1 /*- 2 * Copyright (c) 2001 Atsushi Onoe 3 * Copyright (c) 2002-2009 Sam Leffler, Errno Consulting 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include <sys/cdefs.h> 28 __FBSDID("$FreeBSD$"); 29 30 #include "opt_inet.h" 31 #include "opt_inet6.h" 32 #include "opt_wlan.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/kernel.h> 38 #include <sys/endian.h> 39 40 #include <sys/socket.h> 41 42 #include <net/bpf.h> 43 #include <net/ethernet.h> 44 #include <net/if.h> 45 #include <net/if_llc.h> 46 #include <net/if_media.h> 47 #include <net/if_vlan_var.h> 48 49 #include <net80211/ieee80211_var.h> 50 #include <net80211/ieee80211_regdomain.h> 51 #ifdef IEEE80211_SUPPORT_SUPERG 52 #include <net80211/ieee80211_superg.h> 53 #endif 54 #ifdef IEEE80211_SUPPORT_TDMA 55 #include <net80211/ieee80211_tdma.h> 56 #endif 57 #include <net80211/ieee80211_wds.h> 58 #include <net80211/ieee80211_mesh.h> 59 60 #if defined(INET) || defined(INET6) 61 #include <netinet/in.h> 62 #endif 63 64 #ifdef INET 65 #include <netinet/if_ether.h> 66 #include <netinet/in_systm.h> 67 #include <netinet/ip.h> 68 #endif 69 #ifdef INET6 70 #include <netinet/ip6.h> 71 #endif 72 73 #include <security/mac/mac_framework.h> 74 75 #define ETHER_HEADER_COPY(dst, src) \ 76 memcpy(dst, src, sizeof(struct ether_header)) 77 78 /* unalligned little endian access */ 79 #define LE_WRITE_2(p, v) do { \ 80 ((uint8_t *)(p))[0] = (v) & 0xff; \ 81 ((uint8_t *)(p))[1] = ((v) >> 8) & 0xff; \ 82 } while (0) 83 #define LE_WRITE_4(p, v) do { \ 84 ((uint8_t *)(p))[0] = (v) & 0xff; \ 85 ((uint8_t *)(p))[1] = ((v) >> 8) & 0xff; \ 86 ((uint8_t *)(p))[2] = ((v) >> 16) & 0xff; \ 87 ((uint8_t *)(p))[3] = ((v) >> 24) & 0xff; \ 88 } while (0) 89 90 static int ieee80211_fragment(struct ieee80211vap *, struct mbuf *, 91 u_int hdrsize, u_int ciphdrsize, u_int mtu); 92 static void ieee80211_tx_mgt_cb(struct ieee80211_node *, void *, int); 93 94 #ifdef IEEE80211_DEBUG 95 /* 96 * Decide if an outbound management frame should be 97 * printed when debugging is enabled. This filters some 98 * of the less interesting frames that come frequently 99 * (e.g. beacons). 100 */ 101 static __inline int 102 doprint(struct ieee80211vap *vap, int subtype) 103 { 104 switch (subtype) { 105 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 106 return (vap->iv_opmode == IEEE80211_M_IBSS); 107 } 108 return 1; 109 } 110 #endif 111 112 /* 113 * Start method for vap's. All packets from the stack come 114 * through here. We handle common processing of the packets 115 * before dispatching them to the underlying device. 116 */ 117 void 118 ieee80211_start(struct ifnet *ifp) 119 { 120 #define IS_DWDS(vap) \ 121 (vap->iv_opmode == IEEE80211_M_WDS && \ 122 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY) == 0) 123 struct ieee80211vap *vap = ifp->if_softc; 124 struct ieee80211com *ic = vap->iv_ic; 125 struct ifnet *parent = ic->ic_ifp; 126 struct ieee80211_node *ni; 127 struct mbuf *m; 128 struct ether_header *eh; 129 int error; 130 131 /* NB: parent must be up and running */ 132 if (!IFNET_IS_UP_RUNNING(parent)) { 133 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 134 "%s: ignore queue, parent %s not up+running\n", 135 __func__, parent->if_xname); 136 /* XXX stat */ 137 return; 138 } 139 if (vap->iv_state == IEEE80211_S_SLEEP) { 140 /* 141 * In power save, wakeup device for transmit. 142 */ 143 ieee80211_new_state(vap, IEEE80211_S_RUN, 0); 144 return; 145 } 146 /* 147 * No data frames go out unless we're running. 148 * Note in particular this covers CAC and CSA 149 * states (though maybe we should check muting 150 * for CSA). 151 */ 152 if (vap->iv_state != IEEE80211_S_RUN) { 153 IEEE80211_LOCK(ic); 154 /* re-check under the com lock to avoid races */ 155 if (vap->iv_state != IEEE80211_S_RUN) { 156 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 157 "%s: ignore queue, in %s state\n", 158 __func__, ieee80211_state_name[vap->iv_state]); 159 vap->iv_stats.is_tx_badstate++; 160 IEEE80211_UNLOCK(ic); 161 IFQ_LOCK(&ifp->if_snd); 162 ifp->if_drv_flags |= IFF_DRV_OACTIVE; 163 IFQ_UNLOCK(&ifp->if_snd); 164 return; 165 } 166 IEEE80211_UNLOCK(ic); 167 } 168 for (;;) { 169 IFQ_DEQUEUE(&ifp->if_snd, m); 170 if (m == NULL) 171 break; 172 /* 173 * Sanitize mbuf flags for net80211 use. We cannot 174 * clear M_PWR_SAV or M_MORE_DATA because these may 175 * be set for frames that are re-submitted from the 176 * power save queue. 177 * 178 * NB: This must be done before ieee80211_classify as 179 * it marks EAPOL in frames with M_EAPOL. 180 */ 181 m->m_flags &= ~(M_80211_TX - M_PWR_SAV - M_MORE_DATA); 182 /* 183 * Cancel any background scan. 184 */ 185 if (ic->ic_flags & IEEE80211_F_SCAN) 186 ieee80211_cancel_anyscan(vap); 187 /* 188 * Find the node for the destination so we can do 189 * things like power save and fast frames aggregation. 190 * 191 * NB: past this point various code assumes the first 192 * mbuf has the 802.3 header present (and contiguous). 193 */ 194 ni = NULL; 195 if (m->m_len < sizeof(struct ether_header) && 196 (m = m_pullup(m, sizeof(struct ether_header))) == NULL) { 197 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 198 "discard frame, %s\n", "m_pullup failed"); 199 vap->iv_stats.is_tx_nobuf++; /* XXX */ 200 ifp->if_oerrors++; 201 continue; 202 } 203 eh = mtod(m, struct ether_header *); 204 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 205 if (IS_DWDS(vap)) { 206 /* 207 * Only unicast frames from the above go out 208 * DWDS vaps; multicast frames are handled by 209 * dispatching the frame as it comes through 210 * the AP vap (see below). 211 */ 212 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_WDS, 213 eh->ether_dhost, "mcast", "%s", "on DWDS"); 214 vap->iv_stats.is_dwds_mcast++; 215 m_freem(m); 216 continue; 217 } 218 if (vap->iv_opmode == IEEE80211_M_HOSTAP) { 219 /* 220 * Spam DWDS vap's w/ multicast traffic. 221 */ 222 /* XXX only if dwds in use? */ 223 ieee80211_dwds_mcast(vap, m); 224 } 225 } 226 #ifdef IEEE80211_SUPPORT_MESH 227 if (vap->iv_opmode != IEEE80211_M_MBSS) { 228 #endif 229 ni = ieee80211_find_txnode(vap, eh->ether_dhost); 230 if (ni == NULL) { 231 /* NB: ieee80211_find_txnode does stat+msg */ 232 ifp->if_oerrors++; 233 m_freem(m); 234 continue; 235 } 236 if (ni->ni_associd == 0 && 237 (ni->ni_flags & IEEE80211_NODE_ASSOCID)) { 238 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT, 239 eh->ether_dhost, NULL, 240 "sta not associated (type 0x%04x)", 241 htons(eh->ether_type)); 242 vap->iv_stats.is_tx_notassoc++; 243 ifp->if_oerrors++; 244 m_freem(m); 245 ieee80211_free_node(ni); 246 continue; 247 } 248 #ifdef IEEE80211_SUPPORT_MESH 249 } else { 250 if (!IEEE80211_ADDR_EQ(eh->ether_shost, vap->iv_myaddr)) { 251 /* 252 * Proxy station only if configured. 253 */ 254 if (!ieee80211_mesh_isproxyena(vap)) { 255 IEEE80211_DISCARD_MAC(vap, 256 IEEE80211_MSG_OUTPUT | 257 IEEE80211_MSG_MESH, 258 eh->ether_dhost, NULL, 259 "%s", "proxy not enabled"); 260 vap->iv_stats.is_mesh_notproxy++; 261 ifp->if_oerrors++; 262 m_freem(m); 263 continue; 264 } 265 ieee80211_mesh_proxy_check(vap, eh->ether_shost); 266 } 267 ni = ieee80211_mesh_discover(vap, eh->ether_dhost, m); 268 if (ni == NULL) { 269 /* 270 * NB: ieee80211_mesh_discover holds/disposes 271 * frame (e.g. queueing on path discovery). 272 */ 273 ifp->if_oerrors++; 274 continue; 275 } 276 } 277 #endif 278 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 279 (m->m_flags & M_PWR_SAV) == 0) { 280 /* 281 * Station in power save mode; pass the frame 282 * to the 802.11 layer and continue. We'll get 283 * the frame back when the time is right. 284 * XXX lose WDS vap linkage? 285 */ 286 (void) ieee80211_pwrsave(ni, m); 287 ieee80211_free_node(ni); 288 continue; 289 } 290 /* calculate priority so drivers can find the tx queue */ 291 if (ieee80211_classify(ni, m)) { 292 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT, 293 eh->ether_dhost, NULL, 294 "%s", "classification failure"); 295 vap->iv_stats.is_tx_classify++; 296 ifp->if_oerrors++; 297 m_freem(m); 298 ieee80211_free_node(ni); 299 continue; 300 } 301 /* 302 * Stash the node pointer. Note that we do this after 303 * any call to ieee80211_dwds_mcast because that code 304 * uses any existing value for rcvif to identify the 305 * interface it (might have been) received on. 306 */ 307 m->m_pkthdr.rcvif = (void *)ni; 308 309 BPF_MTAP(ifp, m); /* 802.3 tx */ 310 311 /* 312 * Check if A-MPDU tx aggregation is setup or if we 313 * should try to enable it. The sta must be associated 314 * with HT and A-MPDU enabled for use. When the policy 315 * routine decides we should enable A-MPDU we issue an 316 * ADDBA request and wait for a reply. The frame being 317 * encapsulated will go out w/o using A-MPDU, or possibly 318 * it might be collected by the driver and held/retransmit. 319 * The default ic_ampdu_enable routine handles staggering 320 * ADDBA requests in case the receiver NAK's us or we are 321 * otherwise unable to establish a BA stream. 322 */ 323 if ((ni->ni_flags & IEEE80211_NODE_AMPDU_TX) && 324 (vap->iv_flags_ht & IEEE80211_FHT_AMPDU_TX) && 325 (m->m_flags & M_EAPOL) == 0) { 326 int tid = WME_AC_TO_TID(M_WME_GETAC(m)); 327 struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[tid]; 328 329 ieee80211_txampdu_count_packet(tap); 330 if (IEEE80211_AMPDU_RUNNING(tap)) { 331 /* 332 * Operational, mark frame for aggregation. 333 * 334 * XXX do tx aggregation here 335 */ 336 m->m_flags |= M_AMPDU_MPDU; 337 } else if (!IEEE80211_AMPDU_REQUESTED(tap) && 338 ic->ic_ampdu_enable(ni, tap)) { 339 /* 340 * Not negotiated yet, request service. 341 */ 342 ieee80211_ampdu_request(ni, tap); 343 /* XXX hold frame for reply? */ 344 } 345 } 346 #ifdef IEEE80211_SUPPORT_SUPERG 347 else if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF)) { 348 m = ieee80211_ff_check(ni, m); 349 if (m == NULL) { 350 /* NB: any ni ref held on stageq */ 351 continue; 352 } 353 } 354 #endif /* IEEE80211_SUPPORT_SUPERG */ 355 if (__predict_true((vap->iv_caps & IEEE80211_C_8023ENCAP) == 0)) { 356 /* 357 * Encapsulate the packet in prep for transmission. 358 */ 359 m = ieee80211_encap(vap, ni, m); 360 if (m == NULL) { 361 /* NB: stat+msg handled in ieee80211_encap */ 362 ieee80211_free_node(ni); 363 continue; 364 } 365 } 366 error = parent->if_transmit(parent, m); 367 if (error != 0) { 368 /* NB: IFQ_HANDOFF reclaims mbuf */ 369 ieee80211_free_node(ni); 370 } else { 371 ifp->if_opackets++; 372 } 373 ic->ic_lastdata = ticks; 374 } 375 #undef IS_DWDS 376 } 377 378 /* 379 * 802.11 output routine. This is (currently) used only to 380 * connect bpf write calls to the 802.11 layer for injecting 381 * raw 802.11 frames. 382 */ 383 int 384 ieee80211_output(struct ifnet *ifp, struct mbuf *m, 385 struct sockaddr *dst, struct route *ro) 386 { 387 #define senderr(e) do { error = (e); goto bad;} while (0) 388 struct ieee80211_node *ni = NULL; 389 struct ieee80211vap *vap; 390 struct ieee80211_frame *wh; 391 int error; 392 393 IFQ_LOCK(&ifp->if_snd); 394 if (ifp->if_drv_flags & IFF_DRV_OACTIVE) { 395 IFQ_UNLOCK(&ifp->if_snd); 396 /* 397 * Short-circuit requests if the vap is marked OACTIVE 398 * as this can happen because a packet came down through 399 * ieee80211_start before the vap entered RUN state in 400 * which case it's ok to just drop the frame. This 401 * should not be necessary but callers of if_output don't 402 * check OACTIVE. 403 */ 404 senderr(ENETDOWN); 405 } 406 IFQ_UNLOCK(&ifp->if_snd); 407 vap = ifp->if_softc; 408 /* 409 * Hand to the 802.3 code if not tagged as 410 * a raw 802.11 frame. 411 */ 412 if (dst->sa_family != AF_IEEE80211) 413 return vap->iv_output(ifp, m, dst, ro); 414 #ifdef MAC 415 error = mac_ifnet_check_transmit(ifp, m); 416 if (error) 417 senderr(error); 418 #endif 419 if (ifp->if_flags & IFF_MONITOR) 420 senderr(ENETDOWN); 421 if (!IFNET_IS_UP_RUNNING(ifp)) 422 senderr(ENETDOWN); 423 if (vap->iv_state == IEEE80211_S_CAC) { 424 IEEE80211_DPRINTF(vap, 425 IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 426 "block %s frame in CAC state\n", "raw data"); 427 vap->iv_stats.is_tx_badstate++; 428 senderr(EIO); /* XXX */ 429 } else if (vap->iv_state == IEEE80211_S_SCAN) 430 senderr(EIO); 431 /* XXX bypass bridge, pfil, carp, etc. */ 432 433 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_ack)) 434 senderr(EIO); /* XXX */ 435 wh = mtod(m, struct ieee80211_frame *); 436 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 437 IEEE80211_FC0_VERSION_0) 438 senderr(EIO); /* XXX */ 439 440 /* locate destination node */ 441 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 442 case IEEE80211_FC1_DIR_NODS: 443 case IEEE80211_FC1_DIR_FROMDS: 444 ni = ieee80211_find_txnode(vap, wh->i_addr1); 445 break; 446 case IEEE80211_FC1_DIR_TODS: 447 case IEEE80211_FC1_DIR_DSTODS: 448 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) 449 senderr(EIO); /* XXX */ 450 ni = ieee80211_find_txnode(vap, wh->i_addr3); 451 break; 452 default: 453 senderr(EIO); /* XXX */ 454 } 455 if (ni == NULL) { 456 /* 457 * Permit packets w/ bpf params through regardless 458 * (see below about sa_len). 