee80211_vap_pkt_send_dest(vap, m, ni) != 0) 480 return (ENOBUFS); 481 return (0); 482#undef IS_DWDS 483} 484 485/* 486 * Start method for vap's. All packets from the stack come 487 * through here. We handle common processing of the packets 488 * before dispatching them to the underlying device. 489 * 490 * if_transmit() requires that the mbuf be consumed by this call 491 * regardless of the return condition. 492 */ 493int 494ieee80211_vap_transmit(struct ifnet *ifp, struct mbuf *m) 495{ 496 struct ieee80211vap *vap = ifp->if_softc; 497 struct ieee80211com *ic = vap->iv_ic; 498 499 /* 500 * No data frames go out unless we're running. 501 * Note in particular this covers CAC and CSA 502 * states (though maybe we should check muting 503 * for CSA). 504 */ 505 if (vap->iv_state != IEEE80211_S_RUN && 506 vap->iv_state != IEEE80211_S_SLEEP) { 507 IEEE80211_LOCK(ic); 508 /* re-check under the com lock to avoid races */ 509 if (vap->iv_state != IEEE80211_S_RUN && 510 vap->iv_state != IEEE80211_S_SLEEP) { 511 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 512 "%s: ignore queue, in %s state\n", 513 __func__, ieee80211_state_name[vap->iv_state]); 514 vap->iv_stats.is_tx_badstate++; 515 IEEE80211_UNLOCK(ic); 516 ifp->if_drv_flags |= IFF_DRV_OACTIVE; 517 m_freem(m); 518 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 519 return (ENETDOWN); 520 } 521 IEEE80211_UNLOCK(ic); 522 } 523 524 /* 525 * Sanitize mbuf flags for net80211 use. We cannot 526 * clear M_PWR_SAV or M_MORE_DATA because these may 527 * be set for frames that are re-submitted from the 528 * power save queue. 529 * 530 * NB: This must be done before ieee80211_classify as 531 * it marks EAPOL in frames with M_EAPOL. 532 */ 533 m->m_flags &= ~(M_80211_TX - M_PWR_SAV - M_MORE_DATA); 534 535 /* 536 * Bump to the packet transmission path. 537 * The mbuf will be consumed here. 538 */ 539 return (ieee80211_start_pkt(vap, m)); 540} 541 542void 543ieee80211_vap_qflush(struct ifnet *ifp) 544{ 545 546 /* Empty for now */ 547} 548 549/* 550 * 802.11 raw output routine. 551 * 552 * XXX TODO: this (and other send routines) should correctly 553 * XXX keep the pwr mgmt bit set if it decides to call into the 554 * XXX driver to send a frame whilst the state is SLEEP. 555 * 556 * Otherwise the peer may decide that we're awake and flood us 557 * with traffic we are still too asleep to receive! 558 */ 559int 560ieee80211_raw_output(struct ieee80211vap *vap, struct ieee80211_node *ni, 561 struct mbuf *m, const struct ieee80211_bpf_params *params) 562{ 563 struct ieee80211com *ic = vap->iv_ic; 564 int error; 565 566 /* 567 * Set node - the caller has taken a reference, so ensure 568 * that the mbuf has the same node value that 569 * it would if it were going via the normal path. 570 */ 571 MPASS((m->m_pkthdr.csum_flags & CSUM_SND_TAG) == 0); 572 m->m_pkthdr.rcvif = (void *)ni; 573 574 /* 575 * Attempt to add bpf transmit parameters. 576 * 577 * For now it's ok to fail; the raw_xmit api still takes 578 * them as an option. 579 * 580 * Later on when ic_raw_xmit() has params removed, 581 * they'll have to be added - so fail the transmit if 582 * they can't be. 583 */ 584 if (params) 585 (void) ieee80211_add_xmit_params(m, params); 586 587 error = ic->ic_raw_xmit(ni, m, params); 588 if (error) { 589 if_inc_counter(vap->iv_ifp, IFCOUNTER_OERRORS, 1); 590 ieee80211_free_node(ni); 591 } 592 return (error); 593} 594 595static int 596ieee80211_validate_frame(struct mbuf *m, 597 const struct ieee80211_bpf_params *params) 598{ 599 struct ieee80211_frame *wh; 600 int type; 601 602 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_ack)) 603 return (EINVAL); 604 605 wh = mtod(m, struct ieee80211_frame *); 606 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 607 IEEE80211_FC0_VERSION_0) 608 return (EINVAL); 609 610 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 611 if (type != IEEE80211_FC0_TYPE_DATA) { 612 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != 613 IEEE80211_FC1_DIR_NODS) 614 return (EINVAL); 615 616 if (type != IEEE80211_FC0_TYPE_MGT && 617 (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) != 0) 618 return (EINVAL); 619 620 /* XXX skip other field checks? */ 621 } 622 623 if ((params && (params->ibp_flags & IEEE80211_BPF_CRYPTO) != 0) || 624 (IEEE80211_IS_PROTECTED(wh))) { 625 int subtype; 626 627 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 628 629 /* 630 * See IEEE Std 802.11-2012, 631 * 8.2.4.1.9 'Protected Frame field' 632 */ 633 /* XXX no support for robust management frames yet. */ 634 if (!(type == IEEE80211_FC0_TYPE_DATA || 635 (type == IEEE80211_FC0_TYPE_MGT && 636 subtype == IEEE80211_FC0_SUBTYPE_AUTH))) 637 return (EINVAL); 638 639 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 640 } 641 642 if (m->m_pkthdr.len < ieee80211_anyhdrsize(wh)) 643 return (EINVAL); 644 645 return (0); 646} 647 648static int 649ieee80211_validate_rate(struct ieee80211_node *ni, uint8_t rate) 650{ 651 struct ieee80211com *ic = ni->ni_ic; 652 653 if (IEEE80211_IS_HT_RATE(rate)) { 654 if ((ic->ic_htcaps & IEEE80211_HTC_HT) == 0) 655 return (EINVAL); 656 657 rate = IEEE80211_RV(rate); 658 if (rate <= 31) { 659 if (rate > ic->ic_txstream * 8 - 1) 660 return (EINVAL); 661 662 return (0); 663 } 664 665 if (rate == 32) { 666 if ((ic->ic_htcaps & IEEE80211_HTC_TXMCS32) == 0) 667 return (EINVAL); 668 669 return (0); 670 } 671 672 if ((ic->ic_htcaps & IEEE80211_HTC_TXUNEQUAL) == 0) 673 return (EINVAL); 674 675 switch (ic->ic_txstream) { 676 case 0: 677 case 1: 678 return (EINVAL); 679 case 2: 680 if (rate > 38) 681 return (EINVAL); 682 683 return (0); 684 case 3: 685 if (rate > 52) 686 return (EINVAL); 687 688 return (0); 689 case 4: 690 default: 691 if (rate > 76) 692 return (EINVAL); 693 694 return (0); 695 } 696 } 697 698 if (!ieee80211_isratevalid(ic->ic_rt, rate)) 699 return (EINVAL); 700 701 return (0); 702} 703 704static int 705ieee80211_sanitize_rates(struct ieee80211_node *ni, struct mbuf *m, 706 const struct ieee80211_bpf_params *params) 707{ 708 int error; 709 710 if (!params) 711 return (0); /* nothing to do */ 712 713 /* NB: most drivers assume that ibp_rate0 is set (!= 0). */ 714 if (params->ibp_rate0 != 0) { 715 error = ieee80211_validate_rate(ni, params->ibp_rate0); 716 if (error != 0) 717 return (error); 718 } else { 719 /* XXX pre-setup some default (e.g., mgmt / mcast) rate */ 720 /* XXX __DECONST? */ 721 (void) m; 722 } 723 724 if (params->ibp_rate1 != 0 && 725 (error = ieee80211_validate_rate(ni, params->ibp_rate1)) != 0) 726 return (error); 727 728 if (params->ibp_rate2 != 0 && 729 (error = ieee80211_validate_rate(ni, params->ibp_rate2)) != 0) 730 return (error); 731 732 if (params->ibp_rate3 != 0 && 733 (error = ieee80211_validate_rate(ni, params->ibp_rate3)) != 0) 734 return (error); 735 736 return (0); 737} 738 739/* 740 * 802.11 output routine. This is (currently) used only to 741 * connect bpf write calls to the 802.11 layer for injecting 742 * raw 802.11 frames. 743 */ 744int 745ieee80211_output(struct ifnet *ifp, struct mbuf *m, 746 const struct sockaddr *dst, struct route *ro) 747{ 748#define senderr(e) do { error = (e); goto bad;} while (0) 749 const struct ieee80211_bpf_params *params = NULL; 750 struct ieee80211_node *ni = NULL; 751 struct ieee80211vap *vap; 752 struct ieee80211_frame *wh; 753 struct ieee80211com *ic = NULL; 754 int error; 755 int ret; 756 757 if (ifp->if_drv_flags & IFF_DRV_OACTIVE) { 758 /* 759 * Short-circuit requests if the vap is marked OACTIVE 760 * as this can happen because a packet came down through 761 * ieee80211_start before the vap entered RUN state in 762 * which case it's ok to just drop the frame. This 763 * should not be necessary but callers of if_output don't 764 * check OACTIVE. 765 */ 766 senderr(ENETDOWN); 767 } 768 vap = ifp->if_softc; 769 ic = vap->iv_ic; 770 /* 771 * Hand to the 802.3 code if not tagged as 772 * a raw 802.11 frame. 773 */ 774 if (dst->sa_family != AF_IEEE80211) 775 return vap->iv_output(ifp, m, dst, ro); 776#ifdef MAC 777 error = mac_ifnet_check_transmit(ifp, m); 778 if (error) 779 senderr(error); 780#endif 781 if (ifp->if_flags & IFF_MONITOR) 782 senderr(ENETDOWN); 783 if (!IFNET_IS_UP_RUNNING(ifp)) 784 senderr(ENETDOWN); 785 if (vap->iv_state == IEEE80211_S_CAC) { 786 IEEE80211_DPRINTF(vap, 787 IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 788 "block %s frame in CAC state\n", "raw data"); 789 vap->iv_stats.is_tx_badstate++; 790 senderr(EIO); /* XXX */ 791 } else if (vap->iv_state == IEEE80211_S_SCAN) 792 senderr(EIO); 793 /* XXX bypass bridge, pfil, carp, etc. */ 794 795 /* 796 * NB: DLT_IEEE802_11_RADIO identifies the parameters are 797 * present by setting the sa_len field of the sockaddr (yes, 798 * this is a hack). 799 * NB: we assume sa_data is suitably aligned to cast. 800 */ 801 if (dst->sa_len != 0) 802 params = (const struct ieee80211_bpf_params *)dst->sa_data; 803 804 error = ieee80211_validate_frame(m, params); 805 if (error != 0) 806 senderr(error); 807 808 wh = mtod(m, struct ieee80211_frame *); 809 810 /* locate destination node */ 811 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 812 case IEEE80211_FC1_DIR_NODS: 813 case IEEE80211_FC1_DIR_FROMDS: 814 ni = ieee80211_find_txnode(vap, wh->i_addr1); 815 break; 816 case IEEE80211_FC1_DIR_TODS: 817 case IEEE80211_FC1_DIR_DSTODS: 818 ni = ieee80211_find_txnode(vap, wh->i_addr3); 819 break; 820 default: 821 senderr(EDOOFUS); 822 } 823 if (ni == NULL) { 824 /* 825 * Permit packets w/ bpf params through regardless 826 * (see below about sa_len). 827 */ 828 if (dst->sa_len == 0) 829 senderr(EHOSTUNREACH); 830 ni = ieee80211_ref_node(vap->iv_bss); 831 } 832 833 /* 834 * Sanitize mbuf for net80211 flags leaked from above. 835 * 836 * NB: This must be done before ieee80211_classify as 837 * it marks EAPOL in frames with M_EAPOL. 838 */ 839 m->m_flags &= ~M_80211_TX; 840 m->m_flags |= M_ENCAP; /* mark encapsulated */ 841 842 if (IEEE80211_IS_DATA(wh)) { 843 /* calculate priority so drivers can find the tx queue */ 844 if (ieee80211_classify(ni, m)) 845 senderr(EIO); /* XXX */ 846 847 /* NB: ieee80211_encap does not include 802.11 header */ 848 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, 849 m->m_pkthdr.len - ieee80211_hdrsize(wh)); 850 } else 851 M_WME_SETAC(m, WME_AC_BE); 852 853 error = ieee80211_sanitize_rates(ni, m, params); 854 if (error != 0) 855 senderr(error); 856 857 IEEE80211_NODE_STAT(ni, tx_data); 858 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 859 IEEE80211_NODE_STAT(ni, tx_mcast); 860 m->m_flags |= M_MCAST; 861 } else 862 IEEE80211_NODE_STAT(ni, tx_ucast); 863 864 IEEE80211_TX_LOCK(ic); 865 ret = ieee80211_raw_output(vap, ni, m, params); 866 IEEE80211_TX_UNLOCK(ic); 867 return (ret); 868bad: 869 if (m != NULL) 870 m_freem(m); 871 if (ni != NULL) 872 ieee80211_free_node(ni); 873 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 874 return error; 875#undef senderr 876} 877 878/* 879 * Set the direction field and address fields of an outgoing 880 * frame. Note this should be called early on in constructing 881 * a frame as it sets i_fc[1]; other bits can then be or'd in. 882 */ 883void 884ieee80211_send_setup( 885 struct ieee80211_node *ni, 886 struct mbuf *m, 887 int type, int tid, 888 const uint8_t sa[IEEE80211_ADDR_LEN], 889 const uint8_t da[IEEE80211_ADDR_LEN], 890 const uint8_t bssid[IEEE80211_ADDR_LEN]) 891{ 892#define WH4(wh) ((struct ieee80211_frame_addr4 *)wh) 893 struct ieee80211vap *vap = ni->ni_vap; 894 struct ieee80211_tx_ampdu *tap; 895 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 896 ieee80211_seq seqno; 897 898 IEEE80211_TX_LOCK_ASSERT(ni->ni_ic); 899 900 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | type; 901 if ((type & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_DATA) { 902 switch (vap->iv_opmode) { 903 case IEEE80211_M_STA: 904 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 905 IEEE80211_ADDR_COPY(wh->i_addr1, bssid); 906 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 907 IEEE80211_ADDR_COPY(wh->i_addr3, da); 908 break; 909 case IEEE80211_M_IBSS: 910 case IEEE80211_M_AHDEMO: 911 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 912 IEEE80211_ADDR_COPY(wh->i_addr1, da); 913 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 914 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 915 break; 916 case IEEE80211_M_HOSTAP: 917 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 918 IEEE80211_ADDR_COPY(wh->i_addr1, da); 919 IEEE80211_ADDR_COPY(wh->i_addr2, bssid); 920 IEEE80211_ADDR_COPY(wh->i_addr3, sa); 921 break; 922 case IEEE80211_M_WDS: 923 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 924 IEEE80211_ADDR_COPY(wh->i_addr1, da); 925 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 926 IEEE80211_ADDR_COPY(wh->i_addr3, da); 927 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa); 928 break; 929 case IEEE80211_M_MBSS: 930#ifdef IEEE80211_SUPPORT_MESH 931 if (IEEE80211_IS_MULTICAST(da)) { 932 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 933 /* XXX next hop */ 934 IEEE80211_ADDR_COPY(wh->i_addr1, da); 935 IEEE80211_ADDR_COPY(wh->i_addr2, 936 vap->iv_myaddr); 937 } else { 938 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 939 IEEE80211_ADDR_COPY(wh->i_addr1, da); 940 IEEE80211_ADDR_COPY(wh->i_addr2, 941 vap->iv_myaddr); 942 IEEE80211_ADDR_COPY(wh->i_addr3, da); 943 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa); 944 } 945#endif 946 break; 947 case IEEE80211_M_MONITOR: /* NB: to quiet compiler */ 948 break; 949 } 950 } else { 951 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 952 IEEE80211_ADDR_COPY(wh->i_addr1, da); 953 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 954#ifdef IEEE80211_SUPPORT_MESH 955 if (vap->iv_opmode == IEEE80211_M_MBSS) 956 IEEE80211_ADDR_COPY(wh->i_addr3, sa); 957 else 958#endif 959 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 960 } 961 *(uint16_t *)&wh->i_dur[0] = 0; 962 963 /* 964 * XXX TODO: this is what the TX lock is for. 965 * Here we're incrementing sequence numbers, and they 966 * need to be in lock-step with what the driver is doing 967 * both in TX ordering and crypto encap (IV increment.) 968 * 969 * If the driver does seqno itself, then we can skip 970 * assigning sequence numbers here, and we can avoid 971 * requiring the TX lock. 972 */ 973 tap = &ni->ni_tx_ampdu[tid]; 974 if (tid != IEEE80211_NONQOS_TID && IEEE80211_AMPDU_RUNNING(tap)) { 975 m->m_flags |= M_AMPDU_MPDU; 976 977 /* NB: zero out i_seq field (for s/w encryption etc) */ 978 *(uint16_t *)&wh->i_seq[0] = 0; 979 } else { 980 if (IEEE80211_HAS_SEQ(type & IEEE80211_FC0_TYPE_MASK, 981 type & IEEE80211_FC0_SUBTYPE_MASK)) 982 /* 983 * 802.11-2012 9.3.2.10 - QoS multicast frames 984 * come out of a different seqno space. 