ieee80211_output.c revision 219604
1/*- 2 * Copyright (c) 2001 Atsushi Onoe 3 * Copyright (c) 2002-2009 Sam Leffler, Errno Consulting 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27#include <sys/cdefs.h> 28__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_output.c 219604 2011-03-13 12:56:46Z bschmidt $"); 29 30#include "opt_inet.h" 31#include "opt_inet6.h" 32#include "opt_wlan.h" 33 34#include <sys/param.h> 35#include <sys/systm.h> 36#include <sys/mbuf.h> 37#include <sys/kernel.h> 38#include <sys/endian.h> 39 40#include <sys/socket.h> 41 42#include <net/bpf.h> 43#include <net/ethernet.h> 44#include <net/if.h> 45#include <net/if_llc.h> 46#include <net/if_media.h> 47#include <net/if_vlan_var.h> 48 49#include <net80211/ieee80211_var.h> 50#include <net80211/ieee80211_regdomain.h> 51#ifdef IEEE80211_SUPPORT_SUPERG 52#include <net80211/ieee80211_superg.h> 53#endif 54#ifdef IEEE80211_SUPPORT_TDMA 55#include <net80211/ieee80211_tdma.h> 56#endif 57#include <net80211/ieee80211_wds.h> 58#include <net80211/ieee80211_mesh.h> 59 60#ifdef INET 61#include <netinet/in.h> 62#include <netinet/if_ether.h> 63#include <netinet/in_systm.h> 64#include <netinet/ip.h> 65#endif 66#ifdef INET6 67#include <netinet/ip6.h> 68#endif 69 70#include <security/mac/mac_framework.h> 71 72#define ETHER_HEADER_COPY(dst, src) \ 73 memcpy(dst, src, sizeof(struct ether_header)) 74 75/* unalligned little endian access */ 76#define LE_WRITE_2(p, v) do { \ 77 ((uint8_t *)(p))[0] = (v) & 0xff; \ 78 ((uint8_t *)(p))[1] = ((v) >> 8) & 0xff; \ 79} while (0) 80#define LE_WRITE_4(p, v) do { \ 81 ((uint8_t *)(p))[0] = (v) & 0xff; \ 82 ((uint8_t *)(p))[1] = ((v) >> 8) & 0xff; \ 83 ((uint8_t *)(p))[2] = ((v) >> 16) & 0xff; \ 84 ((uint8_t *)(p))[3] = ((v) >> 24) & 0xff; \ 85} while (0) 86 87static int ieee80211_fragment(struct ieee80211vap *, struct mbuf *, 88 u_int hdrsize, u_int ciphdrsize, u_int mtu); 89static void ieee80211_tx_mgt_cb(struct ieee80211_node *, void *, int); 90 91#ifdef IEEE80211_DEBUG 92/* 93 * Decide if an outbound management frame should be 94 * printed when debugging is enabled. This filters some 95 * of the less interesting frames that come frequently 96 * (e.g. beacons). 97 */ 98static __inline int 99doprint(struct ieee80211vap *vap, int subtype) 100{ 101 switch (subtype) { 102 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 103 return (vap->iv_opmode == IEEE80211_M_IBSS); 104 } 105 return 1; 106} 107#endif 108 109/* 110 * Start method for vap's. All packets from the stack come 111 * through here. We handle common processing of the packets 112 * before dispatching them to the underlying device. 113 */ 114void 115ieee80211_start(struct ifnet *ifp) 116{ 117#define IS_DWDS(vap) \ 118 (vap->iv_opmode == IEEE80211_M_WDS && \ 119 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY) == 0) 120 struct ieee80211vap *vap = ifp->if_softc; 121 struct ieee80211com *ic = vap->iv_ic; 122 struct ifnet *parent = ic->ic_ifp; 123 struct ieee80211_node *ni; 124 struct mbuf *m; 125 struct ether_header *eh; 126 int error; 127 128 /* NB: parent must be up and running */ 129 if (!IFNET_IS_UP_RUNNING(parent)) { 130 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 131 "%s: ignore queue, parent %s not up+running\n", 132 __func__, parent->if_xname); 133 /* XXX stat */ 134 return; 135 } 136 if (vap->iv_state == IEEE80211_S_SLEEP) { 137 /* 138 * In power save, wakeup device for transmit. 139 */ 140 ieee80211_new_state(vap, IEEE80211_S_RUN, 0); 141 return; 142 } 143 /* 144 * No data frames go out unless we're running. 145 * Note in particular this covers CAC and CSA 146 * states (though maybe we should check muting 147 * for CSA). 148 */ 149 if (vap->iv_state != IEEE80211_S_RUN) { 150 IEEE80211_LOCK(ic); 151 /* re-check under the com lock to avoid races */ 152 if (vap->iv_state != IEEE80211_S_RUN) { 153 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 154 "%s: ignore queue, in %s state\n", 155 __func__, ieee80211_state_name[vap->iv_state]); 156 vap->iv_stats.is_tx_badstate++; 157 ifp->if_drv_flags |= IFF_DRV_OACTIVE; 158 IEEE80211_UNLOCK(ic); 159 return; 160 } 161 IEEE80211_UNLOCK(ic); 162 } 163 for (;;) { 164 IFQ_DEQUEUE(&ifp->if_snd, m); 165 if (m == NULL) 166 break; 167 /* 168 * Sanitize mbuf flags for net80211 use. We cannot 169 * clear M_PWR_SAV or M_MORE_DATA because these may 170 * be set for frames that are re-submitted from the 171 * power save queue. 172 * 173 * NB: This must be done before ieee80211_classify as 174 * it marks EAPOL in frames with M_EAPOL. 175 */ 176 m->m_flags &= ~(M_80211_TX - M_PWR_SAV - M_MORE_DATA); 177 /* 178 * Cancel any background scan. 179 */ 180 if (ic->ic_flags & IEEE80211_F_SCAN) 181 ieee80211_cancel_anyscan(vap); 182 /* 183 * Find the node for the destination so we can do 184 * things like power save and fast frames aggregation. 185 * 186 * NB: past this point various code assumes the first 187 * mbuf has the 802.3 header present (and contiguous). 188 */ 189 ni = NULL; 190 if (m->m_len < sizeof(struct ether_header) && 191 (m = m_pullup(m, sizeof(struct ether_header))) == NULL) { 192 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 193 "discard frame, %s\n", "m_pullup failed"); 194 vap->iv_stats.is_tx_nobuf++; /* XXX */ 195 ifp->if_oerrors++; 196 continue; 197 } 198 eh = mtod(m, struct ether_header *); 199 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 200 if (IS_DWDS(vap)) { 201 /* 202 * Only unicast frames from the above go out 203 * DWDS vaps; multicast frames are handled by 204 * dispatching the frame as it comes through 205 * the AP vap (see below). 206 */ 207 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_WDS, 208 eh->ether_dhost, "mcast", "%s", "on DWDS"); 209 vap->iv_stats.is_dwds_mcast++; 210 m_freem(m); 211 continue; 212 } 213 if (vap->iv_opmode == IEEE80211_M_HOSTAP) { 214 /* 215 * Spam DWDS vap's w/ multicast traffic. 216 */ 217 /* XXX only if dwds in use? */ 218 ieee80211_dwds_mcast(vap, m); 219 } 220 } 221#ifdef IEEE80211_SUPPORT_MESH 222 if (vap->iv_opmode != IEEE80211_M_MBSS) { 223#endif 224 ni = ieee80211_find_txnode(vap, eh->ether_dhost); 225 if (ni == NULL) { 226 /* NB: ieee80211_find_txnode does stat+msg */ 227 ifp->if_oerrors++; 228 m_freem(m); 229 continue; 230 } 231 if (ni->ni_associd == 0 && 232 (ni->ni_flags & IEEE80211_NODE_ASSOCID)) { 233 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT, 234 eh->ether_dhost, NULL, 235 "sta not associated (type 0x%04x)", 236 htons(eh->ether_type)); 237 vap->iv_stats.is_tx_notassoc++; 238 ifp->if_oerrors++; 239 m_freem(m); 240 ieee80211_free_node(ni); 241 continue; 242 } 243#ifdef IEEE80211_SUPPORT_MESH 244 } else { 245 if (!IEEE80211_ADDR_EQ(eh->ether_shost, vap->iv_myaddr)) { 246 /* 247 * Proxy station only if configured. 248 */ 249 if (!ieee80211_mesh_isproxyena(vap)) { 250 IEEE80211_DISCARD_MAC(vap, 251 IEEE80211_MSG_OUTPUT | 252 IEEE80211_MSG_MESH, 253 eh->ether_dhost, NULL, 254 "%s", "proxy not enabled"); 255 vap->iv_stats.is_mesh_notproxy++; 256 ifp->if_oerrors++; 257 m_freem(m); 258 continue; 259 } 260 ieee80211_mesh_proxy_check(vap, eh->ether_shost); 261 } 262 ni = ieee80211_mesh_discover(vap, eh->ether_dhost, m); 263 if (ni == NULL) { 264 /* 265 * NB: ieee80211_mesh_discover holds/disposes 266 * frame (e.g. queueing on path discovery). 267 */ 268 ifp->if_oerrors++; 269 continue; 270 } 271 } 272#endif 273 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 274 (m->m_flags & M_PWR_SAV) == 0) { 275 /* 276 * Station in power save mode; pass the frame 277 * to the 802.11 layer and continue. We'll get 278 * the frame back when the time is right. 279 * XXX lose WDS vap linkage? 280 */ 281 (void) ieee80211_pwrsave(ni, m); 282 ieee80211_free_node(ni); 283 continue; 284 } 285 /* calculate priority so drivers can find the tx queue */ 286 if (ieee80211_classify(ni, m)) { 287 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT, 288 eh->ether_dhost, NULL, 289 "%s", "classification failure"); 290 vap->iv_stats.is_tx_classify++; 291 ifp->if_oerrors++; 292 m_freem(m); 293 ieee80211_free_node(ni); 294 continue; 295 } 296 /* 297 * Stash the node pointer. Note that we do this after 298 * any call to ieee80211_dwds_mcast because that code 299 * uses any existing value for rcvif to identify the 300 * interface it (might have been) received on. 301 */ 302 m->m_pkthdr.rcvif = (void *)ni; 303 304 BPF_MTAP(ifp, m); /* 802.3 tx */ 305 306 /* 307 * Check if A-MPDU tx aggregation is setup or if we 308 * should try to enable it. The sta must be associated 309 * with HT and A-MPDU enabled for use. When the policy 310 * routine decides we should enable A-MPDU we issue an 311 * ADDBA request and wait for a reply. The frame being 312 * encapsulated will go out w/o using A-MPDU, or possibly 313 * it might be collected by the driver and held/retransmit. 