459 */ 460 if (dst->sa_len == 0) 461 senderr(EHOSTUNREACH); 462 ni = ieee80211_ref_node(vap->iv_bss); 463 } 464 465 /* 466 * Sanitize mbuf for net80211 flags leaked from above. 467 * 468 * NB: This must be done before ieee80211_classify as 469 * it marks EAPOL in frames with M_EAPOL. 470 */ 471 m->m_flags &= ~M_80211_TX; 472 473 /* calculate priority so drivers can find the tx queue */ 474 /* XXX assumes an 802.3 frame */ 475 if (ieee80211_classify(ni, m)) 476 senderr(EIO); /* XXX */ 477 478 ifp->if_opackets++; 479 IEEE80211_NODE_STAT(ni, tx_data); 480 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 481 IEEE80211_NODE_STAT(ni, tx_mcast); 482 m->m_flags |= M_MCAST; 483 } else 484 IEEE80211_NODE_STAT(ni, tx_ucast); 485 /* NB: ieee80211_encap does not include 802.11 header */ 486 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, m->m_pkthdr.len); 487 488 /* 489 * NB: DLT_IEEE802_11_RADIO identifies the parameters are 490 * present by setting the sa_len field of the sockaddr (yes, 491 * this is a hack). 492 * NB: we assume sa_data is suitably aligned to cast. 493 */ 494 return vap->iv_ic->ic_raw_xmit(ni, m, 495 (const struct ieee80211_bpf_params *)(dst->sa_len ? 496 dst->sa_data : NULL)); 497 bad: 498 if (m != NULL) 499 m_freem(m); 500 if (ni != NULL) 501 ieee80211_free_node(ni); 502 ifp->if_oerrors++; 503 return error; 504 #undef senderr 505 } 506 507 /* 508 * Set the direction field and address fields of an outgoing 509 * frame. Note this should be called early on in constructing 510 * a frame as it sets i_fc[1]; other bits can then be or'd in. 511 */ 512 void 513 ieee80211_send_setup( 514 struct ieee80211_node *ni, 515 struct mbuf *m, 516 int type, int tid, 517 const uint8_t sa[IEEE80211_ADDR_LEN], 518 const uint8_t da[IEEE80211_ADDR_LEN], 519 const uint8_t bssid[IEEE80211_ADDR_LEN]) 520 { 521 #define WH4(wh) ((struct ieee80211_frame_addr4 *)wh) 522 struct ieee80211vap *vap = ni->ni_vap; 523 struct ieee80211_tx_ampdu *tap; 524 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 525 ieee80211_seq seqno; 526 527 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | type; 528 if ((type & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_DATA) { 529 switch (vap->iv_opmode) { 530 case IEEE80211_M_STA: 531 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 532 IEEE80211_ADDR_COPY(wh->i_addr1, bssid); 533 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 534 IEEE80211_ADDR_COPY(wh->i_addr3, da); 535 break; 536 case IEEE80211_M_IBSS: 537 case IEEE80211_M_AHDEMO: 538 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 539 IEEE80211_ADDR_COPY(wh->i_addr1, da); 540 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 541 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 542 break; 543 case IEEE80211_M_HOSTAP: 544 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 545 IEEE80211_ADDR_COPY(wh->i_addr1, da); 546 IEEE80211_ADDR_COPY(wh->i_addr2, bssid); 547 IEEE80211_ADDR_COPY(wh->i_addr3, sa); 548 break; 549 case IEEE80211_M_WDS: 550 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 551 IEEE80211_ADDR_COPY(wh->i_addr1, da); 552 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 553 IEEE80211_ADDR_COPY(wh->i_addr3, da); 554 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa); 555 break; 556 case IEEE80211_M_MBSS: 557 #ifdef IEEE80211_SUPPORT_MESH 558 if (IEEE80211_IS_MULTICAST(da)) { 559 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 560 /* XXX next hop */ 561 IEEE80211_ADDR_COPY(wh->i_addr1, da); 562 IEEE80211_ADDR_COPY(wh->i_addr2, 563 vap->iv_myaddr); 564 } else { 565 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 566 IEEE80211_ADDR_COPY(wh->i_addr1, da); 567 IEEE80211_ADDR_COPY(wh->i_addr2, 568 vap->iv_myaddr); 569 IEEE80211_ADDR_COPY(wh->i_addr3, da); 570 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa); 571 } 572 #endif 573 break; 574 case IEEE80211_M_MONITOR: /* NB: to quiet compiler */ 575 break; 576 } 577 } else { 578 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 579 IEEE80211_ADDR_COPY(wh->i_addr1, da); 580 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 581 #ifdef IEEE80211_SUPPORT_MESH 582 if (vap->iv_opmode == IEEE80211_M_MBSS) 583 IEEE80211_ADDR_COPY(wh->i_addr3, sa); 584 else 585 #endif 586 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 587 } 588 *(uint16_t *)&wh->i_dur[0] = 0; 589 590 tap = &ni->ni_tx_ampdu[tid]; 591 if (tid != IEEE80211_NONQOS_TID && IEEE80211_AMPDU_RUNNING(tap)) 592 m->m_flags |= M_AMPDU_MPDU; 593 else { 594 seqno = ni->ni_txseqs[tid]++; 595 *(uint16_t *)&wh->i_seq[0] = 596 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 597 M_SEQNO_SET(m, seqno); 598 } 599 600 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) 601 m->m_flags |= M_MCAST; 602 #undef WH4 603 } 604 605 /* 606 * Send a management frame to the specified node. The node pointer 607 * must have a reference as the pointer will be passed to the driver 608 * and potentially held for a long time. If the frame is successfully 609 * dispatched to the driver, then it is responsible for freeing the 610 * reference (and potentially free'ing up any associated storage); 611 * otherwise deal with reclaiming any reference (on error). 612 */ 613 int 614 ieee80211_mgmt_output(struct ieee80211_node *ni, struct mbuf *m, int type, 615 struct ieee80211_bpf_params *params) 616 { 617 struct ieee80211vap *vap = ni->ni_vap; 618 struct ieee80211com *ic = ni->ni_ic; 619 struct ieee80211_frame *wh; 620 621 KASSERT(ni != NULL, ("null node")); 622 623 if (vap->iv_state == IEEE80211_S_CAC) { 624 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 625 ni, "block %s frame in CAC state", 626 ieee80211_mgt_subtype_name[ 627 (type & IEEE80211_FC0_SUBTYPE_MASK) >> 628 IEEE80211_FC0_SUBTYPE_SHIFT]); 629 vap->iv_stats.is_tx_badstate++; 630 ieee80211_free_node(ni); 631 m_freem(m); 632 return EIO; /* XXX */ 633 } 634 635 M_PREPEND(m, sizeof(struct ieee80211_frame), M_NOWAIT); 636 if (m == NULL) { 637 ieee80211_free_node(ni); 638 return ENOMEM; 639 } 640 641 wh = mtod(m, struct ieee80211_frame *); 642 ieee80211_send_setup(ni, m, 643 IEEE80211_FC0_TYPE_MGT | type, IEEE80211_NONQOS_TID, 644 vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 645 if (params->ibp_flags & IEEE80211_BPF_CRYPTO) { 646 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr1, 647 "encrypting frame (%s)", __func__); 648 wh->i_fc[1] |= IEEE80211_FC1_WEP; 649 } 650 m->m_flags |= M_ENCAP; /* mark encapsulated */ 651 652 KASSERT(type != IEEE80211_FC0_SUBTYPE_PROBE_RESP, ("probe response?")); 653 M_WME_SETAC(m, params->ibp_pri); 654 655 #ifdef IEEE80211_DEBUG 656 /* avoid printing too many frames */ 657 if ((ieee80211_msg_debug(vap) && doprint(vap, type)) || 658 ieee80211_msg_dumppkts(vap)) { 659 printf("[%s] send %s on channel %u\n", 660 ether_sprintf(wh->i_addr1), 661 ieee80211_mgt_subtype_name[ 662 (type & IEEE80211_FC0_SUBTYPE_MASK) >> 663 IEEE80211_FC0_SUBTYPE_SHIFT], 664 ieee80211_chan2ieee(ic, ic->ic_curchan)); 665 } 666 #endif 667 IEEE80211_NODE_STAT(ni, tx_mgmt); 668 669 return ic->ic_raw_xmit(ni, m, params); 670 } 671 672 /* 673 * Send a null data frame to the specified node. If the station 674 * is setup for QoS then a QoS Null Data frame is constructed. 675 * If this is a WDS station then a 4-address frame is constructed. 676 * 677 * NB: the caller is assumed to have setup a node reference 678 * for use; this is necessary to deal with a race condition 679 * when probing for inactive stations. Like ieee80211_mgmt_output 680 * we must cleanup any node reference on error; however we 681 * can safely just unref it as we know it will never be the 682 * last reference to the node. 683 */ 684 int 685 ieee80211_send_nulldata(struct ieee80211_node *ni) 686 { 687 struct ieee80211vap *vap = ni->ni_vap; 688 struct ieee80211com *ic = ni->ni_ic; 689 struct mbuf *m; 690 struct ieee80211_frame *wh; 691 int hdrlen; 692 uint8_t *frm; 693 694 if (vap->iv_state == IEEE80211_S_CAC) { 695 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 696 ni, "block %s frame in CAC state", "null data"); 697 ieee80211_unref_node(&ni); 698 vap->iv_stats.is_tx_badstate++; 699 return EIO; /* XXX */ 700 } 701 702 if (ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT)) 703 hdrlen = sizeof(struct ieee80211_qosframe); 704 else 705 hdrlen = sizeof(struct ieee80211_frame); 706 /* NB: only WDS vap's get 4-address frames */ 707 if (vap->iv_opmode == IEEE80211_M_WDS) 708 hdrlen += IEEE80211_ADDR_LEN; 709 if (ic->ic_flags & IEEE80211_F_DATAPAD) 710 hdrlen = roundup(hdrlen, sizeof(uint32_t)); 711 712 m = ieee80211_getmgtframe(&frm, ic->ic_headroom + hdrlen, 0); 713 if (m == NULL) { 714 /* XXX debug msg */ 715 ieee80211_unref_node(&ni); 716 vap->iv_stats.is_tx_nobuf++; 717 return ENOMEM; 718 } 719 KASSERT(M_LEADINGSPACE(m) >= hdrlen, 720 ("leading space %zd", M_LEADINGSPACE(m))); 721 M_PREPEND(m, hdrlen, M_NOWAIT); 722 if (m == NULL) { 723 /* NB: cannot happen */ 724 ieee80211_free_node(ni); 725 return ENOMEM; 726 } 727 728 wh = mtod(m, struct ieee80211_frame *); /* NB: a little lie */ 729 if (ni->ni_flags & IEEE80211_NODE_QOS) { 730 const int tid = WME_AC_TO_TID(WME_AC_BE); 731 uint8_t *qos; 732 733 ieee80211_send_setup(ni, m, 734 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_QOS_NULL, 735 tid, vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 736 737 if (vap->iv_opmode == IEEE80211_M_WDS) 738 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 739 else 740 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 741 qos[0] = tid & IEEE80211_QOS_TID; 742 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[WME_AC_BE].wmep_noackPolicy) 743 qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK; 744 qos[1] = 0; 745 } else { 746 ieee80211_send_setup(ni, m, 747 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_NODATA, 748 IEEE80211_NONQOS_TID, 749 vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 750 } 751 if (vap->iv_opmode != IEEE80211_M_WDS) { 752 /* NB: power management bit is never sent by an AP */ 753 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 754 vap->iv_opmode != IEEE80211_M_HOSTAP) 755 wh->i_fc[1] |= IEEE80211_FC1_PWR_MGT; 756 } 757 m->m_len = m->m_pkthdr.len = hdrlen; 758 m->m_flags |= M_ENCAP; /* mark encapsulated */ 759 760 M_WME_SETAC(m, WME_AC_BE); 761 762 IEEE80211_NODE_STAT(ni, tx_data); 763 764 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, ni, 765 "send %snull data frame on channel %u, pwr mgt %s", 766 ni->ni_flags & IEEE80211_NODE_QOS ? "QoS " : "", 767 ieee80211_chan2ieee(ic, ic->ic_curchan), 768 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT ? "ena" : "dis"); 769 770 return ic->ic_raw_xmit(ni, m, NULL); 771 } 772 773 /* 774 * Assign priority to a frame based on any vlan tag assigned 775 * to the station and/or any Diffserv setting in an IP header. 776 * Finally, if an ACM policy is setup (in station mode) it's 777 * applied. 778 */ 779 int 780 ieee80211_classify(struct ieee80211_node *ni, struct mbuf *m) 781 { 782 const struct ether_header *eh = mtod(m, struct ether_header *); 783 int v_wme_ac, d_wme_ac, ac; 784 785 /* 786 * Always promote PAE/EAPOL frames to high priority. 787 */ 788 if (eh->ether_type == htons(ETHERTYPE_PAE)) { 789 /* NB: mark so others don't need to check header */ 790 m->m_flags |= M_EAPOL; 791 ac = WME_AC_VO; 792 goto done; 793 } 794 /* 795 * Non-qos traffic goes to BE. 796 */ 797 if ((ni->ni_flags & IEEE80211_NODE_QOS) == 0) { 798 ac = WME_AC_BE; 799 goto done; 800 } 801 802 /* 803 * If node has a vlan tag then all traffic 804 * to it must have a matching tag. 805 */ 806 v_wme_ac = 0; 807 if (ni->ni_vlan != 0) { 808 if ((m->m_flags & M_VLANTAG) == 0) { 809 IEEE80211_NODE_STAT(ni, tx_novlantag); 810 return 1; 811 } 812 if (EVL_VLANOFTAG(m->m_pkthdr.ether_vtag) != 813 EVL_VLANOFTAG(ni->ni_vlan)) { 814 IEEE80211_NODE_STAT(ni, tx_vlanmismatch); 815 return 1; 816 } 817 /* map vlan priority to AC */ 818 v_wme_ac = TID_TO_WME_AC(EVL_PRIOFTAG(ni->ni_vlan)); 819 } 820 821 /* XXX m_copydata may be too slow for fast path */ 822 #ifdef INET 823 if (eh->ether_type == htons(ETHERTYPE_IP)) { 824 uint8_t tos; 825 /* 826 * IP frame, map the DSCP bits from the TOS field. 827 */ 828 /* NB: ip header may not be in first mbuf */ 829 m_copydata(m, sizeof(struct ether_header) + 830 offsetof(struct ip, ip_tos), sizeof(tos), &tos); 831 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */ 832 d_wme_ac = TID_TO_WME_AC(tos); 833 } else { 834 #endif /* INET */ 835 #ifdef INET6 836 if (eh->ether_type == htons(ETHERTYPE_IPV6)) { 837 uint32_t flow; 838 uint8_t tos; 839 /* 840 * IPv6 frame, map the DSCP bits from the traffic class field. 841 */ 842 m_copydata(m, sizeof(struct ether_header) + 843 offsetof(struct ip6_hdr, ip6_flow), sizeof(flow), 844 (caddr_t) &flow); 845 tos = (uint8_t)(ntohl(flow) >> 20); 846 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */ 847 d_wme_ac = TID_TO_WME_AC(tos); 848 } else { 849 #endif /* INET6 */ 850 d_wme_ac = WME_AC_BE; 851 #ifdef INET6 852 } 853 #endif 854 #ifdef INET 855 } 856 #endif 857 /* 858 * Use highest priority AC. 859 */ 860 if (v_wme_ac > d_wme_ac) 861 ac = v_wme_ac; 862 else 863 ac = d_wme_ac; 864 865 /* 866 * Apply ACM policy. 