985 */ 986 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 987 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++; 988 } else { 989 seqno = ni->ni_txseqs[tid]++; 990 } 991 else 992 seqno = 0; 993 994 *(uint16_t *)&wh->i_seq[0] = 995 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 996 M_SEQNO_SET(m, seqno); 997 } 998 999 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) 1000 m->m_flags |= M_MCAST; 1001#undef WH4 1002} 1003 1004/* 1005 * Send a management frame to the specified node. The node pointer 1006 * must have a reference as the pointer will be passed to the driver 1007 * and potentially held for a long time. If the frame is successfully 1008 * dispatched to the driver, then it is responsible for freeing the 1009 * reference (and potentially free'ing up any associated storage); 1010 * otherwise deal with reclaiming any reference (on error). 1011 */ 1012int 1013ieee80211_mgmt_output(struct ieee80211_node *ni, struct mbuf *m, int type, 1014 struct ieee80211_bpf_params *params) 1015{ 1016 struct ieee80211vap *vap = ni->ni_vap; 1017 struct ieee80211com *ic = ni->ni_ic; 1018 struct ieee80211_frame *wh; 1019 int ret; 1020 1021 KASSERT(ni != NULL, ("null node")); 1022 1023 if (vap->iv_state == IEEE80211_S_CAC) { 1024 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 1025 ni, "block %s frame in CAC state", 1026 ieee80211_mgt_subtype_name(type)); 1027 vap->iv_stats.is_tx_badstate++; 1028 ieee80211_free_node(ni); 1029 m_freem(m); 1030 return EIO; /* XXX */ 1031 } 1032 1033 M_PREPEND(m, sizeof(struct ieee80211_frame), IEEE80211_M_NOWAIT); 1034 if (m == NULL) { 1035 ieee80211_free_node(ni); 1036 return ENOMEM; 1037 } 1038 1039 IEEE80211_TX_LOCK(ic); 1040 1041 wh = mtod(m, struct ieee80211_frame *); 1042 ieee80211_send_setup(ni, m, 1043 IEEE80211_FC0_TYPE_MGT | type, IEEE80211_NONQOS_TID, 1044 vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 1045 if (params->ibp_flags & IEEE80211_BPF_CRYPTO) { 1046 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr1, 1047 "encrypting frame (%s)", __func__); 1048 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 1049 } 1050 m->m_flags |= M_ENCAP; /* mark encapsulated */ 1051 1052 KASSERT(type != IEEE80211_FC0_SUBTYPE_PROBE_RESP, ("probe response?")); 1053 M_WME_SETAC(m, params->ibp_pri); 1054 1055#ifdef IEEE80211_DEBUG 1056 /* avoid printing too many frames */ 1057 if ((ieee80211_msg_debug(vap) && doprint(vap, type)) || 1058 ieee80211_msg_dumppkts(vap)) { 1059 ieee80211_note(vap, "[%s] send %s on channel %u\n", 1060 ether_sprintf(wh->i_addr1), 1061 ieee80211_mgt_subtype_name(type), 1062 ieee80211_chan2ieee(ic, ic->ic_curchan)); 1063 } 1064#endif 1065 IEEE80211_NODE_STAT(ni, tx_mgmt); 1066 1067 ret = ieee80211_raw_output(vap, ni, m, params); 1068 IEEE80211_TX_UNLOCK(ic); 1069 return (ret); 1070} 1071 1072static void 1073ieee80211_nulldata_transmitted(struct ieee80211_node *ni, void *arg, 1074 int status) 1075{ 1076 struct ieee80211vap *vap = ni->ni_vap; 1077 1078 wakeup(vap); 1079} 1080 1081/* 1082 * Send a null data frame to the specified node. If the station 1083 * is setup for QoS then a QoS Null Data frame is constructed. 1084 * If this is a WDS station then a 4-address frame is constructed. 1085 * 1086 * NB: the caller is assumed to have setup a node reference 1087 * for use; this is necessary to deal with a race condition 1088 * when probing for inactive stations. Like ieee80211_mgmt_output 1089 * we must cleanup any node reference on error; however we 1090 * can safely just unref it as we know it will never be the 1091 * last reference to the node. 1092 */ 1093int 1094ieee80211_send_nulldata(struct ieee80211_node *ni) 1095{ 1096 struct ieee80211vap *vap = ni->ni_vap; 1097 struct ieee80211com *ic = ni->ni_ic; 1098 struct mbuf *m; 1099 struct ieee80211_frame *wh; 1100 int hdrlen; 1101 uint8_t *frm; 1102 int ret; 1103 1104 if (vap->iv_state == IEEE80211_S_CAC) { 1105 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 1106 ni, "block %s frame in CAC state", "null data"); 1107 ieee80211_node_decref(ni); 1108 vap->iv_stats.is_tx_badstate++; 1109 return EIO; /* XXX */ 1110 } 1111 1112 if (ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT)) 1113 hdrlen = sizeof(struct ieee80211_qosframe); 1114 else 1115 hdrlen = sizeof(struct ieee80211_frame); 1116 /* NB: only WDS vap's get 4-address frames */ 1117 if (vap->iv_opmode == IEEE80211_M_WDS) 1118 hdrlen += IEEE80211_ADDR_LEN; 1119 if (ic->ic_flags & IEEE80211_F_DATAPAD) 1120 hdrlen = roundup(hdrlen, sizeof(uint32_t)); 1121 1122 m = ieee80211_getmgtframe(&frm, ic->ic_headroom + hdrlen, 0); 1123 if (m == NULL) { 1124 /* XXX debug msg */ 1125 ieee80211_node_decref(ni); 1126 vap->iv_stats.is_tx_nobuf++; 1127 return ENOMEM; 1128 } 1129 KASSERT(M_LEADINGSPACE(m) >= hdrlen, 1130 ("leading space %zd", M_LEADINGSPACE(m))); 1131 M_PREPEND(m, hdrlen, IEEE80211_M_NOWAIT); 1132 if (m == NULL) { 1133 /* NB: cannot happen */ 1134 ieee80211_free_node(ni); 1135 return ENOMEM; 1136 } 1137 1138 IEEE80211_TX_LOCK(ic); 1139 1140 wh = mtod(m, struct ieee80211_frame *); /* NB: a little lie */ 1141 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1142 const int tid = WME_AC_TO_TID(WME_AC_BE); 1143 uint8_t *qos; 1144 1145 ieee80211_send_setup(ni, m, 1146 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_QOS_NULL, 1147 tid, vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 1148 1149 if (vap->iv_opmode == IEEE80211_M_WDS) 1150 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1151 else 1152 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1153 qos[0] = tid & IEEE80211_QOS_TID; 1154 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[WME_AC_BE].wmep_noackPolicy) 1155 qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK; 1156 qos[1] = 0; 1157 } else { 1158 ieee80211_send_setup(ni, m, 1159 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_NODATA, 1160 IEEE80211_NONQOS_TID, 1161 vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 1162 } 1163 if (vap->iv_opmode != IEEE80211_M_WDS) { 1164 /* NB: power management bit is never sent by an AP */ 1165 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 1166 vap->iv_opmode != IEEE80211_M_HOSTAP) 1167 wh->i_fc[1] |= IEEE80211_FC1_PWR_MGT; 1168 } 1169 if ((ic->ic_flags & IEEE80211_F_SCAN) && 1170 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)) { 1171 ieee80211_add_callback(m, ieee80211_nulldata_transmitted, 1172 NULL); 1173 } 1174 m->m_len = m->m_pkthdr.len = hdrlen; 1175 m->m_flags |= M_ENCAP; /* mark encapsulated */ 1176 1177 M_WME_SETAC(m, WME_AC_BE); 1178 1179 IEEE80211_NODE_STAT(ni, tx_data); 1180 1181 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, ni, 1182 "send %snull data frame on channel %u, pwr mgt %s", 1183 ni->ni_flags & IEEE80211_NODE_QOS ? "QoS " : "", 1184 ieee80211_chan2ieee(ic, ic->ic_curchan), 1185 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT ? "ena" : "dis"); 1186 1187 ret = ieee80211_raw_output(vap, ni, m, NULL); 1188 IEEE80211_TX_UNLOCK(ic); 1189 return (ret); 1190} 1191 1192/* 1193 * Assign priority to a frame based on any vlan tag assigned 1194 * to the station and/or any Diffserv setting in an IP header. 1195 * Finally, if an ACM policy is setup (in station mode) it's 1196 * applied. 1197 */ 1198int 1199ieee80211_classify(struct ieee80211_node *ni, struct mbuf *m) 1200{ 1201 const struct ether_header *eh = NULL; 1202 uint16_t ether_type; 1203 int v_wme_ac, d_wme_ac, ac; 1204 1205 if (__predict_false(m->m_flags & M_ENCAP)) { 1206 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 1207 struct llc *llc; 1208 int hdrlen, subtype; 1209 1210 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 1211 if (subtype & IEEE80211_FC0_SUBTYPE_NODATA) { 1212 ac = WME_AC_BE; 1213 goto done; 1214 } 1215 1216 hdrlen = ieee80211_hdrsize(wh); 1217 if (m->m_pkthdr.len < hdrlen + sizeof(*llc)) 1218 return 1; 1219 1220 llc = (struct llc *)mtodo(m, hdrlen); 1221 if (llc->llc_dsap != LLC_SNAP_LSAP || 1222 llc->llc_ssap != LLC_SNAP_LSAP || 1223 llc->llc_control != LLC_UI || 1224 llc->llc_snap.org_code[0] != 0 || 1225 llc->llc_snap.org_code[1] != 0 || 1226 llc->llc_snap.org_code[2] != 0) 1227 return 1; 1228 1229 ether_type = llc->llc_snap.ether_type; 1230 } else { 1231 eh = mtod(m, struct ether_header *); 1232 ether_type = eh->ether_type; 1233 } 1234 1235 /* 1236 * Always promote PAE/EAPOL frames to high priority. 1237 */ 1238 if (ether_type == htons(ETHERTYPE_PAE)) { 1239 /* NB: mark so others don't need to check header */ 1240 m->m_flags |= M_EAPOL; 1241 ac = WME_AC_VO; 1242 goto done; 1243 } 1244 /* 1245 * Non-qos traffic goes to BE. 1246 */ 1247 if ((ni->ni_flags & IEEE80211_NODE_QOS) == 0) { 1248 ac = WME_AC_BE; 1249 goto done; 1250 } 1251 1252 /* 1253 * If node has a vlan tag then all traffic 1254 * to it must have a matching tag. 1255 */ 1256 v_wme_ac = 0; 1257 if (ni->ni_vlan != 0) { 1258 if ((m->m_flags & M_VLANTAG) == 0) { 1259 IEEE80211_NODE_STAT(ni, tx_novlantag); 1260 return 1; 1261 } 1262 if (EVL_VLANOFTAG(m->m_pkthdr.ether_vtag) != 1263 EVL_VLANOFTAG(ni->ni_vlan)) { 1264 IEEE80211_NODE_STAT(ni, tx_vlanmismatch); 1265 return 1; 1266 } 1267 /* map vlan priority to AC */ 1268 v_wme_ac = TID_TO_WME_AC(EVL_PRIOFTAG(ni->ni_vlan)); 1269 } 1270 1271 if (eh == NULL) 1272 goto no_eh; 1273 1274 /* XXX m_copydata may be too slow for fast path */ 1275 switch (ntohs(eh->ether_type)) { 1276#ifdef INET 1277 case ETHERTYPE_IP: 1278 { 1279 uint8_t tos; 1280 /* 1281 * IP frame, map the DSCP bits from the TOS field. 1282 */ 1283 /* NB: ip header may not be in first mbuf */ 1284 m_copydata(m, sizeof(struct ether_header) + 1285 offsetof(struct ip, ip_tos), sizeof(tos), &tos); 1286 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */ 1287 d_wme_ac = TID_TO_WME_AC(tos); 1288 break; 1289 } 1290#endif 1291#ifdef INET6 1292 case ETHERTYPE_IPV6: 1293 { 1294 uint32_t flow; 1295 uint8_t tos; 1296 /* 1297 * IPv6 frame, map the DSCP bits from the traffic class field. 1298 */ 1299 m_copydata(m, sizeof(struct ether_header) + 1300 offsetof(struct ip6_hdr, ip6_flow), sizeof(flow), 1301 (caddr_t) &flow); 1302 tos = (uint8_t)(ntohl(flow) >> 20); 1303 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */ 1304 d_wme_ac = TID_TO_WME_AC(tos); 1305 break; 1306 } 1307#endif 1308 default: 1309no_eh: 1310 d_wme_ac = WME_AC_BE; 1311 break; 1312 } 1313 1314 /* 1315 * Use highest priority AC. 1316 */ 1317 if (v_wme_ac > d_wme_ac) 1318 ac = v_wme_ac; 1319 else 1320 ac = d_wme_ac; 1321 1322 /* 1323 * Apply ACM policy. 1324 */ 1325 if (ni->ni_vap->iv_opmode == IEEE80211_M_STA) { 1326 static const int acmap[4] = { 1327 WME_AC_BK, /* WME_AC_BE */ 1328 WME_AC_BK, /* WME_AC_BK */ 1329 WME_AC_BE, /* WME_AC_VI */ 1330 WME_AC_VI, /* WME_AC_VO */ 1331 }; 1332 struct ieee80211com *ic = ni->ni_ic; 1333 1334 while (ac != WME_AC_BK && 1335 ic->ic_wme.wme_wmeBssChanParams.cap_wmeParams[ac].wmep_acm) 1336 ac = acmap[ac]; 1337 } 1338done: 1339 M_WME_SETAC(m, ac); 1340 return 0; 1341} 1342 1343/* 1344 * Insure there is sufficient contiguous space to encapsulate the 1345 * 802.11 data frame. If room isn't already there, arrange for it. 1346 * Drivers and cipher modules assume we have done the necessary work 1347 * and fail rudely if they don't find the space they need. 1348 */ 1349struct mbuf * 1350ieee80211_mbuf_adjust(struct ieee80211vap *vap, int hdrsize, 1351 struct ieee80211_key *key, struct mbuf *m) 1352{ 1353#define TO_BE_RECLAIMED (sizeof(struct ether_header) - sizeof(struct llc)) 1354 int needed_space = vap->iv_ic->ic_headroom + hdrsize; 1355 1356 if (key != NULL) { 1357 /* XXX belongs in crypto code? */ 1358 needed_space += key->wk_cipher->ic_header; 1359 /* XXX frags */ 1360 /* 1361 * When crypto is being done in the host we must insure 1362 * the data are writable for the cipher routines; clone 1363 * a writable mbuf chain. 1364 * XXX handle SWMIC specially 1365 */ 1366 if (key->wk_flags & (IEEE80211_KEY_SWENCRYPT|IEEE80211_KEY_SWENMIC)) { 1367 m = m_unshare(m, IEEE80211_M_NOWAIT); 1368 if (m == NULL) { 1369 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 1370 "%s: cannot get writable mbuf\n", __func__); 1371 vap->iv_stats.is_tx_nobuf++; /* XXX new stat */ 1372 return NULL; 1373 } 1374 } 1375 } 1376 /* 1377 * We know we are called just before stripping an Ethernet 1378 * header and prepending an LLC header. This means we know 1379 * there will be 1380 * sizeof(struct ether_header) - sizeof(struct llc) 1381 * bytes recovered to which we need additional space for the 1382 * 802.11 header and any crypto header. 1383 */ 1384 /* XXX check trailing space and copy instead? */ 1385 if (M_LEADINGSPACE(m) < needed_space - TO_BE_RECLAIMED) { 1386 struct mbuf *n = m_gethdr(IEEE80211_M_NOWAIT, m->m_type); 1387 if (n == NULL) { 1388 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 1389 "%s: cannot expand storage\n", __func__); 1390 vap->iv_stats.is_tx_nobuf++; 1391 m_freem(m); 1392 return NULL; 1393 } 1394 KASSERT(needed_space <= MHLEN, 1395 ("not enough room, need %u got %d\n", needed_space, MHLEN)); 1396 /* 1397 * Setup new mbuf to have leading space to prepend the 1398 * 802.11 header and any crypto header bits that are 1399 * required (the latter are added when the driver calls 1400 * back to ieee80211_crypto_encap to do crypto encapsulation). 1401 */ 1402 /* NB: must be first 'cuz it clobbers m_data */ 1403 m_move_pkthdr(n, m); 1404 n->m_len = 0; /* NB: m_gethdr does not set */ 1405 n->m_data += needed_space; 1406 /* 1407 * Pull up Ethernet header to create the expected layout. 1408 * We could use m_pullup but that's overkill (i.e. we don't 1409 * need the actual data) and it cannot fail so do it inline 1410 * for speed. 1411 */ 1412 /* NB: struct ether_header is known to be contiguous */ 1413 n->m_len += sizeof(struct ether_header); 1414 m->m_len -= sizeof(struct ether_header); 1415 m->m_data += sizeof(struct ether_header); 1416 /* 1417 * Replace the head of the chain. 1418 */ 1419 n->m_next = m; 1420 m = n; 1421 } 1422 return m; 1423#undef TO_BE_RECLAIMED 1424} 1425 1426/* 1427 * Return the transmit key to use in sending a unicast frame. 1428 * If a unicast key is set we use that. When no unicast key is set 1429 * we fall back to the default transmit key. 1430 */ 1431static __inline struct ieee80211_key * 1432ieee80211_crypto_getucastkey(struct ieee80211vap *vap, 1433 struct ieee80211_node *ni) 1434{ 1435 if (IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)) { 1436 if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE || 1437 IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey])) 1438 return NULL; 1439 return &vap->iv_nw_keys[vap->iv_def_txkey]; 1440 } else { 1441 return &ni->ni_ucastkey; 1442 } 1443} 1444 1445/* 1446 * Return the transmit key to use in sending a multicast frame. 1447 * Multicast traffic always uses the group key which is installed as 1448 * the default tx key. 1449 */ 1450static __inline struct ieee80211_key * 1451ieee80211_crypto_getmcastkey(struct ieee80211vap *vap, 1452 struct ieee80211_node *ni) 1453{ 1454 if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE || 1455 IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey])) 1456 return NULL; 1457 return &vap->iv_nw_keys[vap->iv_def_txkey]; 1458} 1459 1460/* 1461 * Encapsulate an outbound data frame. The mbuf chain is updated. 1462 * If an error is encountered NULL is returned. The caller is required 1463 * to provide a node reference and pullup the ethernet header in the 1464 * first mbuf. 1465 * 1466 * NB: Packet is assumed to be processed by ieee80211_classify which 1467 * marked EAPOL frames w/ M_EAPOL. 