314 * The default ic_ampdu_enable routine handles staggering 315 * ADDBA requests in case the receiver NAK's us or we are 316 * otherwise unable to establish a BA stream. 317 */ 318 if ((ni->ni_flags & IEEE80211_NODE_AMPDU_TX) && 319 (vap->iv_flags_ht & IEEE80211_FHT_AMPDU_TX) && 320 (m->m_flags & M_EAPOL) == 0) { 321 const int ac = M_WME_GETAC(m); 322 struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[ac]; 323 324 ieee80211_txampdu_count_packet(tap); 325 if (IEEE80211_AMPDU_RUNNING(tap)) { 326 /* 327 * Operational, mark frame for aggregation. 328 * 329 * XXX do tx aggregation here 330 */ 331 m->m_flags |= M_AMPDU_MPDU; 332 } else if (!IEEE80211_AMPDU_REQUESTED(tap) && 333 ic->ic_ampdu_enable(ni, tap)) { 334 /* 335 * Not negotiated yet, request service. 336 */ 337 ieee80211_ampdu_request(ni, tap); 338 /* XXX hold frame for reply? */ 339 } 340 } 341#ifdef IEEE80211_SUPPORT_SUPERG 342 else if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF)) { 343 m = ieee80211_ff_check(ni, m); 344 if (m == NULL) { 345 /* NB: any ni ref held on stageq */ 346 continue; 347 } 348 } 349#endif /* IEEE80211_SUPPORT_SUPERG */ 350 if (__predict_true((vap->iv_caps & IEEE80211_C_8023ENCAP) == 0)) { 351 /* 352 * Encapsulate the packet in prep for transmission. 353 */ 354 m = ieee80211_encap(vap, ni, m); 355 if (m == NULL) { 356 /* NB: stat+msg handled in ieee80211_encap */ 357 ieee80211_free_node(ni); 358 continue; 359 } 360 } 361 362 error = parent->if_transmit(parent, m); 363 if (error != 0) { 364 /* NB: IFQ_HANDOFF reclaims mbuf */ 365 ieee80211_free_node(ni); 366 } else { 367 ifp->if_opackets++; 368 } 369 ic->ic_lastdata = ticks; 370 } 371#undef IS_DWDS 372} 373 374/* 375 * 802.11 output routine. This is (currently) used only to 376 * connect bpf write calls to the 802.11 layer for injecting 377 * raw 802.11 frames. 378 */ 379int 380ieee80211_output(struct ifnet *ifp, struct mbuf *m, 381 struct sockaddr *dst, struct route *ro) 382{ 383#define senderr(e) do { error = (e); goto bad;} while (0) 384 struct ieee80211_node *ni = NULL; 385 struct ieee80211vap *vap; 386 struct ieee80211_frame *wh; 387 int error; 388 389 if (ifp->if_drv_flags & IFF_DRV_OACTIVE) { 390 /* 391 * Short-circuit requests if the vap is marked OACTIVE 392 * as this can happen because a packet came down through 393 * ieee80211_start before the vap entered RUN state in 394 * which case it's ok to just drop the frame. This 395 * should not be necessary but callers of if_output don't 396 * check OACTIVE. 397 */ 398 senderr(ENETDOWN); 399 } 400 vap = ifp->if_softc; 401 /* 402 * Hand to the 802.3 code if not tagged as 403 * a raw 802.11 frame. 404 */ 405 if (dst->sa_family != AF_IEEE80211) 406 return vap->iv_output(ifp, m, dst, ro); 407#ifdef MAC 408 error = mac_ifnet_check_transmit(ifp, m); 409 if (error) 410 senderr(error); 411#endif 412 if (ifp->if_flags & IFF_MONITOR) 413 senderr(ENETDOWN); 414 if (!IFNET_IS_UP_RUNNING(ifp)) 415 senderr(ENETDOWN); 416 if (vap->iv_state == IEEE80211_S_CAC) { 417 IEEE80211_DPRINTF(vap, 418 IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 419 "block %s frame in CAC state\n", "raw data"); 420 vap->iv_stats.is_tx_badstate++; 421 senderr(EIO); /* XXX */ 422 } else if (vap->iv_state == IEEE80211_S_SCAN) 423 senderr(EIO); 424 /* XXX bypass bridge, pfil, carp, etc. */ 425 426 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_ack)) 427 senderr(EIO); /* XXX */ 428 wh = mtod(m, struct ieee80211_frame *); 429 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 430 IEEE80211_FC0_VERSION_0) 431 senderr(EIO); /* XXX */ 432 433 /* locate destination node */ 434 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 435 case IEEE80211_FC1_DIR_NODS: 436 case IEEE80211_FC1_DIR_FROMDS: 437 ni = ieee80211_find_txnode(vap, wh->i_addr1); 438 break; 439 case IEEE80211_FC1_DIR_TODS: 440 case IEEE80211_FC1_DIR_DSTODS: 441 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) 442 senderr(EIO); /* XXX */ 443 ni = ieee80211_find_txnode(vap, wh->i_addr3); 444 break; 445 default: 446 senderr(EIO); /* XXX */ 447 } 448 if (ni == NULL) { 449 /* 450 * Permit packets w/ bpf params through regardless 451 * (see below about sa_len). 452 */ 453 if (dst->sa_len == 0) 454 senderr(EHOSTUNREACH); 455 ni = ieee80211_ref_node(vap->iv_bss); 456 } 457 458 /* 459 * Sanitize mbuf for net80211 flags leaked from above. 460 * 461 * NB: This must be done before ieee80211_classify as 462 * it marks EAPOL in frames with M_EAPOL. 463 */ 464 m->m_flags &= ~M_80211_TX; 465 466 /* calculate priority so drivers can find the tx queue */ 467 /* XXX assumes an 802.3 frame */ 468 if (ieee80211_classify(ni, m)) 469 senderr(EIO); /* XXX */ 470 471 ifp->if_opackets++; 472 IEEE80211_NODE_STAT(ni, tx_data); 473 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 474 IEEE80211_NODE_STAT(ni, tx_mcast); 475 m->m_flags |= M_MCAST; 476 } else 477 IEEE80211_NODE_STAT(ni, tx_ucast); 478 /* NB: ieee80211_encap does not include 802.11 header */ 479 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, m->m_pkthdr.len); 480 481 /* 482 * NB: DLT_IEEE802_11_RADIO identifies the parameters are 483 * present by setting the sa_len field of the sockaddr (yes, 484 * this is a hack). 485 * NB: we assume sa_data is suitably aligned to cast. 486 */ 487 return vap->iv_ic->ic_raw_xmit(ni, m, 488 (const struct ieee80211_bpf_params *)(dst->sa_len ? 489 dst->sa_data : NULL)); 490bad: 491 if (m != NULL) 492 m_freem(m); 493 if (ni != NULL) 494 ieee80211_free_node(ni); 495 ifp->if_oerrors++; 496 return error; 497#undef senderr 498} 499 500/* 501 * Set the direction field and address fields of an outgoing 502 * frame. Note this should be called early on in constructing 503 * a frame as it sets i_fc[1]; other bits can then be or'd in. 504 */ 505void 506ieee80211_send_setup( 507 struct ieee80211_node *ni, 508 struct mbuf *m, 509 int type, int tid, 510 const uint8_t sa[IEEE80211_ADDR_LEN], 511 const uint8_t da[IEEE80211_ADDR_LEN], 512 const uint8_t bssid[IEEE80211_ADDR_LEN]) 513{ 514#define WH4(wh) ((struct ieee80211_frame_addr4 *)wh) 515 struct ieee80211vap *vap = ni->ni_vap; 516 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 517 ieee80211_seq seqno; 518 519 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | type; 520 if ((type & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_DATA) { 521 switch (vap->iv_opmode) { 522 case IEEE80211_M_STA: 523 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 524 IEEE80211_ADDR_COPY(wh->i_addr1, bssid); 525 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 526 IEEE80211_ADDR_COPY(wh->i_addr3, da); 527 break; 528 case IEEE80211_M_IBSS: 529 case IEEE80211_M_AHDEMO: 530 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 531 IEEE80211_ADDR_COPY(wh->i_addr1, da); 532 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 533 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 534 break; 535 case IEEE80211_M_HOSTAP: 536 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 537 IEEE80211_ADDR_COPY(wh->i_addr1, da); 538 IEEE80211_ADDR_COPY(wh->i_addr2, bssid); 539 IEEE80211_ADDR_COPY(wh->i_addr3, sa); 540 break; 541 case IEEE80211_M_WDS: 542 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 543 IEEE80211_ADDR_COPY(wh->i_addr1, da); 544 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 545 IEEE80211_ADDR_COPY(wh->i_addr3, da); 546 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa); 547 break; 548 case IEEE80211_M_MBSS: 549#ifdef IEEE80211_SUPPORT_MESH 550 /* XXX add support for proxied addresses */ 551 if (IEEE80211_IS_MULTICAST(da)) { 552 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 553 /* XXX next hop */ 554 IEEE80211_ADDR_COPY(wh->i_addr1, da); 555 IEEE80211_ADDR_COPY(wh->i_addr2, 556 vap->iv_myaddr); 557 } else { 558 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 559 IEEE80211_ADDR_COPY(wh->i_addr1, da); 560 IEEE80211_ADDR_COPY(wh->i_addr2, 561 vap->iv_myaddr); 562 IEEE80211_ADDR_COPY(wh->i_addr3, da); 563 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa); 564 } 565#endif 566 break; 567 case IEEE80211_M_MONITOR: /* NB: to quiet compiler */ 568 break; 569 } 570 } else { 571 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 572 IEEE80211_ADDR_COPY(wh->i_addr1, da); 573 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 574#ifdef IEEE80211_SUPPORT_MESH 575 if (vap->iv_opmode == IEEE80211_M_MBSS) 576 IEEE80211_ADDR_COPY(wh->i_addr3, sa); 577 else 578#endif 579 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 580 } 581 *(uint16_t *)&wh->i_dur[0] = 0; 582 583 seqno = ni->ni_txseqs[tid]++; 584 *(uint16_t *)&wh->i_seq[0] = htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 585 M_SEQNO_SET(m, seqno); 586 587 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) 588 m->m_flags |= M_MCAST; 589#undef WH4 590} 591 592/* 593 * Send a management frame to the specified node. The node pointer 594 * must have a reference as the pointer will be passed to the driver 595 * and potentially held for a long time. If the frame is successfully 596 * dispatched to the driver, then it is responsible for freeing the 597 * reference (and potentially free'ing up any associated storage); 598 * otherwise deal with reclaiming any reference (on error). 