867 */ 868 if (ni->ni_vap->iv_opmode == IEEE80211_M_STA) { 869 static const int acmap[4] = { 870 WME_AC_BK, /* WME_AC_BE */ 871 WME_AC_BK, /* WME_AC_BK */ 872 WME_AC_BE, /* WME_AC_VI */ 873 WME_AC_VI, /* WME_AC_VO */ 874 }; 875 struct ieee80211com *ic = ni->ni_ic; 876 877 while (ac != WME_AC_BK && 878 ic->ic_wme.wme_wmeBssChanParams.cap_wmeParams[ac].wmep_acm) 879 ac = acmap[ac]; 880 } 881 done: 882 M_WME_SETAC(m, ac); 883 return 0; 884 } 885 886 /* 887 * Insure there is sufficient contiguous space to encapsulate the 888 * 802.11 data frame. If room isn't already there, arrange for it. 889 * Drivers and cipher modules assume we have done the necessary work 890 * and fail rudely if they don't find the space they need. 891 */ 892 struct mbuf * 893 ieee80211_mbuf_adjust(struct ieee80211vap *vap, int hdrsize, 894 struct ieee80211_key *key, struct mbuf *m) 895 { 896 #define TO_BE_RECLAIMED (sizeof(struct ether_header) - sizeof(struct llc)) 897 int needed_space = vap->iv_ic->ic_headroom + hdrsize; 898 899 if (key != NULL) { 900 /* XXX belongs in crypto code? */ 901 needed_space += key->wk_cipher->ic_header; 902 /* XXX frags */ 903 /* 904 * When crypto is being done in the host we must insure 905 * the data are writable for the cipher routines; clone 906 * a writable mbuf chain. 907 * XXX handle SWMIC specially 908 */ 909 if (key->wk_flags & (IEEE80211_KEY_SWENCRYPT|IEEE80211_KEY_SWENMIC)) { 910 m = m_unshare(m, M_NOWAIT); 911 if (m == NULL) { 912 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 913 "%s: cannot get writable mbuf\n", __func__); 914 vap->iv_stats.is_tx_nobuf++; /* XXX new stat */ 915 return NULL; 916 } 917 } 918 } 919 /* 920 * We know we are called just before stripping an Ethernet 921 * header and prepending an LLC header. This means we know 922 * there will be 923 * sizeof(struct ether_header) - sizeof(struct llc) 924 * bytes recovered to which we need additional space for the 925 * 802.11 header and any crypto header. 926 */ 927 /* XXX check trailing space and copy instead? */ 928 if (M_LEADINGSPACE(m) < needed_space - TO_BE_RECLAIMED) { 929 struct mbuf *n = m_gethdr(M_NOWAIT, m->m_type); 930 if (n == NULL) { 931 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 932 "%s: cannot expand storage\n", __func__); 933 vap->iv_stats.is_tx_nobuf++; 934 m_freem(m); 935 return NULL; 936 } 937 KASSERT(needed_space <= MHLEN, 938 ("not enough room, need %u got %zu\n", needed_space, MHLEN)); 939 /* 940 * Setup new mbuf to have leading space to prepend the 941 * 802.11 header and any crypto header bits that are 942 * required (the latter are added when the driver calls 943 * back to ieee80211_crypto_encap to do crypto encapsulation). 944 */ 945 /* NB: must be first 'cuz it clobbers m_data */ 946 m_move_pkthdr(n, m); 947 n->m_len = 0; /* NB: m_gethdr does not set */ 948 n->m_data += needed_space; 949 /* 950 * Pull up Ethernet header to create the expected layout. 951 * We could use m_pullup but that's overkill (i.e. we don't 952 * need the actual data) and it cannot fail so do it inline 953 * for speed. 954 */ 955 /* NB: struct ether_header is known to be contiguous */ 956 n->m_len += sizeof(struct ether_header); 957 m->m_len -= sizeof(struct ether_header); 958 m->m_data += sizeof(struct ether_header); 959 /* 960 * Replace the head of the chain. 961 */ 962 n->m_next = m; 963 m = n; 964 } 965 return m; 966 #undef TO_BE_RECLAIMED 967 } 968 969 /* 970 * Return the transmit key to use in sending a unicast frame. 971 * If a unicast key is set we use that. When no unicast key is set 972 * we fall back to the default transmit key. 973 */ 974 static __inline struct ieee80211_key * 975 ieee80211_crypto_getucastkey(struct ieee80211vap *vap, 976 struct ieee80211_node *ni) 977 { 978 if (IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)) { 979 if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE || 980 IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey])) 981 return NULL; 982 return &vap->iv_nw_keys[vap->iv_def_txkey]; 983 } else { 984 return &ni->ni_ucastkey; 985 } 986 } 987 988 /* 989 * Return the transmit key to use in sending a multicast frame. 990 * Multicast traffic always uses the group key which is installed as 991 * the default tx key. 992 */ 993 static __inline struct ieee80211_key * 994 ieee80211_crypto_getmcastkey(struct ieee80211vap *vap, 995 struct ieee80211_node *ni) 996 { 997 if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE || 998 IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey])) 999 return NULL; 1000 return &vap->iv_nw_keys[vap->iv_def_txkey]; 1001 } 1002 1003 /* 1004 * Encapsulate an outbound data frame. The mbuf chain is updated. 1005 * If an error is encountered NULL is returned. The caller is required 1006 * to provide a node reference and pullup the ethernet header in the 1007 * first mbuf. 1008 * 1009 * NB: Packet is assumed to be processed by ieee80211_classify which 1010 * marked EAPOL frames w/ M_EAPOL. 1011 */ 1012 struct mbuf * 1013 ieee80211_encap(struct ieee80211vap *vap, struct ieee80211_node *ni, 1014 struct mbuf *m) 1015 { 1016 #define WH4(wh) ((struct ieee80211_frame_addr4 *)(wh)) 1017 #define MC01(mc) ((struct ieee80211_meshcntl_ae01 *)mc) 1018 struct ieee80211com *ic = ni->ni_ic; 1019 #ifdef IEEE80211_SUPPORT_MESH 1020 struct ieee80211_mesh_state *ms = vap->iv_mesh; 1021 struct ieee80211_meshcntl_ae10 *mc; 1022 struct ieee80211_mesh_route *rt = NULL; 1023 int dir = -1; 1024 #endif 1025 struct ether_header eh; 1026 struct ieee80211_frame *wh; 1027 struct ieee80211_key *key; 1028 struct llc *llc; 1029 int hdrsize, hdrspace, datalen, addqos, txfrag, is4addr; 1030 ieee80211_seq seqno; 1031 int meshhdrsize, meshae; 1032 uint8_t *qos; 1033 1034 /* 1035 * Copy existing Ethernet header to a safe place. The 1036 * rest of the code assumes it's ok to strip it when 1037 * reorganizing state for the final encapsulation. 1038 */ 1039 KASSERT(m->m_len >= sizeof(eh), ("no ethernet header!")); 1040 ETHER_HEADER_COPY(&eh, mtod(m, caddr_t)); 1041 1042 /* 1043 * Insure space for additional headers. First identify 1044 * transmit key to use in calculating any buffer adjustments 1045 * required. This is also used below to do privacy 1046 * encapsulation work. Then calculate the 802.11 header 1047 * size and any padding required by the driver. 1048 * 1049 * Note key may be NULL if we fall back to the default 1050 * transmit key and that is not set. In that case the 1051 * buffer may not be expanded as needed by the cipher 1052 * routines, but they will/should discard it. 1053 */ 1054 if (vap->iv_flags & IEEE80211_F_PRIVACY) { 1055 if (vap->iv_opmode == IEEE80211_M_STA || 1056 !IEEE80211_IS_MULTICAST(eh.ether_dhost) || 1057 (vap->iv_opmode == IEEE80211_M_WDS && 1058 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY))) 1059 key = ieee80211_crypto_getucastkey(vap, ni); 1060 else 1061 key = ieee80211_crypto_getmcastkey(vap, ni); 1062 if (key == NULL && (m->m_flags & M_EAPOL) == 0) { 1063 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 1064 eh.ether_dhost, 1065 "no default transmit key (%s) deftxkey %u", 1066 __func__, vap->iv_def_txkey); 1067 vap->iv_stats.is_tx_nodefkey++; 1068 goto bad; 1069 } 1070 } else 1071 key = NULL; 1072 /* 1073 * XXX Some ap's don't handle QoS-encapsulated EAPOL 1074 * frames so suppress use. This may be an issue if other 1075 * ap's require all data frames to be QoS-encapsulated 1076 * once negotiated in which case we'll need to make this 1077 * configurable. 1078 * NB: mesh data frames are QoS. 1079 */ 1080 addqos = ((ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT)) || 1081 (vap->iv_opmode == IEEE80211_M_MBSS)) && 1082 (m->m_flags & M_EAPOL) == 0; 1083 if (addqos) 1084 hdrsize = sizeof(struct ieee80211_qosframe); 1085 else 1086 hdrsize = sizeof(struct ieee80211_frame); 1087 #ifdef IEEE80211_SUPPORT_MESH 1088 if (vap->iv_opmode == IEEE80211_M_MBSS) { 1089 /* 1090 * Mesh data frames are encapsulated according to the 1091 * rules of Section 11B.8.5 (p.139 of D3.0 spec). 1092 * o Group Addressed data (aka multicast) originating 1093 * at the local sta are sent w/ 3-address format and 1094 * address extension mode 00 1095 * o Individually Addressed data (aka unicast) originating 1096 * at the local sta are sent w/ 4-address format and 1097 * address extension mode 00 1098 * o Group Addressed data forwarded from a non-mesh sta are 1099 * sent w/ 3-address format and address extension mode 01 1100 * o Individually Address data from another sta are sent 1101 * w/ 4-address format and address extension mode 10 1102 */ 1103 is4addr = 0; /* NB: don't use, disable */ 1104 if (!IEEE80211_IS_MULTICAST(eh.ether_dhost)) { 1105 rt = ieee80211_mesh_rt_find(vap, eh.ether_dhost); 1106 KASSERT(rt != NULL, ("route is NULL")); 1107 dir = IEEE80211_FC1_DIR_DSTODS; 1108 hdrsize += IEEE80211_ADDR_LEN; 1109 if (rt->rt_flags & IEEE80211_MESHRT_FLAGS_PROXY) { 1110 if (IEEE80211_ADDR_EQ(rt->rt_mesh_gate, 1111 vap->iv_myaddr)) { 1112 IEEE80211_NOTE_MAC(vap, 1113 IEEE80211_MSG_MESH, 1114 eh.ether_dhost, 1115 "%s", "trying to send to ourself"); 1116 goto bad; 1117 } 1118 meshae = IEEE80211_MESH_AE_10; 1119 meshhdrsize = 1120 sizeof(struct ieee80211_meshcntl_ae10); 1121 } else { 1122 meshae = IEEE80211_MESH_AE_00; 1123 meshhdrsize = 1124 sizeof(struct ieee80211_meshcntl); 1125 } 1126 } else { 1127 dir = IEEE80211_FC1_DIR_FROMDS; 1128 if (!IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr)) { 1129 /* proxy group */ 1130 meshae = IEEE80211_MESH_AE_01; 1131 meshhdrsize = 1132 sizeof(struct ieee80211_meshcntl_ae01); 1133 } else { 1134 /* group */ 1135 meshae = IEEE80211_MESH_AE_00; 1136 meshhdrsize = sizeof(struct ieee80211_meshcntl); 1137 } 1138 } 1139 } else { 1140 #endif 1141 /* 1142 * 4-address frames need to be generated for: 1143 * o packets sent through a WDS vap (IEEE80211_M_WDS) 1144 * o packets sent through a vap marked for relaying 1145 * (e.g. a station operating with dynamic WDS) 1146 */ 1147 is4addr = vap->iv_opmode == IEEE80211_M_WDS || 1148 ((vap->iv_flags_ext & IEEE80211_FEXT_4ADDR) && 1149 !IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr)); 1150 if (is4addr) 1151 hdrsize += IEEE80211_ADDR_LEN; 1152 meshhdrsize = meshae = 0; 1153 #ifdef IEEE80211_SUPPORT_MESH 1154 } 1155 #endif 1156 /* 1157 * Honor driver DATAPAD requirement. 1158 */ 1159 if (ic->ic_flags & IEEE80211_F_DATAPAD) 1160 hdrspace = roundup(hdrsize, sizeof(uint32_t)); 1161 else 1162 hdrspace = hdrsize; 1163 1164 if (__predict_true((m->m_flags & M_FF) == 0)) { 1165 /* 1166 * Normal frame. 1167 */ 1168 m = ieee80211_mbuf_adjust(vap, hdrspace + meshhdrsize, key, m); 1169 if (m == NULL) { 1170 /* NB: ieee80211_mbuf_adjust handles msgs+statistics */ 1171 goto bad; 1172 } 1173 /* NB: this could be optimized 'cuz of ieee80211_mbuf_adjust */ 1174 m_adj(m, sizeof(struct ether_header) - sizeof(struct llc)); 1175 llc = mtod(m, struct llc *); 1176 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 1177 llc->llc_control = LLC_UI; 1178 llc->llc_snap.org_code[0] = 0; 1179 llc->llc_snap.org_code[1] = 0; 1180 llc->llc_snap.org_code[2] = 0; 1181 llc->llc_snap.ether_type = eh.ether_type; 1182 } else { 1183 #ifdef IEEE80211_SUPPORT_SUPERG 1184 /* 1185 * Aggregated frame. 