1/* $OpenBSD: ieee80211_output.c,v 1.139 2024/05/08 14:02:59 stsp Exp $ */ 2/* $NetBSD: ieee80211_output.c,v 1.13 2004/05/31 11:02:55 dyoung Exp $ */ 3 4/*- 5 * Copyright (c) 2001 Atsushi Onoe 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * Copyright (c) 2007-2009 Damien Bergamini 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33#include "bpfilter.h" 34#include "vlan.h" 35 36#include <sys/param.h> 37#include <sys/systm.h> 38#include <sys/mbuf.h> 39#include <sys/kernel.h> 40#include <sys/socket.h> 41#include <sys/sockio.h> 42#include <sys/endian.h> 43#include <sys/errno.h> 44#include <sys/sysctl.h> 45 46#include <net/if.h> 47#include <net/if_dl.h> 48#include <net/if_media.h> 49#include <net/if_llc.h> 50#include <net/bpf.h> 51 52#include <netinet/in.h> 53#include <netinet/if_ether.h> 54#include <netinet/ip.h> 55#ifdef INET6 56#include <netinet/ip6.h> 57#endif 58 59#if NVLAN > 0 60#include <net/if_vlan_var.h> 61#endif 62 63#include <net80211/ieee80211_var.h> 64#include <net80211/ieee80211_priv.h> 65 66int ieee80211_mgmt_output(struct ifnet *, struct ieee80211_node *, 67 struct mbuf *, int); 68int ieee80211_can_use_ampdu(struct ieee80211com *, 69 struct ieee80211_node *); 70u_int8_t *ieee80211_add_rsn_body(u_int8_t *, struct ieee80211com *, 71 const struct ieee80211_node *, int); 72struct mbuf *ieee80211_getmgmt(int, int, u_int); 73struct mbuf *ieee80211_get_probe_req(struct ieee80211com *, 74 struct ieee80211_node *); 75#ifndef IEEE80211_STA_ONLY 76struct mbuf *ieee80211_get_probe_resp(struct ieee80211com *); 77#endif 78struct mbuf *ieee80211_get_auth(struct ieee80211com *, 79 struct ieee80211_node *, u_int16_t, u_int16_t); 80struct mbuf *ieee80211_get_deauth(struct ieee80211com *, 81 struct ieee80211_node *, u_int16_t); 82struct mbuf *ieee80211_get_assoc_req(struct ieee80211com *, 83 struct ieee80211_node *, int); 84#ifndef IEEE80211_STA_ONLY 85struct mbuf *ieee80211_get_assoc_resp(struct ieee80211com *, 86 struct ieee80211_node *, u_int16_t); 87#endif 88struct mbuf *ieee80211_get_disassoc(struct ieee80211com *, 89 struct ieee80211_node *, u_int16_t); 90struct mbuf *ieee80211_get_addba_req(struct ieee80211com *, 91 struct ieee80211_node *, u_int8_t); 92struct mbuf *ieee80211_get_addba_resp(struct ieee80211com *, 93 struct ieee80211_node *, u_int8_t, u_int8_t, u_int16_t); 94struct mbuf *ieee80211_get_delba(struct ieee80211com *, 95 struct ieee80211_node *, u_int8_t, u_int8_t, u_int16_t); 96uint8_t *ieee80211_add_wme_info(uint8_t *, struct ieee80211com *); 97#ifndef IEEE80211_STA_ONLY 98uint8_t *ieee80211_add_wme_param(uint8_t *, struct ieee80211com *); 99#endif 100struct mbuf *ieee80211_get_sa_query(struct ieee80211com *, 101 struct ieee80211_node *, u_int8_t); 102struct mbuf *ieee80211_get_action(struct ieee80211com *, 103 struct ieee80211_node *, u_int8_t, u_int8_t, int); 104 105/* 106 * IEEE 802.11 output routine. Normally this will directly call the 107 * Ethernet output routine because 802.11 encapsulation is called 108 * later by the driver. This function can be used to send raw frames 109 * if the mbuf has been tagged with a 802.11 data link type. 110 */ 111int 112ieee80211_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, 113 struct rtentry *rt) 114{ 115 struct ieee80211_frame *wh; 116 struct m_tag *mtag; 117 int error = 0; 118 119 /* Interface has to be up and running */ 120 if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) != 121 (IFF_UP | IFF_RUNNING)) { 122 error = ENETDOWN; 123 goto bad; 124 } 125 126 /* Try to get the DLT from a mbuf tag */ 127 if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) { 128 struct ieee80211com *ic = (void *)ifp; 129 u_int dlt = *(u_int *)(mtag + 1); 130 131 /* Fallback to ethernet for non-802.11 linktypes */ 132 if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO)) 133 goto fallback; 134 135 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) 136 return (EINVAL); 137 wh = mtod(m, struct ieee80211_frame *); 138 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 139 IEEE80211_FC0_VERSION_0) 140 return (EINVAL); 141 if (!(ic->ic_caps & IEEE80211_C_RAWCTL) && 142 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == 143 IEEE80211_FC0_TYPE_CTL) 144 return (EINVAL); 145 146 return (if_enqueue(ifp, m)); 147 } 148 149 fallback: 150 return (ether_output(ifp, m, dst, rt)); 151 152 bad: 153 m_freem(m); 154 return (error); 155} 156 157const char * 158ieee80211_action_name(struct ieee80211_frame *wh) 159{ 160 const u_int8_t *frm = (const uint8_t *)&wh[1]; 161 const char *categ_ba_name[3] = { "addba_req", "addba_resp", "delba" }; 162 163 if (frm[0] == IEEE80211_CATEG_BA && frm[1] < nitems(categ_ba_name)) 164 return categ_ba_name[frm[1]]; 165 166 return "action"; 167} 168 169/* 170 * Send a management frame to the specified node. The node pointer 171 * must have a reference as the pointer will be passed to the driver 172 * and potentially held for a long time. If the frame is successfully 173 * dispatched to the driver, then it is responsible for freeing the 174 * reference (and potentially free'ing up any associated storage). 175 */ 176int 177ieee80211_mgmt_output(struct ifnet *ifp, struct ieee80211_node *ni, 178 struct mbuf *m, int type) 179{ 180 struct ieee80211com *ic = (void *)ifp; 181 struct ieee80211_frame *wh; 182 183 if (ni == NULL) 184 panic("null node"); 185 ni->ni_inact = 0; 186 187 /* 188 * We want to pass the node down to the driver's start 189 * routine. We could stick this in an m_tag and tack that 190 * on to the mbuf. However that's rather expensive to do 191 * for every frame so instead we stuff it in a special pkthdr 192 * field. 193 */ 194 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 195 if (m == NULL) 196 return ENOMEM; 197 m->m_pkthdr.ph_cookie = ni; 198 199 wh = mtod(m, struct ieee80211_frame *); 200 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | type; 201 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 202 *(u_int16_t *)&wh->i_dur[0] = 0; 203 *(u_int16_t *)&wh->i_seq[0] = 204 htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT); 205 ni->ni_txseq = (ni->ni_txseq + 1) & 0xfff; 206 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 207 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 208 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 209 210 /* check if protection is required for this mgmt frame */ 211 if ((ic->ic_caps & IEEE80211_C_MFP) && 212 (type == IEEE80211_FC0_SUBTYPE_DISASSOC || 213 type == IEEE80211_FC0_SUBTYPE_DEAUTH || 214 type == IEEE80211_FC0_SUBTYPE_ACTION)) { 215 /* 216 * Hack: we should not set the Protected bit in outgoing 217 * group management frames, however it is used as an 218 * indication to the drivers that they must encrypt the 219 * frame. Drivers should clear this bit from group 220 * management frames (software crypto code will do it). 221 * XXX could use an mbuf flag.. 222 */ 223 if (IEEE80211_IS_MULTICAST(wh->i_addr1) || 224 (ni->ni_flags & IEEE80211_NODE_TXMGMTPROT)) 225 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 226 } 227 228 if (ifp->if_flags & IFF_DEBUG) { 229 /* avoid to print too many frames */ 230 if ( 231#ifndef IEEE80211_STA_ONLY 232 ic->ic_opmode == IEEE80211_M_IBSS || 233#endif 234#ifdef IEEE80211_DEBUG 235 ieee80211_debug > 1 || 236#endif 237 (type & IEEE80211_FC0_SUBTYPE_MASK) != 238 IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 239 const char *subtype_name; 240 if ((type & IEEE80211_FC0_SUBTYPE_MASK) == 241 IEEE80211_FC0_SUBTYPE_ACTION) 242 subtype_name = ieee80211_action_name(wh); 243 else 244 subtype_name = ieee80211_mgt_subtype_name[ 245 (type & IEEE80211_FC0_SUBTYPE_MASK) >> 246 IEEE80211_FC0_SUBTYPE_SHIFT]; 247 printf("%s: sending %s to %s on channel %u mode %s\n", 248 ifp->if_xname, subtype_name, 249 ether_sprintf(ni->ni_macaddr), 250 ieee80211_chan2ieee(ic, ni->ni_chan), 251 ieee80211_phymode_name[ic->ic_curmode]); 252 } 253 } 254 255#ifndef IEEE80211_STA_ONLY 256 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 257 ieee80211_pwrsave(ic, m, ni) != 0) 258 return 0; 259#endif 260 mq_enqueue(&ic->ic_mgtq, m); 261 ifp->if_timer = 1; 262 if_start(ifp); 263 return 0; 264} 265 266/*- 267 * EDCA tables are computed using the following formulas: 268 * 269 * 1) EDCATable (non-AP QSTA) 270 * 271 * AC CWmin CWmax AIFSN TXOP limit(ms) 272 * ------------------------------------------------------------- 273 * AC_BK aCWmin aCWmax 7 0 274 * AC_BE aCWmin aCWmax 3 0 275 * AC_VI (aCWmin+1)/2-1 aCWmin 2 agn=3.008 b=6.016 others=0 276 * AC_VO (aCWmin+1)/4-1 (aCWmin+1)/2-1 2 agn=1.504 b=3.264 others=0 277 * 278 * 2) QAPEDCATable (QAP) 279 * 280 * AC CWmin CWmax AIFSN TXOP limit(ms) 281 * ------------------------------------------------------------- 282 * AC_BK aCWmin aCWmax 7 0 283 * AC_BE aCWmin 4*(aCWmin+1)-1 3 0 284 * AC_VI (aCWmin+1)/2-1 aCWmin 1 agn=3.008 b=6.016 others=0 285 * AC_VO (aCWmin+1)/4-1 (aCWmin+1)/2-1 1 agn=1.504 b=3.264 others=0 286 * 287 * and the following aCWmin/aCWmax values: 288 * 289 * PHY aCWmin aCWmax 290 * --------------------------- 291 * 11A 15 1023 292 * 11B 31 1023 293 * 11G 15* 1023 (*) aCWmin(1) 294 * 11N 15 1023 295 */ 296const struct ieee80211_edca_ac_params 297 ieee80211_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = { 298 [IEEE80211_MODE_11B] = { 299 [EDCA_AC_BK] = { 5, 10, 7, 0 }, 300 [EDCA_AC_BE] = { 5, 10, 3, 0 }, 301 [EDCA_AC_VI] = { 4, 5, 2, 188 }, 302 [EDCA_AC_VO] = { 3, 4, 2, 102 } 303 }, 304 [IEEE80211_MODE_11A] = { 305 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 306 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 307 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 308 [EDCA_AC_VO] = { 2, 3, 2, 47 } 309 }, 310 [IEEE80211_MODE_11G] = { 311 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 312 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 313 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 314 [EDCA_AC_VO] = { 2, 3, 2, 47 } 315 }, 316 [IEEE80211_MODE_11N] = { 317 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 318 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 319 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 320 [EDCA_AC_VO] = { 2, 3, 2, 47 } 321 }, 322 [IEEE80211_MODE_11AC] = { 323 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 324 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 325 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 326 [EDCA_AC_VO] = { 2, 3, 2, 47 } 327 }, 328}; 329 330#ifndef IEEE80211_STA_ONLY 331const struct ieee80211_edca_ac_params 332 ieee80211_qap_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = { 333 [IEEE80211_MODE_11B] = { 334 [EDCA_AC_BK] = { 5, 10, 7, 0 }, 335 [EDCA_AC_BE] = { 5, 7, 3, 0 }, 336 [EDCA_AC_VI] = { 4, 5, 1, 188 }, 337 [EDCA_AC_VO] = { 3, 4, 1, 102 } 338 }, 339 [IEEE80211_MODE_11A] = { 340 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 341 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 342 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 343 [EDCA_AC_VO] = { 2, 3, 1, 47 } 344 }, 345 [IEEE80211_MODE_11G] = { 346 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 347 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 348 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 349 [EDCA_AC_VO] = { 2, 3, 1, 47 } 350 }, 351 [IEEE80211_MODE_11N] = { 352 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 353 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 354 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 355 [EDCA_AC_VO] = { 2, 3, 1, 47 } 356 }, 357 [IEEE80211_MODE_11AC] = { 358 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 359 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 360 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 361 [EDCA_AC_VO] = { 2, 3, 1, 47 } 362 }, 363}; 364#endif /* IEEE80211_STA_ONLY */ 365 366/* 367 * Return the EDCA Access Category to be used for transmitting a frame with 368 * user-priority `up'. 369 */ 370enum ieee80211_edca_ac 371ieee80211_up_to_ac(struct ieee80211com *ic, int up) 372{ 373 /* see Table 9-1 */ 374 static const enum ieee80211_edca_ac up_to_ac[] = { 375 EDCA_AC_BE, /* BE */ 376 EDCA_AC_BK, /* BK */ 377 EDCA_AC_BK, /* -- */ 378 EDCA_AC_BE, /* EE */ 379 EDCA_AC_VI, /* CL */ 380 EDCA_AC_VI, /* VI */ 381 EDCA_AC_VO, /* VO */ 382 EDCA_AC_VO /* NC */ 383 }; 384 enum ieee80211_edca_ac ac; 385 386 ac = (up <= 7) ? up_to_ac[up] : EDCA_AC_BE; 387 388#ifndef IEEE80211_STA_ONLY 389 if (ic->ic_opmode == IEEE80211_M_HOSTAP) 390 return ac; 391#endif 392 /* 393 * We do not support the admission control procedure defined in 394 * IEEE Std 802.11-2012 section 9.19.4.2.3. The spec says that 395 * non-AP QSTAs that don't support this procedure shall use EDCA 396 * parameters of a lower priority AC that does not require 397 * admission control. 398 */ 399 while (ac != EDCA_AC_BK && ic->ic_edca_ac[ac].ac_acm) { 400 switch (ac) { 401 case EDCA_AC_BK: 402 /* can't get there */ 403 break; 404 case EDCA_AC_BE: 405 /* BE shouldn't require admission control */ 406 ac = EDCA_AC_BK; 407 break; 408 case EDCA_AC_VI: 409 ac = EDCA_AC_BE; 410 break; 411 case EDCA_AC_VO: 412 ac = EDCA_AC_VI; 413 break; 414 } 415 } 416 return ac; 417} 418 419/* 420 * Get mbuf's user-priority: if mbuf is not VLAN tagged, select user-priority 421 * based on the DSCP (Differentiated Services Codepoint) field. 422 */ 423int 424ieee80211_classify(struct ieee80211com *ic, struct mbuf *m) 425{ 426 struct ether_header eh; 427 u_int8_t ds_field; 428#if NVLAN > 0 429 if (m->m_flags & M_VLANTAG) /* use VLAN 802.1D user-priority */ 430 return EVL_PRIOFTAG(m->m_pkthdr.ether_vtag); 431#endif 432 m_copydata(m, 0, sizeof(eh), (caddr_t)&eh); 433 if (eh.ether_type == htons(ETHERTYPE_IP)) { 434 struct ip ip; 435 m_copydata(m, sizeof(eh), sizeof(ip), (caddr_t)&ip); 436 if (ip.ip_v != 4) 437 return 0; 438 ds_field = ip.ip_tos; 439 } 440#ifdef INET6 441 else if (eh.ether_type == htons(ETHERTYPE_IPV6)) { 442 struct ip6_hdr ip6; 443 u_int32_t flowlabel; 444 m_copydata(m, sizeof(eh), sizeof(ip6), (caddr_t)&ip6); 445 flowlabel = ntohl(ip6.ip6_flow); 446 if ((flowlabel >> 28) != 6) 447 return 0; 448 ds_field = (flowlabel >> 20) & 0xff; 449 } 450#endif /* INET6 */ 451 else /* neither IPv4 nor IPv6 */ 452 return 0; 453 454 /* 455 * Map Differentiated Services Codepoint field (see RFC2474). 456 * Preserves backward compatibility with IP Precedence field. 457 */ 458 switch (ds_field & 0xfc) { 459 case IPTOS_PREC_PRIORITY: 460 return EDCA_AC_VI; 461 case IPTOS_PREC_IMMEDIATE: 462 return EDCA_AC_BK; 463 case IPTOS_PREC_FLASH: 464 case IPTOS_PREC_FLASHOVERRIDE: 465 case IPTOS_PREC_CRITIC_ECP: 466 case IPTOS_PREC_INTERNETCONTROL: 467 case IPTOS_PREC_NETCONTROL: 468 return EDCA_AC_VO; 469 default: 470 return EDCA_AC_BE; 471 } 472} 473 474int 475ieee80211_can_use_ampdu(struct ieee80211com *ic, struct ieee80211_node *ni) 476{ 477 return (ni->ni_flags & IEEE80211_NODE_HT) && 478 (ic->ic_caps & IEEE80211_C_TX_AMPDU) && 479 !(ic->ic_opmode == IEEE80211_M_STA && ni != ic->ic_bss) && 480 /* 481 * Don't use A-MPDU on non-encrypted networks. There are devices 482 * with buggy firmware which allow an attacker to inject 802.11 483 * frames into a wifi network by embedding rogue A-MPDU subframes 484 * in an arbitrary data payload (e.g. PNG images) which may end 485 * up appearing as actual frames after de-aggregation by a buggy 486 * device; see https://github.com/rpp0/aggr-inject for details. 487 * WPA2 prevents this injection attack since the attacker would 488 * need to inject frames which get decrypted correctly. 489 */ 490 ((ic->ic_flags & IEEE80211_F_RSNON) && 491 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)); 492} 493 494void 495ieee80211_tx_compressed_bar(struct ieee80211com *ic, struct ieee80211_node *ni, 496 int tid, uint16_t ssn) 497{ 498 struct ifnet *ifp = &ic->ic_if; 499 struct mbuf *m; 500 501 m = ieee80211_get_compressed_bar(ic, ni, tid, ssn); 502 if (m == NULL) 503 return; 504 505 ieee80211_ref_node(ni); 506 if (mq_enqueue(&ic->ic_mgtq, m) == 0) 507 if_start(ifp); 508 else 509 ieee80211_release_node(ic, ni); 510} 511 512/* 513 * Encapsulate an outbound data frame. The mbuf chain is updated and 514 * a reference to the destination node is returned. If an error is 515 * encountered NULL is returned and the node reference will also be NULL. 516 * 517 * NB: The caller is responsible for free'ing a returned node reference. 