599 */ 600int 601ieee80211_mgmt_output(struct ieee80211_node *ni, struct mbuf *m, int type, 602 struct ieee80211_bpf_params *params) 603{ 604 struct ieee80211vap *vap = ni->ni_vap; 605 struct ieee80211com *ic = ni->ni_ic; 606 struct ieee80211_frame *wh; 607 608 KASSERT(ni != NULL, ("null node")); 609 610 if (vap->iv_state == IEEE80211_S_CAC) { 611 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 612 ni, "block %s frame in CAC state", 613 ieee80211_mgt_subtype_name[ 614 (type & IEEE80211_FC0_SUBTYPE_MASK) >> 615 IEEE80211_FC0_SUBTYPE_SHIFT]); 616 vap->iv_stats.is_tx_badstate++; 617 ieee80211_free_node(ni); 618 m_freem(m); 619 return EIO; /* XXX */ 620 } 621 622 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 623 if (m == NULL) { 624 ieee80211_free_node(ni); 625 return ENOMEM; 626 } 627 628 wh = mtod(m, struct ieee80211_frame *); 629 ieee80211_send_setup(ni, m, 630 IEEE80211_FC0_TYPE_MGT | type, IEEE80211_NONQOS_TID, 631 vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 632 if (params->ibp_flags & IEEE80211_BPF_CRYPTO) { 633 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr1, 634 "encrypting frame (%s)", __func__); 635 wh->i_fc[1] |= IEEE80211_FC1_WEP; 636 } 637 m->m_flags |= M_ENCAP; /* mark encapsulated */ 638 639 KASSERT(type != IEEE80211_FC0_SUBTYPE_PROBE_RESP, ("probe response?")); 640 M_WME_SETAC(m, params->ibp_pri); 641 642#ifdef IEEE80211_DEBUG 643 /* avoid printing too many frames */ 644 if ((ieee80211_msg_debug(vap) && doprint(vap, type)) || 645 ieee80211_msg_dumppkts(vap)) { 646 printf("[%s] send %s on channel %u\n", 647 ether_sprintf(wh->i_addr1), 648 ieee80211_mgt_subtype_name[ 649 (type & IEEE80211_FC0_SUBTYPE_MASK) >> 650 IEEE80211_FC0_SUBTYPE_SHIFT], 651 ieee80211_chan2ieee(ic, ic->ic_curchan)); 652 } 653#endif 654 IEEE80211_NODE_STAT(ni, tx_mgmt); 655 656 return ic->ic_raw_xmit(ni, m, params); 657} 658 659/* 660 * Send a null data frame to the specified node. If the station 661 * is setup for QoS then a QoS Null Data frame is constructed. 662 * If this is a WDS station then a 4-address frame is constructed. 663 * 664 * NB: the caller is assumed to have setup a node reference 665 * for use; this is necessary to deal with a race condition 666 * when probing for inactive stations. Like ieee80211_mgmt_output 667 * we must cleanup any node reference on error; however we 668 * can safely just unref it as we know it will never be the 669 * last reference to the node. 670 */ 671int 672ieee80211_send_nulldata(struct ieee80211_node *ni) 673{ 674 struct ieee80211vap *vap = ni->ni_vap; 675 struct ieee80211com *ic = ni->ni_ic; 676 struct mbuf *m; 677 struct ieee80211_frame *wh; 678 int hdrlen; 679 uint8_t *frm; 680 681 if (vap->iv_state == IEEE80211_S_CAC) { 682 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 683 ni, "block %s frame in CAC state", "null data"); 684 ieee80211_unref_node(&ni); 685 vap->iv_stats.is_tx_badstate++; 686 return EIO; /* XXX */ 687 } 688 689 if (ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT)) 690 hdrlen = sizeof(struct ieee80211_qosframe); 691 else 692 hdrlen = sizeof(struct ieee80211_frame); 693 /* NB: only WDS vap's get 4-address frames */ 694 if (vap->iv_opmode == IEEE80211_M_WDS) 695 hdrlen += IEEE80211_ADDR_LEN; 696 if (ic->ic_flags & IEEE80211_F_DATAPAD) 697 hdrlen = roundup(hdrlen, sizeof(uint32_t)); 698 699 m = ieee80211_getmgtframe(&frm, ic->ic_headroom + hdrlen, 0); 700 if (m == NULL) { 701 /* XXX debug msg */ 702 ieee80211_unref_node(&ni); 703 vap->iv_stats.is_tx_nobuf++; 704 return ENOMEM; 705 } 706 KASSERT(M_LEADINGSPACE(m) >= hdrlen, 707 ("leading space %zd", M_LEADINGSPACE(m))); 708 M_PREPEND(m, hdrlen, M_DONTWAIT); 709 if (m == NULL) { 710 /* NB: cannot happen */ 711 ieee80211_free_node(ni); 712 return ENOMEM; 713 } 714 715 wh = mtod(m, struct ieee80211_frame *); /* NB: a little lie */ 716 if (ni->ni_flags & IEEE80211_NODE_QOS) { 717 const int tid = WME_AC_TO_TID(WME_AC_BE); 718 uint8_t *qos; 719 720 ieee80211_send_setup(ni, m, 721 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_QOS_NULL, 722 tid, vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 723 724 if (vap->iv_opmode == IEEE80211_M_WDS) 725 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 726 else 727 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 728 qos[0] = tid & IEEE80211_QOS_TID; 729 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[WME_AC_BE].wmep_noackPolicy) 730 qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK; 731 qos[1] = 0; 732 } else { 733 ieee80211_send_setup(ni, m, 734 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_NODATA, 735 IEEE80211_NONQOS_TID, 736 vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 737 } 738 if (vap->iv_opmode != IEEE80211_M_WDS) { 739 /* NB: power management bit is never sent by an AP */ 740 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 741 vap->iv_opmode != IEEE80211_M_HOSTAP) 742 wh->i_fc[1] |= IEEE80211_FC1_PWR_MGT; 743 } 744 m->m_len = m->m_pkthdr.len = hdrlen; 745 m->m_flags |= M_ENCAP; /* mark encapsulated */ 746 747 M_WME_SETAC(m, WME_AC_BE); 748 749 IEEE80211_NODE_STAT(ni, tx_data); 750 751 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, ni, 752 "send %snull data frame on channel %u, pwr mgt %s", 753 ni->ni_flags & IEEE80211_NODE_QOS ? "QoS " : "", 754 ieee80211_chan2ieee(ic, ic->ic_curchan), 755 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT ? "ena" : "dis"); 756 757 return ic->ic_raw_xmit(ni, m, NULL); 758} 759 760/* 761 * Assign priority to a frame based on any vlan tag assigned 762 * to the station and/or any Diffserv setting in an IP header. 763 * Finally, if an ACM policy is setup (in station mode) it's 764 * applied. 765 */ 766int 767ieee80211_classify(struct ieee80211_node *ni, struct mbuf *m) 768{ 769 const struct ether_header *eh = mtod(m, struct ether_header *); 770 int v_wme_ac, d_wme_ac, ac; 771 772 /* 773 * Always promote PAE/EAPOL frames to high priority. 774 */ 775 if (eh->ether_type == htons(ETHERTYPE_PAE)) { 776 /* NB: mark so others don't need to check header */ 777 m->m_flags |= M_EAPOL; 778 ac = WME_AC_VO; 779 goto done; 780 } 781 /* 782 * Non-qos traffic goes to BE. 783 */ 784 if ((ni->ni_flags & IEEE80211_NODE_QOS) == 0) { 785 ac = WME_AC_BE; 786 goto done; 787 } 788 789 /* 790 * If node has a vlan tag then all traffic 791 * to it must have a matching tag. 792 */ 793 v_wme_ac = 0; 794 if (ni->ni_vlan != 0) { 795 if ((m->m_flags & M_VLANTAG) == 0) { 796 IEEE80211_NODE_STAT(ni, tx_novlantag); 797 return 1; 798 } 799 if (EVL_VLANOFTAG(m->m_pkthdr.ether_vtag) != 800 EVL_VLANOFTAG(ni->ni_vlan)) { 801 IEEE80211_NODE_STAT(ni, tx_vlanmismatch); 802 return 1; 803 } 804 /* map vlan priority to AC */ 805 v_wme_ac = TID_TO_WME_AC(EVL_PRIOFTAG(ni->ni_vlan)); 806 } 807 808 /* XXX m_copydata may be too slow for fast path */ 809#ifdef INET 810 if (eh->ether_type == htons(ETHERTYPE_IP)) { 811 uint8_t tos; 812 /* 813 * IP frame, map the DSCP bits from the TOS field. 814 */ 815 /* NB: ip header may not be in first mbuf */ 816 m_copydata(m, sizeof(struct ether_header) + 817 offsetof(struct ip, ip_tos), sizeof(tos), &tos); 818 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */ 819 d_wme_ac = TID_TO_WME_AC(tos); 820 } else { 821#endif /* INET */ 822#ifdef INET6 823 if (eh->ether_type == htons(ETHERTYPE_IPV6)) { 824 uint32_t flow; 825 uint8_t tos; 826 /* 827 * IPv6 frame, map the DSCP bits from the TOS field. 828 */ 829 m_copydata(m, sizeof(struct ether_header) + 830 offsetof(struct ip6_hdr, ip6_flow), sizeof(flow), 831 (caddr_t) &flow); 832 tos = (uint8_t)(ntohl(flow) >> 20); 833 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */ 834 d_wme_ac = TID_TO_WME_AC(tos); 835 } else { 836#endif /* INET6 */ 837 d_wme_ac = WME_AC_BE; 838#ifdef INET6 839 } 840#endif 841#ifdef INET 842 } 843#endif 844 /* 845 * Use highest priority AC. 846 */ 847 if (v_wme_ac > d_wme_ac) 848 ac = v_wme_ac; 849 else 850 ac = d_wme_ac; 851 852 /* 853 * Apply ACM policy. 