1468 */ 1469struct mbuf * 1470ieee80211_encap(struct ieee80211vap *vap, struct ieee80211_node *ni, 1471 struct mbuf *m) 1472{ 1473#define WH4(wh) ((struct ieee80211_frame_addr4 *)(wh)) 1474#define MC01(mc) ((struct ieee80211_meshcntl_ae01 *)mc) 1475 struct ieee80211com *ic = ni->ni_ic; 1476#ifdef IEEE80211_SUPPORT_MESH 1477 struct ieee80211_mesh_state *ms = vap->iv_mesh; 1478 struct ieee80211_meshcntl_ae10 *mc; 1479 struct ieee80211_mesh_route *rt = NULL; 1480 int dir = -1; 1481#endif 1482 struct ether_header eh; 1483 struct ieee80211_frame *wh; 1484 struct ieee80211_key *key; 1485 struct llc *llc; 1486 int hdrsize, hdrspace, datalen, addqos, txfrag, is4addr, is_mcast; 1487 ieee80211_seq seqno; 1488 int meshhdrsize, meshae; 1489 uint8_t *qos; 1490 int is_amsdu = 0; 1491 1492 IEEE80211_TX_LOCK_ASSERT(ic); 1493 1494 is_mcast = !! (m->m_flags & (M_MCAST | M_BCAST)); 1495 1496 /* 1497 * Copy existing Ethernet header to a safe place. The 1498 * rest of the code assumes it's ok to strip it when 1499 * reorganizing state for the final encapsulation. 1500 */ 1501 KASSERT(m->m_len >= sizeof(eh), ("no ethernet header!")); 1502 ETHER_HEADER_COPY(&eh, mtod(m, caddr_t)); 1503 1504 /* 1505 * Insure space for additional headers. First identify 1506 * transmit key to use in calculating any buffer adjustments 1507 * required. This is also used below to do privacy 1508 * encapsulation work. Then calculate the 802.11 header 1509 * size and any padding required by the driver. 1510 * 1511 * Note key may be NULL if we fall back to the default 1512 * transmit key and that is not set. In that case the 1513 * buffer may not be expanded as needed by the cipher 1514 * routines, but they will/should discard it. 1515 */ 1516 if (vap->iv_flags & IEEE80211_F_PRIVACY) { 1517 if (vap->iv_opmode == IEEE80211_M_STA || 1518 !IEEE80211_IS_MULTICAST(eh.ether_dhost) || 1519 (vap->iv_opmode == IEEE80211_M_WDS && 1520 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY))) { 1521 key = ieee80211_crypto_getucastkey(vap, ni); 1522 } else if ((vap->iv_opmode == IEEE80211_M_WDS) && 1523 (! (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY))) { 1524 /* 1525 * Use ucastkey for DWDS transmit nodes, multicast 1526 * or otherwise. 1527 * 1528 * This is required to ensure that multicast frames 1529 * from a DWDS AP to a DWDS STA is encrypted with 1530 * a key that can actually work. 1531 * 1532 * There's no default key for multicast traffic 1533 * on a DWDS WDS VAP node (note NOT the DWDS enabled 1534 * AP VAP, the dynamically created per-STA WDS node) 1535 * so encap fails and transmit fails. 1536 */ 1537 key = ieee80211_crypto_getucastkey(vap, ni); 1538 } else { 1539 key = ieee80211_crypto_getmcastkey(vap, ni); 1540 } 1541 if (key == NULL && (m->m_flags & M_EAPOL) == 0) { 1542 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 1543 eh.ether_dhost, 1544 "no default transmit key (%s) deftxkey %u", 1545 __func__, vap->iv_def_txkey); 1546 vap->iv_stats.is_tx_nodefkey++; 1547 goto bad; 1548 } 1549 } else 1550 key = NULL; 1551 /* 1552 * XXX Some ap's don't handle QoS-encapsulated EAPOL 1553 * frames so suppress use. This may be an issue if other 1554 * ap's require all data frames to be QoS-encapsulated 1555 * once negotiated in which case we'll need to make this 1556 * configurable. 1557 * 1558 * Don't send multicast QoS frames. 1559 * Technically multicast frames can be QoS if all stations in the 1560 * BSS are also QoS. 1561 * 1562 * NB: mesh data frames are QoS, including multicast frames. 1563 */ 1564 addqos = 1565 (((is_mcast == 0) && (ni->ni_flags & 1566 (IEEE80211_NODE_QOS|IEEE80211_NODE_HT))) || 1567 (vap->iv_opmode == IEEE80211_M_MBSS)) && 1568 (m->m_flags & M_EAPOL) == 0; 1569 1570 if (addqos) 1571 hdrsize = sizeof(struct ieee80211_qosframe); 1572 else 1573 hdrsize = sizeof(struct ieee80211_frame); 1574#ifdef IEEE80211_SUPPORT_MESH 1575 if (vap->iv_opmode == IEEE80211_M_MBSS) { 1576 /* 1577 * Mesh data frames are encapsulated according to the 1578 * rules of Section 11B.8.5 (p.139 of D3.0 spec). 1579 * o Group Addressed data (aka multicast) originating 1580 * at the local sta are sent w/ 3-address format and 1581 * address extension mode 00 1582 * o Individually Addressed data (aka unicast) originating 1583 * at the local sta are sent w/ 4-address format and 1584 * address extension mode 00 1585 * o Group Addressed data forwarded from a non-mesh sta are 1586 * sent w/ 3-address format and address extension mode 01 1587 * o Individually Address data from another sta are sent 1588 * w/ 4-address format and address extension mode 10 1589 */ 1590 is4addr = 0; /* NB: don't use, disable */ 1591 if (!IEEE80211_IS_MULTICAST(eh.ether_dhost)) { 1592 rt = ieee80211_mesh_rt_find(vap, eh.ether_dhost); 1593 KASSERT(rt != NULL, ("route is NULL")); 1594 dir = IEEE80211_FC1_DIR_DSTODS; 1595 hdrsize += IEEE80211_ADDR_LEN; 1596 if (rt->rt_flags & IEEE80211_MESHRT_FLAGS_PROXY) { 1597 if (IEEE80211_ADDR_EQ(rt->rt_mesh_gate, 1598 vap->iv_myaddr)) { 1599 IEEE80211_NOTE_MAC(vap, 1600 IEEE80211_MSG_MESH, 1601 eh.ether_dhost, 1602 "%s", "trying to send to ourself"); 1603 goto bad; 1604 } 1605 meshae = IEEE80211_MESH_AE_10; 1606 meshhdrsize = 1607 sizeof(struct ieee80211_meshcntl_ae10); 1608 } else { 1609 meshae = IEEE80211_MESH_AE_00; 1610 meshhdrsize = 1611 sizeof(struct ieee80211_meshcntl); 1612 } 1613 } else { 1614 dir = IEEE80211_FC1_DIR_FROMDS; 1615 if (!IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr)) { 1616 /* proxy group */ 1617 meshae = IEEE80211_MESH_AE_01; 1618 meshhdrsize = 1619 sizeof(struct ieee80211_meshcntl_ae01); 1620 } else { 1621 /* group */ 1622 meshae = IEEE80211_MESH_AE_00; 1623 meshhdrsize = sizeof(struct ieee80211_meshcntl); 1624 } 1625 } 1626 } else { 1627#endif 1628 /* 1629 * 4-address frames need to be generated for: 1630 * o packets sent through a WDS vap (IEEE80211_M_WDS) 1631 * o packets sent through a vap marked for relaying 1632 * (e.g. a station operating with dynamic WDS) 1633 */ 1634 is4addr = vap->iv_opmode == IEEE80211_M_WDS || 1635 ((vap->iv_flags_ext & IEEE80211_FEXT_4ADDR) && 1636 !IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr)); 1637 if (is4addr) 1638 hdrsize += IEEE80211_ADDR_LEN; 1639 meshhdrsize = meshae = 0; 1640#ifdef IEEE80211_SUPPORT_MESH 1641 } 1642#endif 1643 /* 1644 * Honor driver DATAPAD requirement. 1645 */ 1646 if (ic->ic_flags & IEEE80211_F_DATAPAD) 1647 hdrspace = roundup(hdrsize, sizeof(uint32_t)); 1648 else 1649 hdrspace = hdrsize; 1650 1651 if (__predict_true((m->m_flags & M_FF) == 0)) { 1652 /* 1653 * Normal frame. 1654 */ 1655 m = ieee80211_mbuf_adjust(vap, hdrspace + meshhdrsize, key, m); 1656 if (m == NULL) { 1657 /* NB: ieee80211_mbuf_adjust handles msgs+statistics */ 1658 goto bad; 1659 } 1660 /* NB: this could be optimized 'cuz of ieee80211_mbuf_adjust */ 1661 m_adj(m, sizeof(struct ether_header) - sizeof(struct llc)); 1662 llc = mtod(m, struct llc *); 1663 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 1664 llc->llc_control = LLC_UI; 1665 llc->llc_snap.org_code[0] = 0; 1666 llc->llc_snap.org_code[1] = 0; 1667 llc->llc_snap.org_code[2] = 0; 1668 llc->llc_snap.ether_type = eh.ether_type; 1669 } else { 1670#ifdef IEEE80211_SUPPORT_SUPERG 1671 /* 1672 * Aggregated frame. Check if it's for AMSDU or FF. 1673 * 1674 * XXX TODO: IEEE80211_NODE_AMSDU* isn't implemented 1675 * anywhere for some reason. But, since 11n requires 1676 * AMSDU RX, we can just assume "11n" == "AMSDU". 1677 */ 1678 IEEE80211_DPRINTF(vap, IEEE80211_MSG_SUPERG, "%s: called; M_FF\n", __func__); 1679 if (ieee80211_amsdu_tx_ok(ni)) { 1680 m = ieee80211_amsdu_encap(vap, m, hdrspace + meshhdrsize, key); 1681 is_amsdu = 1; 1682 } else { 1683 m = ieee80211_ff_encap(vap, m, hdrspace + meshhdrsize, key); 1684 } 1685 if (m == NULL) 1686#endif 1687 goto bad; 1688 } 1689 datalen = m->m_pkthdr.len; /* NB: w/o 802.11 header */ 1690 1691 M_PREPEND(m, hdrspace + meshhdrsize, IEEE80211_M_NOWAIT); 1692 if (m == NULL) { 1693 vap->iv_stats.is_tx_nobuf++; 1694 goto bad; 1695 } 1696 wh = mtod(m, struct ieee80211_frame *); 1697 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA; 1698 *(uint16_t *)wh->i_dur = 0; 1699 qos = NULL; /* NB: quiet compiler */ 1700 if (is4addr) { 1701 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 1702 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1703 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1704 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1705 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, eh.ether_shost); 1706 } else switch (vap->iv_opmode) { 1707 case IEEE80211_M_STA: 1708 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 1709 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid); 1710 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 1711 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1712 break; 1713 case IEEE80211_M_IBSS: 1714 case IEEE80211_M_AHDEMO: 1715 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1716 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1717 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 1718 /* 1719 * NB: always use the bssid from iv_bss as the 1720 * neighbor's may be stale after an ibss merge 1721 */ 1722 IEEE80211_ADDR_COPY(wh->i_addr3, vap->iv_bss->ni_bssid); 1723 break; 1724 case IEEE80211_M_HOSTAP: 1725 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1726 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1727 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid); 1728 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 1729 break; 1730#ifdef IEEE80211_SUPPORT_MESH 1731 case IEEE80211_M_MBSS: 1732 /* NB: offset by hdrspace to deal with DATAPAD */ 1733 mc = (struct ieee80211_meshcntl_ae10 *) 1734 (mtod(m, uint8_t *) + hdrspace); 1735 wh->i_fc[1] = dir; 1736 switch (meshae) { 1737 case IEEE80211_MESH_AE_00: /* no proxy */ 1738 mc->mc_flags = 0; 1739 if (dir == IEEE80211_FC1_DIR_DSTODS) { /* ucast */ 1740 IEEE80211_ADDR_COPY(wh->i_addr1, 1741 ni->ni_macaddr); 1742 IEEE80211_ADDR_COPY(wh->i_addr2, 1743 vap->iv_myaddr); 1744 IEEE80211_ADDR_COPY(wh->i_addr3, 1745 eh.ether_dhost); 1746 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, 1747 eh.ether_shost); 1748 qos =((struct ieee80211_qosframe_addr4 *) 1749 wh)->i_qos; 1750 } else if (dir == IEEE80211_FC1_DIR_FROMDS) { 1751 /* mcast */ 1752 IEEE80211_ADDR_COPY(wh->i_addr1, 1753 eh.ether_dhost); 1754 IEEE80211_ADDR_COPY(wh->i_addr2, 1755 vap->iv_myaddr); 1756 IEEE80211_ADDR_COPY(wh->i_addr3, 1757 eh.ether_shost); 1758 qos = ((struct ieee80211_qosframe *) 1759 wh)->i_qos; 1760 } 1761 break; 1762 case IEEE80211_MESH_AE_01: /* mcast, proxy */ 1763 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1764 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1765 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1766 IEEE80211_ADDR_COPY(wh->i_addr3, vap->iv_myaddr); 1767 mc->mc_flags = 1; 1768 IEEE80211_ADDR_COPY(MC01(mc)->mc_addr4, 1769 eh.ether_shost); 1770 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1771 break; 1772 case IEEE80211_MESH_AE_10: /* ucast, proxy */ 1773 KASSERT(rt != NULL, ("route is NULL")); 1774 IEEE80211_ADDR_COPY(wh->i_addr1, rt->rt_nexthop); 1775 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1776 IEEE80211_ADDR_COPY(wh->i_addr3, rt->rt_mesh_gate); 1777 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, vap->iv_myaddr); 1778 mc->mc_flags = IEEE80211_MESH_AE_10; 1779 IEEE80211_ADDR_COPY(mc->mc_addr5, eh.ether_dhost); 1780 IEEE80211_ADDR_COPY(mc->mc_addr6, eh.ether_shost); 1781 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1782 break; 1783 default: 1784 KASSERT(0, ("meshae %d", meshae)); 1785 break; 1786 } 1787 mc->mc_ttl = ms->ms_ttl; 1788 ms->ms_seq++; 1789 le32enc(mc->mc_seq, ms->ms_seq); 1790 break; 1791#endif 1792 case IEEE80211_M_WDS: /* NB: is4addr should always be true */ 1793 default: 1794 goto bad; 1795 } 1796 if (m->m_flags & M_MORE_DATA) 1797 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 1798 if (addqos) { 1799 int ac, tid; 1800 1801 if (is4addr) { 1802 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1803 /* NB: mesh case handled earlier */ 1804 } else if (vap->iv_opmode != IEEE80211_M_MBSS) 1805 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1806 ac = M_WME_GETAC(m); 1807 /* map from access class/queue to 11e header priorty value */ 1808 tid = WME_AC_TO_TID(ac); 1809 qos[0] = tid & IEEE80211_QOS_TID; 1810 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[ac].wmep_noackPolicy) 1811 qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK; 1812#ifdef IEEE80211_SUPPORT_MESH 1813 if (vap->iv_opmode == IEEE80211_M_MBSS) 1814 qos[1] = IEEE80211_QOS_MC; 1815 else 1816#endif 1817 qos[1] = 0; 1818 wh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS_DATA; 1819 1820 /* 1821 * If this is an A-MSDU then ensure we set the 1822 * relevant field. 1823 */ 1824 if (is_amsdu) 1825 qos[0] |= IEEE80211_QOS_AMSDU; 1826 1827 /* 1828 * XXX TODO TX lock is needed for atomic updates of sequence 1829 * numbers. If the driver does it, then don't do it here; 1830 * and we don't need the TX lock held. 1831 */ 1832 if ((m->m_flags & M_AMPDU_MPDU) == 0) { 1833 /* 1834 * 802.11-2012 9.3.2.10 - 1835 * 1836 * If this is a multicast frame then we need 1837 * to ensure that the sequence number comes from 1838 * a separate seqno space and not the TID space. 1839 * 1840 * Otherwise multicast frames may actually cause 1841 * holes in the TX blockack window space and 1842 * upset various things. 1843 */ 1844 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) 1845 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++; 1846 else 1847 seqno = ni->ni_txseqs[tid]++; 1848 1849 /* 1850 * NB: don't assign a sequence # to potential 1851 * aggregates; we expect this happens at the 1852 * point the frame comes off any aggregation q 1853 * as otherwise we may introduce holes in the 1854 * BA sequence space and/or make window accouting 1855 * more difficult. 1856 * 1857 * XXX may want to control this with a driver 1858 * capability; this may also change when we pull 1859 * aggregation up into net80211 1860 */ 1861 *(uint16_t *)wh->i_seq = 1862 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 1863 M_SEQNO_SET(m, seqno); 1864 } else { 1865 /* NB: zero out i_seq field (for s/w encryption etc) */ 1866 *(uint16_t *)wh->i_seq = 0; 1867 } 1868 } else { 1869 /* 1870 * XXX TODO TX lock is needed for atomic updates of sequence 1871 * numbers. If the driver does it, then don't do it here; 1872 * and we don't need the TX lock held. 1873 */ 1874 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++; 1875 *(uint16_t *)wh->i_seq = 1876 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 1877 M_SEQNO_SET(m, seqno); 1878 1879 /* 1880 * XXX TODO: we shouldn't allow EAPOL, etc that would 1881 * be forced to be non-QoS traffic to be A-MSDU encapsulated. 1882 */ 1883 if (is_amsdu) 1884 printf("%s: XXX ERROR: is_amsdu set; not QoS!\n", 1885 __func__); 1886 } 1887 1888 /* 1889 * Check if xmit fragmentation is required. 1890 * 1891 * If the hardware does fragmentation offload, then don't bother 1892 * doing it here. 1893 */ 1894 if (IEEE80211_CONF_FRAG_OFFLOAD(ic)) 1895 txfrag = 0; 1896 else 1897 txfrag = (m->m_pkthdr.len > vap->iv_fragthreshold && 1898 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 1899 (vap->iv_caps & IEEE80211_C_TXFRAG) && 1900 (m->m_flags & (M_FF | M_AMPDU_MPDU)) == 0); 1901 1902 if (key != NULL) { 1903 /* 1904 * IEEE 802.1X: send EAPOL frames always in the clear. 