1186 */ 1187 m = ieee80211_ff_encap(vap, m, hdrspace + meshhdrsize, key); 1188 if (m == NULL) 1189 #endif 1190 goto bad; 1191 } 1192 datalen = m->m_pkthdr.len; /* NB: w/o 802.11 header */ 1193 1194 M_PREPEND(m, hdrspace + meshhdrsize, M_NOWAIT); 1195 if (m == NULL) { 1196 vap->iv_stats.is_tx_nobuf++; 1197 goto bad; 1198 } 1199 wh = mtod(m, struct ieee80211_frame *); 1200 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA; 1201 *(uint16_t *)wh->i_dur = 0; 1202 qos = NULL; /* NB: quiet compiler */ 1203 if (is4addr) { 1204 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 1205 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1206 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1207 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1208 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, eh.ether_shost); 1209 } else switch (vap->iv_opmode) { 1210 case IEEE80211_M_STA: 1211 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 1212 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid); 1213 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 1214 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1215 break; 1216 case IEEE80211_M_IBSS: 1217 case IEEE80211_M_AHDEMO: 1218 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1219 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1220 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 1221 /* 1222 * NB: always use the bssid from iv_bss as the 1223 * neighbor's may be stale after an ibss merge 1224 */ 1225 IEEE80211_ADDR_COPY(wh->i_addr3, vap->iv_bss->ni_bssid); 1226 break; 1227 case IEEE80211_M_HOSTAP: 1228 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1229 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1230 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid); 1231 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 1232 break; 1233 #ifdef IEEE80211_SUPPORT_MESH 1234 case IEEE80211_M_MBSS: 1235 /* NB: offset by hdrspace to deal with DATAPAD */ 1236 mc = (struct ieee80211_meshcntl_ae10 *) 1237 (mtod(m, uint8_t *) + hdrspace); 1238 wh->i_fc[1] = dir; 1239 switch (meshae) { 1240 case IEEE80211_MESH_AE_00: /* no proxy */ 1241 mc->mc_flags = 0; 1242 if (dir == IEEE80211_FC1_DIR_DSTODS) { /* ucast */ 1243 IEEE80211_ADDR_COPY(wh->i_addr1, 1244 ni->ni_macaddr); 1245 IEEE80211_ADDR_COPY(wh->i_addr2, 1246 vap->iv_myaddr); 1247 IEEE80211_ADDR_COPY(wh->i_addr3, 1248 eh.ether_dhost); 1249 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, 1250 eh.ether_shost); 1251 qos =((struct ieee80211_qosframe_addr4 *) 1252 wh)->i_qos; 1253 } else if (dir == IEEE80211_FC1_DIR_FROMDS) { 1254 /* mcast */ 1255 IEEE80211_ADDR_COPY(wh->i_addr1, 1256 eh.ether_dhost); 1257 IEEE80211_ADDR_COPY(wh->i_addr2, 1258 vap->iv_myaddr); 1259 IEEE80211_ADDR_COPY(wh->i_addr3, 1260 eh.ether_shost); 1261 qos = ((struct ieee80211_qosframe *) 1262 wh)->i_qos; 1263 } 1264 break; 1265 case IEEE80211_MESH_AE_01: /* mcast, proxy */ 1266 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1267 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1268 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1269 IEEE80211_ADDR_COPY(wh->i_addr3, vap->iv_myaddr); 1270 mc->mc_flags = 1; 1271 IEEE80211_ADDR_COPY(MC01(mc)->mc_addr4, 1272 eh.ether_shost); 1273 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1274 break; 1275 case IEEE80211_MESH_AE_10: /* ucast, proxy */ 1276 KASSERT(rt != NULL, ("route is NULL")); 1277 IEEE80211_ADDR_COPY(wh->i_addr1, rt->rt_nexthop); 1278 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1279 IEEE80211_ADDR_COPY(wh->i_addr3, rt->rt_mesh_gate); 1280 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, vap->iv_myaddr); 1281 mc->mc_flags = IEEE80211_MESH_AE_10; 1282 IEEE80211_ADDR_COPY(mc->mc_addr5, eh.ether_dhost); 1283 IEEE80211_ADDR_COPY(mc->mc_addr6, eh.ether_shost); 1284 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1285 break; 1286 default: 1287 KASSERT(0, ("meshae %d", meshae)); 1288 break; 1289 } 1290 mc->mc_ttl = ms->ms_ttl; 1291 ms->ms_seq++; 1292 LE_WRITE_4(mc->mc_seq, ms->ms_seq); 1293 break; 1294 #endif 1295 case IEEE80211_M_WDS: /* NB: is4addr should always be true */ 1296 default: 1297 goto bad; 1298 } 1299 if (m->m_flags & M_MORE_DATA) 1300 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 1301 if (addqos) { 1302 int ac, tid; 1303 1304 if (is4addr) { 1305 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1306 /* NB: mesh case handled earlier */ 1307 } else if (vap->iv_opmode != IEEE80211_M_MBSS) 1308 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1309 ac = M_WME_GETAC(m); 1310 /* map from access class/queue to 11e header priorty value */ 1311 tid = WME_AC_TO_TID(ac); 1312 qos[0] = tid & IEEE80211_QOS_TID; 1313 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[ac].wmep_noackPolicy) 1314 qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK; 1315 #ifdef IEEE80211_SUPPORT_MESH 1316 if (vap->iv_opmode == IEEE80211_M_MBSS) 1317 qos[1] = IEEE80211_QOS_MC; 1318 else 1319 #endif 1320 qos[1] = 0; 1321 wh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS; 1322 1323 if ((m->m_flags & M_AMPDU_MPDU) == 0) { 1324 /* 1325 * NB: don't assign a sequence # to potential 1326 * aggregates; we expect this happens at the 1327 * point the frame comes off any aggregation q 1328 * as otherwise we may introduce holes in the 1329 * BA sequence space and/or make window accouting 1330 * more difficult. 1331 * 1332 * XXX may want to control this with a driver 1333 * capability; this may also change when we pull 1334 * aggregation up into net80211 1335 */ 1336 seqno = ni->ni_txseqs[tid]++; 1337 *(uint16_t *)wh->i_seq = 1338 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 1339 M_SEQNO_SET(m, seqno); 1340 } 1341 } else { 1342 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++; 1343 *(uint16_t *)wh->i_seq = 1344 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 1345 M_SEQNO_SET(m, seqno); 1346 } 1347 1348 1349 /* check if xmit fragmentation is required */ 1350 txfrag = (m->m_pkthdr.len > vap->iv_fragthreshold && 1351 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 1352 (vap->iv_caps & IEEE80211_C_TXFRAG) && 1353 (m->m_flags & (M_FF | M_AMPDU_MPDU)) == 0); 1354 if (key != NULL) { 1355 /* 1356 * IEEE 802.1X: send EAPOL frames always in the clear. 1357 * WPA/WPA2: encrypt EAPOL keys when pairwise keys are set. 1358 */ 1359 if ((m->m_flags & M_EAPOL) == 0 || 1360 ((vap->iv_flags & IEEE80211_F_WPA) && 1361 (vap->iv_opmode == IEEE80211_M_STA ? 1362 !IEEE80211_KEY_UNDEFINED(key) : 1363 !IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)))) { 1364 wh->i_fc[1] |= IEEE80211_FC1_WEP; 1365 if (!ieee80211_crypto_enmic(vap, key, m, txfrag)) { 1366 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_OUTPUT, 1367 eh.ether_dhost, 1368 "%s", "enmic failed, discard frame"); 1369 vap->iv_stats.is_crypto_enmicfail++; 1370 goto bad; 1371 } 1372 } 1373 } 1374 if (txfrag && !ieee80211_fragment(vap, m, hdrsize, 1375 key != NULL ? key->wk_cipher->ic_header : 0, vap->iv_fragthreshold)) 1376 goto bad; 1377 1378 m->m_flags |= M_ENCAP; /* mark encapsulated */ 1379 1380 IEEE80211_NODE_STAT(ni, tx_data); 1381 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 1382 IEEE80211_NODE_STAT(ni, tx_mcast); 1383 m->m_flags |= M_MCAST; 1384 } else 1385 IEEE80211_NODE_STAT(ni, tx_ucast); 1386 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, datalen); 1387 1388 return m; 1389 bad: 1390 if (m != NULL) 1391 m_freem(m); 1392 return NULL; 1393 #undef WH4 1394 #undef MC01 1395 } 1396 1397 /* 1398 * Fragment the frame according to the specified mtu. 1399 * The size of the 802.11 header (w/o padding) is provided 1400 * so we don't need to recalculate it. We create a new 1401 * mbuf for each fragment and chain it through m_nextpkt; 1402 * we might be able to optimize this by reusing the original 1403 * packet's mbufs but that is significantly more complicated. 1404 */ 1405 static int 1406 ieee80211_fragment(struct ieee80211vap *vap, struct mbuf *m0, 1407 u_int hdrsize, u_int ciphdrsize, u_int mtu) 1408 { 1409 struct ieee80211_frame *wh, *whf; 1410 struct mbuf *m, *prev, *next; 1411 u_int totalhdrsize, fragno, fragsize, off, remainder, payload; 1412 1413 KASSERT(m0->m_nextpkt == NULL, ("mbuf already chained?")); 1414 KASSERT(m0->m_pkthdr.len > mtu, 1415 ("pktlen %u mtu %u", m0->m_pkthdr.len, mtu)); 1416 1417 wh = mtod(m0, struct ieee80211_frame *); 1418 /* NB: mark the first frag; it will be propagated below */ 1419 wh->i_fc[1] |= IEEE80211_FC1_MORE_FRAG; 1420 totalhdrsize = hdrsize + ciphdrsize; 1421 fragno = 1; 1422 off = mtu - ciphdrsize; 1423 remainder = m0->m_pkthdr.len - off; 1424 prev = m0; 1425 do { 1426 fragsize = totalhdrsize + remainder; 1427 if (fragsize > mtu) 1428 fragsize = mtu; 1429 /* XXX fragsize can be >2048! */ 1430 KASSERT(fragsize < MCLBYTES, 1431 ("fragment size %u too big!", fragsize)); 1432 if (fragsize > MHLEN) 1433 m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR); 1434 else 1435 m = m_gethdr(M_NOWAIT, MT_DATA); 1436 if (m == NULL) 1437 goto bad; 1438 /* leave room to prepend any cipher header */ 1439 m_align(m, fragsize - ciphdrsize); 1440 1441 /* 1442 * Form the header in the fragment. Note that since 1443 * we mark the first fragment with the MORE_FRAG bit 1444 * it automatically is propagated to each fragment; we 1445 * need only clear it on the last fragment (done below). 1446 * NB: frag 1+ dont have Mesh Control field present. 1447 */ 1448 whf = mtod(m, struct ieee80211_frame *); 1449 memcpy(whf, wh, hdrsize); 1450 #ifdef IEEE80211_SUPPORT_MESH 1451 if (vap->iv_opmode == IEEE80211_M_MBSS) { 1452 if (IEEE80211_IS_DSTODS(wh)) 1453 ((struct ieee80211_qosframe_addr4 *) 1454 whf)->i_qos[1] &= ~IEEE80211_QOS_MC; 1455 else 1456 ((struct ieee80211_qosframe *) 1457 whf)->i_qos[1] &= ~IEEE80211_QOS_MC; 1458 } 1459 #endif 1460 *(uint16_t *)&whf->i_seq[0] |= htole16( 1461 (fragno & IEEE80211_SEQ_FRAG_MASK) << 1462 IEEE80211_SEQ_FRAG_SHIFT); 1463 fragno++; 1464 1465 payload = fragsize - totalhdrsize; 1466 /* NB: destination is known to be contiguous */ 1467 m_copydata(m0, off, payload, mtod(m, uint8_t *) + hdrsize); 1468 m->m_len = hdrsize + payload; 1469 m->m_pkthdr.len = hdrsize + payload; 1470 m->m_flags |= M_FRAG; 1471 1472 /* chain up the fragment */ 1473 prev->m_nextpkt = m; 1474 prev = m; 1475 1476 /* deduct fragment just formed */ 1477 remainder -= payload; 1478 off += payload; 1479 } while (remainder != 0); 1480 1481 /* set the last fragment */ 1482 m->m_flags |= M_LASTFRAG; 1483 whf->i_fc[1] &= ~IEEE80211_FC1_MORE_FRAG; 1484 1485 /* strip first mbuf now that everything has been copied */ 1486 m_adj(m0, -(m0->m_pkthdr.len - (mtu - ciphdrsize))); 1487 m0->m_flags |= M_FIRSTFRAG | M_FRAG; 1488 1489 vap->iv_stats.is_tx_fragframes++; 1490 vap->iv_stats.is_tx_frags += fragno-1; 1491 1492 return 1; 1493 bad: 1494 /* reclaim fragments but leave original frame for caller to free */ 1495 for (m = m0->m_nextpkt; m != NULL; m = next) { 1496 next = m->m_nextpkt; 1497 m->m_nextpkt = NULL; /* XXX paranoid */ 1498 m_freem(m); 1499 } 1500 m0->m_nextpkt = NULL; 1501 return 0; 1502 } 1503 1504 /* 1505 * Add a supported rates element id to a frame. 1506 */ 1507 uint8_t * 1508 ieee80211_add_rates(uint8_t *frm, const struct ieee80211_rateset *rs) 1509 { 1510 int nrates; 1511 1512 *frm++ = IEEE80211_ELEMID_RATES; 1513 nrates = rs->rs_nrates; 1514 if (nrates > IEEE80211_RATE_SIZE) 1515 nrates = IEEE80211_RATE_SIZE; 1516 *frm++ = nrates; 1517 memcpy(frm, rs->rs_rates, nrates); 1518 return frm + nrates; 1519 } 1520 1521 /* 1522 * Add an extended supported rates element id to a frame. 1523 */ 1524 uint8_t * 1525 ieee80211_add_xrates(uint8_t *frm, const struct ieee80211_rateset *rs) 1526 { 1527 /* 1528 * Add an extended supported rates element if operating in 11g mode. 1529 */ 1530 if (rs->rs_nrates > IEEE80211_RATE_SIZE) { 1531 int nrates = rs->rs_nrates - IEEE80211_RATE_SIZE; 1532 *frm++ = IEEE80211_ELEMID_XRATES; 1533 *frm++ = nrates; 1534 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates); 1535 frm += nrates; 1536 } 1537 return frm; 1538 } 1539 1540 /* 1541 * Add an ssid element to a frame. 1542 */ 1543 static uint8_t * 1544 ieee80211_add_ssid(uint8_t *frm, const uint8_t *ssid, u_int len) 1545 { 1546 *frm++ = IEEE80211_ELEMID_SSID; 1547 *frm++ = len; 1548 memcpy(frm, ssid, len); 1549 return frm + len; 1550 } 1551 1552 /* 1553 * Add an erp element to a frame. 1554 */ 1555 static uint8_t * 1556 ieee80211_add_erp(uint8_t *frm, struct ieee80211com *ic) 1557 { 1558 uint8_t erp; 1559 1560 *frm++ = IEEE80211_ELEMID_ERP; 1561 *frm++ = 1; 1562 erp = 0; 1563 if (ic->ic_nonerpsta != 0) 1564 erp |= IEEE80211_ERP_NON_ERP_PRESENT; 1565 if (ic->ic_flags & IEEE80211_F_USEPROT) 1566 erp |= IEEE80211_ERP_USE_PROTECTION; 1567 if (ic->ic_flags & IEEE80211_F_USEBARKER) 1568 erp |= IEEE80211_ERP_LONG_PREAMBLE; 1569 *frm++ = erp; 1570 return frm; 1571 } 1572 1573 /* 1574 * Add a CFParams element to a frame. 1575 */ 1576 static uint8_t * 1577 ieee80211_add_cfparms(uint8_t *frm, struct ieee80211com *ic) 1578 { 1579 #define ADDSHORT(frm, v) do { \ 1580 LE_WRITE_2(frm, v); \ 1581 frm += 2; \ 1582 } while (0) 1583 *frm++ = IEEE80211_ELEMID_CFPARMS; 1584 *frm++ = 6; 1585 *frm++ = 0; /* CFP count */ 1586 *frm++ = 2; /* CFP period */ 1587 ADDSHORT(frm, 0); /* CFP MaxDuration (TU) */ 1588 ADDSHORT(frm, 0); /* CFP CurRemaining (TU) */ 1589 return frm; 1590 #undef ADDSHORT 1591 } 1592 1593 static __inline uint8_t * 1594 add_appie(uint8_t *frm, const struct ieee80211_appie *ie) 1595 { 1596 memcpy(frm, ie->ie_data, ie->ie_len); 1597 return frm + ie->ie_len; 1598 } 1599 1600 static __inline uint8_t * 1601 add_ie(uint8_t *frm, const uint8_t *ie) 1602 { 1603 memcpy(frm, ie, 2 + ie[1]); 1604 return frm + 2 + ie[1]; 1605 } 1606 1607 #define WME_OUI_BYTES 0x00, 0x50, 0xf2 1608 /* 1609 * Add a WME information element to a frame. 1610 */ 1611 static uint8_t * 1612 ieee80211_add_wme_info(uint8_t *frm, struct ieee80211_wme_state *wme) 1613 { 1614 static const struct ieee80211_wme_info info = { 1615 .wme_id = IEEE80211_ELEMID_VENDOR, 1616 .wme_len = sizeof(struct ieee80211_wme_info) - 2, 1617 .wme_oui = { WME_OUI_BYTES }, 1618 .wme_type = WME_OUI_TYPE, 1619 .wme_subtype = WME_INFO_OUI_SUBTYPE, 1620 .wme_version = WME_VERSION, 1621 .wme_info = 0, 1622 }; 1623 memcpy(frm, &info, sizeof(info)); 1624 return frm + sizeof(info); 1625 } 1626 1627 /* 1628 * Add a WME parameters element to a frame. 