854 */ 855 if (ni->ni_vap->iv_opmode == IEEE80211_M_STA) { 856 static const int acmap[4] = { 857 WME_AC_BK, /* WME_AC_BE */ 858 WME_AC_BK, /* WME_AC_BK */ 859 WME_AC_BE, /* WME_AC_VI */ 860 WME_AC_VI, /* WME_AC_VO */ 861 }; 862 struct ieee80211com *ic = ni->ni_ic; 863 864 while (ac != WME_AC_BK && 865 ic->ic_wme.wme_wmeBssChanParams.cap_wmeParams[ac].wmep_acm) 866 ac = acmap[ac]; 867 } 868done: 869 M_WME_SETAC(m, ac); 870 return 0; 871} 872 873/* 874 * Insure there is sufficient contiguous space to encapsulate the 875 * 802.11 data frame. If room isn't already there, arrange for it. 876 * Drivers and cipher modules assume we have done the necessary work 877 * and fail rudely if they don't find the space they need. 878 */ 879struct mbuf * 880ieee80211_mbuf_adjust(struct ieee80211vap *vap, int hdrsize, 881 struct ieee80211_key *key, struct mbuf *m) 882{ 883#define TO_BE_RECLAIMED (sizeof(struct ether_header) - sizeof(struct llc)) 884 int needed_space = vap->iv_ic->ic_headroom + hdrsize; 885 886 if (key != NULL) { 887 /* XXX belongs in crypto code? */ 888 needed_space += key->wk_cipher->ic_header; 889 /* XXX frags */ 890 /* 891 * When crypto is being done in the host we must insure 892 * the data are writable for the cipher routines; clone 893 * a writable mbuf chain. 894 * XXX handle SWMIC specially 895 */ 896 if (key->wk_flags & (IEEE80211_KEY_SWENCRYPT|IEEE80211_KEY_SWENMIC)) { 897 m = m_unshare(m, M_NOWAIT); 898 if (m == NULL) { 899 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 900 "%s: cannot get writable mbuf\n", __func__); 901 vap->iv_stats.is_tx_nobuf++; /* XXX new stat */ 902 return NULL; 903 } 904 } 905 } 906 /* 907 * We know we are called just before stripping an Ethernet 908 * header and prepending an LLC header. This means we know 909 * there will be 910 * sizeof(struct ether_header) - sizeof(struct llc) 911 * bytes recovered to which we need additional space for the 912 * 802.11 header and any crypto header. 913 */ 914 /* XXX check trailing space and copy instead? */ 915 if (M_LEADINGSPACE(m) < needed_space - TO_BE_RECLAIMED) { 916 struct mbuf *n = m_gethdr(M_NOWAIT, m->m_type); 917 if (n == NULL) { 918 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 919 "%s: cannot expand storage\n", __func__); 920 vap->iv_stats.is_tx_nobuf++; 921 m_freem(m); 922 return NULL; 923 } 924 KASSERT(needed_space <= MHLEN, 925 ("not enough room, need %u got %zu\n", needed_space, MHLEN)); 926 /* 927 * Setup new mbuf to have leading space to prepend the 928 * 802.11 header and any crypto header bits that are 929 * required (the latter are added when the driver calls 930 * back to ieee80211_crypto_encap to do crypto encapsulation). 931 */ 932 /* NB: must be first 'cuz it clobbers m_data */ 933 m_move_pkthdr(n, m); 934 n->m_len = 0; /* NB: m_gethdr does not set */ 935 n->m_data += needed_space; 936 /* 937 * Pull up Ethernet header to create the expected layout. 938 * We could use m_pullup but that's overkill (i.e. we don't 939 * need the actual data) and it cannot fail so do it inline 940 * for speed. 941 */ 942 /* NB: struct ether_header is known to be contiguous */ 943 n->m_len += sizeof(struct ether_header); 944 m->m_len -= sizeof(struct ether_header); 945 m->m_data += sizeof(struct ether_header); 946 /* 947 * Replace the head of the chain. 948 */ 949 n->m_next = m; 950 m = n; 951 } 952 return m; 953#undef TO_BE_RECLAIMED 954} 955 956/* 957 * Return the transmit key to use in sending a unicast frame. 958 * If a unicast key is set we use that. When no unicast key is set 959 * we fall back to the default transmit key. 960 */ 961static __inline struct ieee80211_key * 962ieee80211_crypto_getucastkey(struct ieee80211vap *vap, 963 struct ieee80211_node *ni) 964{ 965 if (IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)) { 966 if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE || 967 IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey])) 968 return NULL; 969 return &vap->iv_nw_keys[vap->iv_def_txkey]; 970 } else { 971 return &ni->ni_ucastkey; 972 } 973} 974 975/* 976 * Return the transmit key to use in sending a multicast frame. 977 * Multicast traffic always uses the group key which is installed as 978 * the default tx key. 979 */ 980static __inline struct ieee80211_key * 981ieee80211_crypto_getmcastkey(struct ieee80211vap *vap, 982 struct ieee80211_node *ni) 983{ 984 if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE || 985 IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey])) 986 return NULL; 987 return &vap->iv_nw_keys[vap->iv_def_txkey]; 988} 989 990/* 991 * Encapsulate an outbound data frame. The mbuf chain is updated. 992 * If an error is encountered NULL is returned. The caller is required 993 * to provide a node reference and pullup the ethernet header in the 994 * first mbuf. 995 * 996 * NB: Packet is assumed to be processed by ieee80211_classify which 997 * marked EAPOL frames w/ M_EAPOL. 998 */ 999struct mbuf * 1000ieee80211_encap(struct ieee80211vap *vap, struct ieee80211_node *ni, 1001 struct mbuf *m) 1002{ 1003#define WH4(wh) ((struct ieee80211_frame_addr4 *)(wh)) 1004 struct ieee80211com *ic = ni->ni_ic; 1005#ifdef IEEE80211_SUPPORT_MESH 1006 struct ieee80211_mesh_state *ms = vap->iv_mesh; 1007 struct ieee80211_meshcntl_ae10 *mc; 1008#endif 1009 struct ether_header eh; 1010 struct ieee80211_frame *wh; 1011 struct ieee80211_key *key; 1012 struct llc *llc; 1013 int hdrsize, hdrspace, datalen, addqos, txfrag, is4addr; 1014 ieee80211_seq seqno; 1015 int meshhdrsize, meshae; 1016 uint8_t *qos; 1017 1018 /* 1019 * Copy existing Ethernet header to a safe place. The 1020 * rest of the code assumes it's ok to strip it when 1021 * reorganizing state for the final encapsulation. 1022 */ 1023 KASSERT(m->m_len >= sizeof(eh), ("no ethernet header!")); 1024 ETHER_HEADER_COPY(&eh, mtod(m, caddr_t)); 1025 1026 /* 1027 * Insure space for additional headers. First identify 1028 * transmit key to use in calculating any buffer adjustments 1029 * required. This is also used below to do privacy 1030 * encapsulation work. Then calculate the 802.11 header 1031 * size and any padding required by the driver. 1032 * 1033 * Note key may be NULL if we fall back to the default 1034 * transmit key and that is not set. In that case the 1035 * buffer may not be expanded as needed by the cipher 1036 * routines, but they will/should discard it. 1037 */ 1038 if (vap->iv_flags & IEEE80211_F_PRIVACY) { 1039 if (vap->iv_opmode == IEEE80211_M_STA || 1040 !IEEE80211_IS_MULTICAST(eh.ether_dhost) || 1041 (vap->iv_opmode == IEEE80211_M_WDS && 1042 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY))) 1043 key = ieee80211_crypto_getucastkey(vap, ni); 1044 else 1045 key = ieee80211_crypto_getmcastkey(vap, ni); 1046 if (key == NULL && (m->m_flags & M_EAPOL) == 0) { 1047 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 1048 eh.ether_dhost, 1049 "no default transmit key (%s) deftxkey %u", 1050 __func__, vap->iv_def_txkey); 1051 vap->iv_stats.is_tx_nodefkey++; 1052 goto bad; 1053 } 1054 } else 1055 key = NULL; 1056 /* 1057 * XXX Some ap's don't handle QoS-encapsulated EAPOL 1058 * frames so suppress use. This may be an issue if other 1059 * ap's require all data frames to be QoS-encapsulated 1060 * once negotiated in which case we'll need to make this 1061 * configurable. 1062 */ 1063 addqos = (ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT)) && 1064 (m->m_flags & M_EAPOL) == 0; 1065 if (addqos) 1066 hdrsize = sizeof(struct ieee80211_qosframe); 1067 else 1068 hdrsize = sizeof(struct ieee80211_frame); 1069#ifdef IEEE80211_SUPPORT_MESH 1070 if (vap->iv_opmode == IEEE80211_M_MBSS) { 1071 /* 1072 * Mesh data frames are encapsulated according to the 1073 * rules of Section 11B.8.5 (p.139 of D3.0 spec). 