1905 * WPA/WPA2: encrypt EAPOL keys when pairwise keys are set. 1906 */ 1907 if ((m->m_flags & M_EAPOL) == 0 || 1908 ((vap->iv_flags & IEEE80211_F_WPA) && 1909 (vap->iv_opmode == IEEE80211_M_STA ? 1910 !IEEE80211_KEY_UNDEFINED(key) : 1911 !IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)))) { 1912 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 1913 if (!ieee80211_crypto_enmic(vap, key, m, txfrag)) { 1914 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_OUTPUT, 1915 eh.ether_dhost, 1916 "%s", "enmic failed, discard frame"); 1917 vap->iv_stats.is_crypto_enmicfail++; 1918 goto bad; 1919 } 1920 } 1921 } 1922 if (txfrag && !ieee80211_fragment(vap, m, hdrsize, 1923 key != NULL ? key->wk_cipher->ic_header : 0, vap->iv_fragthreshold)) 1924 goto bad; 1925 1926 m->m_flags |= M_ENCAP; /* mark encapsulated */ 1927 1928 IEEE80211_NODE_STAT(ni, tx_data); 1929 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 1930 IEEE80211_NODE_STAT(ni, tx_mcast); 1931 m->m_flags |= M_MCAST; 1932 } else 1933 IEEE80211_NODE_STAT(ni, tx_ucast); 1934 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, datalen); 1935 1936 return m; 1937bad: 1938 if (m != NULL) 1939 m_freem(m); 1940 return NULL; 1941#undef WH4 1942#undef MC01 1943} 1944 1945void 1946ieee80211_free_mbuf(struct mbuf *m) 1947{ 1948 struct mbuf *next; 1949 1950 if (m == NULL) 1951 return; 1952 1953 do { 1954 next = m->m_nextpkt; 1955 m->m_nextpkt = NULL; 1956 m_freem(m); 1957 } while ((m = next) != NULL); 1958} 1959 1960/* 1961 * Fragment the frame according to the specified mtu. 1962 * The size of the 802.11 header (w/o padding) is provided 1963 * so we don't need to recalculate it. We create a new 1964 * mbuf for each fragment and chain it through m_nextpkt; 1965 * we might be able to optimize this by reusing the original 1966 * packet's mbufs but that is significantly more complicated. 1967 */ 1968static int 1969ieee80211_fragment(struct ieee80211vap *vap, struct mbuf *m0, 1970 u_int hdrsize, u_int ciphdrsize, u_int mtu) 1971{ 1972 struct ieee80211com *ic = vap->iv_ic; 1973 struct ieee80211_frame *wh, *whf; 1974 struct mbuf *m, *prev; 1975 u_int totalhdrsize, fragno, fragsize, off, remainder, payload; 1976 u_int hdrspace; 1977 1978 KASSERT(m0->m_nextpkt == NULL, ("mbuf already chained?")); 1979 KASSERT(m0->m_pkthdr.len > mtu, 1980 ("pktlen %u mtu %u", m0->m_pkthdr.len, mtu)); 1981 1982 /* 1983 * Honor driver DATAPAD requirement. 1984 */ 1985 if (ic->ic_flags & IEEE80211_F_DATAPAD) 1986 hdrspace = roundup(hdrsize, sizeof(uint32_t)); 1987 else 1988 hdrspace = hdrsize; 1989 1990 wh = mtod(m0, struct ieee80211_frame *); 1991 /* NB: mark the first frag; it will be propagated below */ 1992 wh->i_fc[1] |= IEEE80211_FC1_MORE_FRAG; 1993 totalhdrsize = hdrspace + ciphdrsize; 1994 fragno = 1; 1995 off = mtu - ciphdrsize; 1996 remainder = m0->m_pkthdr.len - off; 1997 prev = m0; 1998 do { 1999 fragsize = MIN(totalhdrsize + remainder, mtu); 2000 m = m_get2(fragsize, IEEE80211_M_NOWAIT, MT_DATA, M_PKTHDR); 2001 if (m == NULL) 2002 goto bad; 2003 /* leave room to prepend any cipher header */ 2004 m_align(m, fragsize - ciphdrsize); 2005 2006 /* 2007 * Form the header in the fragment. Note that since 2008 * we mark the first fragment with the MORE_FRAG bit 2009 * it automatically is propagated to each fragment; we 2010 * need only clear it on the last fragment (done below). 2011 * NB: frag 1+ dont have Mesh Control field present. 2012 */ 2013 whf = mtod(m, struct ieee80211_frame *); 2014 memcpy(whf, wh, hdrsize); 2015#ifdef IEEE80211_SUPPORT_MESH 2016 if (vap->iv_opmode == IEEE80211_M_MBSS) 2017 ieee80211_getqos(wh)[1] &= ~IEEE80211_QOS_MC; 2018#endif 2019 *(uint16_t *)&whf->i_seq[0] |= htole16( 2020 (fragno & IEEE80211_SEQ_FRAG_MASK) << 2021 IEEE80211_SEQ_FRAG_SHIFT); 2022 fragno++; 2023 2024 payload = fragsize - totalhdrsize; 2025 /* NB: destination is known to be contiguous */ 2026 2027 m_copydata(m0, off, payload, mtod(m, uint8_t *) + hdrspace); 2028 m->m_len = hdrspace + payload; 2029 m->m_pkthdr.len = hdrspace + payload; 2030 m->m_flags |= M_FRAG; 2031 2032 /* chain up the fragment */ 2033 prev->m_nextpkt = m; 2034 prev = m; 2035 2036 /* deduct fragment just formed */ 2037 remainder -= payload; 2038 off += payload; 2039 } while (remainder != 0); 2040 2041 /* set the last fragment */ 2042 m->m_flags |= M_LASTFRAG; 2043 whf->i_fc[1] &= ~IEEE80211_FC1_MORE_FRAG; 2044 2045 /* strip first mbuf now that everything has been copied */ 2046 m_adj(m0, -(m0->m_pkthdr.len - (mtu - ciphdrsize))); 2047 m0->m_flags |= M_FIRSTFRAG | M_FRAG; 2048 2049 vap->iv_stats.is_tx_fragframes++; 2050 vap->iv_stats.is_tx_frags += fragno-1; 2051 2052 return 1; 2053bad: 2054 /* reclaim fragments but leave original frame for caller to free */ 2055 ieee80211_free_mbuf(m0->m_nextpkt); 2056 m0->m_nextpkt = NULL; 2057 return 0; 2058} 2059 2060/* 2061 * Add a supported rates element id to a frame. 2062 */ 2063uint8_t * 2064ieee80211_add_rates(uint8_t *frm, const struct ieee80211_rateset *rs) 2065{ 2066 int nrates; 2067 2068 *frm++ = IEEE80211_ELEMID_RATES; 2069 nrates = rs->rs_nrates; 2070 if (nrates > IEEE80211_RATE_SIZE) 2071 nrates = IEEE80211_RATE_SIZE; 2072 *frm++ = nrates; 2073 memcpy(frm, rs->rs_rates, nrates); 2074 return frm + nrates; 2075} 2076 2077/* 2078 * Add an extended supported rates element id to a frame. 2079 */ 2080uint8_t * 2081ieee80211_add_xrates(uint8_t *frm, const struct ieee80211_rateset *rs) 2082{ 2083 /* 2084 * Add an extended supported rates element if operating in 11g mode. 2085 */ 2086 if (rs->rs_nrates > IEEE80211_RATE_SIZE) { 2087 int nrates = rs->rs_nrates - IEEE80211_RATE_SIZE; 2088 *frm++ = IEEE80211_ELEMID_XRATES; 2089 *frm++ = nrates; 2090 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates); 2091 frm += nrates; 2092 } 2093 return frm; 2094} 2095 2096/* 2097 * Add an ssid element to a frame. 2098 */ 2099uint8_t * 2100ieee80211_add_ssid(uint8_t *frm, const uint8_t *ssid, u_int len) 2101{ 2102 *frm++ = IEEE80211_ELEMID_SSID; 2103 *frm++ = len; 2104 memcpy(frm, ssid, len); 2105 return frm + len; 2106} 2107 2108/* 2109 * Add an erp element to a frame. 2110 */ 2111static uint8_t * 2112ieee80211_add_erp(uint8_t *frm, struct ieee80211vap *vap) 2113{ 2114 struct ieee80211com *ic = vap->iv_ic; 2115 uint8_t erp; 2116 2117 *frm++ = IEEE80211_ELEMID_ERP; 2118 *frm++ = 1; 2119 erp = 0; 2120 2121 /* 2122 * TODO: This uses the global flags for now because 2123 * the per-VAP flags are fine for per-VAP, but don't 2124 * take into account which VAPs share the same channel 2125 * and which are on different channels. 2126 * 2127 * ERP and HT/VHT protection mode is a function of 2128 * how many stations are on a channel, not specifically 2129 * the VAP or global. But, until we grow that status, 2130 * the global flag will have to do. 2131 */ 2132 if (ic->ic_flags_ext & IEEE80211_FEXT_NONERP_PR) 2133 erp |= IEEE80211_ERP_NON_ERP_PRESENT; 2134 2135 /* 2136 * TODO: same as above; these should be based not 2137 * on the vap or ic flags, but instead on a combination 2138 * of per-VAP and channels. 2139 */ 2140 if (ic->ic_flags & IEEE80211_F_USEPROT) 2141 erp |= IEEE80211_ERP_USE_PROTECTION; 2142 if (ic->ic_flags & IEEE80211_F_USEBARKER) 2143 erp |= IEEE80211_ERP_LONG_PREAMBLE; 2144 *frm++ = erp; 2145 return frm; 2146} 2147 2148/* 2149 * Add a CFParams element to a frame. 2150 */ 2151static uint8_t * 2152ieee80211_add_cfparms(uint8_t *frm, struct ieee80211com *ic) 2153{ 2154#define ADDSHORT(frm, v) do { \ 2155 le16enc(frm, v); \ 2156 frm += 2; \ 2157} while (0) 2158 *frm++ = IEEE80211_ELEMID_CFPARMS; 2159 *frm++ = 6; 2160 *frm++ = 0; /* CFP count */ 2161 *frm++ = 2; /* CFP period */ 2162 ADDSHORT(frm, 0); /* CFP MaxDuration (TU) */ 2163 ADDSHORT(frm, 0); /* CFP CurRemaining (TU) */ 2164 return frm; 2165#undef ADDSHORT 2166} 2167 2168static __inline uint8_t * 2169add_appie(uint8_t *frm, const struct ieee80211_appie *ie) 2170{ 2171 memcpy(frm, ie->ie_data, ie->ie_len); 2172 return frm + ie->ie_len; 2173} 2174 2175static __inline uint8_t * 2176add_ie(uint8_t *frm, const uint8_t *ie) 2177{ 2178 memcpy(frm, ie, 2 + ie[1]); 2179 return frm + 2 + ie[1]; 2180} 2181 2182#define WME_OUI_BYTES 0x00, 0x50, 0xf2 2183/* 2184 * Add a WME information element to a frame. 2185 */ 2186uint8_t * 2187ieee80211_add_wme_info(uint8_t *frm, struct ieee80211_wme_state *wme, 2188 struct ieee80211_node *ni) 2189{ 2190 static const uint8_t oui[4] = { WME_OUI_BYTES, WME_OUI_TYPE }; 2191 struct ieee80211vap *vap = ni->ni_vap; 2192 2193 *frm++ = IEEE80211_ELEMID_VENDOR; 2194 *frm++ = sizeof(struct ieee80211_wme_info) - 2; 2195 memcpy(frm, oui, sizeof(oui)); 2196 frm += sizeof(oui); 2197 *frm++ = WME_INFO_OUI_SUBTYPE; 2198 *frm++ = WME_VERSION; 2199 2200 /* QoS info field depends upon operating mode */ 2201 switch (vap->iv_opmode) { 2202 case IEEE80211_M_HOSTAP: 2203 *frm = wme->wme_bssChanParams.cap_info; 2204 if (vap->iv_flags_ext & IEEE80211_FEXT_UAPSD) 2205 *frm |= WME_CAPINFO_UAPSD_EN; 2206 frm++; 2207 break; 2208 case IEEE80211_M_STA: 2209 /* 2210 * NB: UAPSD drivers must set this up in their 2211 * VAP creation method. 2212 */ 2213 *frm++ = vap->iv_uapsdinfo; 2214 break; 2215 default: 2216 *frm++ = 0; 2217 break; 2218 } 2219 2220 return frm; 2221} 2222 2223/* 2224 * Add a WME parameters element to a frame. 2225 */ 2226static uint8_t * 2227ieee80211_add_wme_param(uint8_t *frm, struct ieee80211_wme_state *wme, 2228 int uapsd_enable) 2229{ 2230#define ADDSHORT(frm, v) do { \ 2231 le16enc(frm, v); \ 2232 frm += 2; \ 2233} while (0) 2234 /* NB: this works 'cuz a param has an info at the front */ 2235 static const struct ieee80211_wme_info param = { 2236 .wme_id = IEEE80211_ELEMID_VENDOR, 2237 .wme_len = sizeof(struct ieee80211_wme_param) - 2, 2238 .wme_oui = { WME_OUI_BYTES }, 2239 .wme_type = WME_OUI_TYPE, 2240 .wme_subtype = WME_PARAM_OUI_SUBTYPE, 2241 .wme_version = WME_VERSION, 2242 }; 2243 int i; 2244 2245 memcpy(frm, ¶m, sizeof(param)); 2246 frm += __offsetof(struct ieee80211_wme_info, wme_info); 2247 *frm = wme->wme_bssChanParams.cap_info; /* AC info */ 2248 if (uapsd_enable) 2249 *frm |= WME_CAPINFO_UAPSD_EN; 2250 frm++; 2251 *frm++ = 0; /* reserved field */ 2252 /* XXX TODO - U-APSD bits - SP, flags below */ 2253 for (i = 0; i < WME_NUM_AC; i++) { 2254 const struct wmeParams *ac = 2255 &wme->wme_bssChanParams.cap_wmeParams[i]; 2256 *frm++ = _IEEE80211_SHIFTMASK(i, WME_PARAM_ACI) 2257 | _IEEE80211_SHIFTMASK(ac->wmep_acm, WME_PARAM_ACM) 2258 | _IEEE80211_SHIFTMASK(ac->wmep_aifsn, WME_PARAM_AIFSN) 2259 ; 2260 *frm++ = _IEEE80211_SHIFTMASK(ac->wmep_logcwmax, 2261 WME_PARAM_LOGCWMAX) 2262 | _IEEE80211_SHIFTMASK(ac->wmep_logcwmin, 2263 WME_PARAM_LOGCWMIN) 2264 ; 2265 ADDSHORT(frm, ac->wmep_txopLimit); 2266 } 2267 return frm; 2268#undef ADDSHORT 2269} 2270#undef WME_OUI_BYTES 2271 2272/* 2273 * Add an 11h Power Constraint element to a frame. 2274 */ 2275static uint8_t * 2276ieee80211_add_powerconstraint(uint8_t *frm, struct ieee80211vap *vap) 2277{ 2278 const struct ieee80211_channel *c = vap->iv_bss->ni_chan; 2279 /* XXX per-vap tx power limit? */ 2280 int8_t limit = vap->iv_ic->ic_txpowlimit / 2; 2281 2282 frm[0] = IEEE80211_ELEMID_PWRCNSTR; 2283 frm[1] = 1; 2284 frm[2] = c->ic_maxregpower > limit ? c->ic_maxregpower - limit : 0; 2285 return frm + 3; 2286} 2287 2288/* 2289 * Add an 11h Power Capability element to a frame. 2290 */ 2291static uint8_t * 2292ieee80211_add_powercapability(uint8_t *frm, const struct ieee80211_channel *c) 2293{ 2294 frm[0] = IEEE80211_ELEMID_PWRCAP; 2295 frm[1] = 2; 2296 frm[2] = c->ic_minpower; 2297 frm[3] = c->ic_maxpower; 2298 return frm + 4; 2299} 2300 2301/* 2302 * Add an 11h Supported Channels element to a frame. 2303 */ 2304static uint8_t * 2305ieee80211_add_supportedchannels(uint8_t *frm, struct ieee80211com *ic) 2306{ 2307 static const int ielen = 26; 2308 2309 frm[0] = IEEE80211_ELEMID_SUPPCHAN; 2310 frm[1] = ielen; 2311 /* XXX not correct */ 2312 memcpy(frm+2, ic->ic_chan_avail, ielen); 2313 return frm + 2 + ielen; 2314} 2315 2316/* 2317 * Add an 11h Quiet time element to a frame. 2318 */ 2319static uint8_t * 2320ieee80211_add_quiet(uint8_t *frm, struct ieee80211vap *vap, int update) 2321{ 2322 struct ieee80211_quiet_ie *quiet = (struct ieee80211_quiet_ie *) frm; 2323 2324 quiet->quiet_ie = IEEE80211_ELEMID_QUIET; 2325 quiet->len = 6; 2326 2327 /* 2328 * Only update every beacon interval - otherwise probe responses 2329 * would update the quiet count value. 2330 */ 2331 if (update) { 2332 if (vap->iv_quiet_count_value == 1) 2333 vap->iv_quiet_count_value = vap->iv_quiet_count; 2334 else if (vap->iv_quiet_count_value > 1) 2335 vap->iv_quiet_count_value--; 2336 } 2337 2338 if (vap->iv_quiet_count_value == 0) { 2339 /* value 0 is reserved as per 802.11h standerd */ 2340 vap->iv_quiet_count_value = 1; 2341 } 2342 2343 quiet->tbttcount = vap->iv_quiet_count_value; 2344 quiet->period = vap->iv_quiet_period; 2345 quiet->duration = htole16(vap->iv_quiet_duration); 2346 quiet->offset = htole16(vap->iv_quiet_offset); 2347 return frm + sizeof(*quiet); 2348} 2349 2350/* 2351 * Add an 11h Channel Switch Announcement element to a frame. 2352 * Note that we use the per-vap CSA count to adjust the global 2353 * counter so we can use this routine to form probe response 2354 * frames and get the current count. 2355 */ 2356static uint8_t * 2357ieee80211_add_csa(uint8_t *frm, struct ieee80211vap *vap) 2358{ 2359 struct ieee80211com *ic = vap->iv_ic; 2360 struct ieee80211_csa_ie *csa = (struct ieee80211_csa_ie *) frm; 2361 2362 csa->csa_ie = IEEE80211_ELEMID_CSA; 2363 csa->csa_len = 3; 2364 csa->csa_mode = 1; /* XXX force quiet on channel */ 2365 csa->csa_newchan = ieee80211_chan2ieee(ic, ic->ic_csa_newchan); 2366 csa->csa_count = ic->ic_csa_count - vap->iv_csa_count; 2367 return frm + sizeof(*csa); 2368} 2369 2370/* 2371 * Add an 11h country information element to a frame. 2372 */ 2373static uint8_t * 2374ieee80211_add_countryie(uint8_t *frm, struct ieee80211com *ic) 2375{ 2376 2377 if (ic->ic_countryie == NULL || 2378 ic->ic_countryie_chan != ic->ic_bsschan) { 2379 /* 2380 * Handle lazy construction of ie. This is done on 2381 * first use and after a channel change that requires 2382 * re-calculation. 