1629 */ 1630 static uint8_t * 1631 ieee80211_add_wme_param(uint8_t *frm, struct ieee80211_wme_state *wme) 1632 { 1633 #define SM(_v, _f) (((_v) << _f##_S) & _f) 1634 #define ADDSHORT(frm, v) do { \ 1635 LE_WRITE_2(frm, v); \ 1636 frm += 2; \ 1637 } while (0) 1638 /* NB: this works 'cuz a param has an info at the front */ 1639 static const struct ieee80211_wme_info param = { 1640 .wme_id = IEEE80211_ELEMID_VENDOR, 1641 .wme_len = sizeof(struct ieee80211_wme_param) - 2, 1642 .wme_oui = { WME_OUI_BYTES }, 1643 .wme_type = WME_OUI_TYPE, 1644 .wme_subtype = WME_PARAM_OUI_SUBTYPE, 1645 .wme_version = WME_VERSION, 1646 }; 1647 int i; 1648 1649 memcpy(frm, ¶m, sizeof(param)); 1650 frm += __offsetof(struct ieee80211_wme_info, wme_info); 1651 *frm++ = wme->wme_bssChanParams.cap_info; /* AC info */ 1652 *frm++ = 0; /* reserved field */ 1653 for (i = 0; i < WME_NUM_AC; i++) { 1654 const struct wmeParams *ac = 1655 &wme->wme_bssChanParams.cap_wmeParams[i]; 1656 *frm++ = SM(i, WME_PARAM_ACI) 1657 | SM(ac->wmep_acm, WME_PARAM_ACM) 1658 | SM(ac->wmep_aifsn, WME_PARAM_AIFSN) 1659 ; 1660 *frm++ = SM(ac->wmep_logcwmax, WME_PARAM_LOGCWMAX) 1661 | SM(ac->wmep_logcwmin, WME_PARAM_LOGCWMIN) 1662 ; 1663 ADDSHORT(frm, ac->wmep_txopLimit); 1664 } 1665 return frm; 1666 #undef SM 1667 #undef ADDSHORT 1668 } 1669 #undef WME_OUI_BYTES 1670 1671 /* 1672 * Add an 11h Power Constraint element to a frame. 1673 */ 1674 static uint8_t * 1675 ieee80211_add_powerconstraint(uint8_t *frm, struct ieee80211vap *vap) 1676 { 1677 const struct ieee80211_channel *c = vap->iv_bss->ni_chan; 1678 /* XXX per-vap tx power limit? */ 1679 int8_t limit = vap->iv_ic->ic_txpowlimit / 2; 1680 1681 frm[0] = IEEE80211_ELEMID_PWRCNSTR; 1682 frm[1] = 1; 1683 frm[2] = c->ic_maxregpower > limit ? c->ic_maxregpower - limit : 0; 1684 return frm + 3; 1685 } 1686 1687 /* 1688 * Add an 11h Power Capability element to a frame. 1689 */ 1690 static uint8_t * 1691 ieee80211_add_powercapability(uint8_t *frm, const struct ieee80211_channel *c) 1692 { 1693 frm[0] = IEEE80211_ELEMID_PWRCAP; 1694 frm[1] = 2; 1695 frm[2] = c->ic_minpower; 1696 frm[3] = c->ic_maxpower; 1697 return frm + 4; 1698 } 1699 1700 /* 1701 * Add an 11h Supported Channels element to a frame. 1702 */ 1703 static uint8_t * 1704 ieee80211_add_supportedchannels(uint8_t *frm, struct ieee80211com *ic) 1705 { 1706 static const int ielen = 26; 1707 1708 frm[0] = IEEE80211_ELEMID_SUPPCHAN; 1709 frm[1] = ielen; 1710 /* XXX not correct */ 1711 memcpy(frm+2, ic->ic_chan_avail, ielen); 1712 return frm + 2 + ielen; 1713 } 1714 1715 /* 1716 * Add an 11h Quiet time element to a frame. 1717 */ 1718 static uint8_t * 1719 ieee80211_add_quiet(uint8_t *frm, struct ieee80211vap *vap) 1720 { 1721 struct ieee80211_quiet_ie *quiet = (struct ieee80211_quiet_ie *) frm; 1722 1723 quiet->quiet_ie = IEEE80211_ELEMID_QUIET; 1724 quiet->len = 6; 1725 if (vap->iv_quiet_count_value == 1) 1726 vap->iv_quiet_count_value = vap->iv_quiet_count; 1727 else if (vap->iv_quiet_count_value > 1) 1728 vap->iv_quiet_count_value--; 1729 1730 if (vap->iv_quiet_count_value == 0) { 1731 /* value 0 is reserved as per 802.11h standerd */ 1732 vap->iv_quiet_count_value = 1; 1733 } 1734 1735 quiet->tbttcount = vap->iv_quiet_count_value; 1736 quiet->period = vap->iv_quiet_period; 1737 quiet->duration = htole16(vap->iv_quiet_duration); 1738 quiet->offset = htole16(vap->iv_quiet_offset); 1739 return frm + sizeof(*quiet); 1740 } 1741 1742 /* 1743 * Add an 11h Channel Switch Announcement element to a frame. 1744 * Note that we use the per-vap CSA count to adjust the global 1745 * counter so we can use this routine to form probe response 1746 * frames and get the current count. 1747 */ 1748 static uint8_t * 1749 ieee80211_add_csa(uint8_t *frm, struct ieee80211vap *vap) 1750 { 1751 struct ieee80211com *ic = vap->iv_ic; 1752 struct ieee80211_csa_ie *csa = (struct ieee80211_csa_ie *) frm; 1753 1754 csa->csa_ie = IEEE80211_ELEMID_CSA; 1755 csa->csa_len = 3; 1756 csa->csa_mode = 1; /* XXX force quiet on channel */ 1757 csa->csa_newchan = ieee80211_chan2ieee(ic, ic->ic_csa_newchan); 1758 csa->csa_count = ic->ic_csa_count - vap->iv_csa_count; 1759 return frm + sizeof(*csa); 1760 } 1761 1762 /* 1763 * Add an 11h country information element to a frame. 1764 */ 1765 static uint8_t * 1766 ieee80211_add_countryie(uint8_t *frm, struct ieee80211com *ic) 1767 { 1768 1769 if (ic->ic_countryie == NULL || 1770 ic->ic_countryie_chan != ic->ic_bsschan) { 1771 /* 1772 * Handle lazy construction of ie. This is done on 1773 * first use and after a channel change that requires 1774 * re-calculation. 1775 */ 1776 if (ic->ic_countryie != NULL) 1777 free(ic->ic_countryie, M_80211_NODE_IE); 1778 ic->ic_countryie = ieee80211_alloc_countryie(ic); 1779 if (ic->ic_countryie == NULL) 1780 return frm; 1781 ic->ic_countryie_chan = ic->ic_bsschan; 1782 } 1783 return add_appie(frm, ic->ic_countryie); 1784 } 1785 1786 /* 1787 * Send a probe request frame with the specified ssid 1788 * and any optional information element data. 1789 */ 1790 int 1791 ieee80211_send_probereq(struct ieee80211_node *ni, 1792 const uint8_t sa[IEEE80211_ADDR_LEN], 1793 const uint8_t da[IEEE80211_ADDR_LEN], 1794 const uint8_t bssid[IEEE80211_ADDR_LEN], 1795 const uint8_t *ssid, size_t ssidlen) 1796 { 1797 struct ieee80211vap *vap = ni->ni_vap; 1798 struct ieee80211com *ic = ni->ni_ic; 1799 const struct ieee80211_txparam *tp; 1800 struct ieee80211_bpf_params params; 1801 struct ieee80211_frame *wh; 1802 const struct ieee80211_rateset *rs; 1803 struct mbuf *m; 1804 uint8_t *frm; 1805 1806 if (vap->iv_state == IEEE80211_S_CAC) { 1807 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, ni, 1808 "block %s frame in CAC state", "probe request"); 1809 vap->iv_stats.is_tx_badstate++; 1810 return EIO; /* XXX */ 1811 } 1812 1813 /* 1814 * Hold a reference on the node so it doesn't go away until after 1815 * the xmit is complete all the way in the driver. On error we 1816 * will remove our reference. 1817 */ 1818 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 1819 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 1820 __func__, __LINE__, 1821 ni, ether_sprintf(ni->ni_macaddr), 1822 ieee80211_node_refcnt(ni)+1); 1823 ieee80211_ref_node(ni); 1824 1825 /* 1826 * prreq frame format 1827 * [tlv] ssid 1828 * [tlv] supported rates 1829 * [tlv] RSN (optional) 1830 * [tlv] extended supported rates 1831 * [tlv] WPA (optional) 1832 * [tlv] user-specified ie's 1833 */ 1834 m = ieee80211_getmgtframe(&frm, 1835 ic->ic_headroom + sizeof(struct ieee80211_frame), 1836 2 + IEEE80211_NWID_LEN 1837 + 2 + IEEE80211_RATE_SIZE 1838 + sizeof(struct ieee80211_ie_wpa) 1839 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1840 + sizeof(struct ieee80211_ie_wpa) 1841 + (vap->iv_appie_probereq != NULL ? 1842 vap->iv_appie_probereq->ie_len : 0) 1843 ); 1844 if (m == NULL) { 1845 vap->iv_stats.is_tx_nobuf++; 1846 ieee80211_free_node(ni); 1847 return ENOMEM; 1848 } 1849 1850 frm = ieee80211_add_ssid(frm, ssid, ssidlen); 1851 rs = ieee80211_get_suprates(ic, ic->ic_curchan); 1852 frm = ieee80211_add_rates(frm, rs); 1853 if (vap->iv_flags & IEEE80211_F_WPA2) { 1854 if (vap->iv_rsn_ie != NULL) 1855 frm = add_ie(frm, vap->iv_rsn_ie); 1856 /* XXX else complain? */ 1857 } 1858 frm = ieee80211_add_xrates(frm, rs); 1859 if (vap->iv_flags & IEEE80211_F_WPA1) { 1860 if (vap->iv_wpa_ie != NULL) 1861 frm = add_ie(frm, vap->iv_wpa_ie); 1862 /* XXX else complain? */ 1863 } 1864 if (vap->iv_appie_probereq != NULL) 1865 frm = add_appie(frm, vap->iv_appie_probereq); 1866 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 1867 1868 KASSERT(M_LEADINGSPACE(m) >= sizeof(struct ieee80211_frame), 1869 ("leading space %zd", M_LEADINGSPACE(m))); 1870 M_PREPEND(m, sizeof(struct ieee80211_frame), M_NOWAIT); 1871 if (m == NULL) { 1872 /* NB: cannot happen */ 1873 ieee80211_free_node(ni); 1874 return ENOMEM; 1875 } 1876 1877 wh = mtod(m, struct ieee80211_frame *); 1878 ieee80211_send_setup(ni, m, 1879 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_REQ, 1880 IEEE80211_NONQOS_TID, sa, da, bssid); 1881 /* XXX power management? */ 1882 m->m_flags |= M_ENCAP; /* mark encapsulated */ 1883 1884 M_WME_SETAC(m, WME_AC_BE); 1885 1886 IEEE80211_NODE_STAT(ni, tx_probereq); 1887 IEEE80211_NODE_STAT(ni, tx_mgmt); 1888 1889 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 1890 "send probe req on channel %u bssid %s ssid \"%.*s\"\n", 1891 ieee80211_chan2ieee(ic, ic->ic_curchan), ether_sprintf(bssid), 1892 ssidlen, ssid); 1893 1894 memset(¶ms, 0, sizeof(params)); 1895 params.ibp_pri = M_WME_GETAC(m); 1896 tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)]; 1897 params.ibp_rate0 = tp->mgmtrate; 1898 if (IEEE80211_IS_MULTICAST(da)) { 1899 params.ibp_flags |= IEEE80211_BPF_NOACK; 1900 params.ibp_try0 = 1; 1901 } else 1902 params.ibp_try0 = tp->maxretry; 1903 params.ibp_power = ni->ni_txpower; 1904 return ic->ic_raw_xmit(ni, m, ¶ms); 1905 } 1906 1907 /* 1908 * Calculate capability information for mgt frames. 1909 */ 1910 uint16_t 1911 ieee80211_getcapinfo(struct ieee80211vap *vap, struct ieee80211_channel *chan) 1912 { 1913 struct ieee80211com *ic = vap->iv_ic; 1914 uint16_t capinfo; 1915 1916 KASSERT(vap->iv_opmode != IEEE80211_M_STA, ("station mode")); 1917 1918 if (vap->iv_opmode == IEEE80211_M_HOSTAP) 1919 capinfo = IEEE80211_CAPINFO_ESS; 1920 else if (vap->iv_opmode == IEEE80211_M_IBSS) 1921 capinfo = IEEE80211_CAPINFO_IBSS; 1922 else 1923 capinfo = 0; 1924 if (vap->iv_flags & IEEE80211_F_PRIVACY) 1925 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1926 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1927 IEEE80211_IS_CHAN_2GHZ(chan)) 1928 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1929 if (ic->ic_flags & IEEE80211_F_SHSLOT) 1930 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1931 if (IEEE80211_IS_CHAN_5GHZ(chan) && (vap->iv_flags & IEEE80211_F_DOTH)) 1932 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT; 1933 return capinfo; 1934 } 1935 1936 /* 1937 * Send a management frame. The node is for the destination (or ic_bss 1938 * when in station mode). Nodes other than ic_bss have their reference 1939 * count bumped to reflect our use for an indeterminant time. 1940 */ 1941 int 1942 ieee80211_send_mgmt(struct ieee80211_node *ni, int type, int arg) 1943 { 1944 #define HTFLAGS (IEEE80211_NODE_HT | IEEE80211_NODE_HTCOMPAT) 1945 #define senderr(_x, _v) do { vap->iv_stats._v++; ret = _x; goto bad; } while (0) 1946 struct ieee80211vap *vap = ni->ni_vap; 1947 struct ieee80211com *ic = ni->ni_ic; 1948 struct ieee80211_node *bss = vap->iv_bss; 1949 struct ieee80211_bpf_params params; 1950 struct mbuf *m; 1951 uint8_t *frm; 1952 uint16_t capinfo; 1953 int has_challenge, is_shared_key, ret, status; 1954 1955 KASSERT(ni != NULL, ("null node")); 1956 1957 /* 1958 * Hold a reference on the node so it doesn't go away until after 1959 * the xmit is complete all the way in the driver. On error we 1960 * will remove our reference. 1961 */ 1962 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 1963 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 1964 __func__, __LINE__, 1965 ni, ether_sprintf(ni->ni_macaddr), 1966 ieee80211_node_refcnt(ni)+1); 1967 ieee80211_ref_node(ni); 1968 1969 memset(¶ms, 0, sizeof(params)); 1970 switch (type) { 1971 1972 case IEEE80211_FC0_SUBTYPE_AUTH: 1973 status = arg >> 16; 1974 arg &= 0xffff; 1975 has_challenge = ((arg == IEEE80211_AUTH_SHARED_CHALLENGE || 1976 arg == IEEE80211_AUTH_SHARED_RESPONSE) && 1977 ni->ni_challenge != NULL); 1978 1979 /* 1980 * Deduce whether we're doing open authentication or 1981 * shared key authentication. We do the latter if 1982 * we're in the middle of a shared key authentication 1983 * handshake or if we're initiating an authentication 1984 * request and configured to use shared key. 1985 */ 1986 is_shared_key = has_challenge || 1987 arg >= IEEE80211_AUTH_SHARED_RESPONSE || 1988 (arg == IEEE80211_AUTH_SHARED_REQUEST && 1989 bss->ni_authmode == IEEE80211_AUTH_SHARED); 1990 1991 m = ieee80211_getmgtframe(&frm, 1992 ic->ic_headroom + sizeof(struct ieee80211_frame), 1993 3 * sizeof(uint16_t) 1994 + (has_challenge && status == IEEE80211_STATUS_SUCCESS ? 