1074 * o Group Addressed data (aka multicast) originating 1075 * at the local sta are sent w/ 3-address format and 1076 * address extension mode 00 1077 * o Individually Addressed data (aka unicast) originating 1078 * at the local sta are sent w/ 4-address format and 1079 * address extension mode 00 1080 * o Group Addressed data forwarded from a non-mesh sta are 1081 * sent w/ 3-address format and address extension mode 01 1082 * o Individually Address data from another sta are sent 1083 * w/ 4-address format and address extension mode 10 1084 */ 1085 is4addr = 0; /* NB: don't use, disable */ 1086 if (!IEEE80211_IS_MULTICAST(eh.ether_dhost)) 1087 hdrsize += IEEE80211_ADDR_LEN; /* unicast are 4-addr */ 1088 meshhdrsize = sizeof(struct ieee80211_meshcntl); 1089 /* XXX defines for AE modes */ 1090 if (IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr)) { 1091 if (!IEEE80211_IS_MULTICAST(eh.ether_dhost)) 1092 meshae = 0; 1093 else 1094 meshae = 4; /* NB: pseudo */ 1095 } else if (IEEE80211_IS_MULTICAST(eh.ether_dhost)) { 1096 meshae = 1; 1097 meshhdrsize += 1*IEEE80211_ADDR_LEN; 1098 } else { 1099 meshae = 2; 1100 meshhdrsize += 2*IEEE80211_ADDR_LEN; 1101 } 1102 } else { 1103#endif 1104 /* 1105 * 4-address frames need to be generated for: 1106 * o packets sent through a WDS vap (IEEE80211_M_WDS) 1107 * o packets sent through a vap marked for relaying 1108 * (e.g. a station operating with dynamic WDS) 1109 */ 1110 is4addr = vap->iv_opmode == IEEE80211_M_WDS || 1111 ((vap->iv_flags_ext & IEEE80211_FEXT_4ADDR) && 1112 !IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr)); 1113 if (is4addr) 1114 hdrsize += IEEE80211_ADDR_LEN; 1115 meshhdrsize = meshae = 0; 1116#ifdef IEEE80211_SUPPORT_MESH 1117 } 1118#endif 1119 /* 1120 * Honor driver DATAPAD requirement. 1121 */ 1122 if (ic->ic_flags & IEEE80211_F_DATAPAD) 1123 hdrspace = roundup(hdrsize, sizeof(uint32_t)); 1124 else 1125 hdrspace = hdrsize; 1126 1127 if (__predict_true((m->m_flags & M_FF) == 0)) { 1128 /* 1129 * Normal frame. 1130 */ 1131 m = ieee80211_mbuf_adjust(vap, hdrspace + meshhdrsize, key, m); 1132 if (m == NULL) { 1133 /* NB: ieee80211_mbuf_adjust handles msgs+statistics */ 1134 goto bad; 1135 } 1136 /* NB: this could be optimized 'cuz of ieee80211_mbuf_adjust */ 1137 m_adj(m, sizeof(struct ether_header) - sizeof(struct llc)); 1138 llc = mtod(m, struct llc *); 1139 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 1140 llc->llc_control = LLC_UI; 1141 llc->llc_snap.org_code[0] = 0; 1142 llc->llc_snap.org_code[1] = 0; 1143 llc->llc_snap.org_code[2] = 0; 1144 llc->llc_snap.ether_type = eh.ether_type; 1145 } else { 1146#ifdef IEEE80211_SUPPORT_SUPERG 1147 /* 1148 * Aggregated frame. 1149 */ 1150 m = ieee80211_ff_encap(vap, m, hdrspace + meshhdrsize, key); 1151 if (m == NULL) 1152#endif 1153 goto bad; 1154 } 1155 datalen = m->m_pkthdr.len; /* NB: w/o 802.11 header */ 1156 1157 M_PREPEND(m, hdrspace + meshhdrsize, M_DONTWAIT); 1158 if (m == NULL) { 1159 vap->iv_stats.is_tx_nobuf++; 1160 goto bad; 1161 } 1162 wh = mtod(m, struct ieee80211_frame *); 1163 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA; 1164 *(uint16_t *)wh->i_dur = 0; 1165 qos = NULL; /* NB: quiet compiler */ 1166 if (is4addr) { 1167 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 1168 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1169 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1170 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1171 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, eh.ether_shost); 1172 } else switch (vap->iv_opmode) { 1173 case IEEE80211_M_STA: 1174 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 1175 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid); 1176 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 1177 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1178 break; 1179 case IEEE80211_M_IBSS: 1180 case IEEE80211_M_AHDEMO: 1181 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1182 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1183 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 1184 /* 1185 * NB: always use the bssid from iv_bss as the 1186 * neighbor's may be stale after an ibss merge 1187 */ 1188 IEEE80211_ADDR_COPY(wh->i_addr3, vap->iv_bss->ni_bssid); 1189 break; 1190 case IEEE80211_M_HOSTAP: 1191 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1192 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1193 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid); 1194 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 1195 break; 1196#ifdef IEEE80211_SUPPORT_MESH 1197 case IEEE80211_M_MBSS: 1198 /* NB: offset by hdrspace to deal with DATAPAD */ 1199 mc = (struct ieee80211_meshcntl_ae10 *) 1200 (mtod(m, uint8_t *) + hdrspace); 1201 switch (meshae) { 1202 case 0: /* ucast, no proxy */ 1203 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 1204 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1205 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1206 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1207 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, eh.ether_shost); 1208 mc->mc_flags = 0; 1209 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1210 break; 1211 case 4: /* mcast, no proxy */ 1212 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1213 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1214 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1215 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 1216 mc->mc_flags = 0; /* NB: AE is really 0 */ 1217 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1218 break; 1219 case 1: /* mcast, proxy */ 1220 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1221 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1222 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1223 IEEE80211_ADDR_COPY(wh->i_addr3, vap->iv_myaddr); 1224 mc->mc_flags = 1; 1225 IEEE80211_ADDR_COPY(mc->mc_addr4, eh.ether_shost); 1226 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1227 break; 1228 case 2: /* ucast, proxy */ 1229 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 1230 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1231 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1232 /* XXX not right, need MeshDA */ 1233 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1234 /* XXX assume are MeshSA */ 1235 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, vap->iv_myaddr); 1236 mc->mc_flags = 2; 1237 IEEE80211_ADDR_COPY(mc->mc_addr4, eh.ether_dhost); 1238 IEEE80211_ADDR_COPY(mc->mc_addr5, eh.ether_shost); 1239 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1240 break; 1241 default: 1242 KASSERT(0, ("meshae %d", meshae)); 1243 break; 1244 } 1245 mc->mc_ttl = ms->ms_ttl; 1246 ms->ms_seq++; 1247 LE_WRITE_4(mc->mc_seq, ms->ms_seq); 1248 break; 1249#endif 1250 case IEEE80211_M_WDS: /* NB: is4addr should always be true */ 1251 default: 1252 goto bad; 1253 } 1254 if (m->m_flags & M_MORE_DATA) 1255 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 1256 if (addqos) { 1257 int ac, tid; 1258 1259 if (is4addr) { 1260 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1261 /* NB: mesh case handled earlier */ 1262 } else if (vap->iv_opmode != IEEE80211_M_MBSS) 1263 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1264 ac = M_WME_GETAC(m); 1265 /* map from access class/queue to 11e header priorty value */ 1266 tid = WME_AC_TO_TID(ac); 1267 qos[0] = tid & IEEE80211_QOS_TID; 1268 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[ac].wmep_noackPolicy) 1269 qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK; 1270 qos[1] = 0; 1271 wh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS; 1272 1273 if ((m->m_flags & M_AMPDU_MPDU) == 0) { 1274 /* 1275 * NB: don't assign a sequence # to potential 1276 * aggregates; we expect this happens at the 1277 * point the frame comes off any aggregation q 1278 * as otherwise we may introduce holes in the 1279 * BA sequence space and/or make window accouting 1280 * more difficult. 1281 * 1282 * XXX may want to control this with a driver 1283 * capability; this may also change when we pull 1284 * aggregation up into net80211 1285 */ 1286 seqno = ni->ni_txseqs[tid]++; 1287 *(uint16_t *)wh->i_seq = 1288 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 1289 M_SEQNO_SET(m, seqno); 1290 } 1291 } else { 1292 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++; 1293 *(uint16_t *)wh->i_seq = 1294 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 1295 M_SEQNO_SET(m, seqno); 1296 } 1297 1298 1299 /* check if xmit fragmentation is required */ 1300 txfrag = (m->m_pkthdr.len > vap->iv_fragthreshold && 1301 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 1302 (vap->iv_caps & IEEE80211_C_TXFRAG) && 1303 (m->m_flags & (M_FF | M_AMPDU_MPDU)) == 0); 1304 if (key != NULL) { 1305 /* 1306 * IEEE 802.1X: send EAPOL frames always in the clear. 1307 * WPA/WPA2: encrypt EAPOL keys when pairwise keys are set. 1308 */ 1309 if ((m->m_flags & M_EAPOL) == 0 || 1310 ((vap->iv_flags & IEEE80211_F_WPA) && 1311 (vap->iv_opmode == IEEE80211_M_STA ? 