2383 */ 2384 if (ic->ic_countryie != NULL) 2385 IEEE80211_FREE(ic->ic_countryie, M_80211_NODE_IE); 2386 ic->ic_countryie = ieee80211_alloc_countryie(ic); 2387 if (ic->ic_countryie == NULL) 2388 return frm; 2389 ic->ic_countryie_chan = ic->ic_bsschan; 2390 } 2391 return add_appie(frm, ic->ic_countryie); 2392} 2393 2394uint8_t * 2395ieee80211_add_wpa(uint8_t *frm, const struct ieee80211vap *vap) 2396{ 2397 if (vap->iv_flags & IEEE80211_F_WPA1 && vap->iv_wpa_ie != NULL) 2398 return (add_ie(frm, vap->iv_wpa_ie)); 2399 else { 2400 /* XXX else complain? */ 2401 return (frm); 2402 } 2403} 2404 2405uint8_t * 2406ieee80211_add_rsn(uint8_t *frm, const struct ieee80211vap *vap) 2407{ 2408 if (vap->iv_flags & IEEE80211_F_WPA2 && vap->iv_rsn_ie != NULL) 2409 return (add_ie(frm, vap->iv_rsn_ie)); 2410 else { 2411 /* XXX else complain? */ 2412 return (frm); 2413 } 2414} 2415 2416uint8_t * 2417ieee80211_add_qos(uint8_t *frm, const struct ieee80211_node *ni) 2418{ 2419 if (ni->ni_flags & IEEE80211_NODE_QOS) { 2420 *frm++ = IEEE80211_ELEMID_QOS; 2421 *frm++ = 1; 2422 *frm++ = 0; 2423 } 2424 2425 return (frm); 2426} 2427 2428/* 2429 * ieee80211_send_probereq(): send a probe request frame with the specified ssid 2430 * and any optional information element data; some helper functions as FW based 2431 * HW scans need some of that information passed too. 2432 */ 2433static uint32_t 2434ieee80211_probereq_ie_len(struct ieee80211vap *vap, struct ieee80211com *ic) 2435{ 2436 const struct ieee80211_rateset *rs; 2437 2438 rs = ieee80211_get_suprates(ic, ic->ic_curchan); 2439 2440 /* 2441 * prreq frame format 2442 * [tlv] ssid 2443 * [tlv] supported rates 2444 * [tlv] extended supported rates (if needed) 2445 * [tlv] HT cap (optional) 2446 * [tlv] VHT cap (optional) 2447 * [tlv] WPA (optional) 2448 * [tlv] user-specified ie's 2449 */ 2450 return ( 2 + IEEE80211_NWID_LEN 2451 + 2 + IEEE80211_RATE_SIZE 2452 + ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 2453 2 + (rs->rs_nrates - IEEE80211_RATE_SIZE) : 0) 2454 + (((vap->iv_opmode == IEEE80211_M_IBSS) && 2455 (vap->iv_flags_ht & IEEE80211_FHT_HT)) ? 2456 sizeof(struct ieee80211_ie_htcap) : 0) 2457#ifdef notyet 2458 + sizeof(struct ieee80211_ie_htinfo) /* XXX not needed? */ 2459 + 2 + sizeof(struct ieee80211_vht_cap) 2460#endif 2461 + ((vap->iv_flags & IEEE80211_F_WPA1 && vap->iv_wpa_ie != NULL) ? 2462 vap->iv_wpa_ie[1] : 0) 2463 + (vap->iv_appie_probereq != NULL ? 2464 vap->iv_appie_probereq->ie_len : 0) 2465 ); 2466} 2467 2468int 2469ieee80211_probereq_ie(struct ieee80211vap *vap, struct ieee80211com *ic, 2470 uint8_t **frmp, uint32_t *frmlen, const uint8_t *ssid, size_t ssidlen, 2471 bool alloc) 2472{ 2473 const struct ieee80211_rateset *rs; 2474 uint8_t *frm; 2475 uint32_t len; 2476 2477 if (!alloc && (frmp == NULL || frmlen == NULL)) 2478 return (EINVAL); 2479 2480 len = ieee80211_probereq_ie_len(vap, ic); 2481 if (!alloc && len > *frmlen) 2482 return (ENOBUFS); 2483 2484 /* For HW scans we usually do not pass in the SSID as IE. */ 2485 if (ssidlen == -1) 2486 len -= (2 + IEEE80211_NWID_LEN); 2487 2488 if (alloc) { 2489 frm = IEEE80211_MALLOC(len, M_80211_VAP, 2490 IEEE80211_M_WAITOK | IEEE80211_M_ZERO); 2491 *frmp = frm; 2492 *frmlen = len; 2493 } else 2494 frm = *frmp; 2495 2496 if (ssidlen != -1) 2497 frm = ieee80211_add_ssid(frm, ssid, ssidlen); 2498 rs = ieee80211_get_suprates(ic, ic->ic_curchan); 2499 frm = ieee80211_add_rates(frm, rs); 2500 frm = ieee80211_add_xrates(frm, rs); 2501 2502 /* 2503 * Note: we can't use bss; we don't have one yet. 2504 * 2505 * So, we should announce our capabilities 2506 * in this channel mode (2g/5g), not the 2507 * channel details itself. 2508 */ 2509 if ((vap->iv_opmode == IEEE80211_M_IBSS) && 2510 (vap->iv_flags_ht & IEEE80211_FHT_HT)) { 2511 struct ieee80211_channel *c; 2512 2513 /* 2514 * Get the HT channel that we should try upgrading to. 2515 * If we can do 40MHz then this'll upgrade it appropriately. 2516 */ 2517 c = ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 2518 vap->iv_flags_ht); 2519 frm = ieee80211_add_htcap_ch(frm, vap, c); 2520 } 2521 2522 /* 2523 * XXX TODO: need to figure out what/how to update the 2524 * VHT channel. 2525 */ 2526#ifdef notyet 2527 if (vap->iv_vht_flags & IEEE80211_FVHT_VHT) { 2528 struct ieee80211_channel *c; 2529 2530 c = ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 2531 vap->iv_flags_ht); 2532 c = ieee80211_vht_adjust_channel(ic, c, vap->iv_vht_flags); 2533 frm = ieee80211_add_vhtcap_ch(frm, vap, c); 2534 } 2535#endif 2536 2537 frm = ieee80211_add_wpa(frm, vap); 2538 if (vap->iv_appie_probereq != NULL) 2539 frm = add_appie(frm, vap->iv_appie_probereq); 2540 2541 if (!alloc) { 2542 *frmp = frm; 2543 *frmlen = len; 2544 } 2545 2546 return (0); 2547} 2548 2549int 2550ieee80211_send_probereq(struct ieee80211_node *ni, 2551 const uint8_t sa[IEEE80211_ADDR_LEN], 2552 const uint8_t da[IEEE80211_ADDR_LEN], 2553 const uint8_t bssid[IEEE80211_ADDR_LEN], 2554 const uint8_t *ssid, size_t ssidlen) 2555{ 2556 struct ieee80211vap *vap = ni->ni_vap; 2557 struct ieee80211com *ic = ni->ni_ic; 2558 struct ieee80211_node *bss; 2559 const struct ieee80211_txparam *tp; 2560 struct ieee80211_bpf_params params; 2561 struct mbuf *m; 2562 uint8_t *frm; 2563 uint32_t frmlen; 2564 int ret; 2565 2566 bss = ieee80211_ref_node(vap->iv_bss); 2567 2568 if (vap->iv_state == IEEE80211_S_CAC) { 2569 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, ni, 2570 "block %s frame in CAC state", "probe request"); 2571 vap->iv_stats.is_tx_badstate++; 2572 ieee80211_free_node(bss); 2573 return EIO; /* XXX */ 2574 } 2575 2576 /* 2577 * Hold a reference on the node so it doesn't go away until after 2578 * the xmit is complete all the way in the driver. On error we 2579 * will remove our reference. 2580 */ 2581 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 2582 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 2583 __func__, __LINE__, 2584 ni, ether_sprintf(ni->ni_macaddr), 2585 ieee80211_node_refcnt(ni)+1); 2586 ieee80211_ref_node(ni); 2587 2588 /* See comments above for entire frame format. */ 2589 frmlen = ieee80211_probereq_ie_len(vap, ic); 2590 m = ieee80211_getmgtframe(&frm, 2591 ic->ic_headroom + sizeof(struct ieee80211_frame), frmlen); 2592 if (m == NULL) { 2593 vap->iv_stats.is_tx_nobuf++; 2594 ieee80211_free_node(ni); 2595 ieee80211_free_node(bss); 2596 return ENOMEM; 2597 } 2598 2599 ret = ieee80211_probereq_ie(vap, ic, &frm, &frmlen, ssid, ssidlen, 2600 false); 2601 KASSERT(ret == 0, 2602 ("%s: ieee80211_probereq_ie failed: %d\n", __func__, ret)); 2603 2604 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2605 KASSERT(M_LEADINGSPACE(m) >= sizeof(struct ieee80211_frame), 2606 ("leading space %zd", M_LEADINGSPACE(m))); 2607 M_PREPEND(m, sizeof(struct ieee80211_frame), IEEE80211_M_NOWAIT); 2608 if (m == NULL) { 2609 /* NB: cannot happen */ 2610 ieee80211_free_node(ni); 2611 ieee80211_free_node(bss); 2612 return ENOMEM; 2613 } 2614 2615 IEEE80211_TX_LOCK(ic); 2616 ieee80211_send_setup(ni, m, 2617 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_REQ, 2618 IEEE80211_NONQOS_TID, sa, da, bssid); 2619 /* XXX power management? */ 2620 m->m_flags |= M_ENCAP; /* mark encapsulated */ 2621 2622 M_WME_SETAC(m, WME_AC_BE); 2623 2624 IEEE80211_NODE_STAT(ni, tx_probereq); 2625 IEEE80211_NODE_STAT(ni, tx_mgmt); 2626 2627 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 2628 "send probe req on channel %u bssid %s sa %6D da %6D ssid \"%.*s\"\n", 2629 ieee80211_chan2ieee(ic, ic->ic_curchan), 2630 ether_sprintf(bssid), 2631 sa, ":", 2632 da, ":", 2633 ssidlen, ssid); 2634 2635 memset(¶ms, 0, sizeof(params)); 2636 params.ibp_pri = M_WME_GETAC(m); 2637 tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)]; 2638 params.ibp_rate0 = tp->mgmtrate; 2639 if (IEEE80211_IS_MULTICAST(da)) { 2640 params.ibp_flags |= IEEE80211_BPF_NOACK; 2641 params.ibp_try0 = 1; 2642 } else 2643 params.ibp_try0 = tp->maxretry; 2644 params.ibp_power = ni->ni_txpower; 2645 ret = ieee80211_raw_output(vap, ni, m, ¶ms); 2646 IEEE80211_TX_UNLOCK(ic); 2647 ieee80211_free_node(bss); 2648 return (ret); 2649} 2650 2651/* 2652 * Calculate capability information for mgt frames. 2653 */ 2654uint16_t 2655ieee80211_getcapinfo(struct ieee80211vap *vap, struct ieee80211_channel *chan) 2656{ 2657 uint16_t capinfo; 2658 2659 KASSERT(vap->iv_opmode != IEEE80211_M_STA, ("station mode")); 2660 2661 if (vap->iv_opmode == IEEE80211_M_HOSTAP) 2662 capinfo = IEEE80211_CAPINFO_ESS; 2663 else if (vap->iv_opmode == IEEE80211_M_IBSS) 2664 capinfo = IEEE80211_CAPINFO_IBSS; 2665 else 2666 capinfo = 0; 2667 if (vap->iv_flags & IEEE80211_F_PRIVACY) 2668 capinfo |= IEEE80211_CAPINFO_PRIVACY; 2669 if ((vap->iv_flags & IEEE80211_F_SHPREAMBLE) && 2670 IEEE80211_IS_CHAN_2GHZ(chan)) 2671 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 2672 if (vap->iv_flags & IEEE80211_F_SHSLOT) 2673 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 2674 if (IEEE80211_IS_CHAN_5GHZ(chan) && (vap->iv_flags & IEEE80211_F_DOTH)) 2675 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT; 2676 return capinfo; 2677} 2678 2679/* 2680 * Send a management frame. The node is for the destination (or ic_bss 2681 * when in station mode). Nodes other than ic_bss have their reference 2682 * count bumped to reflect our use for an indeterminant time. 2683 */ 2684int 2685ieee80211_send_mgmt(struct ieee80211_node *ni, int type, int arg) 2686{ 2687#define HTFLAGS (IEEE80211_NODE_HT | IEEE80211_NODE_HTCOMPAT) 2688#define senderr(_x, _v) do { vap->iv_stats._v++; ret = _x; goto bad; } while (0) 2689 struct ieee80211vap *vap = ni->ni_vap; 2690 struct ieee80211com *ic = ni->ni_ic; 2691 struct ieee80211_node *bss = vap->iv_bss; 2692 struct ieee80211_bpf_params params; 2693 struct mbuf *m; 2694 uint8_t *frm; 2695 uint16_t capinfo; 2696 int has_challenge, is_shared_key, ret, status; 2697 2698 KASSERT(ni != NULL, ("null node")); 2699 2700 /* 2701 * Hold a reference on the node so it doesn't go away until after 2702 * the xmit is complete all the way in the driver. On error we 2703 * will remove our reference. 2704 */ 2705 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 2706 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 2707 __func__, __LINE__, 2708 ni, ether_sprintf(ni->ni_macaddr), 2709 ieee80211_node_refcnt(ni)+1); 2710 ieee80211_ref_node(ni); 2711 2712 memset(¶ms, 0, sizeof(params)); 2713 switch (type) { 2714 case IEEE80211_FC0_SUBTYPE_AUTH: 2715 status = arg >> 16; 2716 arg &= 0xffff; 2717 has_challenge = ((arg == IEEE80211_AUTH_SHARED_CHALLENGE || 2718 arg == IEEE80211_AUTH_SHARED_RESPONSE) && 2719 ni->ni_challenge != NULL); 2720 2721 /* 2722 * Deduce whether we're doing open authentication or 2723 * shared key authentication. We do the latter if 2724 * we're in the middle of a shared key authentication 2725 * handshake or if we're initiating an authentication 2726 * request and configured to use shared key. 2727 */ 2728 is_shared_key = has_challenge || 2729 arg >= IEEE80211_AUTH_SHARED_RESPONSE || 2730 (arg == IEEE80211_AUTH_SHARED_REQUEST && 2731 bss->ni_authmode == IEEE80211_AUTH_SHARED); 2732 2733 m = ieee80211_getmgtframe(&frm, 2734 ic->ic_headroom + sizeof(struct ieee80211_frame), 2735 3 * sizeof(uint16_t) 2736 + (has_challenge && status == IEEE80211_STATUS_SUCCESS ? 2737 sizeof(uint16_t)+IEEE80211_CHALLENGE_LEN : 0)); 2738 if (m == NULL) 2739 senderr(ENOMEM, is_tx_nobuf); 2740 2741 ((uint16_t *)frm)[0] = 2742 (is_shared_key) ? htole16(IEEE80211_AUTH_ALG_SHARED) 2743 : htole16(IEEE80211_AUTH_ALG_OPEN); 2744 ((uint16_t *)frm)[1] = htole16(arg); /* sequence number */ 2745 ((uint16_t *)frm)[2] = htole16(status);/* status */ 2746 2747 if (has_challenge && status == IEEE80211_STATUS_SUCCESS) { 2748 ((uint16_t *)frm)[3] = 2749 htole16((IEEE80211_CHALLENGE_LEN << 8) | 2750 IEEE80211_ELEMID_CHALLENGE); 2751 memcpy(&((uint16_t *)frm)[4], ni->ni_challenge, 2752 IEEE80211_CHALLENGE_LEN); 2753 m->m_pkthdr.len = m->m_len = 2754 4 * sizeof(uint16_t) + IEEE80211_CHALLENGE_LEN; 2755 if (arg == IEEE80211_AUTH_SHARED_RESPONSE) { 2756 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2757 "request encrypt frame (%s)", __func__); 2758 /* mark frame for encryption */ 2759 params.ibp_flags |= IEEE80211_BPF_CRYPTO; 2760 } 2761 } else 2762 m->m_pkthdr.len = m->m_len = 3 * sizeof(uint16_t); 2763 2764 /* XXX not right for shared key */ 2765 if (status == IEEE80211_STATUS_SUCCESS) 2766 IEEE80211_NODE_STAT(ni, tx_auth); 2767 else 2768 IEEE80211_NODE_STAT(ni, tx_auth_fail); 2769 2770 if (vap->iv_opmode == IEEE80211_M_STA) 2771 ieee80211_add_callback(m, ieee80211_tx_mgt_cb, 2772 (void *) vap->iv_state); 2773 break; 2774 2775 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2776 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2777 "send station deauthenticate (reason: %d (%s))", arg, 2778 ieee80211_reason_to_string(arg)); 2779 m = ieee80211_getmgtframe(&frm, 2780 ic->ic_headroom + sizeof(struct ieee80211_frame), 2781 sizeof(uint16_t)); 2782 if (m == NULL) 2783 senderr(ENOMEM, is_tx_nobuf); 2784 *(uint16_t *)frm = htole16(arg); /* reason */ 2785 m->m_pkthdr.len = m->m_len = sizeof(uint16_t); 2786 2787 IEEE80211_NODE_STAT(ni, tx_deauth); 2788 IEEE80211_NODE_STAT_SET(ni, tx_deauth_code, arg); 2789 2790 ieee80211_node_unauthorize(ni); /* port closed */ 2791 break; 2792 2793 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2794 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 2795 /* 2796 * asreq frame format 2797 * [2] capability information 2798 * [2] listen interval 2799 * [6*] current AP address (reassoc only) 2800 * [tlv] ssid 2801 * [tlv] supported rates 2802 * [tlv] extended supported rates 2803 * [4] power capability (optional) 2804 * [28] supported channels (optional) 2805 * [tlv] HT capabilities 2806 * [tlv] VHT capabilities 2807 * [tlv] WME (optional) 2808 * [tlv] Vendor OUI HT capabilities (optional) 2809 * [tlv] Atheros capabilities (if negotiated) 2810 * [tlv] AppIE's (optional) 2811 */ 2812 m = ieee80211_getmgtframe(&frm, 2813 ic->ic_headroom + sizeof(struct ieee80211_frame), 2814 sizeof(uint16_t) 2815 + sizeof(uint16_t) 2816 + IEEE80211_ADDR_LEN 2817 + 2 + IEEE80211_NWID_LEN 2818 + 2 + IEEE80211_RATE_SIZE 2819 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2820 + 4 2821 + 2 + 26 2822 + sizeof(struct ieee80211_wme_info) 2823 + sizeof(struct ieee80211_ie_htcap) 2824 + 2 + sizeof(struct ieee80211_vht_cap) 2825 + 4 + sizeof(struct ieee80211_ie_htcap) 2826#ifdef IEEE80211_SUPPORT_SUPERG 2827 + sizeof(struct ieee80211_ath_ie) 2828#endif 2829 + (vap->iv_appie_wpa != NULL ? 2830 vap->iv_appie_wpa->ie_len : 0) 2831 + (vap->iv_appie_assocreq != NULL ? 2832 vap->iv_appie_assocreq->ie_len : 0) 2833 ); 2834 if (m == NULL) 2835 senderr(ENOMEM, is_tx_nobuf); 2836 2837 KASSERT(vap->iv_opmode == IEEE80211_M_STA, 2838 ("wrong mode %u", vap->iv_opmode)); 2839 capinfo = IEEE80211_CAPINFO_ESS; 2840 if (vap->iv_flags & IEEE80211_F_PRIVACY) 2841 capinfo |= IEEE80211_CAPINFO_PRIVACY; 2842 /* 2843 * NB: Some 11a AP's reject the request when 2844 * short preamble is set. 2845 */ 2846 if ((vap->iv_flags & IEEE80211_F_SHPREAMBLE) && 2847 IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan)) 2848 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 2849 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 2850 (ic->ic_caps & IEEE80211_C_SHSLOT)) 2851 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 2852 if ((ni->ni_capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) && 2853 (vap->iv_flags & IEEE80211_F_DOTH)) 2854 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT; 2855 *(uint16_t *)frm = htole16(capinfo); 2856 frm += 2; 2857 2858 KASSERT(bss->ni_intval != 0, ("beacon interval is zero!")); 2859 *(uint16_t *)frm = htole16(howmany(ic->ic_lintval, 2860 bss->ni_intval)); 2861 frm += 2; 2862 2863 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2864 IEEE80211_ADDR_COPY(frm, bss->ni_bssid); 2865 frm += IEEE80211_ADDR_LEN; 2866 } 2867 2868 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 2869 frm = ieee80211_add_rates(frm, &ni->ni_rates); 2870 frm = ieee80211_add_rsn(frm, vap); 2871 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 2872 if (capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) { 2873 frm = ieee80211_add_powercapability(frm, 2874 ic->ic_curchan); 2875 frm = ieee80211_add_supportedchannels(frm, ic); 2876 } 2877 2878 /* 2879 * Check the channel - we may be using an 11n NIC with an 2880 * 11n capable station, but we're configured to be an 11b 2881 * channel. 