518 * The convention is ic_bss is not reference counted; the caller must 519 * maintain that. 520 */ 521struct mbuf * 522ieee80211_encap(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node **pni) 523{ 524 struct ieee80211com *ic = (void *)ifp; 525 struct ether_header eh; 526 struct ieee80211_frame *wh; 527 struct ieee80211_node *ni = NULL; 528 struct llc *llc; 529 struct m_tag *mtag; 530 u_int8_t *addr; 531 u_int dlt, hdrlen; 532 int addqos, tid; 533 534 /* Handle raw frames if mbuf is tagged as 802.11 */ 535 if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) { 536 dlt = *(u_int *)(mtag + 1); 537 538 if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO)) 539 goto fallback; 540 541 wh = mtod(m, struct ieee80211_frame *); 542 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 543 case IEEE80211_FC1_DIR_NODS: 544 case IEEE80211_FC1_DIR_FROMDS: 545 addr = wh->i_addr1; 546 break; 547 case IEEE80211_FC1_DIR_DSTODS: 548 case IEEE80211_FC1_DIR_TODS: 549 addr = wh->i_addr3; 550 break; 551 default: 552 goto bad; 553 } 554 555 ni = ieee80211_find_txnode(ic, addr); 556 if (ni == NULL) 557 ni = ieee80211_ref_node(ic->ic_bss); 558 if (ni == NULL) { 559 printf("%s: no node for dst %s, " 560 "discard raw tx frame\n", ifp->if_xname, 561 ether_sprintf(addr)); 562 ic->ic_stats.is_tx_nonode++; 563 goto bad; 564 } 565 ni->ni_inact = 0; 566 567 *pni = ni; 568 return (m); 569 } 570 571 fallback: 572 if (ic->ic_opmode == IEEE80211_M_MONITOR) 573 goto bad; 574 575 if (m->m_len < sizeof(struct ether_header)) { 576 m = m_pullup(m, sizeof(struct ether_header)); 577 if (m == NULL) { 578 ic->ic_stats.is_tx_nombuf++; 579 goto bad; 580 } 581 } 582 memcpy(&eh, mtod(m, caddr_t), sizeof(struct ether_header)); 583 584 ni = ieee80211_find_txnode(ic, eh.ether_dhost); 585 if (ni == NULL) { 586 DPRINTF(("no node for dst %s, discard frame\n", 587 ether_sprintf(eh.ether_dhost))); 588 ic->ic_stats.is_tx_nonode++; 589 goto bad; 590 } 591 592#ifndef IEEE80211_STA_ONLY 593 if (ic->ic_opmode == IEEE80211_M_HOSTAP && ni != ic->ic_bss && 594 ni->ni_state != IEEE80211_STA_ASSOC) { 595 ic->ic_stats.is_tx_nonode++; 596 goto bad; 597 } 598#endif 599 600 if ((ic->ic_flags & IEEE80211_F_RSNON) && 601 !ni->ni_port_valid && 602 eh.ether_type != htons(ETHERTYPE_EAPOL)) { 603 DPRINTF(("port not valid: %s\n", 604 ether_sprintf(eh.ether_dhost))); 605 ic->ic_stats.is_tx_noauth++; 606 goto bad; 607 } 608 609 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 610 ni->ni_rsncipher == IEEE80211_CIPHER_TKIP) 611 /* XXX TKIP countermeasures! */; 612 613 ni->ni_inact = 0; 614 615 if ((ic->ic_flags & IEEE80211_F_QOS) && 616 (ni->ni_flags & IEEE80211_NODE_QOS) && 617 /* do not QoS-encapsulate EAPOL frames */ 618 eh.ether_type != htons(ETHERTYPE_EAPOL)) { 619 struct ieee80211_tx_ba *ba; 620 tid = ieee80211_classify(ic, m); 621 ba = &ni->ni_tx_ba[tid]; 622 /* We use QoS data frames for aggregation only. */ 623 if (ba->ba_state != IEEE80211_BA_AGREED) { 624 hdrlen = sizeof(struct ieee80211_frame); 625 addqos = 0; 626 if (ieee80211_can_use_ampdu(ic, ni)) 627 ieee80211_node_trigger_addba_req(ni, tid); 628 } else { 629 hdrlen = sizeof(struct ieee80211_qosframe); 630 addqos = 1; 631 } 632 } else { 633 hdrlen = sizeof(struct ieee80211_frame); 634 addqos = 0; 635 } 636 m_adj(m, sizeof(struct ether_header) - LLC_SNAPFRAMELEN); 637 llc = mtod(m, struct llc *); 638 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 639 llc->llc_control = LLC_UI; 640 llc->llc_snap.org_code[0] = 0; 641 llc->llc_snap.org_code[1] = 0; 642 llc->llc_snap.org_code[2] = 0; 643 llc->llc_snap.ether_type = eh.ether_type; 644 M_PREPEND(m, hdrlen, M_DONTWAIT); 645 if (m == NULL) { 646 ic->ic_stats.is_tx_nombuf++; 647 goto bad; 648 } 649 wh = mtod(m, struct ieee80211_frame *); 650 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA; 651 *(u_int16_t *)&wh->i_dur[0] = 0; 652 if (addqos) { 653 struct ieee80211_qosframe *qwh = 654 (struct ieee80211_qosframe *)wh; 655 u_int16_t qos = tid; 656 657 if (ic->ic_tid_noack & (1 << tid)) 658 qos |= IEEE80211_QOS_ACK_POLICY_NOACK; 659 else { 660 /* Use HT immediate block-ack. */ 661 qos |= IEEE80211_QOS_ACK_POLICY_NORMAL; 662 } 663 qwh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS; 664 *(u_int16_t *)qwh->i_qos = htole16(qos); 665 *(u_int16_t *)qwh->i_seq = 666 htole16(ni->ni_qos_txseqs[tid] << IEEE80211_SEQ_SEQ_SHIFT); 667 ni->ni_qos_txseqs[tid] = (ni->ni_qos_txseqs[tid] + 1) & 0xfff; 668 } else { 669 *(u_int16_t *)&wh->i_seq[0] = 670 htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT); 671 ni->ni_txseq = (ni->ni_txseq + 1) & 0xfff; 672 } 673 switch (ic->ic_opmode) { 674 case IEEE80211_M_STA: 675 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 676 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid); 677 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 678 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 679 break; 680#ifndef IEEE80211_STA_ONLY 681 case IEEE80211_M_IBSS: 682 case IEEE80211_M_AHDEMO: 683 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 684 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 685 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 686 IEEE80211_ADDR_COPY(wh->i_addr3, ic->ic_bss->ni_bssid); 687 break; 688 case IEEE80211_M_HOSTAP: 689 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 690 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 691 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid); 692 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 693 break; 694#endif 695 default: 696 /* should not get there */ 697 goto bad; 698 } 699 700 if ((ic->ic_flags & IEEE80211_F_WEPON) || 701 ((ic->ic_flags & IEEE80211_F_RSNON) && 702 (ni->ni_flags & IEEE80211_NODE_TXPROT))) 703 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 704 705#ifndef IEEE80211_STA_ONLY 706 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 707 ieee80211_pwrsave(ic, m, ni) != 0) { 708 *pni = NULL; 709 return NULL; 710 } 711#endif 712 *pni = ni; 713 return m; 714bad: 715 m_freem(m); 716 if (ni != NULL) 717 ieee80211_release_node(ic, ni); 718 *pni = NULL; 719 return NULL; 720} 721 722/* 723 * Add a Capability Information field to a frame (see 7.3.1.4). 724 */ 725u_int8_t * 726ieee80211_add_capinfo(u_int8_t *frm, struct ieee80211com *ic, 727 const struct ieee80211_node *ni) 728{ 729 u_int16_t capinfo; 730 731#ifndef IEEE80211_STA_ONLY 732 if (ic->ic_opmode == IEEE80211_M_IBSS) 733 capinfo = IEEE80211_CAPINFO_IBSS; 734 else if (ic->ic_opmode == IEEE80211_M_HOSTAP) 735 capinfo = IEEE80211_CAPINFO_ESS; 736 else 737#endif 738 capinfo = 0; 739#ifndef IEEE80211_STA_ONLY 740 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 741 (ic->ic_flags & (IEEE80211_F_WEPON | IEEE80211_F_RSNON))) 742 capinfo |= IEEE80211_CAPINFO_PRIVACY; 743#endif 744 /* NB: some 11a AP's reject the request when short preamble is set */ 745 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 746 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) 747 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 748 if (ic->ic_flags & IEEE80211_F_SHSLOT) 749 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 750 LE_WRITE_2(frm, capinfo); 751 return frm + 2; 752} 753 754/* 755 * Add an SSID element to a frame (see 7.3.2.1). 756 */ 757u_int8_t * 758ieee80211_add_ssid(u_int8_t *frm, const u_int8_t *ssid, u_int len) 759{ 760 *frm++ = IEEE80211_ELEMID_SSID; 761 *frm++ = len; 762 memcpy(frm, ssid, len); 763 return frm + len; 764} 765 766/* 767 * Add a supported rates element to a frame (see 7.3.2.2). 768 */ 769u_int8_t * 770ieee80211_add_rates(u_int8_t *frm, const struct ieee80211_rateset *rs) 771{ 772 int nrates; 773 774 *frm++ = IEEE80211_ELEMID_RATES; 775 nrates = min(rs->rs_nrates, IEEE80211_RATE_SIZE); 776 *frm++ = nrates; 777 memcpy(frm, rs->rs_rates, nrates); 778 return frm + nrates; 779} 780 781#ifndef IEEE80211_STA_ONLY 782/* 783 * Add a DS Parameter Set element to a frame (see 7.3.2.4). 784 */ 785u_int8_t * 786ieee80211_add_ds_params(u_int8_t *frm, struct ieee80211com *ic, 787 const struct ieee80211_node *ni) 788{ 789 *frm++ = IEEE80211_ELEMID_DSPARMS; 790 *frm++ = 1; 791 *frm++ = ieee80211_chan2ieee(ic, ni->ni_chan); 792 return frm; 793} 794 795/* 796 * Add a TIM element to a frame (see 7.3.2.6 and Annex L). 