1312 !IEEE80211_KEY_UNDEFINED(key) : 1313 !IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)))) { 1314 wh->i_fc[1] |= IEEE80211_FC1_WEP; 1315 if (!ieee80211_crypto_enmic(vap, key, m, txfrag)) { 1316 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_OUTPUT, 1317 eh.ether_dhost, 1318 "%s", "enmic failed, discard frame"); 1319 vap->iv_stats.is_crypto_enmicfail++; 1320 goto bad; 1321 } 1322 } 1323 } 1324 if (txfrag && !ieee80211_fragment(vap, m, hdrsize, 1325 key != NULL ? key->wk_cipher->ic_header : 0, vap->iv_fragthreshold)) 1326 goto bad; 1327 1328 m->m_flags |= M_ENCAP; /* mark encapsulated */ 1329 1330 IEEE80211_NODE_STAT(ni, tx_data); 1331 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 1332 IEEE80211_NODE_STAT(ni, tx_mcast); 1333 m->m_flags |= M_MCAST; 1334 } else 1335 IEEE80211_NODE_STAT(ni, tx_ucast); 1336 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, datalen); 1337 1338 return m; 1339bad: 1340 if (m != NULL) 1341 m_freem(m); 1342 return NULL; 1343#undef WH4 1344} 1345 1346/* 1347 * Fragment the frame according to the specified mtu. 1348 * The size of the 802.11 header (w/o padding) is provided 1349 * so we don't need to recalculate it. We create a new 1350 * mbuf for each fragment and chain it through m_nextpkt; 1351 * we might be able to optimize this by reusing the original 1352 * packet's mbufs but that is significantly more complicated. 1353 */ 1354static int 1355ieee80211_fragment(struct ieee80211vap *vap, struct mbuf *m0, 1356 u_int hdrsize, u_int ciphdrsize, u_int mtu) 1357{ 1358 struct ieee80211_frame *wh, *whf; 1359 struct mbuf *m, *prev, *next; 1360 u_int totalhdrsize, fragno, fragsize, off, remainder, payload; 1361 1362 KASSERT(m0->m_nextpkt == NULL, ("mbuf already chained?")); 1363 KASSERT(m0->m_pkthdr.len > mtu, 1364 ("pktlen %u mtu %u", m0->m_pkthdr.len, mtu)); 1365 1366 wh = mtod(m0, struct ieee80211_frame *); 1367 /* NB: mark the first frag; it will be propagated below */ 1368 wh->i_fc[1] |= IEEE80211_FC1_MORE_FRAG; 1369 totalhdrsize = hdrsize + ciphdrsize; 1370 fragno = 1; 1371 off = mtu - ciphdrsize; 1372 remainder = m0->m_pkthdr.len - off; 1373 prev = m0; 1374 do { 1375 fragsize = totalhdrsize + remainder; 1376 if (fragsize > mtu) 1377 fragsize = mtu; 1378 /* XXX fragsize can be >2048! */ 1379 KASSERT(fragsize < MCLBYTES, 1380 ("fragment size %u too big!", fragsize)); 1381 if (fragsize > MHLEN) 1382 m = m_getcl(M_DONTWAIT, MT_DATA, M_PKTHDR); 1383 else 1384 m = m_gethdr(M_DONTWAIT, MT_DATA); 1385 if (m == NULL) 1386 goto bad; 1387 /* leave room to prepend any cipher header */ 1388 m_align(m, fragsize - ciphdrsize); 1389 1390 /* 1391 * Form the header in the fragment. Note that since 1392 * we mark the first fragment with the MORE_FRAG bit 1393 * it automatically is propagated to each fragment; we 1394 * need only clear it on the last fragment (done below). 1395 */ 1396 whf = mtod(m, struct ieee80211_frame *); 1397 memcpy(whf, wh, hdrsize); 1398 *(uint16_t *)&whf->i_seq[0] |= htole16( 1399 (fragno & IEEE80211_SEQ_FRAG_MASK) << 1400 IEEE80211_SEQ_FRAG_SHIFT); 1401 fragno++; 1402 1403 payload = fragsize - totalhdrsize; 1404 /* NB: destination is known to be contiguous */ 1405 m_copydata(m0, off, payload, mtod(m, uint8_t *) + hdrsize); 1406 m->m_len = hdrsize + payload; 1407 m->m_pkthdr.len = hdrsize + payload; 1408 m->m_flags |= M_FRAG; 1409 1410 /* chain up the fragment */ 1411 prev->m_nextpkt = m; 1412 prev = m; 1413 1414 /* deduct fragment just formed */ 1415 remainder -= payload; 1416 off += payload; 1417 } while (remainder != 0); 1418 1419 /* set the last fragment */ 1420 m->m_flags |= M_LASTFRAG; 1421 whf->i_fc[1] &= ~IEEE80211_FC1_MORE_FRAG; 1422 1423 /* strip first mbuf now that everything has been copied */ 1424 m_adj(m0, -(m0->m_pkthdr.len - (mtu - ciphdrsize))); 1425 m0->m_flags |= M_FIRSTFRAG | M_FRAG; 1426 1427 vap->iv_stats.is_tx_fragframes++; 1428 vap->iv_stats.is_tx_frags += fragno-1; 1429 1430 return 1; 1431bad: 1432 /* reclaim fragments but leave original frame for caller to free */ 1433 for (m = m0->m_nextpkt; m != NULL; m = next) { 1434 next = m->m_nextpkt; 1435 m->m_nextpkt = NULL; /* XXX paranoid */ 1436 m_freem(m); 1437 } 1438 m0->m_nextpkt = NULL; 1439 return 0; 1440} 1441 1442/* 1443 * Add a supported rates element id to a frame. 1444 */ 1445uint8_t * 1446ieee80211_add_rates(uint8_t *frm, const struct ieee80211_rateset *rs) 1447{ 1448 int nrates; 1449 1450 *frm++ = IEEE80211_ELEMID_RATES; 1451 nrates = rs->rs_nrates; 1452 if (nrates > IEEE80211_RATE_SIZE) 1453 nrates = IEEE80211_RATE_SIZE; 1454 *frm++ = nrates; 1455 memcpy(frm, rs->rs_rates, nrates); 1456 return frm + nrates; 1457} 1458 1459/* 1460 * Add an extended supported rates element id to a frame. 1461 */ 1462uint8_t * 1463ieee80211_add_xrates(uint8_t *frm, const struct ieee80211_rateset *rs) 1464{ 1465 /* 1466 * Add an extended supported rates element if operating in 11g mode. 1467 */ 1468 if (rs->rs_nrates > IEEE80211_RATE_SIZE) { 1469 int nrates = rs->rs_nrates - IEEE80211_RATE_SIZE; 1470 *frm++ = IEEE80211_ELEMID_XRATES; 1471 *frm++ = nrates; 1472 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates); 1473 frm += nrates; 1474 } 1475 return frm; 1476} 1477 1478/* 1479 * Add an ssid element to a frame. 1480 */ 1481static uint8_t * 1482ieee80211_add_ssid(uint8_t *frm, const uint8_t *ssid, u_int len) 1483{ 1484 *frm++ = IEEE80211_ELEMID_SSID; 1485 *frm++ = len; 1486 memcpy(frm, ssid, len); 1487 return frm + len; 1488} 1489 1490/* 1491 * Add an erp element to a frame. 1492 */ 1493static uint8_t * 1494ieee80211_add_erp(uint8_t *frm, struct ieee80211com *ic) 1495{ 1496 uint8_t erp; 1497 1498 *frm++ = IEEE80211_ELEMID_ERP; 1499 *frm++ = 1; 1500 erp = 0; 1501 if (ic->ic_nonerpsta != 0) 1502 erp |= IEEE80211_ERP_NON_ERP_PRESENT; 1503 if (ic->ic_flags & IEEE80211_F_USEPROT) 1504 erp |= IEEE80211_ERP_USE_PROTECTION; 1505 if (ic->ic_flags & IEEE80211_F_USEBARKER) 1506 erp |= IEEE80211_ERP_LONG_PREAMBLE; 1507 *frm++ = erp; 1508 return frm; 1509} 1510 1511/* 1512 * Add a CFParams element to a frame. 1513 */ 1514static uint8_t * 1515ieee80211_add_cfparms(uint8_t *frm, struct ieee80211com *ic) 1516{ 1517#define ADDSHORT(frm, v) do { \ 1518 LE_WRITE_2(frm, v); \ 1519 frm += 2; \ 1520} while (0) 1521 *frm++ = IEEE80211_ELEMID_CFPARMS; 1522 *frm++ = 6; 1523 *frm++ = 0; /* CFP count */ 1524 *frm++ = 2; /* CFP period */ 1525 ADDSHORT(frm, 0); /* CFP MaxDuration (TU) */ 1526 ADDSHORT(frm, 0); /* CFP CurRemaining (TU) */ 1527 return frm; 1528#undef ADDSHORT 1529} 1530 1531static __inline uint8_t * 1532add_appie(uint8_t *frm, const struct ieee80211_appie *ie) 1533{ 1534 memcpy(frm, ie->ie_data, ie->ie_len); 1535 return frm + ie->ie_len; 1536} 1537 1538static __inline uint8_t * 1539add_ie(uint8_t *frm, const uint8_t *ie) 1540{ 1541 memcpy(frm, ie, 2 + ie[1]); 1542 return frm + 2 + ie[1]; 1543} 1544 1545#define WME_OUI_BYTES 0x00, 0x50, 0xf2 1546/* 1547 * Add a WME information element to a frame. 1548 */ 1549static uint8_t * 1550ieee80211_add_wme_info(uint8_t *frm, struct ieee80211_wme_state *wme) 1551{ 1552 static const struct ieee80211_wme_info info = { 1553 .wme_id = IEEE80211_ELEMID_VENDOR, 1554 .wme_len = sizeof(struct ieee80211_wme_info) - 2, 1555 .wme_oui = { WME_OUI_BYTES }, 1556 .wme_type = WME_OUI_TYPE, 1557 .wme_subtype = WME_INFO_OUI_SUBTYPE, 1558 .wme_version = WME_VERSION, 1559 .wme_info = 0, 1560 }; 1561 memcpy(frm, &info, sizeof(info)); 1562 return frm + sizeof(info); 1563} 1564 1565/* 1566 * Add a WME parameters element to a frame. 1567 */ 1568static uint8_t * 1569ieee80211_add_wme_param(uint8_t *frm, struct ieee80211_wme_state *wme) 1570{ 1571#define SM(_v, _f) (((_v) << _f##_S) & _f) 1572#define ADDSHORT(frm, v) do { \ 1573 LE_WRITE_2(frm, v); \ 1574 frm += 2; \ 1575} while (0) 1576 /* NB: this works 'cuz a param has an info at the front */ 1577 static const struct ieee80211_wme_info param = { 1578 .wme_id = IEEE80211_ELEMID_VENDOR, 1579 .wme_len = sizeof(struct ieee80211_wme_param) - 2, 1580 .wme_oui = { WME_OUI_BYTES }, 1581 .wme_type = WME_OUI_TYPE, 1582 .wme_subtype = WME_PARAM_OUI_SUBTYPE, 1583 .wme_version = WME_VERSION, 1584 }; 1585 int i; 1586 1587 memcpy(frm, ¶m, sizeof(param)); 1588 frm += __offsetof(struct ieee80211_wme_info, wme_info); 1589 *frm++ = wme->wme_bssChanParams.cap_info; /* AC info */ 1590 *frm++ = 0; /* reserved field */ 1591 for (i = 0; i < WME_NUM_AC; i++) { 1592 const struct wmeParams *ac = 1593 &wme->wme_bssChanParams.cap_wmeParams[i]; 1594 *frm++ = SM(i, WME_PARAM_ACI) 1595 | SM(ac->wmep_acm, WME_PARAM_ACM) 1596 | SM(ac->wmep_aifsn, WME_PARAM_AIFSN) 1597 ; 1598 *frm++ = SM(ac->wmep_logcwmax, WME_PARAM_LOGCWMAX) 1599 | SM(ac->wmep_logcwmin, WME_PARAM_LOGCWMIN) 1600 ; 1601 ADDSHORT(frm, ac->wmep_txopLimit); 1602 } 1603 return frm; 1604#undef SM 1605#undef ADDSHORT 1606} 1607#undef WME_OUI_BYTES 1608 1609/* 1610 * Add an 11h Power Constraint element to a frame. 