1995 sizeof(uint16_t)+IEEE80211_CHALLENGE_LEN : 0) 1996 ); 1997 if (m == NULL) 1998 senderr(ENOMEM, is_tx_nobuf); 1999 2000 ((uint16_t *)frm)[0] = 2001 (is_shared_key) ? htole16(IEEE80211_AUTH_ALG_SHARED) 2002 : htole16(IEEE80211_AUTH_ALG_OPEN); 2003 ((uint16_t *)frm)[1] = htole16(arg); /* sequence number */ 2004 ((uint16_t *)frm)[2] = htole16(status);/* status */ 2005 2006 if (has_challenge && status == IEEE80211_STATUS_SUCCESS) { 2007 ((uint16_t *)frm)[3] = 2008 htole16((IEEE80211_CHALLENGE_LEN << 8) | 2009 IEEE80211_ELEMID_CHALLENGE); 2010 memcpy(&((uint16_t *)frm)[4], ni->ni_challenge, 2011 IEEE80211_CHALLENGE_LEN); 2012 m->m_pkthdr.len = m->m_len = 2013 4 * sizeof(uint16_t) + IEEE80211_CHALLENGE_LEN; 2014 if (arg == IEEE80211_AUTH_SHARED_RESPONSE) { 2015 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2016 "request encrypt frame (%s)", __func__); 2017 /* mark frame for encryption */ 2018 params.ibp_flags |= IEEE80211_BPF_CRYPTO; 2019 } 2020 } else 2021 m->m_pkthdr.len = m->m_len = 3 * sizeof(uint16_t); 2022 2023 /* XXX not right for shared key */ 2024 if (status == IEEE80211_STATUS_SUCCESS) 2025 IEEE80211_NODE_STAT(ni, tx_auth); 2026 else 2027 IEEE80211_NODE_STAT(ni, tx_auth_fail); 2028 2029 if (vap->iv_opmode == IEEE80211_M_STA) 2030 ieee80211_add_callback(m, ieee80211_tx_mgt_cb, 2031 (void *) vap->iv_state); 2032 break; 2033 2034 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2035 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2036 "send station deauthenticate (reason %d)", arg); 2037 m = ieee80211_getmgtframe(&frm, 2038 ic->ic_headroom + sizeof(struct ieee80211_frame), 2039 sizeof(uint16_t)); 2040 if (m == NULL) 2041 senderr(ENOMEM, is_tx_nobuf); 2042 *(uint16_t *)frm = htole16(arg); /* reason */ 2043 m->m_pkthdr.len = m->m_len = sizeof(uint16_t); 2044 2045 IEEE80211_NODE_STAT(ni, tx_deauth); 2046 IEEE80211_NODE_STAT_SET(ni, tx_deauth_code, arg); 2047 2048 ieee80211_node_unauthorize(ni); /* port closed */ 2049 break; 2050 2051 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2052 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 2053 /* 2054 * asreq frame format 2055 * [2] capability information 2056 * [2] listen interval 2057 * [6*] current AP address (reassoc only) 2058 * [tlv] ssid 2059 * [tlv] supported rates 2060 * [tlv] extended supported rates 2061 * [4] power capability (optional) 2062 * [28] supported channels (optional) 2063 * [tlv] HT capabilities 2064 * [tlv] WME (optional) 2065 * [tlv] Vendor OUI HT capabilities (optional) 2066 * [tlv] Atheros capabilities (if negotiated) 2067 * [tlv] AppIE's (optional) 2068 */ 2069 m = ieee80211_getmgtframe(&frm, 2070 ic->ic_headroom + sizeof(struct ieee80211_frame), 2071 sizeof(uint16_t) 2072 + sizeof(uint16_t) 2073 + IEEE80211_ADDR_LEN 2074 + 2 + IEEE80211_NWID_LEN 2075 + 2 + IEEE80211_RATE_SIZE 2076 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2077 + 4 2078 + 2 + 26 2079 + sizeof(struct ieee80211_wme_info) 2080 + sizeof(struct ieee80211_ie_htcap) 2081 + 4 + sizeof(struct ieee80211_ie_htcap) 2082 #ifdef IEEE80211_SUPPORT_SUPERG 2083 + sizeof(struct ieee80211_ath_ie) 2084 #endif 2085 + (vap->iv_appie_wpa != NULL ? 2086 vap->iv_appie_wpa->ie_len : 0) 2087 + (vap->iv_appie_assocreq != NULL ? 2088 vap->iv_appie_assocreq->ie_len : 0) 2089 ); 2090 if (m == NULL) 2091 senderr(ENOMEM, is_tx_nobuf); 2092 2093 KASSERT(vap->iv_opmode == IEEE80211_M_STA, 2094 ("wrong mode %u", vap->iv_opmode)); 2095 capinfo = IEEE80211_CAPINFO_ESS; 2096 if (vap->iv_flags & IEEE80211_F_PRIVACY) 2097 capinfo |= IEEE80211_CAPINFO_PRIVACY; 2098 /* 2099 * NB: Some 11a AP's reject the request when 2100 * short premable is set. 2101 */ 2102 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 2103 IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan)) 2104 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 2105 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 2106 (ic->ic_caps & IEEE80211_C_SHSLOT)) 2107 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 2108 if ((ni->ni_capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) && 2109 (vap->iv_flags & IEEE80211_F_DOTH)) 2110 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT; 2111 *(uint16_t *)frm = htole16(capinfo); 2112 frm += 2; 2113 2114 KASSERT(bss->ni_intval != 0, ("beacon interval is zero!")); 2115 *(uint16_t *)frm = htole16(howmany(ic->ic_lintval, 2116 bss->ni_intval)); 2117 frm += 2; 2118 2119 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2120 IEEE80211_ADDR_COPY(frm, bss->ni_bssid); 2121 frm += IEEE80211_ADDR_LEN; 2122 } 2123 2124 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 2125 frm = ieee80211_add_rates(frm, &ni->ni_rates); 2126 if (vap->iv_flags & IEEE80211_F_WPA2) { 2127 if (vap->iv_rsn_ie != NULL) 2128 frm = add_ie(frm, vap->iv_rsn_ie); 2129 /* XXX else complain? */ 2130 } 2131 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 2132 if (capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) { 2133 frm = ieee80211_add_powercapability(frm, 2134 ic->ic_curchan); 2135 frm = ieee80211_add_supportedchannels(frm, ic); 2136 } 2137 if ((vap->iv_flags_ht & IEEE80211_FHT_HT) && 2138 ni->ni_ies.htcap_ie != NULL && 2139 ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_HTCAP) 2140 frm = ieee80211_add_htcap(frm, ni); 2141 if (vap->iv_flags & IEEE80211_F_WPA1) { 2142 if (vap->iv_wpa_ie != NULL) 2143 frm = add_ie(frm, vap->iv_wpa_ie); 2144 /* XXX else complain */ 2145 } 2146 if ((ic->ic_flags & IEEE80211_F_WME) && 2147 ni->ni_ies.wme_ie != NULL) 2148 frm = ieee80211_add_wme_info(frm, &ic->ic_wme); 2149 if ((vap->iv_flags_ht & IEEE80211_FHT_HT) && 2150 ni->ni_ies.htcap_ie != NULL && 2151 ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_VENDOR) 2152 frm = ieee80211_add_htcap_vendor(frm, ni); 2153 #ifdef IEEE80211_SUPPORT_SUPERG 2154 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS)) { 2155 frm = ieee80211_add_ath(frm, 2156 IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS), 2157 ((vap->iv_flags & IEEE80211_F_WPA) == 0 && 2158 ni->ni_authmode != IEEE80211_AUTH_8021X) ? 2159 vap->iv_def_txkey : IEEE80211_KEYIX_NONE); 2160 } 2161 #endif /* IEEE80211_SUPPORT_SUPERG */ 2162 if (vap->iv_appie_assocreq != NULL) 2163 frm = add_appie(frm, vap->iv_appie_assocreq); 2164 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2165 2166 ieee80211_add_callback(m, ieee80211_tx_mgt_cb, 2167 (void *) vap->iv_state); 2168 break; 2169 2170 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2171 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2172 /* 2173 * asresp frame format 2174 * [2] capability information 2175 * [2] status 2176 * [2] association ID 2177 * [tlv] supported rates 2178 * [tlv] extended supported rates 2179 * [tlv] HT capabilities (standard, if STA enabled) 2180 * [tlv] HT information (standard, if STA enabled) 2181 * [tlv] WME (if configured and STA enabled) 2182 * [tlv] HT capabilities (vendor OUI, if STA enabled) 2183 * [tlv] HT information (vendor OUI, if STA enabled) 2184 * [tlv] Atheros capabilities (if STA enabled) 2185 * [tlv] AppIE's (optional) 2186 */ 2187 m = ieee80211_getmgtframe(&frm, 2188 ic->ic_headroom + sizeof(struct ieee80211_frame), 2189 sizeof(uint16_t) 2190 + sizeof(uint16_t) 2191 + sizeof(uint16_t) 2192 + 2 + IEEE80211_RATE_SIZE 2193 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2194 + sizeof(struct ieee80211_ie_htcap) + 4 2195 + sizeof(struct ieee80211_ie_htinfo) + 4 2196 + sizeof(struct ieee80211_wme_param) 2197 #ifdef IEEE80211_SUPPORT_SUPERG 2198 + sizeof(struct ieee80211_ath_ie) 2199 #endif 2200 + (vap->iv_appie_assocresp != NULL ? 2201 vap->iv_appie_assocresp->ie_len : 0) 2202 ); 2203 if (m == NULL) 2204 senderr(ENOMEM, is_tx_nobuf); 2205 2206 capinfo = ieee80211_getcapinfo(vap, bss->ni_chan); 2207 *(uint16_t *)frm = htole16(capinfo); 2208 frm += 2; 2209 2210 *(uint16_t *)frm = htole16(arg); /* status */ 2211 frm += 2; 2212 2213 if (arg == IEEE80211_STATUS_SUCCESS) { 2214 *(uint16_t *)frm = htole16(ni->ni_associd); 2215 IEEE80211_NODE_STAT(ni, tx_assoc); 2216 } else 2217 IEEE80211_NODE_STAT(ni, tx_assoc_fail); 2218 frm += 2; 2219 2220 frm = ieee80211_add_rates(frm, &ni->ni_rates); 2221 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 2222 /* NB: respond according to what we received */ 2223 if ((ni->ni_flags & HTFLAGS) == IEEE80211_NODE_HT) { 2224 frm = ieee80211_add_htcap(frm, ni); 2225 frm = ieee80211_add_htinfo(frm, ni); 2226 } 2227 if ((vap->iv_flags & IEEE80211_F_WME) && 2228 ni->ni_ies.wme_ie != NULL) 2229 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 2230 if ((ni->ni_flags & HTFLAGS) == HTFLAGS) { 2231 frm = ieee80211_add_htcap_vendor(frm, ni); 2232 frm = ieee80211_add_htinfo_vendor(frm, ni); 2233 } 2234 #ifdef IEEE80211_SUPPORT_SUPERG 2235 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS)) 2236 frm = ieee80211_add_ath(frm, 2237 IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS), 2238 ((vap->iv_flags & IEEE80211_F_WPA) == 0 && 2239 ni->ni_authmode != IEEE80211_AUTH_8021X) ? 2240 vap->iv_def_txkey : IEEE80211_KEYIX_NONE); 2241 #endif /* IEEE80211_SUPPORT_SUPERG */ 2242 if (vap->iv_appie_assocresp != NULL) 2243 frm = add_appie(frm, vap->iv_appie_assocresp); 2244 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2245 break; 2246 2247 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2248 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 2249 "send station disassociate (reason %d)", arg); 2250 m = ieee80211_getmgtframe(&frm, 2251 ic->ic_headroom + sizeof(struct ieee80211_frame), 2252 sizeof(uint16_t)); 2253 if (m == NULL) 2254 senderr(ENOMEM, is_tx_nobuf); 2255 *(uint16_t *)frm = htole16(arg); /* reason */ 2256 m->m_pkthdr.len = m->m_len = sizeof(uint16_t); 2257 2258 IEEE80211_NODE_STAT(ni, tx_disassoc); 2259 IEEE80211_NODE_STAT_SET(ni, tx_disassoc_code, arg); 2260 break; 2261 2262 default: 2263 IEEE80211_NOTE(vap, IEEE80211_MSG_ANY, ni, 2264 "invalid mgmt frame type %u", type); 2265 senderr(EINVAL, is_tx_unknownmgt); 2266 /* NOTREACHED */ 2267 } 2268 2269 /* NB: force non-ProbeResp frames to the highest queue */ 2270 params.ibp_pri = WME_AC_VO; 2271 params.ibp_rate0 = bss->ni_txparms->mgmtrate; 2272 /* NB: we know all frames are unicast */ 2273 params.ibp_try0 = bss->ni_txparms->maxretry; 2274 params.ibp_power = bss->ni_txpower; 2275 return ieee80211_mgmt_output(ni, m, type, ¶ms); 2276 bad: 2277 ieee80211_free_node(ni); 2278 return ret; 2279 #undef senderr 2280 #undef HTFLAGS 2281 } 2282 2283 /* 2284 * Return an mbuf with a probe response frame in it. 2285 * Space is left to prepend and 802.11 header at the 2286 * front but it's left to the caller to fill in. 2287 */ 2288 struct mbuf * 2289 ieee80211_alloc_proberesp(struct ieee80211_node *bss, int legacy) 2290 { 2291 struct ieee80211vap *vap = bss->ni_vap; 2292 struct ieee80211com *ic = bss->ni_ic; 2293 const struct ieee80211_rateset *rs; 2294 struct mbuf *m; 2295 uint16_t capinfo; 2296 uint8_t *frm; 2297 2298 /* 2299 * probe response frame format 2300 * [8] time stamp 2301 * [2] beacon interval 2302 * [2] cabability information 2303 * [tlv] ssid 2304 * [tlv] supported rates 2305 * [tlv] parameter set (FH/DS) 2306 * [tlv] parameter set (IBSS) 2307 * [tlv] country (optional) 2308 * [3] power control (optional) 2309 * [5] channel switch announcement (CSA) (optional) 2310 * [tlv] extended rate phy (ERP) 2311 * [tlv] extended supported rates 2312 * [tlv] RSN (optional) 2313 * [tlv] HT capabilities 2314 * [tlv] HT information 2315 * [tlv] WPA (optional) 2316 * [tlv] WME (optional) 2317 * [tlv] Vendor OUI HT capabilities (optional) 2318 * [tlv] Vendor OUI HT information (optional) 2319 * [tlv] Atheros capabilities 2320 * [tlv] AppIE's (optional) 2321 * [tlv] Mesh ID (MBSS) 2322 * [tlv] Mesh Conf (MBSS) 2323 */ 2324 m = ieee80211_getmgtframe(&frm, 2325 ic->ic_headroom + sizeof(struct ieee80211_frame), 2326 8 2327 + sizeof(uint16_t) 2328 + sizeof(uint16_t) 2329 + 2 + IEEE80211_NWID_LEN 2330 + 2 + IEEE80211_RATE_SIZE 2331 + 7 /* max(7,3) */ 2332 + IEEE80211_COUNTRY_MAX_SIZE 2333 + 3 2334 + sizeof(struct ieee80211_csa_ie) 2335 + sizeof(struct ieee80211_quiet_ie) 2336 + 3 2337 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2338 + sizeof(struct ieee80211_ie_wpa) 2339 + sizeof(struct ieee80211_ie_htcap) 2340 + sizeof(struct ieee80211_ie_htinfo) 2341 + sizeof(struct ieee80211_ie_wpa) 2342 + sizeof(struct ieee80211_wme_param) 2343 + 4 + sizeof(struct ieee80211_ie_htcap) 2344 + 4 + sizeof(struct ieee80211_ie_htinfo) 2345 #ifdef IEEE80211_SUPPORT_SUPERG 2346 + sizeof(struct ieee80211_ath_ie) 2347 #endif 2348 #ifdef IEEE80211_SUPPORT_MESH 2349 + 2 + IEEE80211_MESHID_LEN 2350 + sizeof(struct ieee80211_meshconf_ie) 2351 #endif 2352 + (vap->iv_appie_proberesp != NULL ? 