797 */ 798u_int8_t * 799ieee80211_add_tim(u_int8_t *frm, struct ieee80211com *ic) 800{ 801 u_int i, offset = 0, len; 802 803 /* find first non-zero octet in the virtual bit map */ 804 for (i = 0; i < ic->ic_tim_len && ic->ic_tim_bitmap[i] == 0; i++) 805 ; 806 807 /* clear the lsb as it is reserved for the broadcast indication bit */ 808 if (i < ic->ic_tim_len) 809 offset = i & ~1; 810 811 /* find last non-zero octet in the virtual bit map */ 812 for (i = ic->ic_tim_len - 1; i > 0 && ic->ic_tim_bitmap[i] == 0; i--) 813 ; 814 815 len = i - offset + 1; 816 817 *frm++ = IEEE80211_ELEMID_TIM; 818 *frm++ = len + 3; /* length */ 819 *frm++ = ic->ic_dtim_count; /* DTIM count */ 820 *frm++ = ic->ic_dtim_period; /* DTIM period */ 821 822 /* Bitmap Control */ 823 *frm = offset; 824 /* set broadcast/multicast indication bit if necessary */ 825 if (ic->ic_dtim_count == 0 && ic->ic_tim_mcast_pending) 826 *frm |= 0x01; 827 frm++; 828 829 /* Partial Virtual Bitmap */ 830 memcpy(frm, &ic->ic_tim_bitmap[offset], len); 831 return frm + len; 832} 833 834/* 835 * Add an IBSS Parameter Set element to a frame (see 7.3.2.7). 836 */ 837u_int8_t * 838ieee80211_add_ibss_params(u_int8_t *frm, const struct ieee80211_node *ni) 839{ 840 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 841 *frm++ = 2; 842 LE_WRITE_2(frm, 0); /* TODO: ATIM window */ 843 return frm + 2; 844} 845 846/* 847 * Add an EDCA Parameter Set element to a frame (see 7.3.2.29). 848 */ 849u_int8_t * 850ieee80211_add_edca_params(u_int8_t *frm, struct ieee80211com *ic) 851{ 852 const struct ieee80211_edca_ac_params *edca; 853 int aci; 854 855 *frm++ = IEEE80211_ELEMID_EDCAPARMS; 856 *frm++ = 18; /* length */ 857 *frm++ = 0; /* QoS Info */ 858 *frm++ = 0; /* reserved */ 859 860 /* setup AC Parameter Records */ 861 edca = ieee80211_edca_table[ic->ic_curmode]; 862 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 863 const struct ieee80211_edca_ac_params *ac = &edca[aci]; 864 865 *frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) | 866 (ac->ac_aifsn & 0xf); 867 *frm++ = (ac->ac_ecwmax << 4) | 868 (ac->ac_ecwmin & 0xf); 869 LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2; 870 } 871 return frm; 872} 873 874/* 875 * Add an ERP element to a frame (see 7.3.2.13). 876 */ 877u_int8_t * 878ieee80211_add_erp(u_int8_t *frm, struct ieee80211com *ic) 879{ 880 u_int8_t erp; 881 int nonerpsta = 0; 882 883 *frm++ = IEEE80211_ELEMID_ERP; 884 *frm++ = 1; 885 erp = 0; 886 /* 887 * The NonERP_Present bit shall be set to 1 when a NonERP STA 888 * is associated with the BSS. 889 */ 890 ieee80211_iterate_nodes(ic, ieee80211_count_nonerpsta, &nonerpsta); 891 if (nonerpsta != 0) 892 erp |= IEEE80211_ERP_NON_ERP_PRESENT; 893 /* 894 * If one or more NonERP STAs are associated in the BSS, the 895 * Use_Protection bit shall be set to 1 in transmitted ERP 896 * Information Elements. 897 */ 898 if (ic->ic_flags & IEEE80211_F_USEPROT) 899 erp |= IEEE80211_ERP_USE_PROTECTION; 900 /* 901 * The Barker_Preamble_Mode bit shall be set to 1 by the ERP 902 * Information Element sender if one or more associated NonERP 903 * STAs are not short preamble capable. 904 */ 905 if (!(ic->ic_flags & IEEE80211_F_SHPREAMBLE)) 906 erp |= IEEE80211_ERP_BARKER_MODE; 907 *frm++ = erp; 908 return frm; 909} 910#endif /* IEEE80211_STA_ONLY */ 911 912/* 913 * Add a QoS Capability element to a frame (see 7.3.2.35). 914 */ 915u_int8_t * 916ieee80211_add_qos_capability(u_int8_t *frm, struct ieee80211com *ic) 917{ 918 *frm++ = IEEE80211_ELEMID_QOS_CAP; 919 *frm++ = 1; 920 *frm++ = 0; /* QoS Info */ 921 return frm; 922} 923 924/* 925 * Add a Wifi-Alliance WME (aka WMM) info element to a frame. 926 * WME is a requirement for Wifi-Alliance compliance and some 927 * 11n APs will not negotiate HT if this element is missing. 928 */ 929uint8_t * 930ieee80211_add_wme_info(uint8_t *frm, struct ieee80211com *ic) 931{ 932 *frm++ = IEEE80211_ELEMID_VENDOR; 933 *frm++ = 7; 934 memcpy(frm, MICROSOFT_OUI, 3); frm += 3; 935 *frm++ = 2; /* OUI type */ 936 *frm++ = 0; /* OUI subtype */ 937 *frm++ = 1; /* version */ 938 *frm++ = 0; /* info */ 939 940 return frm; 941} 942 943#ifndef IEEE80211_STA_ONLY 944/* 945 * Add a Wifi-Alliance WMM (aka WME) parameter element to a frame. 946 */ 947uint8_t * 948ieee80211_add_wme_param(uint8_t *frm, struct ieee80211com *ic) 949{ 950 const struct ieee80211_edca_ac_params *edca; 951 int aci; 952 953 *frm++ = IEEE80211_ELEMID_VENDOR; 954 *frm++ = 24; 955 memcpy(frm, MICROSOFT_OUI, 3); frm += 3; 956 *frm++ = 2; /* OUI type */ 957 *frm++ = 1; /* OUI subtype */ 958 *frm++ = 1; /* version */ 959 *frm++ = 0; /* info */ 960 *frm++ = 0; /* reserved */ 961 962 /* setup AC Parameter Records */ 963 edca = ieee80211_edca_table[ic->ic_curmode]; 964 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 965 const struct ieee80211_edca_ac_params *ac = &edca[aci]; 966 967 *frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) | 968 (ac->ac_aifsn & 0xf); 969 *frm++ = (ac->ac_ecwmax << 4) | 970 (ac->ac_ecwmin & 0xf); 971 LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2; 972 } 973 974 return frm; 975} 976#endif 977 978/* 979 * Add an RSN element to a frame (see 802.11-2012 8.4.2.27) 980 */ 981u_int8_t * 982ieee80211_add_rsn_body(u_int8_t *frm, struct ieee80211com *ic, 983 const struct ieee80211_node *ni, int wpa) 984{ 985 const u_int8_t *oui = wpa ? MICROSOFT_OUI : IEEE80211_OUI; 986 u_int8_t *pcount; 987 u_int16_t count, rsncaps; 988 989 /* write Version field */ 990 LE_WRITE_2(frm, 1); frm += 2; 991 992 /* write Group Data Cipher Suite field (see 802.11-2012 Table 8-99) */ 993 memcpy(frm, oui, 3); frm += 3; 994 switch (ni->ni_rsngroupcipher) { 995 case IEEE80211_CIPHER_WEP40: 996 *frm++ = 1; 997 break; 998 case IEEE80211_CIPHER_TKIP: 999 *frm++ = 2; 1000 break; 1001 case IEEE80211_CIPHER_CCMP: 1002 *frm++ = 4; 1003 break; 1004 case IEEE80211_CIPHER_WEP104: 1005 *frm++ = 5; 1006 break; 1007 default: 1008 /* can't get there */ 1009 panic("invalid group data cipher!"); 1010 } 1011 1012 pcount = frm; frm += 2; 1013 count = 0; 1014 /* write Pairwise Cipher Suite List */ 1015 if (ni->ni_rsnciphers & IEEE80211_CIPHER_USEGROUP) { 1016 memcpy(frm, oui, 3); frm += 3; 1017 *frm++ = 0; 1018 count++; 1019 } 1020 if (ni->ni_rsnciphers & IEEE80211_CIPHER_TKIP) { 1021 memcpy(frm, oui, 3); frm += 3; 1022 *frm++ = 2; 1023 count++; 1024 } 1025 if (ni->ni_rsnciphers & IEEE80211_CIPHER_CCMP) { 1026 memcpy(frm, oui, 3); frm += 3; 1027 *frm++ = 4; 1028 count++; 1029 } 1030 /* write Pairwise Cipher Suite Count field */ 1031 LE_WRITE_2(pcount, count); 1032 1033 pcount = frm; frm += 2; 1034 count = 0; 1035 /* write AKM Suite List (see Table 20dc) */ 1036 if (ni->ni_rsnakms & IEEE80211_AKM_8021X) { 1037 memcpy(frm, oui, 3); frm += 3; 1038 *frm++ = 1; 1039 count++; 1040 } 1041 if (ni->ni_rsnakms & IEEE80211_AKM_PSK) { 1042 memcpy(frm, oui, 3); frm += 3; 1043 *frm++ = 2; 1044 count++; 1045 } 1046 if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_8021X)) { 1047 memcpy(frm, oui, 3); frm += 3; 1048 *frm++ = 5; 1049 count++; 1050 } 1051 if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_PSK)) { 1052 memcpy(frm, oui, 3); frm += 3; 1053 *frm++ = 6; 1054 count++; 1055 } 1056 /* write AKM Suite List Count field */ 1057 LE_WRITE_2(pcount, count); 1058 1059 if (wpa) 1060 return frm; 1061 1062 /* write RSN Capabilities field */ 1063 rsncaps = (ni->ni_rsncaps & (IEEE80211_RSNCAP_PTKSA_RCNT_MASK | 1064 IEEE80211_RSNCAP_GTKSA_RCNT_MASK)); 1065 if (ic->ic_caps & IEEE80211_C_MFP) { 1066 rsncaps |= IEEE80211_RSNCAP_MFPC; 1067 if (ic->ic_flags & IEEE80211_F_MFPR) 1068 rsncaps |= IEEE80211_RSNCAP_MFPR; 1069 } 1070 if (ic->ic_flags & IEEE80211_F_PBAR) 1071 rsncaps |= IEEE80211_RSNCAP_PBAC; 1072 LE_WRITE_2(frm, rsncaps); frm += 2; 1073 1074 if (ni->ni_flags & IEEE80211_NODE_PMKID) { 1075 /* write PMKID Count field */ 1076 LE_WRITE_2(frm, 1); frm += 2; 1077 /* write PMKID List (only 1) */ 1078 memcpy(frm, ni->ni_pmkid, IEEE80211_PMKID_LEN); 1079 frm += IEEE80211_PMKID_LEN; 1080 } 1081 1082 if (!(ic->ic_caps & IEEE80211_C_MFP)) 1083 return frm; 1084 1085 if ((ni->ni_flags & IEEE80211_NODE_PMKID) == 0) { 1086 /* no PMKID (PMKID Count=0) */ 1087 LE_WRITE_2(frm, 0); frm += 2; 1088 } 1089 1090 /* write Group Integrity Cipher Suite field */ 1091 memcpy(frm, oui, 3); frm += 3; 1092 switch (ic->ic_rsngroupmgmtcipher) { 1093 case IEEE80211_CIPHER_BIP: 1094 *frm++ = 6; 1095 break; 1096 default: 1097 /* can't get there */ 1098 panic("invalid integrity group cipher!"); 1099 } 1100 return frm; 1101} 1102 1103u_int8_t * 1104ieee80211_add_rsn(u_int8_t *frm, struct ieee80211com *ic, 1105 const struct ieee80211_node *ni) 1106{ 1107 u_int8_t *plen; 1108 1109 *frm++ = IEEE80211_ELEMID_RSN; 1110 plen = frm++; /* length filled in later */ 1111 frm = ieee80211_add_rsn_body(frm, ic, ni, 0); 1112 1113 /* write length field */ 1114 *plen = frm - plen - 1; 1115 return frm; 1116} 1117 1118/* 1119 * Add a vendor-specific WPA element to a frame. 