1611 */ 1612static uint8_t * 1613ieee80211_add_powerconstraint(uint8_t *frm, struct ieee80211vap *vap) 1614{ 1615 const struct ieee80211_channel *c = vap->iv_bss->ni_chan; 1616 /* XXX per-vap tx power limit? */ 1617 int8_t limit = vap->iv_ic->ic_txpowlimit / 2; 1618 1619 frm[0] = IEEE80211_ELEMID_PWRCNSTR; 1620 frm[1] = 1; 1621 frm[2] = c->ic_maxregpower > limit ? c->ic_maxregpower - limit : 0; 1622 return frm + 3; 1623} 1624 1625/* 1626 * Add an 11h Power Capability element to a frame. 1627 */ 1628static uint8_t * 1629ieee80211_add_powercapability(uint8_t *frm, const struct ieee80211_channel *c) 1630{ 1631 frm[0] = IEEE80211_ELEMID_PWRCAP; 1632 frm[1] = 2; 1633 frm[2] = c->ic_minpower; 1634 frm[3] = c->ic_maxpower; 1635 return frm + 4; 1636} 1637 1638/* 1639 * Add an 11h Supported Channels element to a frame. 1640 */ 1641static uint8_t * 1642ieee80211_add_supportedchannels(uint8_t *frm, struct ieee80211com *ic) 1643{ 1644 static const int ielen = 26; 1645 1646 frm[0] = IEEE80211_ELEMID_SUPPCHAN; 1647 frm[1] = ielen; 1648 /* XXX not correct */ 1649 memcpy(frm+2, ic->ic_chan_avail, ielen); 1650 return frm + 2 + ielen; 1651} 1652 1653/* 1654 * Add an 11h Channel Switch Announcement element to a frame. 1655 * Note that we use the per-vap CSA count to adjust the global 1656 * counter so we can use this routine to form probe response 1657 * frames and get the current count. 1658 */ 1659static uint8_t * 1660ieee80211_add_csa(uint8_t *frm, struct ieee80211vap *vap) 1661{ 1662 struct ieee80211com *ic = vap->iv_ic; 1663 struct ieee80211_csa_ie *csa = (struct ieee80211_csa_ie *) frm; 1664 1665 csa->csa_ie = IEEE80211_ELEMID_CSA; 1666 csa->csa_len = 3; 1667 csa->csa_mode = 1; /* XXX force quiet on channel */ 1668 csa->csa_newchan = ieee80211_chan2ieee(ic, ic->ic_csa_newchan); 1669 csa->csa_count = ic->ic_csa_count - vap->iv_csa_count; 1670 return frm + sizeof(*csa); 1671} 1672 1673/* 1674 * Add an 11h country information element to a frame. 1675 */ 1676static uint8_t * 1677ieee80211_add_countryie(uint8_t *frm, struct ieee80211com *ic) 1678{ 1679 1680 if (ic->ic_countryie == NULL || 1681 ic->ic_countryie_chan != ic->ic_bsschan) { 1682 /* 1683 * Handle lazy construction of ie. This is done on 1684 * first use and after a channel change that requires 1685 * re-calculation. 1686 */ 1687 if (ic->ic_countryie != NULL) 1688 free(ic->ic_countryie, M_80211_NODE_IE); 1689 ic->ic_countryie = ieee80211_alloc_countryie(ic); 1690 if (ic->ic_countryie == NULL) 1691 return frm; 1692 ic->ic_countryie_chan = ic->ic_bsschan; 1693 } 1694 return add_appie(frm, ic->ic_countryie); 1695} 1696 1697/* 1698 * Send a probe request frame with the specified ssid 1699 * and any optional information element data. 1700 */ 1701int 1702ieee80211_send_probereq(struct ieee80211_node *ni, 1703 const uint8_t sa[IEEE80211_ADDR_LEN], 1704 const uint8_t da[IEEE80211_ADDR_LEN], 1705 const uint8_t bssid[IEEE80211_ADDR_LEN], 1706 const uint8_t *ssid, size_t ssidlen) 1707{ 1708 struct ieee80211vap *vap = ni->ni_vap; 1709 struct ieee80211com *ic = ni->ni_ic; 1710 const struct ieee80211_txparam *tp; 1711 struct ieee80211_bpf_params params; 1712 struct ieee80211_frame *wh; 1713 const struct ieee80211_rateset *rs; 1714 struct mbuf *m; 1715 uint8_t *frm; 1716 1717 if (vap->iv_state == IEEE80211_S_CAC) { 1718 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, ni, 1719 "block %s frame in CAC state", "probe request"); 1720 vap->iv_stats.is_tx_badstate++; 1721 return EIO; /* XXX */ 1722 } 1723 1724 /* 1725 * Hold a reference on the node so it doesn't go away until after 1726 * the xmit is complete all the way in the driver. On error we 1727 * will remove our reference. 1728 */ 1729 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 1730 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 1731 __func__, __LINE__, 1732 ni, ether_sprintf(ni->ni_macaddr), 1733 ieee80211_node_refcnt(ni)+1); 1734 ieee80211_ref_node(ni); 1735 1736 /* 1737 * prreq frame format 1738 * [tlv] ssid 1739 * [tlv] supported rates 1740 * [tlv] RSN (optional) 1741 * [tlv] extended supported rates 1742 * [tlv] WPA (optional) 1743 * [tlv] user-specified ie's 1744 */ 1745 m = ieee80211_getmgtframe(&frm, 1746 ic->ic_headroom + sizeof(struct ieee80211_frame), 1747 2 + IEEE80211_NWID_LEN 1748 + 2 + IEEE80211_RATE_SIZE 1749 + sizeof(struct ieee80211_ie_wpa) 1750 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1751 + sizeof(struct ieee80211_ie_wpa) 1752 + (vap->iv_appie_probereq != NULL ? 1753 vap->iv_appie_probereq->ie_len : 0) 1754 ); 1755 if (m == NULL) { 1756 vap->iv_stats.is_tx_nobuf++; 1757 ieee80211_free_node(ni); 1758 return ENOMEM; 1759 } 1760 1761 frm = ieee80211_add_ssid(frm, ssid, ssidlen); 1762 rs = ieee80211_get_suprates(ic, ic->ic_curchan); 1763 frm = ieee80211_add_rates(frm, rs); 1764 if (vap->iv_flags & IEEE80211_F_WPA2) { 1765 if (vap->iv_rsn_ie != NULL) 1766 frm = add_ie(frm, vap->iv_rsn_ie); 1767 /* XXX else complain? */ 1768 } 1769 frm = ieee80211_add_xrates(frm, rs); 1770 if (vap->iv_flags & IEEE80211_F_WPA1) { 1771 if (vap->iv_wpa_ie != NULL) 1772 frm = add_ie(frm, vap->iv_wpa_ie); 1773 /* XXX else complain? */ 1774 } 1775 if (vap->iv_appie_probereq != NULL) 1776 frm = add_appie(frm, vap->iv_appie_probereq); 1777 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 1778 1779 KASSERT(M_LEADINGSPACE(m) >= sizeof(struct ieee80211_frame), 1780 ("leading space %zd", M_LEADINGSPACE(m))); 1781 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 1782 if (m == NULL) { 1783 /* NB: cannot happen */ 1784 ieee80211_free_node(ni); 1785 return ENOMEM; 1786 } 1787 1788 wh = mtod(m, struct ieee80211_frame *); 1789 ieee80211_send_setup(ni, m, 1790 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_REQ, 1791 IEEE80211_NONQOS_TID, sa, da, bssid); 1792 /* XXX power management? */ 1793 m->m_flags |= M_ENCAP; /* mark encapsulated */ 1794 1795 M_WME_SETAC(m, WME_AC_BE); 1796 1797 IEEE80211_NODE_STAT(ni, tx_probereq); 1798 IEEE80211_NODE_STAT(ni, tx_mgmt); 1799 1800 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 1801 "send probe req on channel %u bssid %s ssid \"%.*s\"\n", 1802 ieee80211_chan2ieee(ic, ic->ic_curchan), ether_sprintf(bssid), 1803 ssidlen, ssid); 1804 1805 memset(¶ms, 0, sizeof(params)); 1806 params.ibp_pri = M_WME_GETAC(m); 1807 tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)]; 1808 params.ibp_rate0 = tp->mgmtrate; 1809 if (IEEE80211_IS_MULTICAST(da)) { 1810 params.ibp_flags |= IEEE80211_BPF_NOACK; 1811 params.ibp_try0 = 1; 1812 } else 1813 params.ibp_try0 = tp->maxretry; 1814 params.ibp_power = ni->ni_txpower; 1815 return ic->ic_raw_xmit(ni, m, ¶ms); 1816} 1817 1818/* 1819 * Calculate capability information for mgt frames. 1820 */ 1821uint16_t 1822ieee80211_getcapinfo(struct ieee80211vap *vap, struct ieee80211_channel *chan) 1823{ 1824 struct ieee80211com *ic = vap->iv_ic; 1825 uint16_t capinfo; 1826 1827 KASSERT(vap->iv_opmode != IEEE80211_M_STA, ("station mode")); 1828 1829 if (vap->iv_opmode == IEEE80211_M_HOSTAP) 1830 capinfo = IEEE80211_CAPINFO_ESS; 1831 else if (vap->iv_opmode == IEEE80211_M_IBSS) 1832 capinfo = IEEE80211_CAPINFO_IBSS; 1833 else 1834 capinfo = 0; 1835 if (vap->iv_flags & IEEE80211_F_PRIVACY) 1836 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1837 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1838 IEEE80211_IS_CHAN_2GHZ(chan)) 1839 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1840 if (ic->ic_flags & IEEE80211_F_SHSLOT) 1841 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1842 if (IEEE80211_IS_CHAN_5GHZ(chan) && (vap->iv_flags & IEEE80211_F_DOTH)) 1843 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT; 1844 return capinfo; 1845} 1846 1847/* 1848 * Send a management frame. The node is for the destination (or ic_bss 1849 * when in station mode). Nodes other than ic_bss have their reference 1850 * count bumped to reflect our use for an indeterminant time. 1851 */ 1852int 1853ieee80211_send_mgmt(struct ieee80211_node *ni, int type, int arg) 1854{ 1855#define HTFLAGS (IEEE80211_NODE_HT | IEEE80211_NODE_HTCOMPAT) 1856#define senderr(_x, _v) do { vap->iv_stats._v++; ret = _x; goto bad; } while (0) 1857 struct ieee80211vap *vap = ni->ni_vap; 1858 struct ieee80211com *ic = ni->ni_ic; 1859 struct ieee80211_node *bss = vap->iv_bss; 1860 struct ieee80211_bpf_params params; 1861 struct mbuf *m; 1862 uint8_t *frm; 1863 uint16_t capinfo; 1864 int has_challenge, is_shared_key, ret, status; 1865 1866 KASSERT(ni != NULL, ("null node")); 1867 1868 /* 1869 * Hold a reference on the node so it doesn't go away until after 1870 * the xmit is complete all the way in the driver. On error we 1871 * will remove our reference. 