2353 vap->iv_appie_proberesp->ie_len : 0) 2354 ); 2355 if (m == NULL) { 2356 vap->iv_stats.is_tx_nobuf++; 2357 return NULL; 2358 } 2359 2360 memset(frm, 0, 8); /* timestamp should be filled later */ 2361 frm += 8; 2362 *(uint16_t *)frm = htole16(bss->ni_intval); 2363 frm += 2; 2364 capinfo = ieee80211_getcapinfo(vap, bss->ni_chan); 2365 *(uint16_t *)frm = htole16(capinfo); 2366 frm += 2; 2367 2368 frm = ieee80211_add_ssid(frm, bss->ni_essid, bss->ni_esslen); 2369 rs = ieee80211_get_suprates(ic, bss->ni_chan); 2370 frm = ieee80211_add_rates(frm, rs); 2371 2372 if (IEEE80211_IS_CHAN_FHSS(bss->ni_chan)) { 2373 *frm++ = IEEE80211_ELEMID_FHPARMS; 2374 *frm++ = 5; 2375 *frm++ = bss->ni_fhdwell & 0x00ff; 2376 *frm++ = (bss->ni_fhdwell >> 8) & 0x00ff; 2377 *frm++ = IEEE80211_FH_CHANSET( 2378 ieee80211_chan2ieee(ic, bss->ni_chan)); 2379 *frm++ = IEEE80211_FH_CHANPAT( 2380 ieee80211_chan2ieee(ic, bss->ni_chan)); 2381 *frm++ = bss->ni_fhindex; 2382 } else { 2383 *frm++ = IEEE80211_ELEMID_DSPARMS; 2384 *frm++ = 1; 2385 *frm++ = ieee80211_chan2ieee(ic, bss->ni_chan); 2386 } 2387 2388 if (vap->iv_opmode == IEEE80211_M_IBSS) { 2389 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 2390 *frm++ = 2; 2391 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 2392 } 2393 if ((vap->iv_flags & IEEE80211_F_DOTH) || 2394 (vap->iv_flags_ext & IEEE80211_FEXT_DOTD)) 2395 frm = ieee80211_add_countryie(frm, ic); 2396 if (vap->iv_flags & IEEE80211_F_DOTH) { 2397 if (IEEE80211_IS_CHAN_5GHZ(bss->ni_chan)) 2398 frm = ieee80211_add_powerconstraint(frm, vap); 2399 if (ic->ic_flags & IEEE80211_F_CSAPENDING) 2400 frm = ieee80211_add_csa(frm, vap); 2401 } 2402 if (vap->iv_flags & IEEE80211_F_DOTH) { 2403 if (IEEE80211_IS_CHAN_DFS(ic->ic_bsschan) && 2404 (vap->iv_flags_ext & IEEE80211_FEXT_DFS)) { 2405 if (vap->iv_quiet) 2406 frm = ieee80211_add_quiet(frm, vap); 2407 } 2408 } 2409 if (IEEE80211_IS_CHAN_ANYG(bss->ni_chan)) 2410 frm = ieee80211_add_erp(frm, ic); 2411 frm = ieee80211_add_xrates(frm, rs); 2412 if (vap->iv_flags & IEEE80211_F_WPA2) { 2413 if (vap->iv_rsn_ie != NULL) 2414 frm = add_ie(frm, vap->iv_rsn_ie); 2415 /* XXX else complain? */ 2416 } 2417 /* 2418 * NB: legacy 11b clients do not get certain ie's. 2419 * The caller identifies such clients by passing 2420 * a token in legacy to us. Could expand this to be 2421 * any legacy client for stuff like HT ie's. 2422 */ 2423 if (IEEE80211_IS_CHAN_HT(bss->ni_chan) && 2424 legacy != IEEE80211_SEND_LEGACY_11B) { 2425 frm = ieee80211_add_htcap(frm, bss); 2426 frm = ieee80211_add_htinfo(frm, bss); 2427 } 2428 if (vap->iv_flags & IEEE80211_F_WPA1) { 2429 if (vap->iv_wpa_ie != NULL) 2430 frm = add_ie(frm, vap->iv_wpa_ie); 2431 /* XXX else complain? */ 2432 } 2433 if (vap->iv_flags & IEEE80211_F_WME) 2434 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 2435 if (IEEE80211_IS_CHAN_HT(bss->ni_chan) && 2436 (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) && 2437 legacy != IEEE80211_SEND_LEGACY_11B) { 2438 frm = ieee80211_add_htcap_vendor(frm, bss); 2439 frm = ieee80211_add_htinfo_vendor(frm, bss); 2440 } 2441 #ifdef IEEE80211_SUPPORT_SUPERG 2442 if ((vap->iv_flags & IEEE80211_F_ATHEROS) && 2443 legacy != IEEE80211_SEND_LEGACY_11B) 2444 frm = ieee80211_add_athcaps(frm, bss); 2445 #endif 2446 if (vap->iv_appie_proberesp != NULL) 2447 frm = add_appie(frm, vap->iv_appie_proberesp); 2448 #ifdef IEEE80211_SUPPORT_MESH 2449 if (vap->iv_opmode == IEEE80211_M_MBSS) { 2450 frm = ieee80211_add_meshid(frm, vap); 2451 frm = ieee80211_add_meshconf(frm, vap); 2452 } 2453 #endif 2454 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2455 2456 return m; 2457 } 2458 2459 /* 2460 * Send a probe response frame to the specified mac address. 2461 * This does not go through the normal mgt frame api so we 2462 * can specify the destination address and re-use the bss node 2463 * for the sta reference. 2464 */ 2465 int 2466 ieee80211_send_proberesp(struct ieee80211vap *vap, 2467 const uint8_t da[IEEE80211_ADDR_LEN], int legacy) 2468 { 2469 struct ieee80211_node *bss = vap->iv_bss; 2470 struct ieee80211com *ic = vap->iv_ic; 2471 struct ieee80211_frame *wh; 2472 struct mbuf *m; 2473 2474 if (vap->iv_state == IEEE80211_S_CAC) { 2475 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, bss, 2476 "block %s frame in CAC state", "probe response"); 2477 vap->iv_stats.is_tx_badstate++; 2478 return EIO; /* XXX */ 2479 } 2480 2481 /* 2482 * Hold a reference on the node so it doesn't go away until after 2483 * the xmit is complete all the way in the driver. On error we 2484 * will remove our reference. 2485 */ 2486 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 2487 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 2488 __func__, __LINE__, bss, ether_sprintf(bss->ni_macaddr), 2489 ieee80211_node_refcnt(bss)+1); 2490 ieee80211_ref_node(bss); 2491 2492 m = ieee80211_alloc_proberesp(bss, legacy); 2493 if (m == NULL) { 2494 ieee80211_free_node(bss); 2495 return ENOMEM; 2496 } 2497 2498 M_PREPEND(m, sizeof(struct ieee80211_frame), M_NOWAIT); 2499 KASSERT(m != NULL, ("no room for header")); 2500 2501 wh = mtod(m, struct ieee80211_frame *); 2502 ieee80211_send_setup(bss, m, 2503 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP, 2504 IEEE80211_NONQOS_TID, vap->iv_myaddr, da, bss->ni_bssid); 2505 /* XXX power management? */ 2506 m->m_flags |= M_ENCAP; /* mark encapsulated */ 2507 2508 M_WME_SETAC(m, WME_AC_BE); 2509 2510 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 2511 "send probe resp on channel %u to %s%s\n", 2512 ieee80211_chan2ieee(ic, ic->ic_curchan), ether_sprintf(da), 2513 legacy ? " <legacy>" : ""); 2514 IEEE80211_NODE_STAT(bss, tx_mgmt); 2515 2516 return ic->ic_raw_xmit(bss, m, NULL); 2517 } 2518 2519 /* 2520 * Allocate and build a RTS (Request To Send) control frame. 2521 */ 2522 struct mbuf * 2523 ieee80211_alloc_rts(struct ieee80211com *ic, 2524 const uint8_t ra[IEEE80211_ADDR_LEN], 2525 const uint8_t ta[IEEE80211_ADDR_LEN], 2526 uint16_t dur) 2527 { 2528 struct ieee80211_frame_rts *rts; 2529 struct mbuf *m; 2530 2531 /* XXX honor ic_headroom */ 2532 m = m_gethdr(M_NOWAIT, MT_DATA); 2533 if (m != NULL) { 2534 rts = mtod(m, struct ieee80211_frame_rts *); 2535 rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | 2536 IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_RTS; 2537 rts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2538 *(u_int16_t *)rts->i_dur = htole16(dur); 2539 IEEE80211_ADDR_COPY(rts->i_ra, ra); 2540 IEEE80211_ADDR_COPY(rts->i_ta, ta); 2541 2542 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts); 2543 } 2544 return m; 2545 } 2546 2547 /* 2548 * Allocate and build a CTS (Clear To Send) control frame. 2549 */ 2550 struct mbuf * 2551 ieee80211_alloc_cts(struct ieee80211com *ic, 2552 const uint8_t ra[IEEE80211_ADDR_LEN], uint16_t dur) 2553 { 2554 struct ieee80211_frame_cts *cts; 2555 struct mbuf *m; 2556 2557 /* XXX honor ic_headroom */ 2558 m = m_gethdr(M_NOWAIT, MT_DATA); 2559 if (m != NULL) { 2560 cts = mtod(m, struct ieee80211_frame_cts *); 2561 cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | 2562 IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_CTS; 2563 cts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2564 *(u_int16_t *)cts->i_dur = htole16(dur); 2565 IEEE80211_ADDR_COPY(cts->i_ra, ra); 2566 2567 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts); 2568 } 2569 return m; 2570 } 2571 2572 static void 2573 ieee80211_tx_mgt_timeout(void *arg) 2574 { 2575 struct ieee80211_node *ni = arg; 2576 struct ieee80211vap *vap = ni->ni_vap; 2577 2578 if (vap->iv_state != IEEE80211_S_INIT && 2579 (vap->iv_ic->ic_flags & IEEE80211_F_SCAN) == 0) { 2580 /* 2581 * NB: it's safe to specify a timeout as the reason here; 2582 * it'll only be used in the right state. 2583 */ 2584 ieee80211_new_state(vap, IEEE80211_S_SCAN, 2585 IEEE80211_SCAN_FAIL_TIMEOUT); 2586 } 2587 } 2588 2589 static void 2590 ieee80211_tx_mgt_cb(struct ieee80211_node *ni, void *arg, int status) 2591 { 2592 struct ieee80211vap *vap = ni->ni_vap; 2593 enum ieee80211_state ostate = (enum ieee80211_state) arg; 2594 2595 /* 2596 * Frame transmit completed; arrange timer callback. If 2597 * transmit was successfuly we wait for response. Otherwise 2598 * we arrange an immediate callback instead of doing the 2599 * callback directly since we don't know what state the driver 2600 * is in (e.g. what locks it is holding). This work should 2601 * not be too time-critical and not happen too often so the 2602 * added overhead is acceptable. 2603 * 2604 * XXX what happens if !acked but response shows up before callback? 2605 */ 2606 if (vap->iv_state == ostate) 2607 callout_reset(&vap->iv_mgtsend, 2608 status == 0 ? IEEE80211_TRANS_WAIT*hz : 0, 2609 ieee80211_tx_mgt_timeout, ni); 2610 } 2611 2612 static void 2613 ieee80211_beacon_construct(struct mbuf *m, uint8_t *frm, 2614 struct ieee80211_beacon_offsets *bo, struct ieee80211_node *ni) 2615 { 2616 struct ieee80211vap *vap = ni->ni_vap; 2617 struct ieee80211com *ic = ni->ni_ic; 2618 struct ieee80211_rateset *rs = &ni->ni_rates; 2619 uint16_t capinfo; 2620 2621 /* 2622 * beacon frame format 2623 * [8] time stamp 2624 * [2] beacon interval 2625 * [2] cabability information 2626 * [tlv] ssid 2627 * [tlv] supported rates 2628 * [3] parameter set (DS) 2629 * [8] CF parameter set (optional) 2630 * [tlv] parameter set (IBSS/TIM) 2631 * [tlv] country (optional) 2632 * [3] power control (optional) 2633 * [5] channel switch announcement (CSA) (optional) 2634 * [tlv] extended rate phy (ERP) 2635 * [tlv] extended supported rates 2636 * [tlv] RSN parameters 2637 * [tlv] HT capabilities 2638 * [tlv] HT information 2639 * XXX Vendor-specific OIDs (e.g. Atheros) 2640 * [tlv] WPA parameters 2641 * [tlv] WME parameters 2642 * [tlv] Vendor OUI HT capabilities (optional) 2643 * [tlv] Vendor OUI HT information (optional) 2644 * [tlv] Atheros capabilities (optional) 2645 * [tlv] TDMA parameters (optional) 2646 * [tlv] Mesh ID (MBSS) 2647 * [tlv] Mesh Conf (MBSS) 2648 * [tlv] application data (optional) 2649 */ 2650 2651 memset(bo, 0, sizeof(*bo)); 2652 2653 memset(frm, 0, 8); /* XXX timestamp is set by hardware/driver */ 2654 frm += 8; 2655 *(uint16_t *)frm = htole16(ni->ni_intval); 2656 frm += 2; 2657 capinfo = ieee80211_getcapinfo(vap, ni->ni_chan); 2658 bo->bo_caps = (uint16_t *)frm; 2659 *(uint16_t *)frm = htole16(capinfo); 2660 frm += 2; 2661 *frm++ = IEEE80211_ELEMID_SSID; 2662 if ((vap->iv_flags & IEEE80211_F_HIDESSID) == 0) { 2663 *frm++ = ni->ni_esslen; 2664 memcpy(frm, ni->ni_essid, ni->ni_esslen); 2665 frm += ni->ni_esslen; 2666 } else 2667 *frm++ = 0; 2668 frm = ieee80211_add_rates(frm, rs); 2669 if (!IEEE80211_IS_CHAN_FHSS(ni->ni_chan)) { 2670 *frm++ = IEEE80211_ELEMID_DSPARMS; 2671 *frm++ = 1; 2672 *frm++ = ieee80211_chan2ieee(ic, ni->ni_chan); 2673 } 2674 if (ic->ic_flags & IEEE80211_F_PCF) { 2675 bo->bo_cfp = frm; 2676 frm = ieee80211_add_cfparms(frm, ic); 2677 } 2678 bo->bo_tim = frm; 2679 if (vap->iv_opmode == IEEE80211_M_IBSS) { 2680 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 2681 *frm++ = 2; 2682 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 2683 bo->bo_tim_len = 0; 2684 } else if (vap->iv_opmode == IEEE80211_M_HOSTAP || 2685 vap->iv_opmode == IEEE80211_M_MBSS) { 2686 /* TIM IE is the same for Mesh and Hostap */ 2687 struct ieee80211_tim_ie *tie = (struct ieee80211_tim_ie *) frm; 2688 2689 tie->tim_ie = IEEE80211_ELEMID_TIM; 2690 tie->tim_len = 4; /* length */ 2691 tie->tim_count = 0; /* DTIM count */ 2692 tie->tim_period = vap->iv_dtim_period; /* DTIM period */ 2693 tie->tim_bitctl = 0; /* bitmap control */ 2694 tie->tim_bitmap[0] = 0; /* Partial Virtual Bitmap */ 2695 frm += sizeof(struct ieee80211_tim_ie); 2696 bo->bo_tim_len = 1; 2697 } 2698 bo->bo_tim_trailer = frm; 2699 if ((vap->iv_flags & IEEE80211_F_DOTH) || 2700 (vap->iv_flags_ext & IEEE80211_FEXT_DOTD)) 2701 frm = ieee80211_add_countryie(frm, ic); 2702 if (vap->iv_flags & IEEE80211_F_DOTH) { 2703 if (IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) 2704 frm = ieee80211_add_powerconstraint(frm, vap); 2705 bo->bo_csa = frm; 2706 if (ic->ic_flags & IEEE80211_F_CSAPENDING) 2707 frm = ieee80211_add_csa(frm, vap); 2708 } else 2709 bo->bo_csa = frm; 2710 2711 if (vap->iv_flags & IEEE80211_F_DOTH) { 2712 bo->bo_quiet = frm; 2713 if (IEEE80211_IS_CHAN_DFS(ic->ic_bsschan) && 2714 (vap->iv_flags_ext & IEEE80211_FEXT_DFS)) { 2715 if (vap->iv_quiet) 2716 frm = ieee80211_add_quiet(frm,vap); 2717 } 2718 } else 2719 bo->bo_quiet = frm; 2720 2721 if (IEEE80211_IS_CHAN_ANYG(ni->ni_chan)) { 2722 bo->bo_erp = frm; 2723 frm = ieee80211_add_erp(frm, ic); 2724 } 2725 frm = ieee80211_add_xrates(frm, rs); 2726 if (vap->iv_flags & IEEE80211_F_WPA2) { 2727 if (vap->iv_rsn_ie != NULL) 2728 frm = add_ie(frm, vap->iv_rsn_ie); 2729 /* XXX else complain */ 2730 } 2731 if (IEEE80211_IS_CHAN_HT(ni->ni_chan)) { 2732 frm = ieee80211_add_htcap(frm, ni); 2733 bo->bo_htinfo = frm; 2734 frm = ieee80211_add_htinfo(frm, ni); 2735 } 2736 if (vap->iv_flags & IEEE80211_F_WPA1) { 2737 if (vap->iv_wpa_ie != NULL) 2738 frm = add_ie(frm, vap->iv_wpa_ie); 2739 /* XXX else complain */ 2740 } 2741 if (vap->iv_flags & IEEE80211_F_WME) { 2742 bo->bo_wme = frm; 2743 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 2744 } 2745 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && 2746 (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT)) { 2747 frm = ieee80211_add_htcap_vendor(frm, ni); 2748 frm = ieee80211_add_htinfo_vendor(frm, ni); 2749 } 2750 #ifdef IEEE80211_SUPPORT_SUPERG 2751 if (vap->iv_flags & IEEE80211_F_ATHEROS) { 2752 bo->bo_ath = frm; 2753 frm = ieee80211_add_athcaps(frm, ni); 2754 } 2755 #endif 2756 #ifdef IEEE80211_SUPPORT_TDMA 2757 if (vap->iv_caps & IEEE80211_C_TDMA) { 2758 bo->bo_tdma = frm; 2759 frm = ieee80211_add_tdma(frm, vap); 2760 } 2761 #endif 2762 if (vap->iv_appie_beacon != NULL) { 2763 bo->bo_appie = frm; 2764 bo->bo_appie_len = vap->iv_appie_beacon->ie_len; 2765 frm = add_appie(frm, vap->iv_appie_beacon); 2766 } 2767 #ifdef IEEE80211_SUPPORT_MESH 2768 if (vap->iv_opmode == IEEE80211_M_MBSS) { 2769 frm = ieee80211_add_meshid(frm, vap); 2770 bo->bo_meshconf = frm; 2771 frm = ieee80211_add_meshconf(frm, vap); 2772 } 2773 #endif 2774 bo->bo_tim_trailer_len = frm - bo->bo_tim_trailer; 2775 bo->bo_csa_trailer_len = frm - bo->bo_csa; 2776 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2777 } 2778 2779 /* 2780 * Allocate a beacon frame and fillin the appropriate bits. 2781 */ 2782 struct mbuf * 2783 ieee80211_beacon_alloc(struct ieee80211_node *ni, 2784 struct ieee80211_beacon_offsets *bo) 2785 { 2786 struct ieee80211vap *vap = ni->ni_vap; 2787 struct ieee80211com *ic = ni->ni_ic; 2788 struct ifnet *ifp = vap->iv_ifp; 2789 struct ieee80211_frame *wh; 2790 struct mbuf *m; 2791 int pktlen; 2792 uint8_t *frm; 2793 2794 /* 2795 * beacon frame format 2796 * [8] time stamp 2797 * [2] beacon interval 2798 * [2] cabability information 2799 * [tlv] ssid 2800 * [tlv] supported rates 2801 * [3] parameter set (DS) 2802 * [8] CF parameter set (optional) 2803 * [tlv] parameter set (IBSS/TIM) 2804 * [tlv] country (optional) 2805 * [3] power control (optional) 2806 * [5] channel switch announcement (CSA) (optional) 2807 * [tlv] extended rate phy (ERP) 2808 * [tlv] extended supported rates 2809 * [tlv] RSN parameters 2810 * [tlv] HT capabilities 2811 * [tlv] HT information 2812 * [tlv] Vendor OUI HT capabilities (optional) 2813 * [tlv] Vendor OUI HT information (optional) 2814 * XXX Vendor-specific OIDs (e.g. Atheros) 2815 * [tlv] WPA parameters 2816 * [tlv] WME parameters 2817 * [tlv] TDMA parameters (optional) 2818 * [tlv] Mesh ID (MBSS) 2819 * [tlv] Mesh Conf (MBSS) 2820 * [tlv] application data (optional) 2821 * NB: we allocate the max space required for the TIM bitmap. 