1120 * This is required for compatibility with Wi-Fi Alliance WPA. 1121 */ 1122u_int8_t * 1123ieee80211_add_wpa(u_int8_t *frm, struct ieee80211com *ic, 1124 const struct ieee80211_node *ni) 1125{ 1126 u_int8_t *plen; 1127 1128 *frm++ = IEEE80211_ELEMID_VENDOR; 1129 plen = frm++; /* length filled in later */ 1130 memcpy(frm, MICROSOFT_OUI, 3); frm += 3; 1131 *frm++ = 1; /* WPA */ 1132 frm = ieee80211_add_rsn_body(frm, ic, ni, 1); 1133 1134 /* write length field */ 1135 *plen = frm - plen - 1; 1136 return frm; 1137} 1138 1139/* 1140 * Add an extended supported rates element to a frame (see 7.3.2.14). 1141 */ 1142u_int8_t * 1143ieee80211_add_xrates(u_int8_t *frm, const struct ieee80211_rateset *rs) 1144{ 1145 int nrates; 1146 1147 KASSERT(rs->rs_nrates > IEEE80211_RATE_SIZE); 1148 1149 *frm++ = IEEE80211_ELEMID_XRATES; 1150 nrates = rs->rs_nrates - IEEE80211_RATE_SIZE; 1151 *frm++ = nrates; 1152 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates); 1153 return frm + nrates; 1154} 1155 1156/* 1157 * Add an HT Capabilities element to a frame (see 7.3.2.57). 1158 */ 1159u_int8_t * 1160ieee80211_add_htcaps(u_int8_t *frm, struct ieee80211com *ic) 1161{ 1162 *frm++ = IEEE80211_ELEMID_HTCAPS; 1163 *frm++ = 26; 1164 LE_WRITE_2(frm, ic->ic_htcaps); frm += 2; 1165 *frm++ = ic->ic_ampdu_params; 1166 memcpy(frm, ic->ic_sup_mcs, 10); frm += 10; 1167 LE_WRITE_2(frm, (ic->ic_max_rxrate & IEEE80211_MCS_RX_RATE_HIGH)); 1168 frm += 2; 1169 *frm++ = ic->ic_tx_mcs_set; 1170 *frm++ = 0; /* reserved */ 1171 *frm++ = 0; /* reserved */ 1172 *frm++ = 0; /* reserved */ 1173 LE_WRITE_2(frm, ic->ic_htxcaps); frm += 2; 1174 LE_WRITE_4(frm, ic->ic_txbfcaps); frm += 4; 1175 *frm++ = ic->ic_aselcaps; 1176 return frm; 1177} 1178 1179#ifndef IEEE80211_STA_ONLY 1180/* 1181 * Add an HT Operation element to a frame (see 7.3.2.58). 1182 */ 1183u_int8_t * 1184ieee80211_add_htop(u_int8_t *frm, struct ieee80211com *ic) 1185{ 1186 *frm++ = IEEE80211_ELEMID_HTOP; 1187 *frm++ = 22; 1188 *frm++ = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1189 *frm++ = ic->ic_bss->ni_htop0; 1190 LE_WRITE_2(frm, ic->ic_bss->ni_htop1); frm += 2; 1191 LE_WRITE_2(frm, ic->ic_bss->ni_htop2); frm += 2; 1192 memset(frm, 0, 16); frm += 16; 1193 return frm; 1194} 1195#endif /* !IEEE80211_STA_ONLY */ 1196 1197/* 1198 * Add a VHT Capabilities element to a frame (see 802.11ac-2013 8.4.2.160.2). 1199 */ 1200u_int8_t * 1201ieee80211_add_vhtcaps(u_int8_t *frm, struct ieee80211com *ic) 1202{ 1203 *frm++ = IEEE80211_ELEMID_VHTCAPS; 1204 *frm++ = 12; 1205 LE_WRITE_4(frm, ic->ic_vhtcaps); frm += 4; 1206 LE_WRITE_2(frm, ic->ic_vht_rxmcs); frm += 2; 1207 LE_WRITE_2(frm, ic->ic_vht_rx_max_lgi_mbit_s); frm += 2; 1208 LE_WRITE_2(frm, ic->ic_vht_txmcs); frm += 2; 1209 LE_WRITE_2(frm, ic->ic_vht_tx_max_lgi_mbit_s); frm += 2; 1210 return frm; 1211} 1212 1213#ifndef IEEE80211_STA_ONLY 1214/* 1215 * Add a Timeout Interval element to a frame (see 7.3.2.49). 1216 */ 1217u_int8_t * 1218ieee80211_add_tie(u_int8_t *frm, u_int8_t type, u_int32_t value) 1219{ 1220 *frm++ = IEEE80211_ELEMID_TIE; 1221 *frm++ = 5; /* length */ 1222 *frm++ = type; /* Timeout Interval type */ 1223 LE_WRITE_4(frm, value); 1224 return frm + 4; 1225} 1226#endif 1227 1228struct mbuf * 1229ieee80211_getmgmt(int flags, int type, u_int pktlen) 1230{ 1231 struct mbuf *m; 1232 1233 /* reserve space for 802.11 header */ 1234 pktlen += sizeof(struct ieee80211_frame); 1235 1236 if (pktlen > MCLBYTES) 1237 panic("management frame too large: %u", pktlen); 1238 MGETHDR(m, flags, type); 1239 if (m == NULL) 1240 return NULL; 1241 if (pktlen > MHLEN) { 1242 MCLGET(m, flags); 1243 if (!(m->m_flags & M_EXT)) 1244 return m_free(m); 1245 } 1246 m->m_data += sizeof(struct ieee80211_frame); 1247 return m; 1248} 1249 1250/*- 1251 * Probe request frame format: 1252 * [tlv] SSID 1253 * [tlv] Supported rates 1254 * [tlv] Extended Supported Rates (802.11g) 1255 * [tlv] HT Capabilities (802.11n) 1256 */ 1257struct mbuf * 1258ieee80211_get_probe_req(struct ieee80211com *ic, struct ieee80211_node *ni) 1259{ 1260 const struct ieee80211_rateset *rs = 1261 &ic->ic_sup_rates[ieee80211_chan2mode(ic, ni->ni_chan)]; 1262 struct mbuf *m; 1263 u_int8_t *frm; 1264 1265 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1266 2 + ic->ic_des_esslen + 1267 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1268 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1269 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1270 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 9 : 0) + 1271 ((ic->ic_flags & IEEE80211_F_VHTON) ? 14 : 0)); 1272 if (m == NULL) 1273 return NULL; 1274 1275 frm = mtod(m, u_int8_t *); 1276 frm = ieee80211_add_ssid(frm, ic->ic_des_essid, ic->ic_des_esslen); 1277 frm = ieee80211_add_rates(frm, rs); 1278 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1279 frm = ieee80211_add_xrates(frm, rs); 1280 if (ic->ic_flags & IEEE80211_F_HTON) { 1281 frm = ieee80211_add_htcaps(frm, ic); 1282 frm = ieee80211_add_wme_info(frm, ic); 1283 } 1284 if (ic->ic_flags & IEEE80211_F_VHTON) 1285 frm = ieee80211_add_htcaps(frm, ic); 1286 1287 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1288 1289 return m; 1290} 1291 1292#ifndef IEEE80211_STA_ONLY 1293/*- 1294 * Probe response frame format: 1295 * [8] Timestamp 1296 * [2] Beacon interval 1297 * [2] Capability 1298 * [tlv] Service Set Identifier (SSID) 1299 * [tlv] Supported rates 1300 * [tlv] DS Parameter Set (802.11g) 1301 * [tlv] ERP Information (802.11g) 1302 * [tlv] Extended Supported Rates (802.11g) 1303 * [tlv] RSN (802.11i) 1304 * [tlv] EDCA Parameter Set (802.11e) 1305 * [tlv] HT Capabilities (802.11n) 1306 * [tlv] HT Operation (802.11n) 1307 */ 1308struct mbuf * 1309ieee80211_get_probe_resp(struct ieee80211com *ic) 1310{ 1311 const struct ieee80211_rateset *rs = &ic->ic_bss->ni_rates; 1312 struct mbuf *m; 1313 u_int8_t *frm; 1314 1315 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1316 8 + 2 + 2 + 1317 2 + ic->ic_bss->ni_esslen + 1318 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1319 2 + 1 + 1320 ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 + 2 : 0) + 1321 ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) + 1322 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1323 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1324 (((ic->ic_flags & IEEE80211_F_RSNON) && 1325 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 1326 2 + IEEE80211_RSNIE_MAXLEN : 0) + 1327 ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) + 1328 (((ic->ic_flags & IEEE80211_F_RSNON) && 1329 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 1330 2 + IEEE80211_WPAIE_MAXLEN : 0) + 1331 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0)); 1332 if (m == NULL) 1333 return NULL; 1334 1335 frm = mtod(m, u_int8_t *); 1336 memset(frm, 0, 8); frm += 8; /* timestamp is set by hardware */ 1337 LE_WRITE_2(frm, ic->ic_bss->ni_intval); frm += 2; 1338 frm = ieee80211_add_capinfo(frm, ic, ic->ic_bss); 1339 frm = ieee80211_add_ssid(frm, ic->ic_bss->ni_essid, 1340 ic->ic_bss->ni_esslen); 1341 frm = ieee80211_add_rates(frm, rs); 1342 frm = ieee80211_add_ds_params(frm, ic, ic->ic_bss); 1343 if (ic->ic_opmode == IEEE80211_M_IBSS) 1344 frm = ieee80211_add_ibss_params(frm, ic->ic_bss); 1345 if (ic->ic_curmode == IEEE80211_MODE_11G) 1346 frm = ieee80211_add_erp(frm, ic); 1347 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1348 frm = ieee80211_add_xrates(frm, rs); 1349 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1350 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN)) 1351 frm = ieee80211_add_rsn(frm, ic, ic->ic_bss); 1352 if (ic->ic_flags & IEEE80211_F_QOS) 1353 frm = ieee80211_add_edca_params(frm, ic); 1354 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1355 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA)) 1356 frm = ieee80211_add_wpa(frm, ic, ic->ic_bss); 1357 if (ic->ic_flags & IEEE80211_F_HTON) { 1358 frm = ieee80211_add_htcaps(frm, ic); 1359 frm = ieee80211_add_htop(frm, ic); 1360 frm = ieee80211_add_wme_param(frm, ic); 1361 } 1362 1363 