2882 */ 2883 if ((vap->iv_flags_ht & IEEE80211_FHT_HT) && 2884 IEEE80211_IS_CHAN_HT(ni->ni_chan) && 2885 ni->ni_ies.htcap_ie != NULL && 2886 ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_HTCAP) { 2887 frm = ieee80211_add_htcap(frm, ni); 2888 } 2889 2890 if ((vap->iv_vht_flags & IEEE80211_FVHT_VHT) && 2891 IEEE80211_IS_CHAN_VHT(ni->ni_chan) && 2892 ni->ni_ies.vhtcap_ie != NULL && 2893 ni->ni_ies.vhtcap_ie[0] == IEEE80211_ELEMID_VHT_CAP) { 2894 frm = ieee80211_add_vhtcap(frm, ni); 2895 } 2896 2897 frm = ieee80211_add_wpa(frm, vap); 2898 if ((vap->iv_flags & IEEE80211_F_WME) && 2899 ni->ni_ies.wme_ie != NULL) 2900 frm = ieee80211_add_wme_info(frm, &ic->ic_wme, ni); 2901 2902 /* 2903 * Same deal - only send HT info if we're on an 11n 2904 * capable channel. 2905 */ 2906 if ((vap->iv_flags_ht & IEEE80211_FHT_HT) && 2907 IEEE80211_IS_CHAN_HT(ni->ni_chan) && 2908 ni->ni_ies.htcap_ie != NULL && 2909 ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_VENDOR) { 2910 frm = ieee80211_add_htcap_vendor(frm, ni); 2911 } 2912#ifdef IEEE80211_SUPPORT_SUPERG 2913 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS)) { 2914 frm = ieee80211_add_ath(frm, 2915 IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS), 2916 ((vap->iv_flags & IEEE80211_F_WPA) == 0 && 2917 ni->ni_authmode != IEEE80211_AUTH_8021X) ? 2918 vap->iv_def_txkey : IEEE80211_KEYIX_NONE); 2919 } 2920#endif /* IEEE80211_SUPPORT_SUPERG */ 2921 if (vap->iv_appie_assocreq != NULL) 2922 frm = add_appie(frm, vap->iv_appie_assocreq); 2923 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2924 2925 ieee80211_add_callback(m, ieee80211_tx_mgt_cb, 2926 (void *) vap->iv_state); 2927 break; 2928 2929 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2930 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2931 /* 2932 * asresp frame format 2933 * [2] capability information 2934 * [2] status 2935 * [2] association ID 2936 * [tlv] supported rates 2937 * [tlv] extended supported rates 2938 * [tlv] HT capabilities (standard, if STA enabled) 2939 * [tlv] HT information (standard, if STA enabled) 2940 * [tlv] VHT capabilities (standard, if STA enabled) 2941 * [tlv] VHT information (standard, if STA enabled) 2942 * [tlv] WME (if configured and STA enabled) 2943 * [tlv] HT capabilities (vendor OUI, if STA enabled) 2944 * [tlv] HT information (vendor OUI, if STA enabled) 2945 * [tlv] Atheros capabilities (if STA enabled) 2946 * [tlv] AppIE's (optional) 2947 */ 2948 m = ieee80211_getmgtframe(&frm, 2949 ic->ic_headroom + sizeof(struct ieee80211_frame), 2950 sizeof(uint16_t) 2951 + sizeof(uint16_t) 2952 + sizeof(uint16_t) 2953 + 2 + IEEE80211_RATE_SIZE 2954 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2955 + sizeof(struct ieee80211_ie_htcap) + 4 2956 + sizeof(struct ieee80211_ie_htinfo) + 4 2957 + 2 + sizeof(struct ieee80211_vht_cap) 2958 + 2 + sizeof(struct ieee80211_vht_operation) 2959 + sizeof(struct ieee80211_wme_param) 2960#ifdef IEEE80211_SUPPORT_SUPERG 2961 + sizeof(struct ieee80211_ath_ie) 2962#endif 2963 + (vap->iv_appie_assocresp != NULL ? 2964 vap->iv_appie_assocresp->ie_len : 0) 2965 ); 2966 if (m == NULL) 2967 senderr(ENOMEM, is_tx_nobuf); 2968 2969 capinfo = ieee80211_getcapinfo(vap, bss->ni_chan); 2970 *(uint16_t *)frm = htole16(capinfo); 2971 frm += 2; 2972 2973 *(uint16_t *)frm = htole16(arg); /* status */ 2974 frm += 2; 2975 2976 if (arg == IEEE80211_STATUS_SUCCESS) { 2977 *(uint16_t *)frm = htole16(ni->ni_associd); 2978 IEEE80211_NODE_STAT(ni, tx_assoc); 2979 } else 2980 IEEE80211_NODE_STAT(ni, tx_assoc_fail); 2981 frm += 2; 2982 2983 frm = ieee80211_add_rates(frm, &ni->ni_rates); 2984 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 2985 /* NB: respond according to what we received */ 2986 if ((ni->ni_flags & HTFLAGS) == IEEE80211_NODE_HT) { 2987 frm = ieee80211_add_htcap(frm, ni); 2988 frm = ieee80211_add_htinfo(frm, ni); 2989 } 2990 if ((vap->iv_flags & IEEE80211_F_WME) && 2991 ni->ni_ies.wme_ie != NULL) 2992 frm = ieee80211_add_wme_param(frm, &ic->ic_wme, 2993 !! (vap->iv_flags_ext & IEEE80211_FEXT_UAPSD)); 2994 if ((ni->ni_flags & HTFLAGS) == HTFLAGS) { 2995 frm = ieee80211_add_htcap_vendor(frm, ni); 2996 frm = ieee80211_add_htinfo_vendor(frm, ni); 2997 } 2998 if (ni->ni_flags & IEEE80211_NODE_VHT) { 2999 frm = ieee80211_add_vhtcap(frm, ni); 3000 frm = ieee80211_add_vhtinfo(frm, ni); 3001 } 3002#ifdef IEEE80211_SUPPORT_SUPERG 3003 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS)) 3004 frm = ieee80211_add_ath(frm, 3005 IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS), 3006 ((vap->iv_flags & IEEE80211_F_WPA) == 0 && 3007 ni->ni_authmode != IEEE80211_AUTH_8021X) ? 3008 vap->iv_def_txkey : IEEE80211_KEYIX_NONE); 3009#endif /* IEEE80211_SUPPORT_SUPERG */ 3010 if (vap->iv_appie_assocresp != NULL) 3011 frm = add_appie(frm, vap->iv_appie_assocresp); 3012 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 3013 break; 3014 3015 case IEEE80211_FC0_SUBTYPE_DISASSOC: 3016 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 3017 "send station disassociate (reason: %d (%s))", arg, 3018 ieee80211_reason_to_string(arg)); 3019 m = ieee80211_getmgtframe(&frm, 3020 ic->ic_headroom + sizeof(struct ieee80211_frame), 3021 sizeof(uint16_t)); 3022 if (m == NULL) 3023 senderr(ENOMEM, is_tx_nobuf); 3024 *(uint16_t *)frm = htole16(arg); /* reason */ 3025 m->m_pkthdr.len = m->m_len = sizeof(uint16_t); 3026 3027 IEEE80211_NODE_STAT(ni, tx_disassoc); 3028 IEEE80211_NODE_STAT_SET(ni, tx_disassoc_code, arg); 3029 break; 3030 3031 default: 3032 IEEE80211_NOTE(vap, IEEE80211_MSG_ANY, ni, 3033 "invalid mgmt frame type %u", type); 3034 senderr(EINVAL, is_tx_unknownmgt); 3035 /* NOTREACHED */ 3036 } 3037 3038 /* NB: force non-ProbeResp frames to the highest queue */ 3039 params.ibp_pri = WME_AC_VO; 3040 params.ibp_rate0 = bss->ni_txparms->mgmtrate; 3041 /* NB: we know all frames are unicast */ 3042 params.ibp_try0 = bss->ni_txparms->maxretry; 3043 params.ibp_power = bss->ni_txpower; 3044 return ieee80211_mgmt_output(ni, m, type, ¶ms); 3045bad: 3046 ieee80211_free_node(ni); 3047 return ret; 3048#undef senderr 3049#undef HTFLAGS 3050} 3051 3052/* 3053 * Return an mbuf with a probe response frame in it. 3054 * Space is left to prepend and 802.11 header at the 3055 * front but it's left to the caller to fill in. 3056 */ 3057struct mbuf * 3058ieee80211_alloc_proberesp(struct ieee80211_node *bss, int legacy) 3059{ 3060 struct ieee80211vap *vap = bss->ni_vap; 3061 struct ieee80211com *ic = bss->ni_ic; 3062 const struct ieee80211_rateset *rs; 3063 struct mbuf *m; 3064 uint16_t capinfo; 3065 uint8_t *frm; 3066 3067 /* 3068 * probe response frame format 3069 * [8] time stamp 3070 * [2] beacon interval 3071 * [2] cabability information 3072 * [tlv] ssid 3073 * [tlv] supported rates 3074 * [tlv] parameter set (FH/DS) 3075 * [tlv] parameter set (IBSS) 3076 * [tlv] country (optional) 3077 * [3] power control (optional) 3078 * [5] channel switch announcement (CSA) (optional) 3079 * [tlv] extended rate phy (ERP) 3080 * [tlv] extended supported rates 3081 * [tlv] RSN (optional) 3082 * [tlv] HT capabilities 3083 * [tlv] HT information 3084 * [tlv] VHT capabilities 3085 * [tlv] VHT information 3086 * [tlv] WPA (optional) 3087 * [tlv] WME (optional) 3088 * [tlv] Vendor OUI HT capabilities (optional) 3089 * [tlv] Vendor OUI HT information (optional) 3090 * [tlv] Atheros capabilities 3091 * [tlv] AppIE's (optional) 3092 * [tlv] Mesh ID (MBSS) 3093 * [tlv] Mesh Conf (MBSS) 3094 */ 3095 m = ieee80211_getmgtframe(&frm, 3096 ic->ic_headroom + sizeof(struct ieee80211_frame), 3097 8 3098 + sizeof(uint16_t) 3099 + sizeof(uint16_t) 3100 + 2 + IEEE80211_NWID_LEN 3101 + 2 + IEEE80211_RATE_SIZE 3102 + 7 /* max(7,3) */ 3103 + IEEE80211_COUNTRY_MAX_SIZE 3104 + 3 3105 + sizeof(struct ieee80211_csa_ie) 3106 + sizeof(struct ieee80211_quiet_ie) 3107 + 3 3108 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 3109 + sizeof(struct ieee80211_ie_wpa) 3110 + sizeof(struct ieee80211_ie_htcap) 3111 + sizeof(struct ieee80211_ie_htinfo) 3112 + sizeof(struct ieee80211_ie_wpa) 3113 + sizeof(struct ieee80211_wme_param) 3114 + 4 + sizeof(struct ieee80211_ie_htcap) 3115 + 4 + sizeof(struct ieee80211_ie_htinfo) 3116 + 2 + sizeof(struct ieee80211_vht_cap) 3117 + 2 + sizeof(struct ieee80211_vht_operation) 3118#ifdef IEEE80211_SUPPORT_SUPERG 3119 + sizeof(struct ieee80211_ath_ie) 3120#endif 3121#ifdef IEEE80211_SUPPORT_MESH 3122 + 2 + IEEE80211_MESHID_LEN 3123 + sizeof(struct ieee80211_meshconf_ie) 3124#endif 3125 + (vap->iv_appie_proberesp != NULL ? 3126 vap->iv_appie_proberesp->ie_len : 0) 3127 ); 3128 if (m == NULL) { 3129 vap->iv_stats.is_tx_nobuf++; 3130 return NULL; 3131 } 3132 3133 memset(frm, 0, 8); /* timestamp should be filled later */ 3134 frm += 8; 3135 *(uint16_t *)frm = htole16(bss->ni_intval); 3136 frm += 2; 3137 capinfo = ieee80211_getcapinfo(vap, bss->ni_chan); 3138 *(uint16_t *)frm = htole16(capinfo); 3139 frm += 2; 3140 3141 frm = ieee80211_add_ssid(frm, bss->ni_essid, bss->ni_esslen); 3142 rs = ieee80211_get_suprates(ic, bss->ni_chan); 3143 frm = ieee80211_add_rates(frm, rs); 3144 3145 if (IEEE80211_IS_CHAN_FHSS(bss->ni_chan)) { 3146 *frm++ = IEEE80211_ELEMID_FHPARMS; 3147 *frm++ = 5; 3148 *frm++ = bss->ni_fhdwell & 0x00ff; 3149 *frm++ = (bss->ni_fhdwell >> 8) & 0x00ff; 3150 *frm++ = IEEE80211_FH_CHANSET( 3151 ieee80211_chan2ieee(ic, bss->ni_chan)); 3152 *frm++ = IEEE80211_FH_CHANPAT( 3153 ieee80211_chan2ieee(ic, bss->ni_chan)); 3154 *frm++ = bss->ni_fhindex; 3155 } else { 3156 *frm++ = IEEE80211_ELEMID_DSPARMS; 3157 *frm++ = 1; 3158 *frm++ = ieee80211_chan2ieee(ic, bss->ni_chan); 3159 } 3160 3161 if (vap->iv_opmode == IEEE80211_M_IBSS) { 3162 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 3163 *frm++ = 2; 3164 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 3165 } 3166 if ((vap->iv_flags & IEEE80211_F_DOTH) || 3167 (vap->iv_flags_ext & IEEE80211_FEXT_DOTD)) 3168 frm = ieee80211_add_countryie(frm, ic); 3169 if (vap->iv_flags & IEEE80211_F_DOTH) { 3170 if (IEEE80211_IS_CHAN_5GHZ(bss->ni_chan)) 3171 frm = ieee80211_add_powerconstraint(frm, vap); 3172 if (ic->ic_flags & IEEE80211_F_CSAPENDING) 3173 frm = ieee80211_add_csa(frm, vap); 3174 } 3175 if (vap->iv_flags & IEEE80211_F_DOTH) { 3176 if (IEEE80211_IS_CHAN_DFS(ic->ic_bsschan) && 3177 (vap->iv_flags_ext & IEEE80211_FEXT_DFS)) { 3178 if (vap->iv_quiet) 3179 frm = ieee80211_add_quiet(frm, vap, 0); 3180 } 3181 } 3182 if (IEEE80211_IS_CHAN_ANYG(bss->ni_chan)) 3183 frm = ieee80211_add_erp(frm, vap); 3184 frm = ieee80211_add_xrates(frm, rs); 3185 frm = ieee80211_add_rsn(frm, vap); 3186 /* 3187 * NB: legacy 11b clients do not get certain ie's. 3188 * The caller identifies such clients by passing 3189 * a token in legacy to us. Could expand this to be 3190 * any legacy client for stuff like HT ie's. 3191 */ 3192 if (IEEE80211_IS_CHAN_HT(bss->ni_chan) && 3193 legacy != IEEE80211_SEND_LEGACY_11B) { 3194 frm = ieee80211_add_htcap(frm, bss); 3195 frm = ieee80211_add_htinfo(frm, bss); 3196 } 3197 if (IEEE80211_IS_CHAN_VHT(bss->ni_chan) && 3198 legacy != IEEE80211_SEND_LEGACY_11B) { 3199 frm = ieee80211_add_vhtcap(frm, bss); 3200 frm = ieee80211_add_vhtinfo(frm, bss); 3201 } 3202 frm = ieee80211_add_wpa(frm, vap); 3203 if (vap->iv_flags & IEEE80211_F_WME) 3204 frm = ieee80211_add_wme_param(frm, &ic->ic_wme, 3205 !! (vap->iv_flags_ext & IEEE80211_FEXT_UAPSD)); 3206 if (IEEE80211_IS_CHAN_HT(bss->ni_chan) && 3207 (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) && 3208 legacy != IEEE80211_SEND_LEGACY_11B) { 3209 frm = ieee80211_add_htcap_vendor(frm, bss); 3210 frm = ieee80211_add_htinfo_vendor(frm, bss); 3211 } 3212#ifdef IEEE80211_SUPPORT_SUPERG 3213 if ((vap->iv_flags & IEEE80211_F_ATHEROS) && 3214 legacy != IEEE80211_SEND_LEGACY_11B) 3215 frm = ieee80211_add_athcaps(frm, bss); 3216#endif 3217 if (vap->iv_appie_proberesp != NULL) 3218 frm = add_appie(frm, vap->iv_appie_proberesp); 3219#ifdef IEEE80211_SUPPORT_MESH 3220 if (vap->iv_opmode == IEEE80211_M_MBSS) { 3221 frm = ieee80211_add_meshid(frm, vap); 3222 frm = ieee80211_add_meshconf(frm, vap); 3223 } 3224#endif 3225 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 3226 3227 return m; 3228} 3229 3230/* 3231 * Send a probe response frame to the specified mac address. 3232 * This does not go through the normal mgt frame api so we 3233 * can specify the destination address and re-use the bss node 3234 * for the sta reference. 3235 */ 3236int 3237ieee80211_send_proberesp(struct ieee80211vap *vap, 3238 const uint8_t da[IEEE80211_ADDR_LEN], int legacy) 3239{ 3240 struct ieee80211_node *bss = vap->iv_bss; 3241 struct ieee80211com *ic = vap->iv_ic; 3242 struct mbuf *m; 3243 int ret; 3244 3245 if (vap->iv_state == IEEE80211_S_CAC) { 3246 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, bss, 3247 "block %s frame in CAC state", "probe response"); 3248 vap->iv_stats.is_tx_badstate++; 3249 return EIO; /* XXX */ 3250 } 3251 3252 /* 3253 * Hold a reference on the node so it doesn't go away until after 3254 * the xmit is complete all the way in the driver. On error we 3255 * will remove our reference. 3256 */ 3257 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 3258 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 3259 __func__, __LINE__, bss, ether_sprintf(bss->ni_macaddr), 3260 ieee80211_node_refcnt(bss)+1); 3261 ieee80211_ref_node(bss); 3262 3263 m = ieee80211_alloc_proberesp(bss, legacy); 3264 if (m == NULL) { 3265 ieee80211_free_node(bss); 3266 return ENOMEM; 3267 } 3268 3269 M_PREPEND(m, sizeof(struct ieee80211_frame), IEEE80211_M_NOWAIT); 3270 KASSERT(m != NULL, ("no room for header")); 3271 3272 IEEE80211_TX_LOCK(ic); 3273 ieee80211_send_setup(bss, m, 3274 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP, 3275 IEEE80211_NONQOS_TID, vap->iv_myaddr, da, bss->ni_bssid); 3276 /* XXX power management? */ 3277 m->m_flags |= M_ENCAP; /* mark encapsulated */ 3278 3279 M_WME_SETAC(m, WME_AC_BE); 3280 3281 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 3282 "send probe resp on channel %u to %s%s\n", 3283 ieee80211_chan2ieee(ic, ic->ic_curchan), ether_sprintf(da), 3284 legacy ? " <legacy>" : ""); 3285 IEEE80211_NODE_STAT(bss, tx_mgmt); 3286 3287 ret = ieee80211_raw_output(vap, bss, m, NULL); 3288 IEEE80211_TX_UNLOCK(ic); 3289 return (ret); 3290} 3291 3292/* 3293 * Allocate and build a RTS (Request To Send) control frame. 