2822 * XXX how big is this? 2823 */ 2824 pktlen = 8 /* time stamp */ 2825 + sizeof(uint16_t) /* beacon interval */ 2826 + sizeof(uint16_t) /* capabilities */ 2827 + 2 + ni->ni_esslen /* ssid */ 2828 + 2 + IEEE80211_RATE_SIZE /* supported rates */ 2829 + 2 + 1 /* DS parameters */ 2830 + 2 + 6 /* CF parameters */ 2831 + 2 + 4 + vap->iv_tim_len /* DTIM/IBSSPARMS */ 2832 + IEEE80211_COUNTRY_MAX_SIZE /* country */ 2833 + 2 + 1 /* power control */ 2834 + sizeof(struct ieee80211_csa_ie) /* CSA */ 2835 + sizeof(struct ieee80211_quiet_ie) /* Quiet */ 2836 + 2 + 1 /* ERP */ 2837 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2838 + (vap->iv_caps & IEEE80211_C_WPA ? /* WPA 1+2 */ 2839 2*sizeof(struct ieee80211_ie_wpa) : 0) 2840 /* XXX conditional? */ 2841 + 4+2*sizeof(struct ieee80211_ie_htcap)/* HT caps */ 2842 + 4+2*sizeof(struct ieee80211_ie_htinfo)/* HT info */ 2843 + (vap->iv_caps & IEEE80211_C_WME ? /* WME */ 2844 sizeof(struct ieee80211_wme_param) : 0) 2845 #ifdef IEEE80211_SUPPORT_SUPERG 2846 + sizeof(struct ieee80211_ath_ie) /* ATH */ 2847 #endif 2848 #ifdef IEEE80211_SUPPORT_TDMA 2849 + (vap->iv_caps & IEEE80211_C_TDMA ? /* TDMA */ 2850 sizeof(struct ieee80211_tdma_param) : 0) 2851 #endif 2852 #ifdef IEEE80211_SUPPORT_MESH 2853 + 2 + ni->ni_meshidlen 2854 + sizeof(struct ieee80211_meshconf_ie) 2855 #endif 2856 + IEEE80211_MAX_APPIE 2857 ; 2858 m = ieee80211_getmgtframe(&frm, 2859 ic->ic_headroom + sizeof(struct ieee80211_frame), pktlen); 2860 if (m == NULL) { 2861 IEEE80211_DPRINTF(vap, IEEE80211_MSG_ANY, 2862 "%s: cannot get buf; size %u\n", __func__, pktlen); 2863 vap->iv_stats.is_tx_nobuf++; 2864 return NULL; 2865 } 2866 ieee80211_beacon_construct(m, frm, bo, ni); 2867 2868 M_PREPEND(m, sizeof(struct ieee80211_frame), M_NOWAIT); 2869 KASSERT(m != NULL, ("no space for 802.11 header?")); 2870 wh = mtod(m, struct ieee80211_frame *); 2871 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | 2872 IEEE80211_FC0_SUBTYPE_BEACON; 2873 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2874 *(uint16_t *)wh->i_dur = 0; 2875 IEEE80211_ADDR_COPY(wh->i_addr1, ifp->if_broadcastaddr); 2876 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 2877 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 2878 *(uint16_t *)wh->i_seq = 0; 2879 2880 return m; 2881 } 2882 2883 /* 2884 * Update the dynamic parts of a beacon frame based on the current state. 2885 */ 2886 int 2887 ieee80211_beacon_update(struct ieee80211_node *ni, 2888 struct ieee80211_beacon_offsets *bo, struct mbuf *m, int mcast) 2889 { 2890 struct ieee80211vap *vap = ni->ni_vap; 2891 struct ieee80211com *ic = ni->ni_ic; 2892 int len_changed = 0; 2893 uint16_t capinfo; 2894 struct ieee80211_frame *wh; 2895 ieee80211_seq seqno; 2896 2897 IEEE80211_LOCK(ic); 2898 /* 2899 * Handle 11h channel change when we've reached the count. 2900 * We must recalculate the beacon frame contents to account 2901 * for the new channel. Note we do this only for the first 2902 * vap that reaches this point; subsequent vaps just update 2903 * their beacon state to reflect the recalculated channel. 2904 */ 2905 if (isset(bo->bo_flags, IEEE80211_BEACON_CSA) && 2906 vap->iv_csa_count == ic->ic_csa_count) { 2907 vap->iv_csa_count = 0; 2908 /* 2909 * Effect channel change before reconstructing the beacon 2910 * frame contents as many places reference ni_chan. 2911 */ 2912 if (ic->ic_csa_newchan != NULL) 2913 ieee80211_csa_completeswitch(ic); 2914 /* 2915 * NB: ieee80211_beacon_construct clears all pending 2916 * updates in bo_flags so we don't need to explicitly 2917 * clear IEEE80211_BEACON_CSA. 2918 */ 2919 ieee80211_beacon_construct(m, 2920 mtod(m, uint8_t*) + sizeof(struct ieee80211_frame), bo, ni); 2921 2922 /* XXX do WME aggressive mode processing? */ 2923 IEEE80211_UNLOCK(ic); 2924 return 1; /* just assume length changed */ 2925 } 2926 2927 wh = mtod(m, struct ieee80211_frame *); 2928 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++; 2929 *(uint16_t *)&wh->i_seq[0] = 2930 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 2931 M_SEQNO_SET(m, seqno); 2932 2933 /* XXX faster to recalculate entirely or just changes? */ 2934 capinfo = ieee80211_getcapinfo(vap, ni->ni_chan); 2935 *bo->bo_caps = htole16(capinfo); 2936 2937 if (vap->iv_flags & IEEE80211_F_WME) { 2938 struct ieee80211_wme_state *wme = &ic->ic_wme; 2939 2940 /* 2941 * Check for agressive mode change. When there is 2942 * significant high priority traffic in the BSS 2943 * throttle back BE traffic by using conservative 2944 * parameters. Otherwise BE uses agressive params 2945 * to optimize performance of legacy/non-QoS traffic. 2946 */ 2947 if (wme->wme_flags & WME_F_AGGRMODE) { 2948 if (wme->wme_hipri_traffic > 2949 wme->wme_hipri_switch_thresh) { 2950 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME, 2951 "%s: traffic %u, disable aggressive mode\n", 2952 __func__, wme->wme_hipri_traffic); 2953 wme->wme_flags &= ~WME_F_AGGRMODE; 2954 ieee80211_wme_updateparams_locked(vap); 2955 wme->wme_hipri_traffic = 2956 wme->wme_hipri_switch_hysteresis; 2957 } else 2958 wme->wme_hipri_traffic = 0; 2959 } else { 2960 if (wme->wme_hipri_traffic <= 2961 wme->wme_hipri_switch_thresh) { 2962 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME, 2963 "%s: traffic %u, enable aggressive mode\n", 2964 __func__, wme->wme_hipri_traffic); 2965 wme->wme_flags |= WME_F_AGGRMODE; 2966 ieee80211_wme_updateparams_locked(vap); 2967 wme->wme_hipri_traffic = 0; 2968 } else 2969 wme->wme_hipri_traffic = 2970 wme->wme_hipri_switch_hysteresis; 2971 } 2972 if (isset(bo->bo_flags, IEEE80211_BEACON_WME)) { 2973 (void) ieee80211_add_wme_param(bo->bo_wme, wme); 2974 clrbit(bo->bo_flags, IEEE80211_BEACON_WME); 2975 } 2976 } 2977 2978 if (isset(bo->bo_flags, IEEE80211_BEACON_HTINFO)) { 2979 ieee80211_ht_update_beacon(vap, bo); 2980 clrbit(bo->bo_flags, IEEE80211_BEACON_HTINFO); 2981 } 2982 #ifdef IEEE80211_SUPPORT_TDMA 2983 if (vap->iv_caps & IEEE80211_C_TDMA) { 2984 /* 2985 * NB: the beacon is potentially updated every TBTT. 2986 */ 2987 ieee80211_tdma_update_beacon(vap, bo); 2988 } 2989 #endif 2990 #ifdef IEEE80211_SUPPORT_MESH 2991 if (vap->iv_opmode == IEEE80211_M_MBSS) 2992 ieee80211_mesh_update_beacon(vap, bo); 2993 #endif 2994 2995 if (vap->iv_opmode == IEEE80211_M_HOSTAP || 2996 vap->iv_opmode == IEEE80211_M_MBSS) { /* NB: no IBSS support*/ 2997 struct ieee80211_tim_ie *tie = 2998 (struct ieee80211_tim_ie *) bo->bo_tim; 2999 if (isset(bo->bo_flags, IEEE80211_BEACON_TIM)) { 3000 u_int timlen, timoff, i; 3001 /* 3002 * ATIM/DTIM needs updating. If it fits in the 3003 * current space allocated then just copy in the 3004 * new bits. Otherwise we need to move any trailing 3005 * data to make room. Note that we know there is 3006 * contiguous space because ieee80211_beacon_allocate 3007 * insures there is space in the mbuf to write a 3008 * maximal-size virtual bitmap (based on iv_max_aid). 3009 */ 3010 /* 3011 * Calculate the bitmap size and offset, copy any 3012 * trailer out of the way, and then copy in the 3013 * new bitmap and update the information element. 3014 * Note that the tim bitmap must contain at least 3015 * one byte and any offset must be even. 3016 */ 3017 if (vap->iv_ps_pending != 0) { 3018 timoff = 128; /* impossibly large */ 3019 for (i = 0; i < vap->iv_tim_len; i++) 3020 if (vap->iv_tim_bitmap[i]) { 3021 timoff = i &~ 1; 3022 break; 3023 } 3024 KASSERT(timoff != 128, ("tim bitmap empty!")); 3025 for (i = vap->iv_tim_len-1; i >= timoff; i--) 3026 if (vap->iv_tim_bitmap[i]) 3027 break; 3028 timlen = 1 + (i - timoff); 3029 } else { 3030 timoff = 0; 3031 timlen = 1; 3032 } 3033 if (timlen != bo->bo_tim_len) { 3034 /* copy up/down trailer */ 3035 int adjust = tie->tim_bitmap+timlen 3036 - bo->bo_tim_trailer; 3037 ovbcopy(bo->bo_tim_trailer, 3038 bo->bo_tim_trailer+adjust, 3039 bo->bo_tim_trailer_len); 3040 bo->bo_tim_trailer += adjust; 3041 bo->bo_erp += adjust; 3042 bo->bo_htinfo += adjust; 3043 #ifdef IEEE80211_SUPPORT_SUPERG 3044 bo->bo_ath += adjust; 3045 #endif 3046 #ifdef IEEE80211_SUPPORT_TDMA 3047 bo->bo_tdma += adjust; 3048 #endif 3049 #ifdef IEEE80211_SUPPORT_MESH 3050 bo->bo_meshconf += adjust; 3051 #endif 3052 bo->bo_appie += adjust; 3053 bo->bo_wme += adjust; 3054 bo->bo_csa += adjust; 3055 bo->bo_quiet += adjust; 3056 bo->bo_tim_len = timlen; 3057 3058 /* update information element */ 3059 tie->tim_len = 3 + timlen; 3060 tie->tim_bitctl = timoff; 3061 len_changed = 1; 3062 } 3063 memcpy(tie->tim_bitmap, vap->iv_tim_bitmap + timoff, 3064 bo->bo_tim_len); 3065 3066 clrbit(bo->bo_flags, IEEE80211_BEACON_TIM); 3067 3068 IEEE80211_DPRINTF(vap, IEEE80211_MSG_POWER, 3069 "%s: TIM updated, pending %u, off %u, len %u\n", 3070 __func__, vap->iv_ps_pending, timoff, timlen); 3071 } 3072 /* count down DTIM period */ 3073 if (tie->tim_count == 0) 3074 tie->tim_count = tie->tim_period - 1; 3075 else 3076 tie->tim_count--; 3077 /* update state for buffered multicast frames on DTIM */ 3078 if (mcast && tie->tim_count == 0) 3079 tie->tim_bitctl |= 1; 3080 else 3081 tie->tim_bitctl &= ~1; 3082 if (isset(bo->bo_flags, IEEE80211_BEACON_CSA)) { 3083 struct ieee80211_csa_ie *csa = 3084 (struct ieee80211_csa_ie *) bo->bo_csa; 3085 3086 /* 3087 * Insert or update CSA ie. If we're just starting 3088 * to count down to the channel switch then we need 3089 * to insert the CSA ie. Otherwise we just need to 3090 * drop the count. The actual change happens above 3091 * when the vap's count reaches the target count. 3092 */ 3093 if (vap->iv_csa_count == 0) { 3094 memmove(&csa[1], csa, bo->bo_csa_trailer_len); 3095 bo->bo_erp += sizeof(*csa); 3096 bo->bo_htinfo += sizeof(*csa); 3097 bo->bo_wme += sizeof(*csa); 3098 #ifdef IEEE80211_SUPPORT_SUPERG 3099 bo->bo_ath += sizeof(*csa); 3100 #endif 3101 #ifdef IEEE80211_SUPPORT_TDMA 3102 bo->bo_tdma += sizeof(*csa); 3103 #endif 3104 #ifdef IEEE80211_SUPPORT_MESH 3105 bo->bo_meshconf += sizeof(*csa); 3106 #endif 3107 bo->bo_appie += sizeof(*csa); 3108 bo->bo_csa_trailer_len += sizeof(*csa); 3109 bo->bo_quiet += sizeof(*csa); 3110 bo->bo_tim_trailer_len += sizeof(*csa); 3111 m->m_len += sizeof(*csa); 3112 m->m_pkthdr.len += sizeof(*csa); 3113 3114 ieee80211_add_csa(bo->bo_csa, vap); 3115 } else 3116 csa->csa_count--; 3117 vap->iv_csa_count++; 3118 /* NB: don't clear IEEE80211_BEACON_CSA */ 3119 } 3120 if (IEEE80211_IS_CHAN_DFS(ic->ic_bsschan) && 3121 (vap->iv_flags_ext & IEEE80211_FEXT_DFS) ){ 3122 if (vap->iv_quiet) 3123 ieee80211_add_quiet(bo->bo_quiet, vap); 3124 } 3125 if (isset(bo->bo_flags, IEEE80211_BEACON_ERP)) { 3126 /* 3127 * ERP element needs updating. 3128 */ 3129 (void) ieee80211_add_erp(bo->bo_erp, ic); 3130 clrbit(bo->bo_flags, IEEE80211_BEACON_ERP); 3131 } 3132 #ifdef IEEE80211_SUPPORT_SUPERG 3133 if (isset(bo->bo_flags, IEEE80211_BEACON_ATH)) { 3134 ieee80211_add_athcaps(bo->bo_ath, ni); 3135 clrbit(bo->bo_flags, IEEE80211_BEACON_ATH); 3136 } 3137 #endif 3138 } 3139 if (isset(bo->bo_flags, IEEE80211_BEACON_APPIE)) { 3140 const struct ieee80211_appie *aie = vap->iv_appie_beacon; 3141 int aielen; 3142 uint8_t *frm; 3143 3144 aielen = 0; 3145 if (aie != NULL) 3146 aielen += aie->ie_len; 3147 if (aielen != bo->bo_appie_len) { 3148 /* copy up/down trailer */ 3149 int adjust = aielen - bo->bo_appie_len; 3150 ovbcopy(bo->bo_tim_trailer, bo->bo_tim_trailer+adjust, 3151 bo->bo_tim_trailer_len); 3152 bo->bo_tim_trailer += adjust; 3153 bo->bo_appie += adjust; 3154 bo->bo_appie_len = aielen; 3155 3156 len_changed = 1; 3157 } 3158 frm = bo->bo_appie; 3159 if (aie != NULL) 3160 frm = add_appie(frm, aie); 3161 clrbit(bo->bo_flags, IEEE80211_BEACON_APPIE); 3162 } 3163 IEEE80211_UNLOCK(ic); 3164 3165 return len_changed; 3166 } 3167