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1364 1365 return m; 1366} 1367#endif /* IEEE80211_STA_ONLY */ 1368 1369/*- 1370 * Authentication frame format: 1371 * [2] Authentication algorithm number 1372 * [2] Authentication transaction sequence number 1373 * [2] Status code 1374 */ 1375struct mbuf * 1376ieee80211_get_auth(struct ieee80211com *ic, struct ieee80211_node *ni, 1377 u_int16_t status, u_int16_t seq) 1378{ 1379 struct mbuf *m; 1380 u_int8_t *frm; 1381 1382 MGETHDR(m, M_DONTWAIT, MT_DATA); 1383 if (m == NULL) 1384 return NULL; 1385 m_align(m, 2 * 3); 1386 m->m_pkthdr.len = m->m_len = 2 * 3; 1387 1388 frm = mtod(m, u_int8_t *); 1389 LE_WRITE_2(frm, IEEE80211_AUTH_ALG_OPEN); frm += 2; 1390 LE_WRITE_2(frm, seq); frm += 2; 1391 LE_WRITE_2(frm, status); 1392 1393 return m; 1394} 1395 1396/*- 1397 * Deauthentication frame format: 1398 * [2] Reason code 1399 */ 1400struct mbuf * 1401ieee80211_get_deauth(struct ieee80211com *ic, struct ieee80211_node *ni, 1402 u_int16_t reason) 1403{ 1404 struct mbuf *m; 1405 1406 MGETHDR(m, M_DONTWAIT, MT_DATA); 1407 if (m == NULL) 1408 return NULL; 1409 m_align(m, 2); 1410 m->m_pkthdr.len = m->m_len = 2; 1411 1412 *mtod(m, u_int16_t *) = htole16(reason); 1413 1414 return m; 1415} 1416 1417/*- 1418 * (Re)Association request frame format: 1419 * [2] Capability information 1420 * [2] Listen interval 1421 * [6*] Current AP address (Reassociation only) 1422 * [tlv] SSID 1423 * [tlv] Supported rates 1424 * [tlv] Extended Supported Rates (802.11g) 1425 * [tlv] RSN (802.11i) 1426 * [tlv] QoS Capability (802.11e) 1427 * [tlv] HT Capabilities (802.11n) 1428 */ 1429struct mbuf * 1430ieee80211_get_assoc_req(struct ieee80211com *ic, struct ieee80211_node *ni, 1431 int type) 1432{ 1433 const struct ieee80211_rateset *rs = &ni->ni_rates; 1434 struct mbuf *m; 1435 u_int8_t *frm; 1436 u_int16_t capinfo; 1437 1438 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1439 2 + 2 + 1440 ((type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) ? 1441 IEEE80211_ADDR_LEN : 0) + 1442 2 + ni->ni_esslen + 1443 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1444 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1445 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1446 (((ic->ic_flags & IEEE80211_F_RSNON) && 1447 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 1448 2 + IEEE80211_RSNIE_MAXLEN : 0) + 1449 ((ni->ni_flags & IEEE80211_NODE_QOS) ? 2 + 1 : 0) + 1450 (((ic->ic_flags & IEEE80211_F_RSNON) && 1451 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 1452 2 + IEEE80211_WPAIE_MAXLEN : 0) + 1453 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 9 : 0) + 1454 ((ic->ic_flags & IEEE80211_F_VHTON) ? 14 : 0)); 1455 if (m == NULL) 1456 return NULL; 1457 1458 frm = mtod(m, u_int8_t *); 1459 capinfo = IEEE80211_CAPINFO_ESS; 1460 if (ic->ic_flags & IEEE80211_F_WEPON) 1461 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1462 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1463 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) 1464 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1465 if (ic->ic_caps & IEEE80211_C_SHSLOT) 1466 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1467 LE_WRITE_2(frm, capinfo); frm += 2; 1468 LE_WRITE_2(frm, ic->ic_lintval); frm += 2; 1469 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1470 IEEE80211_ADDR_COPY(frm, ic->ic_bss->ni_bssid); 1471 frm += IEEE80211_ADDR_LEN; 1472 } 1473 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 1474 frm = ieee80211_add_rates(frm, rs); 1475 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1476 frm = ieee80211_add_xrates(frm, rs); 1477 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1478 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) 1479 frm = ieee80211_add_rsn(frm, ic, ni); 1480 if (ni->ni_flags & IEEE80211_NODE_QOS) 1481 frm = ieee80211_add_qos_capability(frm, ic); 1482 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1483 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) 1484 frm = ieee80211_add_wpa(frm, ic, ni); 1485 if (ic->ic_flags & IEEE80211_F_HTON) { 1486 frm = ieee80211_add_htcaps(frm, ic); 1487 frm = ieee80211_add_wme_info(frm, ic); 1488 } 1489 if (ic->ic_flags & IEEE80211_F_VHTON) 1490 frm = ieee80211_add_vhtcaps(frm, ic); 1491 1492 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1493 1494 return m; 1495} 1496 1497#ifndef IEEE80211_STA_ONLY 1498/*- 1499 * (Re)Association response frame format: 1500 * [2] Capability information 1501 * [2] Status code 1502 * [2] Association ID (AID) 1503 * [tlv] Supported rates 1504 * [tlv] Extended Supported Rates (802.11g) 1505 * [tlv] EDCA Parameter Set (802.11e) 1506 * [tlv] Timeout Interval (802.11w) 1507 * [tlv] HT Capabilities (802.11n) 1508 * [tlv] HT Operation (802.11n) 1509 */ 1510struct mbuf * 1511ieee80211_get_assoc_resp(struct ieee80211com *ic, struct ieee80211_node *ni, 1512 u_int16_t status) 1513{ 1514 const struct ieee80211_rateset *rs = &ni->ni_rates; 1515 struct mbuf *m; 1516 u_int8_t *frm; 1517 1518 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1519 2 + 2 + 2 + 1520 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1521 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1522 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1523 ((ni->ni_flags & IEEE80211_NODE_QOS) ? 2 + 18 : 0) + 1524 ((status == IEEE80211_STATUS_TRY_AGAIN_LATER) ? 2 + 7 : 0) + 1525 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0)); 1526 if (m == NULL) 1527 return NULL; 1528 1529 frm = mtod(m, u_int8_t *); 1530 frm = ieee80211_add_capinfo(frm, ic, ni); 1531 LE_WRITE_2(frm, status); frm += 2; 1532 if (status == IEEE80211_STATUS_SUCCESS) 1533 LE_WRITE_2(frm, ni->ni_associd); 1534 else 1535 LE_WRITE_2(frm, 0); 1536 frm += 2; 1537 frm = ieee80211_add_rates(frm, rs); 1538 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1539 frm = ieee80211_add_xrates(frm, rs); 1540 if (ni->ni_flags & IEEE80211_NODE_QOS) 1541 frm = ieee80211_add_edca_params(frm, ic); 1542 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 1543 status == IEEE80211_STATUS_TRY_AGAIN_LATER) { 1544 /* Association Comeback Time */ 1545 frm = ieee80211_add_tie(frm, 3, 1000 /* XXX */); 1546 } 1547 if (ic->ic_flags & IEEE80211_F_HTON) { 1548 frm = ieee80211_add_htcaps(frm, ic); 1549 frm = ieee80211_add_htop(frm, ic); 1550 frm = ieee80211_add_wme_param(frm, ic); 1551 } 1552 1553 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1554 1555 return m; 1556} 1557#endif /* IEEE80211_STA_ONLY */ 1558 1559/*- 1560 * Disassociation frame format: 1561 * [2] Reason code 1562 */ 1563struct mbuf * 1564ieee80211_get_disassoc(struct ieee80211com *ic, struct ieee80211_node *ni, 1565 u_int16_t reason) 1566{ 1567 struct mbuf *m; 1568 1569 MGETHDR(m, M_DONTWAIT, MT_DATA); 1570 if (m == NULL) 1571 return NULL; 1572 m_align(m, 2); 1573 m->m_pkthdr.len = m->m_len = 2; 1574 1575 *mtod(m, u_int16_t *) = htole16(reason); 1576 1577 return m; 1578} 1579 1580/*- 1581 * ADDBA Request frame format: 1582 * [1] Category 1583 * [1] Action 1584 * [1] Dialog Token 1585 * [2] Block Ack Parameter Set 1586 * [2] Block Ack Timeout Value 1587 * [2] Block Ack Starting Sequence Control 1588 */ 1589struct mbuf * 1590ieee80211_get_addba_req(struct ieee80211com *ic, struct ieee80211_node *ni, 1591 u_int8_t tid) 1592{ 1593 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1594 struct mbuf *m; 1595 u_int8_t *frm; 1596 1597 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 9); 1598 if (m == NULL) 1599 return m; 1600 1601 frm = mtod(m, u_int8_t *); 1602 *frm++ = IEEE80211_CATEG_BA; 1603 *frm++ = IEEE80211_ACTION_ADDBA_REQ; 1604 *frm++ = ba->ba_token; 1605 LE_WRITE_2(frm, ba->ba_params); frm += 2; 1606 LE_WRITE_2(frm, ba->ba_timeout_val / IEEE80211_DUR_TU); frm += 2; 1607 LE_WRITE_2(frm, ba->ba_winstart << IEEE80211_SEQ_SEQ_SHIFT); frm += 2; 1608 1609 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1610 1611 return m; 1612} 1613 1614/* Move Tx BA window forward to the specified SSN. */ 1615void 1616ieee80211_output_ba_move_window(struct ieee80211com *ic, 1617 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn) 1618{ 1619 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1620 uint16_t s = ba->ba_winstart; 1621 1622 while (SEQ_LT(s, ssn) && ba->ba_bitmap) { 1623 s = (s + 1) % 0xfff; 1624 ba->ba_bitmap >>= 1; 1625 } 1626 1627 ba->ba_winstart = (ssn & 0xfff); 1628 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 1629} 1630 1631/* 1632 * Move Tx BA window forward up to the first hole in the bitmap 1633 * or up to the specified SSN, whichever comes first. 