3294 */ 3295struct mbuf * 3296ieee80211_alloc_rts(struct ieee80211com *ic, 3297 const uint8_t ra[IEEE80211_ADDR_LEN], 3298 const uint8_t ta[IEEE80211_ADDR_LEN], 3299 uint16_t dur) 3300{ 3301 struct ieee80211_frame_rts *rts; 3302 struct mbuf *m; 3303 3304 /* XXX honor ic_headroom */ 3305 m = m_gethdr(IEEE80211_M_NOWAIT, MT_DATA); 3306 if (m != NULL) { 3307 rts = mtod(m, struct ieee80211_frame_rts *); 3308 rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | 3309 IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_RTS; 3310 rts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 3311 *(u_int16_t *)rts->i_dur = htole16(dur); 3312 IEEE80211_ADDR_COPY(rts->i_ra, ra); 3313 IEEE80211_ADDR_COPY(rts->i_ta, ta); 3314 3315 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts); 3316 } 3317 return m; 3318} 3319 3320/* 3321 * Allocate and build a CTS (Clear To Send) control frame. 3322 */ 3323struct mbuf * 3324ieee80211_alloc_cts(struct ieee80211com *ic, 3325 const uint8_t ra[IEEE80211_ADDR_LEN], uint16_t dur) 3326{ 3327 struct ieee80211_frame_cts *cts; 3328 struct mbuf *m; 3329 3330 /* XXX honor ic_headroom */ 3331 m = m_gethdr(IEEE80211_M_NOWAIT, MT_DATA); 3332 if (m != NULL) { 3333 cts = mtod(m, struct ieee80211_frame_cts *); 3334 cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | 3335 IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_CTS; 3336 cts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 3337 *(u_int16_t *)cts->i_dur = htole16(dur); 3338 IEEE80211_ADDR_COPY(cts->i_ra, ra); 3339 3340 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts); 3341 } 3342 return m; 3343} 3344 3345/* 3346 * Wrapper for CTS/RTS frame allocation. 3347 */ 3348struct mbuf * 3349ieee80211_alloc_prot(struct ieee80211_node *ni, const struct mbuf *m, 3350 uint8_t rate, int prot) 3351{ 3352 struct ieee80211com *ic = ni->ni_ic; 3353 struct ieee80211vap *vap = ni->ni_vap; 3354 const struct ieee80211_frame *wh; 3355 struct mbuf *mprot; 3356 uint16_t dur; 3357 int pktlen, isshort; 3358 3359 KASSERT(prot == IEEE80211_PROT_RTSCTS || 3360 prot == IEEE80211_PROT_CTSONLY, 3361 ("wrong protection type %d", prot)); 3362 3363 wh = mtod(m, const struct ieee80211_frame *); 3364 pktlen = m->m_pkthdr.len + IEEE80211_CRC_LEN; 3365 isshort = (vap->iv_flags & IEEE80211_F_SHPREAMBLE) != 0; 3366 dur = ieee80211_compute_duration(ic->ic_rt, pktlen, rate, isshort) 3367 + ieee80211_ack_duration(ic->ic_rt, rate, isshort); 3368 3369 if (prot == IEEE80211_PROT_RTSCTS) { 3370 /* NB: CTS is the same size as an ACK */ 3371 dur += ieee80211_ack_duration(ic->ic_rt, rate, isshort); 3372 mprot = ieee80211_alloc_rts(ic, wh->i_addr1, wh->i_addr2, dur); 3373 } else 3374 mprot = ieee80211_alloc_cts(ic, vap->iv_myaddr, dur); 3375 3376 return (mprot); 3377} 3378 3379static void 3380ieee80211_tx_mgt_timeout(void *arg) 3381{ 3382 struct ieee80211vap *vap = arg; 3383 3384 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG, 3385 "vap %p mode %s state %s flags %#x & %#x\n", vap, 3386 ieee80211_opmode_name[vap->iv_opmode], 3387 ieee80211_state_name[vap->iv_state], 3388 vap->iv_ic->ic_flags, IEEE80211_F_SCAN); 3389 3390 IEEE80211_LOCK(vap->iv_ic); 3391 if (vap->iv_state != IEEE80211_S_INIT && 3392 (vap->iv_ic->ic_flags & IEEE80211_F_SCAN) == 0) { 3393 /* 3394 * NB: it's safe to specify a timeout as the reason here; 3395 * it'll only be used in the right state. 3396 */ 3397 ieee80211_new_state_locked(vap, IEEE80211_S_SCAN, 3398 IEEE80211_SCAN_FAIL_TIMEOUT); 3399 } 3400 IEEE80211_UNLOCK(vap->iv_ic); 3401} 3402 3403/* 3404 * This is the callback set on net80211-sourced transmitted 3405 * authentication request frames. 3406 * 3407 * This does a couple of things: 3408 * 3409 * + If the frame transmitted was a success, it schedules a future 3410 * event which will transition the interface to scan. 3411 * If a state transition _then_ occurs before that event occurs, 3412 * said state transition will cancel this callout. 3413 * 3414 * + If the frame transmit was a failure, it immediately schedules 3415 * the transition back to scan. 3416 */ 3417static void 3418ieee80211_tx_mgt_cb(struct ieee80211_node *ni, void *arg, int status) 3419{ 3420 struct ieee80211vap *vap = ni->ni_vap; 3421 enum ieee80211_state ostate = (enum ieee80211_state)(uintptr_t)arg; 3422 3423 /* 3424 * Frame transmit completed; arrange timer callback. If 3425 * transmit was successfully we wait for response. Otherwise 3426 * we arrange an immediate callback instead of doing the 3427 * callback directly since we don't know what state the driver 3428 * is in (e.g. what locks it is holding). This work should 3429 * not be too time-critical and not happen too often so the 3430 * added overhead is acceptable. 3431 * 3432 * XXX what happens if !acked but response shows up before callback? 3433 */ 3434 if (vap->iv_state == ostate) { 3435 IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG, 3436 "ni %p mode %s state %s arg %p status %d\n", ni, 3437 ieee80211_opmode_name[vap->iv_opmode], 3438 ieee80211_state_name[vap->iv_state], arg, status); 3439 3440 callout_reset(&vap->iv_mgtsend, 3441 status == 0 ? IEEE80211_TRANS_WAIT*hz : 0, 3442 ieee80211_tx_mgt_timeout, vap); 3443 } 3444} 3445 3446static void 3447ieee80211_beacon_construct(struct mbuf *m, uint8_t *frm, 3448 struct ieee80211_node *ni) 3449{ 3450 struct ieee80211vap *vap = ni->ni_vap; 3451 struct ieee80211_beacon_offsets *bo = &vap->iv_bcn_off; 3452 struct ieee80211com *ic = ni->ni_ic; 3453 struct ieee80211_rateset *rs = &ni->ni_rates; 3454 uint16_t capinfo; 3455 3456 /* 3457 * beacon frame format 3458 * 3459 * TODO: update to 802.11-2012; a lot of stuff has changed; 3460 * vendor extensions should be at the end, etc. 3461 * 3462 * [8] time stamp 3463 * [2] beacon interval 3464 * [2] cabability information 3465 * [tlv] ssid 3466 * [tlv] supported rates 3467 * [3] parameter set (DS) 3468 * [8] CF parameter set (optional) 3469 * [tlv] parameter set (IBSS/TIM) 3470 * [tlv] country (optional) 3471 * [3] power control (optional) 3472 * [5] channel switch announcement (CSA) (optional) 3473 * XXX TODO: Quiet 3474 * XXX TODO: IBSS DFS 3475 * XXX TODO: TPC report 3476 * [tlv] extended rate phy (ERP) 3477 * [tlv] extended supported rates 3478 * [tlv] RSN parameters 3479 * XXX TODO: BSSLOAD 3480 * (XXX EDCA parameter set, QoS capability?) 3481 * XXX TODO: AP channel report 3482 * 3483 * [tlv] HT capabilities 3484 * [tlv] HT information 3485 * XXX TODO: 20/40 BSS coexistence 3486 * Mesh: 3487 * XXX TODO: Meshid 3488 * XXX TODO: mesh config 3489 * XXX TODO: mesh awake window 3490 * XXX TODO: beacon timing (mesh, etc) 3491 * XXX TODO: MCCAOP Advertisement Overview 3492 * XXX TODO: MCCAOP Advertisement 3493 * XXX TODO: Mesh channel switch parameters 3494 * VHT: 3495 * XXX TODO: VHT capabilities 3496 * XXX TODO: VHT operation 3497 * XXX TODO: VHT transmit power envelope 3498 * XXX TODO: channel switch wrapper element 3499 * XXX TODO: extended BSS load element 3500 * 3501 * XXX Vendor-specific OIDs (e.g. Atheros) 3502 * [tlv] WPA parameters 3503 * [tlv] WME parameters 3504 * [tlv] Vendor OUI HT capabilities (optional) 3505 * [tlv] Vendor OUI HT information (optional) 3506 * [tlv] Atheros capabilities (optional) 3507 * [tlv] TDMA parameters (optional) 3508 * [tlv] Mesh ID (MBSS) 3509 * [tlv] Mesh Conf (MBSS) 3510 * [tlv] application data (optional) 3511 */ 3512 3513 memset(bo, 0, sizeof(*bo)); 3514 3515 memset(frm, 0, 8); /* XXX timestamp is set by hardware/driver */ 3516 frm += 8; 3517 *(uint16_t *)frm = htole16(ni->ni_intval); 3518 frm += 2; 3519 capinfo = ieee80211_getcapinfo(vap, ni->ni_chan); 3520 bo->bo_caps = (uint16_t *)frm; 3521 *(uint16_t *)frm = htole16(capinfo); 3522 frm += 2; 3523 *frm++ = IEEE80211_ELEMID_SSID; 3524 if ((vap->iv_flags & IEEE80211_F_HIDESSID) == 0) { 3525 *frm++ = ni->ni_esslen; 3526 memcpy(frm, ni->ni_essid, ni->ni_esslen); 3527 frm += ni->ni_esslen; 3528 } else 3529 *frm++ = 0; 3530 frm = ieee80211_add_rates(frm, rs); 3531 if (!IEEE80211_IS_CHAN_FHSS(ni->ni_chan)) { 3532 *frm++ = IEEE80211_ELEMID_DSPARMS; 3533 *frm++ = 1; 3534 *frm++ = ieee80211_chan2ieee(ic, ni->ni_chan); 3535 } 3536 if (ic->ic_flags & IEEE80211_F_PCF) { 3537 bo->bo_cfp = frm; 3538 frm = ieee80211_add_cfparms(frm, ic); 3539 } 3540 bo->bo_tim = frm; 3541 if (vap->iv_opmode == IEEE80211_M_IBSS) { 3542 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 3543 *frm++ = 2; 3544 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 3545 bo->bo_tim_len = 0; 3546 } else if (vap->iv_opmode == IEEE80211_M_HOSTAP || 3547 vap->iv_opmode == IEEE80211_M_MBSS) { 3548 /* TIM IE is the same for Mesh and Hostap */ 3549 struct ieee80211_tim_ie *tie = (struct ieee80211_tim_ie *) frm; 3550 3551 tie->tim_ie = IEEE80211_ELEMID_TIM; 3552 tie->tim_len = 4; /* length */ 3553 tie->tim_count = 0; /* DTIM count */ 3554 tie->tim_period = vap->iv_dtim_period; /* DTIM period */ 3555 tie->tim_bitctl = 0; /* bitmap control */ 3556 tie->tim_bitmap[0] = 0; /* Partial Virtual Bitmap */ 3557 frm += sizeof(struct ieee80211_tim_ie); 3558 bo->bo_tim_len = 1; 3559 } 3560 bo->bo_tim_trailer = frm; 3561 if ((vap->iv_flags & IEEE80211_F_DOTH) || 3562 (vap->iv_flags_ext & IEEE80211_FEXT_DOTD)) 3563 frm = ieee80211_add_countryie(frm, ic); 3564 if (vap->iv_flags & IEEE80211_F_DOTH) { 3565 if (IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) 3566 frm = ieee80211_add_powerconstraint(frm, vap); 3567 bo->bo_csa = frm; 3568 if (ic->ic_flags & IEEE80211_F_CSAPENDING) 3569 frm = ieee80211_add_csa(frm, vap); 3570 } else 3571 bo->bo_csa = frm; 3572 3573 bo->bo_quiet = NULL; 3574 if (vap->iv_flags & IEEE80211_F_DOTH) { 3575 if (IEEE80211_IS_CHAN_DFS(ic->ic_bsschan) && 3576 (vap->iv_flags_ext & IEEE80211_FEXT_DFS) && 3577 (vap->iv_quiet == 1)) { 3578 /* 3579 * We only insert the quiet IE offset if 3580 * the quiet IE is enabled. Otherwise don't 3581 * put it here or we'll just overwrite 3582 * some other beacon contents. 3583 */ 3584 if (vap->iv_quiet) { 3585 bo->bo_quiet = frm; 3586 frm = ieee80211_add_quiet(frm,vap, 0); 3587 } 3588 } 3589 } 3590 3591 if (IEEE80211_IS_CHAN_ANYG(ni->ni_chan)) { 3592 bo->bo_erp = frm; 3593 frm = ieee80211_add_erp(frm, vap); 3594 } 3595 frm = ieee80211_add_xrates(frm, rs); 3596 frm = ieee80211_add_rsn(frm, vap); 3597 if (IEEE80211_IS_CHAN_HT(ni->ni_chan)) { 3598 frm = ieee80211_add_htcap(frm, ni); 3599 bo->bo_htinfo = frm; 3600 frm = ieee80211_add_htinfo(frm, ni); 3601 } 3602 3603 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan)) { 3604 frm = ieee80211_add_vhtcap(frm, ni); 3605 bo->bo_vhtinfo = frm; 3606 frm = ieee80211_add_vhtinfo(frm, ni); 3607 /* Transmit power envelope */ 3608 /* Channel switch wrapper element */ 3609 /* Extended bss load element */ 3610 } 3611 3612 frm = ieee80211_add_wpa(frm, vap); 3613 if (vap->iv_flags & IEEE80211_F_WME) { 3614 bo->bo_wme = frm; 3615 frm = ieee80211_add_wme_param(frm, &ic->ic_wme, 3616 !! (vap->iv_flags_ext & IEEE80211_FEXT_UAPSD)); 3617 } 3618 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && 3619 (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT)) { 3620 frm = ieee80211_add_htcap_vendor(frm, ni); 3621 frm = ieee80211_add_htinfo_vendor(frm, ni); 3622 } 3623 3624#ifdef IEEE80211_SUPPORT_SUPERG 3625 if (vap->iv_flags & IEEE80211_F_ATHEROS) { 3626 bo->bo_ath = frm; 3627 frm = ieee80211_add_athcaps(frm, ni); 3628 } 3629#endif 3630#ifdef IEEE80211_SUPPORT_TDMA 3631 if (vap->iv_caps & IEEE80211_C_TDMA) { 3632 bo->bo_tdma = frm; 3633 frm = ieee80211_add_tdma(frm, vap); 3634 } 3635#endif 3636 if (vap->iv_appie_beacon != NULL) { 3637 bo->bo_appie = frm; 3638 bo->bo_appie_len = vap->iv_appie_beacon->ie_len; 3639 frm = add_appie(frm, vap->iv_appie_beacon); 3640 } 3641 3642 /* XXX TODO: move meshid/meshconf up to before vendor extensions? */ 3643#ifdef IEEE80211_SUPPORT_MESH 3644 if (vap->iv_opmode == IEEE80211_M_MBSS) { 3645 frm = ieee80211_add_meshid(frm, vap); 3646 bo->bo_meshconf = frm; 3647 frm = ieee80211_add_meshconf(frm, vap); 3648 } 3649#endif 3650 bo->bo_tim_trailer_len = frm - bo->bo_tim_trailer; 3651 bo->bo_csa_trailer_len = frm - bo->bo_csa; 3652 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 3653} 3654 3655/* 3656 * Allocate a beacon frame and fillin the appropriate bits. 3657 */ 3658struct mbuf * 3659ieee80211_beacon_alloc(struct ieee80211_node *ni) 3660{ 3661 struct ieee80211vap *vap = ni->ni_vap; 3662 struct ieee80211com *ic = ni->ni_ic; 3663 struct ifnet *ifp = vap->iv_ifp; 3664 struct ieee80211_frame *wh; 3665 struct mbuf *m; 3666 int pktlen; 3667 uint8_t *frm; 3668 3669 /* 3670 * Update the "We're putting the quiet IE in the beacon" state. 3671 */ 3672 if (vap->iv_quiet == 1) 3673 vap->iv_flags_ext |= IEEE80211_FEXT_QUIET_IE; 3674 else if (vap->iv_quiet == 0) 3675 vap->iv_flags_ext &= ~IEEE80211_FEXT_QUIET_IE; 3676 3677 /* 3678 * beacon frame format 3679 * 3680 * Note: This needs updating for 802.11-2012. 3681 * 3682 * [8] time stamp 3683 * [2] beacon interval 3684 * [2] cabability information 3685 * [tlv] ssid 3686 * [tlv] supported rates 3687 * [3] parameter set (DS) 3688 * [8] CF parameter set (optional) 3689 * [tlv] parameter set (IBSS/TIM) 3690 * [tlv] country (optional) 3691 * [3] power control (optional) 3692 * [5] channel switch announcement (CSA) (optional) 3693 * [tlv] extended rate phy (ERP) 3694 * [tlv] extended supported rates 3695 * [tlv] RSN parameters 3696 * [tlv] HT capabilities 3697 * [tlv] HT information 3698 * [tlv] VHT capabilities 3699 * [tlv] VHT operation 3700 * [tlv] Vendor OUI HT capabilities (optional) 3701 * [tlv] Vendor OUI HT information (optional) 3702 * XXX Vendor-specific OIDs (e.g. Atheros) 3703 * [tlv] WPA parameters 3704 * [tlv] WME parameters 3705 * [tlv] TDMA parameters (optional) 3706 * [tlv] Mesh ID (MBSS) 3707 * [tlv] Mesh Conf (MBSS) 3708 * [tlv] application data (optional) 3709 * NB: we allocate the max space required for the TIM bitmap. 3710 * XXX how big is this? 3711 */ 3712 pktlen = 8 /* time stamp */ 3713 + sizeof(uint16_t) /* beacon interval */ 3714 + sizeof(uint16_t) /* capabilities */ 3715 + 2 + ni->ni_esslen /* ssid */ 3716 + 2 + IEEE80211_RATE_SIZE /* supported rates */ 3717 + 2 + 1 /* DS parameters */ 3718 + 2 + 6 /* CF parameters */ 3719 + 2 + 4 + vap->iv_tim_len /* DTIM/IBSSPARMS */ 3720 + IEEE80211_COUNTRY_MAX_SIZE /* country */ 3721 + 2 + 1 /* power control */ 3722 + sizeof(struct ieee80211_csa_ie) /* CSA */ 3723 + sizeof(struct ieee80211_quiet_ie) /* Quiet */ 3724 + 2 + 1 /* ERP */ 3725 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 3726 + (vap->iv_caps & IEEE80211_C_WPA ? /* WPA 1+2 */ 3727 2*sizeof(struct ieee80211_ie_wpa) : 0) 3728 /* XXX conditional? */ 3729 + 4+2*sizeof(struct ieee80211_ie_htcap)/* HT caps */ 3730 + 4+2*sizeof(struct ieee80211_ie_htinfo)/* HT info */ 3731 + 2 + sizeof(struct ieee80211_vht_cap)/* VHT caps */ 3732 + 2 + sizeof(struct ieee80211_vht_operation)/* VHT info */ 3733 + (vap->iv_caps & IEEE80211_C_WME ? /* WME */ 3734 sizeof(struct ieee80211_wme_param) : 0) 3735#ifdef IEEE80211_SUPPORT_SUPERG 3736 + sizeof(struct ieee80211_ath_ie) /* ATH */ 3737#endif 3738#ifdef IEEE80211_SUPPORT_TDMA 3739 + (vap->iv_caps & IEEE80211_C_TDMA ? /* TDMA */ 3740 sizeof(struct ieee80211_tdma_param) : 0) 3741#endif 3742#ifdef IEEE80211_SUPPORT_MESH 3743 + 2 + ni->ni_meshidlen 3744 + sizeof(struct ieee80211_meshconf_ie) 3745#endif 3746 + IEEE80211_MAX_APPIE 3747 ; 3748 m = ieee80211_getmgtframe(&frm, 3749 ic->ic_headroom + sizeof(struct ieee80211_frame), pktlen); 3750 if (m == NULL) { 3751 IEEE80211_DPRINTF(vap, IEEE80211_MSG_ANY, 3752 "%s: cannot get buf; size %u\n", __func__, pktlen); 3753 vap->iv_stats.is_tx_nobuf++; 3754 return NULL; 3755 } 3756 ieee80211_beacon_construct(m, frm, ni); 3757 3758 M_PREPEND(m, sizeof(struct ieee80211_frame), IEEE80211_M_NOWAIT); 3759 KASSERT(m != NULL, ("no space for 802.11 header?")); 3760 wh = mtod(m, struct ieee80211_frame *); 3761 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | 3762 IEEE80211_FC0_SUBTYPE_BEACON; 3763 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 3764 *(uint16_t *)wh->i_dur = 0; 3765 IEEE80211_ADDR_COPY(wh->i_addr1, ifp->if_broadcastaddr); 3766 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 3767 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 3768 *(uint16_t *)wh->i_seq = 0; 3769 3770 return m; 3771} 3772 3773/* 3774 * Update the dynamic parts of a beacon frame based on the current state. 