1634 * After calling this function, frames before the start of the 1635 * potentially changed BA window should be discarded. 1636 */ 1637void 1638ieee80211_output_ba_move_window_to_first_unacked(struct ieee80211com *ic, 1639 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn) 1640{ 1641 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1642 uint16_t s = ba->ba_winstart; 1643 uint64_t bitmap = ba->ba_bitmap; 1644 int can_move_window = 0; 1645 1646 while (bitmap && SEQ_LT(s, ssn)) { 1647 if ((bitmap & 1) == 0) 1648 break; 1649 s = (s + 1) % 0xfff; 1650 bitmap >>= 1; 1651 can_move_window = 1; 1652 } 1653 1654 if (can_move_window) 1655 ieee80211_output_ba_move_window(ic, ni, tid, s); 1656} 1657 1658/* Record an ACK for a frame with a given SSN within the Tx BA window. */ 1659void 1660ieee80211_output_ba_record_ack(struct ieee80211com *ic, 1661 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn) 1662{ 1663 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1664 int i = 0; 1665 uint16_t s = ba->ba_winstart; 1666 1667 KASSERT(!SEQ_LT(ssn, ba->ba_winstart)); 1668 KASSERT(!SEQ_LT(ba->ba_winend, ssn)); 1669 1670 while (SEQ_LT(s, ssn)) { 1671 s = (s + 1) % 0xfff; 1672 i++; 1673 } 1674 if (i < ba->ba_winsize) 1675 ba->ba_bitmap |= (1 << i); 1676} 1677 1678/*- 1679 * ADDBA Response frame format: 1680 * [1] Category 1681 * [1] Action 1682 * [1] Dialog Token 1683 * [2] Status Code 1684 * [2] Block Ack Parameter Set 1685 * [2] Block Ack Timeout Value 1686 */ 1687struct mbuf * 1688ieee80211_get_addba_resp(struct ieee80211com *ic, struct ieee80211_node *ni, 1689 u_int8_t tid, u_int8_t token, u_int16_t status) 1690{ 1691 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 1692 struct mbuf *m; 1693 u_int8_t *frm; 1694 u_int16_t params; 1695 1696 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 9); 1697 if (m == NULL) 1698 return m; 1699 1700 frm = mtod(m, u_int8_t *); 1701 *frm++ = IEEE80211_CATEG_BA; 1702 *frm++ = IEEE80211_ACTION_ADDBA_RESP; 1703 *frm++ = token; 1704 LE_WRITE_2(frm, status); frm += 2; 1705 if (status == 0) 1706 params = ba->ba_params; 1707 else 1708 params = tid << IEEE80211_ADDBA_TID_SHIFT; 1709 LE_WRITE_2(frm, params); frm += 2; 1710 if (status == 0) 1711 LE_WRITE_2(frm, ba->ba_timeout_val / IEEE80211_DUR_TU); 1712 else 1713 LE_WRITE_2(frm, 0); 1714 frm += 2; 1715 1716 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1717 1718 return m; 1719} 1720 1721/*- 1722 * DELBA frame format: 1723 * [1] Category 1724 * [1] Action 1725 * [2] DELBA Parameter Set 1726 * [2] Reason Code 1727 */ 1728struct mbuf * 1729ieee80211_get_delba(struct ieee80211com *ic, struct ieee80211_node *ni, 1730 u_int8_t tid, u_int8_t dir, u_int16_t reason) 1731{ 1732 struct mbuf *m; 1733 u_int8_t *frm; 1734 u_int16_t params; 1735 1736 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 6); 1737 if (m == NULL) 1738 return m; 1739 1740 frm = mtod(m, u_int8_t *); 1741 *frm++ = IEEE80211_CATEG_BA; 1742 *frm++ = IEEE80211_ACTION_DELBA; 1743 params = tid << 12; 1744 if (dir) 1745 params |= IEEE80211_DELBA_INITIATOR; 1746 LE_WRITE_2(frm, params); frm += 2; 1747 LE_WRITE_2(frm, reason); frm += 2; 1748 1749 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1750 1751 return m; 1752} 1753 1754/*- 1755 * SA Query Request/Response frame format: 1756 * [1] Category 1757 * [1] Action 1758 * [16] Transaction Identifier 1759 */ 1760struct mbuf * 1761ieee80211_get_sa_query(struct ieee80211com *ic, struct ieee80211_node *ni, 1762 u_int8_t action) 1763{ 1764 struct mbuf *m; 1765 u_int8_t *frm; 1766 1767 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 4); 1768 if (m == NULL) 1769 return NULL; 1770 1771 frm = mtod(m, u_int8_t *); 1772 *frm++ = IEEE80211_CATEG_SA_QUERY; 1773 *frm++ = action; /* ACTION_SA_QUERY_REQ/RESP */ 1774 LE_WRITE_2(frm, ni->ni_sa_query_trid); frm += 2; 1775 1776 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1777 1778 return m; 1779} 1780 1781struct mbuf * 1782ieee80211_get_action(struct ieee80211com *ic, struct ieee80211_node *ni, 1783 u_int8_t categ, u_int8_t action, int arg) 1784{ 1785 struct mbuf *m = NULL; 1786 1787 switch (categ) { 1788 case IEEE80211_CATEG_BA: 1789 switch (action) { 1790 case IEEE80211_ACTION_ADDBA_REQ: 1791 m = ieee80211_get_addba_req(ic, ni, arg & 0xffff); 1792 break; 1793 case IEEE80211_ACTION_ADDBA_RESP: 1794 m = ieee80211_get_addba_resp(ic, ni, arg & 0xff, 1795 arg >> 8, arg >> 16); 1796 break; 1797 case IEEE80211_ACTION_DELBA: 1798 m = ieee80211_get_delba(ic, ni, arg & 0xff, arg >> 8, 1799 arg >> 16); 1800 break; 1801 } 1802 break; 1803 case IEEE80211_CATEG_SA_QUERY: 1804 switch (action) { 1805#ifndef IEEE80211_STA_ONLY 1806 case IEEE80211_ACTION_SA_QUERY_REQ: 1807#endif 1808 case IEEE80211_ACTION_SA_QUERY_RESP: 1809 m = ieee80211_get_sa_query(ic, ni, action); 1810 break; 1811 } 1812 break; 1813 } 1814 return m; 1815} 1816 1817/* 1818 * Send a management frame. The node is for the destination (or ic_bss 1819 * when in station mode). Nodes other than ic_bss have their reference 1820 * count bumped to reflect our use for an indeterminant time. 1821 */ 1822int 1823ieee80211_send_mgmt(struct ieee80211com *ic, struct ieee80211_node *ni, 1824 int type, int arg1, int arg2) 1825{ 1826#define senderr(_x, _v) do { ic->ic_stats._v++; ret = _x; goto bad; } while (0) 1827 struct ifnet *ifp = &ic->ic_if; 1828 struct mbuf *m; 1829 int ret, timer; 1830 1831 if (ni == NULL) 1832 panic("null node"); 1833 1834 /* 1835 * Hold a reference on the node so it doesn't go away until after 1836 * the xmit is complete all the way in the driver. On error we 1837 * will remove our reference. 1838 */ 1839 ieee80211_ref_node(ni); 1840 timer = 0; 1841 switch (type) { 1842 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1843 if ((m = ieee80211_get_probe_req(ic, ni)) == NULL) 1844 senderr(ENOMEM, is_tx_nombuf); 1845 1846 timer = IEEE80211_TRANS_WAIT; 1847 break; 1848#ifndef IEEE80211_STA_ONLY 1849 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1850 if ((m = ieee80211_get_probe_resp(ic)) == NULL) 1851 senderr(ENOMEM, is_tx_nombuf); 1852 break; 1853#endif 1854 case IEEE80211_FC0_SUBTYPE_AUTH: 1855 m = ieee80211_get_auth(ic, ni, arg1 >> 16, arg1 & 0xffff); 1856 if (m == NULL) 1857 senderr(ENOMEM, is_tx_nombuf); 1858 1859 if (ic->ic_opmode == IEEE80211_M_STA) 1860 timer = IEEE80211_TRANS_WAIT; 1861 break; 1862 1863 case IEEE80211_FC0_SUBTYPE_DEAUTH: 1864 if ((m = ieee80211_get_deauth(ic, ni, arg1)) == NULL) 1865 senderr(ENOMEM, is_tx_nombuf); 1866#ifndef IEEE80211_STA_ONLY 1867 if ((ifp->if_flags & IFF_DEBUG) && 1868 (ic->ic_opmode == IEEE80211_M_HOSTAP || 1869 ic->ic_opmode == IEEE80211_M_IBSS)) 1870 printf("%s: station %s deauthenticate (reason %d)\n", 1871 ifp->if_xname, ether_sprintf(ni->ni_macaddr), 1872 arg1); 1873#endif 1874 break; 1875 1876 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1877 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 1878 if ((m = ieee80211_get_assoc_req(ic, ni, type)) == NULL) 1879 senderr(ENOMEM, is_tx_nombuf); 1880 1881 timer = IEEE80211_TRANS_WAIT; 1882 break; 1883#ifndef IEEE80211_STA_ONLY 1884 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 1885 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 1886 if ((m = ieee80211_get_assoc_resp(ic, ni, arg1)) == NULL) 1887 senderr(ENOMEM, is_tx_nombuf); 1888 break; 1889#endif 1890 case IEEE80211_FC0_SUBTYPE_DISASSOC: 1891 if ((m = ieee80211_get_disassoc(ic, ni, arg1)) == NULL) 1892 senderr(ENOMEM, is_tx_nombuf); 1893#ifndef IEEE80211_STA_ONLY 1894 if ((ifp->if_flags & IFF_DEBUG) && 1895 (ic->ic_opmode == IEEE80211_M_HOSTAP || 1896 ic->ic_opmode == IEEE80211_M_IBSS)) 1897 printf("%s: station %s disassociate (reason %d)\n", 1898 ifp->if_xname, ether_sprintf(ni->ni_macaddr), 1899 arg1); 1900#endif 1901 break; 1902 1903 case IEEE80211_FC0_SUBTYPE_ACTION: 1904 m = ieee80211_get_action(ic, ni, arg1 >> 16, arg1 & 0xffff, 1905 arg2); 1906 if (m == NULL) 1907 senderr(ENOMEM, is_tx_nombuf); 1908 break; 1909 1910 default: 1911 DPRINTF(("invalid mgmt frame type %u\n", type)); 1912 senderr(EINVAL, is_tx_unknownmgt); 1913 /* NOTREACHED */ 1914 } 1915 1916 ret = ieee80211_mgmt_output(ifp, ni, m, type); 1917 if (ret == 0) { 1918 if (timer) 1919 ic->ic_mgt_timer = timer; 1920 } else { 1921bad: 1922 ieee80211_release_node(ic, ni); 1923 } 1924 return ret; 1925#undef senderr 1926} 1927 1928/* 1929 * Build a RTS (Request To Send) control frame (see 7.2.1.1). 