3775 */ 3776int 3777ieee80211_beacon_update(struct ieee80211_node *ni, struct mbuf *m, int mcast) 3778{ 3779 struct ieee80211vap *vap = ni->ni_vap; 3780 struct ieee80211_beacon_offsets *bo = &vap->iv_bcn_off; 3781 struct ieee80211com *ic = ni->ni_ic; 3782 int len_changed = 0; 3783 uint16_t capinfo; 3784 struct ieee80211_frame *wh; 3785 ieee80211_seq seqno; 3786 3787 IEEE80211_LOCK(ic); 3788 /* 3789 * Handle 11h channel change when we've reached the count. 3790 * We must recalculate the beacon frame contents to account 3791 * for the new channel. Note we do this only for the first 3792 * vap that reaches this point; subsequent vaps just update 3793 * their beacon state to reflect the recalculated channel. 3794 */ 3795 if (isset(bo->bo_flags, IEEE80211_BEACON_CSA) && 3796 vap->iv_csa_count == ic->ic_csa_count) { 3797 vap->iv_csa_count = 0; 3798 /* 3799 * Effect channel change before reconstructing the beacon 3800 * frame contents as many places reference ni_chan. 3801 */ 3802 if (ic->ic_csa_newchan != NULL) 3803 ieee80211_csa_completeswitch(ic); 3804 /* 3805 * NB: ieee80211_beacon_construct clears all pending 3806 * updates in bo_flags so we don't need to explicitly 3807 * clear IEEE80211_BEACON_CSA. 3808 */ 3809 ieee80211_beacon_construct(m, 3810 mtod(m, uint8_t*) + sizeof(struct ieee80211_frame), ni); 3811 3812 /* XXX do WME aggressive mode processing? */ 3813 IEEE80211_UNLOCK(ic); 3814 return 1; /* just assume length changed */ 3815 } 3816 3817 /* 3818 * Handle the quiet time element being added and removed. 3819 * Again, for now we just cheat and reconstruct the whole 3820 * beacon - that way the gap is provided as appropriate. 3821 * 3822 * So, track whether we have already added the IE versus 3823 * whether we want to be adding the IE. 3824 */ 3825 if ((vap->iv_flags_ext & IEEE80211_FEXT_QUIET_IE) && 3826 (vap->iv_quiet == 0)) { 3827 /* 3828 * Quiet time beacon IE enabled, but it's disabled; 3829 * recalc 3830 */ 3831 vap->iv_flags_ext &= ~IEEE80211_FEXT_QUIET_IE; 3832 ieee80211_beacon_construct(m, 3833 mtod(m, uint8_t*) + sizeof(struct ieee80211_frame), ni); 3834 /* XXX do WME aggressive mode processing? */ 3835 IEEE80211_UNLOCK(ic); 3836 return 1; /* just assume length changed */ 3837 } 3838 3839 if (((vap->iv_flags_ext & IEEE80211_FEXT_QUIET_IE) == 0) && 3840 (vap->iv_quiet == 1)) { 3841 /* 3842 * Quiet time beacon IE disabled, but it's now enabled; 3843 * recalc 3844 */ 3845 vap->iv_flags_ext |= IEEE80211_FEXT_QUIET_IE; 3846 ieee80211_beacon_construct(m, 3847 mtod(m, uint8_t*) + sizeof(struct ieee80211_frame), ni); 3848 /* XXX do WME aggressive mode processing? */ 3849 IEEE80211_UNLOCK(ic); 3850 return 1; /* just assume length changed */ 3851 } 3852 3853 wh = mtod(m, struct ieee80211_frame *); 3854 3855 /* 3856 * XXX TODO Strictly speaking this should be incremented with the TX 3857 * lock held so as to serialise access to the non-qos TID sequence 3858 * number space. 3859 * 3860 * If the driver identifies it does its own TX seqno management then 3861 * we can skip this (and still not do the TX seqno.) 3862 */ 3863 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++; 3864 *(uint16_t *)&wh->i_seq[0] = 3865 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 3866 M_SEQNO_SET(m, seqno); 3867 3868 /* XXX faster to recalculate entirely or just changes? */ 3869 capinfo = ieee80211_getcapinfo(vap, ni->ni_chan); 3870 *bo->bo_caps = htole16(capinfo); 3871 3872 if (vap->iv_flags & IEEE80211_F_WME) { 3873 struct ieee80211_wme_state *wme = &ic->ic_wme; 3874 3875 /* 3876 * Check for aggressive mode change. When there is 3877 * significant high priority traffic in the BSS 3878 * throttle back BE traffic by using conservative 3879 * parameters. Otherwise BE uses aggressive params 3880 * to optimize performance of legacy/non-QoS traffic. 3881 */ 3882 if (wme->wme_flags & WME_F_AGGRMODE) { 3883 if (wme->wme_hipri_traffic > 3884 wme->wme_hipri_switch_thresh) { 3885 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME, 3886 "%s: traffic %u, disable aggressive mode\n", 3887 __func__, wme->wme_hipri_traffic); 3888 wme->wme_flags &= ~WME_F_AGGRMODE; 3889 ieee80211_wme_updateparams_locked(vap); 3890 wme->wme_hipri_traffic = 3891 wme->wme_hipri_switch_hysteresis; 3892 } else 3893 wme->wme_hipri_traffic = 0; 3894 } else { 3895 if (wme->wme_hipri_traffic <= 3896 wme->wme_hipri_switch_thresh) { 3897 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME, 3898 "%s: traffic %u, enable aggressive mode\n", 3899 __func__, wme->wme_hipri_traffic); 3900 wme->wme_flags |= WME_F_AGGRMODE; 3901 ieee80211_wme_updateparams_locked(vap); 3902 wme->wme_hipri_traffic = 0; 3903 } else 3904 wme->wme_hipri_traffic = 3905 wme->wme_hipri_switch_hysteresis; 3906 } 3907 if (isset(bo->bo_flags, IEEE80211_BEACON_WME)) { 3908 (void) ieee80211_add_wme_param(bo->bo_wme, wme, 3909 vap->iv_flags_ext & IEEE80211_FEXT_UAPSD); 3910 clrbit(bo->bo_flags, IEEE80211_BEACON_WME); 3911 } 3912 } 3913 3914 if (isset(bo->bo_flags, IEEE80211_BEACON_HTINFO)) { 3915 ieee80211_ht_update_beacon(vap, bo); 3916 clrbit(bo->bo_flags, IEEE80211_BEACON_HTINFO); 3917 } 3918#ifdef IEEE80211_SUPPORT_TDMA 3919 if (vap->iv_caps & IEEE80211_C_TDMA) { 3920 /* 3921 * NB: the beacon is potentially updated every TBTT. 3922 */ 3923 ieee80211_tdma_update_beacon(vap, bo); 3924 } 3925#endif 3926#ifdef IEEE80211_SUPPORT_MESH 3927 if (vap->iv_opmode == IEEE80211_M_MBSS) 3928 ieee80211_mesh_update_beacon(vap, bo); 3929#endif 3930 3931 if (vap->iv_opmode == IEEE80211_M_HOSTAP || 3932 vap->iv_opmode == IEEE80211_M_MBSS) { /* NB: no IBSS support*/ 3933 struct ieee80211_tim_ie *tie = 3934 (struct ieee80211_tim_ie *) bo->bo_tim; 3935 if (isset(bo->bo_flags, IEEE80211_BEACON_TIM)) { 3936 u_int timlen, timoff, i; 3937 /* 3938 * ATIM/DTIM needs updating. If it fits in the 3939 * current space allocated then just copy in the 3940 * new bits. Otherwise we need to move any trailing 3941 * data to make room. Note that we know there is 3942 * contiguous space because ieee80211_beacon_allocate 3943 * insures there is space in the mbuf to write a 3944 * maximal-size virtual bitmap (based on iv_max_aid). 3945 */ 3946 /* 3947 * Calculate the bitmap size and offset, copy any 3948 * trailer out of the way, and then copy in the 3949 * new bitmap and update the information element. 3950 * Note that the tim bitmap must contain at least 3951 * one byte and any offset must be even. 3952 */ 3953 if (vap->iv_ps_pending != 0) { 3954 timoff = 128; /* impossibly large */ 3955 for (i = 0; i < vap->iv_tim_len; i++) 3956 if (vap->iv_tim_bitmap[i]) { 3957 timoff = i &~ 1; 3958 break; 3959 } 3960 KASSERT(timoff != 128, ("tim bitmap empty!")); 3961 for (i = vap->iv_tim_len-1; i >= timoff; i--) 3962 if (vap->iv_tim_bitmap[i]) 3963 break; 3964 timlen = 1 + (i - timoff); 3965 } else { 3966 timoff = 0; 3967 timlen = 1; 3968 } 3969 3970 /* 3971 * TODO: validate this! 3972 */ 3973 if (timlen != bo->bo_tim_len) { 3974 /* copy up/down trailer */ 3975 int adjust = tie->tim_bitmap+timlen 3976 - bo->bo_tim_trailer; 3977 ovbcopy(bo->bo_tim_trailer, 3978 bo->bo_tim_trailer+adjust, 3979 bo->bo_tim_trailer_len); 3980 bo->bo_tim_trailer += adjust; 3981 bo->bo_erp += adjust; 3982 bo->bo_htinfo += adjust; 3983 bo->bo_vhtinfo += adjust; 3984#ifdef IEEE80211_SUPPORT_SUPERG 3985 bo->bo_ath += adjust; 3986#endif 3987#ifdef IEEE80211_SUPPORT_TDMA 3988 bo->bo_tdma += adjust; 3989#endif 3990#ifdef IEEE80211_SUPPORT_MESH 3991 bo->bo_meshconf += adjust; 3992#endif 3993 bo->bo_appie += adjust; 3994 bo->bo_wme += adjust; 3995 bo->bo_csa += adjust; 3996 bo->bo_quiet += adjust; 3997 bo->bo_tim_len = timlen; 3998 3999 /* update information element */ 4000 tie->tim_len = 3 + timlen; 4001 tie->tim_bitctl = timoff; 4002 len_changed = 1; 4003 } 4004 memcpy(tie->tim_bitmap, vap->iv_tim_bitmap + timoff, 4005 bo->bo_tim_len); 4006 4007 clrbit(bo->bo_flags, IEEE80211_BEACON_TIM); 4008 4009 IEEE80211_DPRINTF(vap, IEEE80211_MSG_POWER, 4010 "%s: TIM updated, pending %u, off %u, len %u\n", 4011 __func__, vap->iv_ps_pending, timoff, timlen); 4012 } 4013 /* count down DTIM period */ 4014 if (tie->tim_count == 0) 4015 tie->tim_count = tie->tim_period - 1; 4016 else 4017 tie->tim_count--; 4018 /* update state for buffered multicast frames on DTIM */ 4019 if (mcast && tie->tim_count == 0) 4020 tie->tim_bitctl |= 1; 4021 else 4022 tie->tim_bitctl &= ~1; 4023 if (isset(bo->bo_flags, IEEE80211_BEACON_CSA)) { 4024 struct ieee80211_csa_ie *csa = 4025 (struct ieee80211_csa_ie *) bo->bo_csa; 4026 4027 /* 4028 * Insert or update CSA ie. If we're just starting 4029 * to count down to the channel switch then we need 4030 * to insert the CSA ie. Otherwise we just need to 4031 * drop the count. The actual change happens above 4032 * when the vap's count reaches the target count. 4033 */ 4034 if (vap->iv_csa_count == 0) { 4035 memmove(&csa[1], csa, bo->bo_csa_trailer_len); 4036 bo->bo_erp += sizeof(*csa); 4037 bo->bo_htinfo += sizeof(*csa); 4038 bo->bo_vhtinfo += sizeof(*csa); 4039 bo->bo_wme += sizeof(*csa); 4040#ifdef IEEE80211_SUPPORT_SUPERG 4041 bo->bo_ath += sizeof(*csa); 4042#endif 4043#ifdef IEEE80211_SUPPORT_TDMA 4044 bo->bo_tdma += sizeof(*csa); 4045#endif 4046#ifdef IEEE80211_SUPPORT_MESH 4047 bo->bo_meshconf += sizeof(*csa); 4048#endif 4049 bo->bo_appie += sizeof(*csa); 4050 bo->bo_csa_trailer_len += sizeof(*csa); 4051 bo->bo_quiet += sizeof(*csa); 4052 bo->bo_tim_trailer_len += sizeof(*csa); 4053 m->m_len += sizeof(*csa); 4054 m->m_pkthdr.len += sizeof(*csa); 4055 4056 ieee80211_add_csa(bo->bo_csa, vap); 4057 } else 4058 csa->csa_count--; 4059 vap->iv_csa_count++; 4060 /* NB: don't clear IEEE80211_BEACON_CSA */ 4061 } 4062 4063 /* 4064 * Only add the quiet time IE if we've enabled it 4065 * as appropriate. 4066 */ 4067 if (IEEE80211_IS_CHAN_DFS(ic->ic_bsschan) && 4068 (vap->iv_flags_ext & IEEE80211_FEXT_DFS)) { 4069 if (vap->iv_quiet && 4070 (vap->iv_flags_ext & IEEE80211_FEXT_QUIET_IE)) { 4071 ieee80211_add_quiet(bo->bo_quiet, vap, 1); 4072 } 4073 } 4074 if (isset(bo->bo_flags, IEEE80211_BEACON_ERP)) { 4075 /* 4076 * ERP element needs updating. 4077 */ 4078 (void) ieee80211_add_erp(bo->bo_erp, vap); 4079 clrbit(bo->bo_flags, IEEE80211_BEACON_ERP); 4080 } 4081#ifdef IEEE80211_SUPPORT_SUPERG 4082 if (isset(bo->bo_flags, IEEE80211_BEACON_ATH)) { 4083 ieee80211_add_athcaps(bo->bo_ath, ni); 4084 clrbit(bo->bo_flags, IEEE80211_BEACON_ATH); 4085 } 4086#endif 4087 } 4088 if (isset(bo->bo_flags, IEEE80211_BEACON_APPIE)) { 4089 const struct ieee80211_appie *aie = vap->iv_appie_beacon; 4090 int aielen; 4091 uint8_t *frm; 4092 4093 aielen = 0; 4094 if (aie != NULL) 4095 aielen += aie->ie_len; 4096 if (aielen != bo->bo_appie_len) { 4097 /* copy up/down trailer */ 4098 int adjust = aielen - bo->bo_appie_len; 4099 ovbcopy(bo->bo_tim_trailer, bo->bo_tim_trailer+adjust, 4100 bo->bo_tim_trailer_len); 4101 bo->bo_tim_trailer += adjust; 4102 bo->bo_appie += adjust; 4103 bo->bo_appie_len = aielen; 4104 4105 len_changed = 1; 4106 } 4107 frm = bo->bo_appie; 4108 if (aie != NULL) 4109 frm = add_appie(frm, aie); 4110 clrbit(bo->bo_flags, IEEE80211_BEACON_APPIE); 4111 } 4112 IEEE80211_UNLOCK(ic); 4113 4114 return len_changed; 4115} 4116 4117/* 4118 * Do Ethernet-LLC encapsulation for each payload in a fast frame 4119 * tunnel encapsulation. The frame is assumed to have an Ethernet 4120 * header at the front that must be stripped before prepending the 4121 * LLC followed by the Ethernet header passed in (with an Ethernet 4122 * type that specifies the payload size). 4123 */ 4124struct mbuf * 4125ieee80211_ff_encap1(struct ieee80211vap *vap, struct mbuf *m, 4126 const struct ether_header *eh) 4127{ 4128 struct llc *llc; 4129 uint16_t payload; 4130 4131 /* XXX optimize by combining m_adj+M_PREPEND */ 4132 m_adj(m, sizeof(struct ether_header) - sizeof(struct llc)); 4133 llc = mtod(m, struct llc *); 4134 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 4135 llc->llc_control = LLC_UI; 4136 llc->llc_snap.org_code[0] = 0; 4137 llc->llc_snap.org_code[1] = 0; 4138 llc->llc_snap.org_code[2] = 0; 4139 llc->llc_snap.ether_type = eh->ether_type; 4140 payload = m->m_pkthdr.len; /* NB: w/o Ethernet header */ 4141 4142 M_PREPEND(m, sizeof(struct ether_header), IEEE80211_M_NOWAIT); 4143 if (m == NULL) { /* XXX cannot happen */ 4144 IEEE80211_DPRINTF(vap, IEEE80211_MSG_SUPERG, 4145 "%s: no space for ether_header\n", __func__); 4146 vap->iv_stats.is_tx_nobuf++; 4147 return NULL; 4148 } 4149 ETHER_HEADER_COPY(mtod(m, void *), eh); 4150 mtod(m, struct ether_header *)->ether_type = htons(payload); 4151 return m; 4152} 4153 4154/* 4155 * Complete an mbuf transmission. 4156 * 4157 * For now, this simply processes a completed frame after the 4158 * driver has completed it's transmission and/or retransmission. 4159 * It assumes the frame is an 802.11 encapsulated frame. 4160 * 4161 * Later on it will grow to become the exit path for a given frame 4162 * from the driver and, depending upon how it's been encapsulated 4163 * and already transmitted, it may end up doing A-MPDU retransmission, 4164 * power save requeuing, etc. 4165 * 4166 * In order for the above to work, the driver entry point to this 4167 * must not hold any driver locks. Thus, the driver needs to delay 4168 * any actual mbuf completion until it can release said locks. 4169 * 4170 * This frees the mbuf and if the mbuf has a node reference, 4171 * the node reference will be freed. 4172 */ 4173void 4174ieee80211_tx_complete(struct ieee80211_node *ni, struct mbuf *m, int status) 4175{ 4176 4177 if (ni != NULL) { 4178 struct ifnet *ifp = ni->ni_vap->iv_ifp; 4179 4180 if (status == 0) { 4181 if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len); 4182 if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1); 4183 if (m->m_flags & M_MCAST) 4184 if_inc_counter(ifp, IFCOUNTER_OMCASTS, 1); 4185 } else 4186 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 4187 if (m->m_flags & M_TXCB) { 4188 IEEE80211_DPRINTF(ni->ni_vap, IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG, 4189 "ni %p vap %p mode %s state %s m %p status %d\n", ni, ni->ni_vap, 4190 ieee80211_opmode_name[ni->ni_vap->iv_opmode], 4191 ieee80211_state_name[ni->ni_vap->iv_state], m, status); 4192 ieee80211_process_callback(ni, m, status); 4193 } 4194 ieee80211_free_node(ni); 4195 } 4196 m_freem(m); 4197} 4198