1930 */ 1931struct mbuf * 1932ieee80211_get_rts(struct ieee80211com *ic, const struct ieee80211_frame *wh, 1933 u_int16_t dur) 1934{ 1935 struct ieee80211_frame_rts *rts; 1936 struct mbuf *m; 1937 1938 MGETHDR(m, M_DONTWAIT, MT_DATA); 1939 if (m == NULL) 1940 return NULL; 1941 1942 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts); 1943 1944 rts = mtod(m, struct ieee80211_frame_rts *); 1945 rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 1946 IEEE80211_FC0_SUBTYPE_RTS; 1947 rts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1948 *(u_int16_t *)rts->i_dur = htole16(dur); 1949 IEEE80211_ADDR_COPY(rts->i_ra, wh->i_addr1); 1950 IEEE80211_ADDR_COPY(rts->i_ta, wh->i_addr2); 1951 1952 return m; 1953} 1954 1955/* 1956 * Build a CTS-to-self (Clear To Send) control frame (see 7.2.1.2). 1957 */ 1958struct mbuf * 1959ieee80211_get_cts_to_self(struct ieee80211com *ic, u_int16_t dur) 1960{ 1961 struct ieee80211_frame_cts *cts; 1962 struct mbuf *m; 1963 1964 MGETHDR(m, M_DONTWAIT, MT_DATA); 1965 if (m == NULL) 1966 return NULL; 1967 1968 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts); 1969 1970 cts = mtod(m, struct ieee80211_frame_cts *); 1971 cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 1972 IEEE80211_FC0_SUBTYPE_CTS; 1973 cts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1974 *(u_int16_t *)cts->i_dur = htole16(dur); 1975 IEEE80211_ADDR_COPY(cts->i_ra, ic->ic_myaddr); 1976 1977 return m; 1978} 1979 1980/* 1981 * Build a compressed Block Ack Request control frame. 1982 */ 1983struct mbuf * 1984ieee80211_get_compressed_bar(struct ieee80211com *ic, 1985 struct ieee80211_node *ni, int tid, uint16_t ssn) 1986{ 1987 struct ieee80211_frame_min *wh; 1988 uint8_t *frm; 1989 uint16_t ctl; 1990 struct mbuf *m; 1991 1992 MGETHDR(m, M_DONTWAIT, MT_DATA); 1993 if (m == NULL) 1994 return NULL; 1995 1996 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_min) + 1997 sizeof(ctl) + sizeof(ssn); 1998 1999 wh = mtod(m, struct ieee80211_frame_min *); 2000 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 2001 IEEE80211_FC0_SUBTYPE_BAR; 2002 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2003 *(u_int16_t *)wh->i_dur = 0; 2004 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 2005 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 2006 frm = (uint8_t *)&wh[1]; 2007 2008 ctl = IEEE80211_BA_COMPRESSED | (tid << IEEE80211_BA_TID_INFO_SHIFT); 2009 LE_WRITE_2(frm, ctl); 2010 frm += 2; 2011 2012 LE_WRITE_2(frm, ssn << IEEE80211_SEQ_SEQ_SHIFT); 2013 frm += 2; 2014 2015 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 2016 m->m_pkthdr.ph_cookie = ni; 2017 2018 return m; 2019} 2020 2021#ifndef IEEE80211_STA_ONLY 2022/*- 2023 * Beacon frame format: 2024 * [8] Timestamp 2025 * [2] Beacon interval 2026 * [2] Capability 2027 * [tlv] Service Set Identifier (SSID) 2028 * [tlv] Supported rates 2029 * [tlv] DS Parameter Set (802.11g) 2030 * [tlv] IBSS Parameter Set 2031 * [tlv] Traffic Indication Map (TIM) 2032 * [tlv] ERP Information (802.11g) 2033 * [tlv] Extended Supported Rates (802.11g) 2034 * [tlv] RSN (802.11i) 2035 * [tlv] EDCA Parameter Set (802.11e) 2036 * [tlv] HT Capabilities (802.11n) 2037 * [tlv] HT Operation (802.11n) 2038 */ 2039struct mbuf * 2040ieee80211_beacon_alloc(struct ieee80211com *ic, struct ieee80211_node *ni) 2041{ 2042 const struct ieee80211_rateset *rs = &ni->ni_rates; 2043 struct ieee80211_frame *wh; 2044 struct mbuf *m; 2045 u_int8_t *frm; 2046 2047 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 2048 8 + 2 + 2 + 2049 2 + ((ic->ic_userflags & IEEE80211_F_HIDENWID) ? 2050 0 : ni->ni_esslen) + 2051 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 2052 2 + 1 + 2053 2 + ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 : 254) + 2054 ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) + 2055 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 2056 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 2057 (((ic->ic_flags & IEEE80211_F_RSNON) && 2058 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 2059 2 + IEEE80211_RSNIE_MAXLEN : 0) + 2060 ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) + 2061 (((ic->ic_flags & IEEE80211_F_RSNON) && 2062 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 2063 2 + IEEE80211_WPAIE_MAXLEN : 0) + 2064 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0)); 2065 if (m == NULL) 2066 return NULL; 2067 2068 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 2069 if (m == NULL) 2070 return NULL; 2071 wh = mtod(m, struct ieee80211_frame *); 2072 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | 2073 IEEE80211_FC0_SUBTYPE_BEACON; 2074 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2075 *(u_int16_t *)wh->i_dur = 0; 2076 IEEE80211_ADDR_COPY(wh->i_addr1, etherbroadcastaddr); 2077 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 2078 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 2079 *(u_int16_t *)wh->i_seq = 0; 2080 2081 frm = (u_int8_t *)&wh[1]; 2082 memset(frm, 0, 8); frm += 8; /* timestamp is set by hardware */ 2083 LE_WRITE_2(frm, ni->ni_intval); frm += 2; 2084 frm = ieee80211_add_capinfo(frm, ic, ni); 2085 if (ic->ic_userflags & IEEE80211_F_HIDENWID) 2086 frm = ieee80211_add_ssid(frm, NULL, 0); 2087 else 2088 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 2089 frm = ieee80211_add_rates(frm, rs); 2090 frm = ieee80211_add_ds_params(frm, ic, ni); 2091 if (ic->ic_opmode == IEEE80211_M_IBSS) 2092 frm = ieee80211_add_ibss_params(frm, ni); 2093 else 2094 frm = ieee80211_add_tim(frm, ic); 2095 if (ic->ic_curmode == IEEE80211_MODE_11G) 2096 frm = ieee80211_add_erp(frm, ic); 2097 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 2098 frm = ieee80211_add_xrates(frm, rs); 2099 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2100 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) 2101 frm = ieee80211_add_rsn(frm, ic, ni); 2102 if (ic->ic_flags & IEEE80211_F_QOS) 2103 frm = ieee80211_add_edca_params(frm, ic); 2104 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2105 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) 2106 frm = ieee80211_add_wpa(frm, ic, ni); 2107 if (ic->ic_flags & IEEE80211_F_HTON) { 2108 frm = ieee80211_add_htcaps(frm, ic); 2109 frm = ieee80211_add_htop(frm, ic); 2110 frm = ieee80211_add_wme_param(frm, ic); 2111 } 2112 2113 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 2114 m->m_pkthdr.ph_cookie = ni; 2115 2116 return m; 2117} 2118 2119/* 2120 * Check if an outgoing MSDU or management frame should be buffered into 2121 * the AP for power management. Return 1 if the frame was buffered into 2122 * the AP, or 0 if the frame shall be transmitted immediately. 2123 */ 2124int 2125ieee80211_pwrsave(struct ieee80211com *ic, struct mbuf *m, 2126 struct ieee80211_node *ni) 2127{ 2128 const struct ieee80211_frame *wh; 2129 int pssta = 0; 2130 2131 KASSERT(ic->ic_opmode == IEEE80211_M_HOSTAP); 2132 if (!(ic->ic_caps & IEEE80211_C_APPMGT)) 2133 return 0; 2134 2135 wh = mtod(m, struct ieee80211_frame *); 2136 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2137 /* 2138 * Buffer group addressed MSDUs with the Order bit clear 2139 * if any associated STAs are in PS mode. 2140 */ 2141 ieee80211_iterate_nodes(ic, ieee80211_count_pssta, &pssta); 2142 if ((wh->i_fc[1] & IEEE80211_FC1_ORDER) || pssta == 0) 2143 return 0; 2144 ic->ic_tim_mcast_pending = 1; 2145 } else { 2146 /* 2147 * Buffer MSDUs, A-MSDUs or management frames destined for 2148 * PS STAs. 2149 */ 2150 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE || 2151 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == 2152 IEEE80211_FC0_TYPE_CTL) 2153 return 0; 2154 if (mq_empty(&ni->ni_savedq)) 2155 (*ic->ic_set_tim)(ic, ni->ni_associd, 1); 2156 } 2157 /* NB: ni == ic->ic_bss for broadcast/multicast */ 2158 /* 2159 * Similar to ieee80211_mgmt_output, store the node in a 2160 * special pkthdr field. 2161 */ 2162 m->m_pkthdr.ph_cookie = ni; 2163 mq_enqueue(&ni->ni_savedq, m); 2164 return 1; 2165} 2166#endif /* IEEE80211_STA_ONLY */ 2167