1872 */ 1873 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 1874 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 1875 __func__, __LINE__, 1876 ni, ether_sprintf(ni->ni_macaddr), 1877 ieee80211_node_refcnt(ni)+1); 1878 ieee80211_ref_node(ni); 1879 1880 memset(¶ms, 0, sizeof(params)); 1881 switch (type) { 1882 1883 case IEEE80211_FC0_SUBTYPE_AUTH: 1884 status = arg >> 16; 1885 arg &= 0xffff; 1886 has_challenge = ((arg == IEEE80211_AUTH_SHARED_CHALLENGE || 1887 arg == IEEE80211_AUTH_SHARED_RESPONSE) && 1888 ni->ni_challenge != NULL); 1889 1890 /* 1891 * Deduce whether we're doing open authentication or 1892 * shared key authentication. We do the latter if 1893 * we're in the middle of a shared key authentication 1894 * handshake or if we're initiating an authentication 1895 * request and configured to use shared key. 1896 */ 1897 is_shared_key = has_challenge || 1898 arg >= IEEE80211_AUTH_SHARED_RESPONSE || 1899 (arg == IEEE80211_AUTH_SHARED_REQUEST && 1900 bss->ni_authmode == IEEE80211_AUTH_SHARED); 1901 1902 m = ieee80211_getmgtframe(&frm, 1903 ic->ic_headroom + sizeof(struct ieee80211_frame), 1904 3 * sizeof(uint16_t) 1905 + (has_challenge && status == IEEE80211_STATUS_SUCCESS ? 1906 sizeof(uint16_t)+IEEE80211_CHALLENGE_LEN : 0) 1907 ); 1908 if (m == NULL) 1909 senderr(ENOMEM, is_tx_nobuf); 1910 1911 ((uint16_t *)frm)[0] = 1912 (is_shared_key) ? htole16(IEEE80211_AUTH_ALG_SHARED) 1913 : htole16(IEEE80211_AUTH_ALG_OPEN); 1914 ((uint16_t *)frm)[1] = htole16(arg); /* sequence number */ 1915 ((uint16_t *)frm)[2] = htole16(status);/* status */ 1916 1917 if (has_challenge && status == IEEE80211_STATUS_SUCCESS) { 1918 ((uint16_t *)frm)[3] = 1919 htole16((IEEE80211_CHALLENGE_LEN << 8) | 1920 IEEE80211_ELEMID_CHALLENGE); 1921 memcpy(&((uint16_t *)frm)[4], ni->ni_challenge, 1922 IEEE80211_CHALLENGE_LEN); 1923 m->m_pkthdr.len = m->m_len = 1924 4 * sizeof(uint16_t) + IEEE80211_CHALLENGE_LEN; 1925 if (arg == IEEE80211_AUTH_SHARED_RESPONSE) { 1926 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 1927 "request encrypt frame (%s)", __func__); 1928 /* mark frame for encryption */ 1929 params.ibp_flags |= IEEE80211_BPF_CRYPTO; 1930 } 1931 } else 1932 m->m_pkthdr.len = m->m_len = 3 * sizeof(uint16_t); 1933 1934 /* XXX not right for shared key */ 1935 if (status == IEEE80211_STATUS_SUCCESS) 1936 IEEE80211_NODE_STAT(ni, tx_auth); 1937 else 1938 IEEE80211_NODE_STAT(ni, tx_auth_fail); 1939 1940 if (vap->iv_opmode == IEEE80211_M_STA) 1941 ieee80211_add_callback(m, ieee80211_tx_mgt_cb, 1942 (void *) vap->iv_state); 1943 break; 1944 1945 case IEEE80211_FC0_SUBTYPE_DEAUTH: 1946 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 1947 "send station deauthenticate (reason %d)", arg); 1948 m = ieee80211_getmgtframe(&frm, 1949 ic->ic_headroom + sizeof(struct ieee80211_frame), 1950 sizeof(uint16_t)); 1951 if (m == NULL) 1952 senderr(ENOMEM, is_tx_nobuf); 1953 *(uint16_t *)frm = htole16(arg); /* reason */ 1954 m->m_pkthdr.len = m->m_len = sizeof(uint16_t); 1955 1956 IEEE80211_NODE_STAT(ni, tx_deauth); 1957 IEEE80211_NODE_STAT_SET(ni, tx_deauth_code, arg); 1958 1959 ieee80211_node_unauthorize(ni); /* port closed */ 1960 break; 1961 1962 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1963 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 1964 /* 1965 * asreq frame format 1966 * [2] capability information 1967 * [2] listen interval 1968 * [6*] current AP address (reassoc only) 1969 * [tlv] ssid 1970 * [tlv] supported rates 1971 * [tlv] extended supported rates 1972 * [4] power capability (optional) 1973 * [28] supported channels (optional) 1974 * [tlv] HT capabilities 1975 * [tlv] WME (optional) 1976 * [tlv] Vendor OUI HT capabilities (optional) 1977 * [tlv] Atheros capabilities (if negotiated) 1978 * [tlv] AppIE's (optional) 1979 */ 1980 m = ieee80211_getmgtframe(&frm, 1981 ic->ic_headroom + sizeof(struct ieee80211_frame), 1982 sizeof(uint16_t) 1983 + sizeof(uint16_t) 1984 + IEEE80211_ADDR_LEN 1985 + 2 + IEEE80211_NWID_LEN 1986 + 2 + IEEE80211_RATE_SIZE 1987 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1988 + 4 1989 + 2 + 26 1990 + sizeof(struct ieee80211_wme_info) 1991 + sizeof(struct ieee80211_ie_htcap) 1992 + 4 + sizeof(struct ieee80211_ie_htcap) 1993#ifdef IEEE80211_SUPPORT_SUPERG 1994 + sizeof(struct ieee80211_ath_ie) 1995#endif 1996 + (vap->iv_appie_wpa != NULL ? 1997 vap->iv_appie_wpa->ie_len : 0) 1998 + (vap->iv_appie_assocreq != NULL ? 1999 vap->iv_appie_assocreq->ie_len : 0) 2000 ); 2001 if (m == NULL) 2002 senderr(ENOMEM, is_tx_nobuf); 2003 2004 KASSERT(vap->iv_opmode == IEEE80211_M_STA, 2005 ("wrong mode %u", vap->iv_opmode)); 2006 capinfo = IEEE80211_CAPINFO_ESS; 2007 if (vap->iv_flags & IEEE80211_F_PRIVACY) 2008 capinfo |= IEEE80211_CAPINFO_PRIVACY; 2009 /* 2010 * NB: Some 11a AP's reject the request when 2011 * short premable is set. 2012 */ 2013 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 2014 IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan)) 2015 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 2016 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 2017 (ic->ic_caps & IEEE80211_C_SHSLOT)) 2018 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 2019 if ((ni->ni_capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) && 2020 (vap->iv_flags & IEEE80211_F_DOTH)) 2021 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT; 2022 *(uint16_t *)frm = htole16(capinfo); 2023 frm += 2; 2024 2025 KASSERT(bss->ni_intval != 0, ("beacon interval is zero!")); 2026 *(uint16_t *)frm = htole16(howmany(ic->ic_lintval, 2027 bss->ni_intval)); 2028 frm += 2; 2029 2030 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2031 IEEE80211_ADDR_COPY(frm, bss->ni_bssid); 2032 frm += IEEE80211_ADDR_LEN; 2033 } 2034 2035 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 2036 frm = ieee80211_add_rates(frm, &ni->ni_rates); 2037 if (vap->iv_flags & IEEE80211_F_WPA2) { 2038 if (vap->iv_rsn_ie != NULL) 2039 frm = add_ie(frm, vap->iv_rsn_ie); 2040 /* XXX else complain? */ 2041 } 2042 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 2043 if (capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) { 2044 frm = ieee80211_add_powercapability(frm, 2045 ic->ic_curchan); 2046 frm = ieee80211_add_supportedchannels(frm, ic); 2047 } 2048 if ((vap->iv_flags_ht & IEEE80211_FHT_HT) && 2049 ni->ni_ies.htcap_ie != NULL && 2050 ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_HTCAP) 2051 frm = ieee80211_add_htcap(frm, ni); 2052 if (vap->iv_flags & IEEE80211_F_WPA1) { 2053 if (vap->iv_wpa_ie != NULL) 2054 frm = add_ie(frm, vap->iv_wpa_ie); 2055 /* XXX else complain */ 2056 } 2057 if ((ic->ic_flags & IEEE80211_F_WME) && 2058 ni->ni_ies.wme_ie != NULL) 2059 frm = ieee80211_add_wme_info(frm, &ic->ic_wme); 2060 if ((vap->iv_flags_ht & IEEE80211_FHT_HT) && 2061 ni->ni_ies.htcap_ie != NULL && 2062 ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_VENDOR) 2063 frm = ieee80211_add_htcap_vendor(frm, ni); 2064#ifdef IEEE80211_SUPPORT_SUPERG 2065 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS)) { 2066 frm = ieee80211_add_ath(frm, 2067 IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS), 2068 ((vap->iv_flags & IEEE80211_F_WPA) == 0 && 2069 ni->ni_authmode != IEEE80211_AUTH_8021X) ? 2070 vap->iv_def_txkey : IEEE80211_KEYIX_NONE); 2071 } 2072#endif /* IEEE80211_SUPPORT_SUPERG */ 2073 if (vap->iv_appie_assocreq != NULL) 2074 frm = add_appie(frm, vap->iv_appie_assocreq); 2075 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2076 2077 ieee80211_add_callback(m, ieee80211_tx_mgt_cb, 2078 (void *) vap->iv_state); 2079 break; 2080 2081 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2082 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2083 /* 2084 * asresp frame format 2085 * [2] capability information 2086 * [2] status 2087 * [2] association ID 2088 * [tlv] supported rates 2089 * [tlv] extended supported rates 2090 * [tlv] HT capabilities (standard, if STA enabled) 2091 * [tlv] HT information (standard, if STA enabled) 2092 * [tlv] WME (if configured and STA enabled) 2093 * [tlv] HT capabilities (vendor OUI, if STA enabled) 2094 * [tlv] HT information (vendor OUI, if STA enabled) 2095 * [tlv] Atheros capabilities (if STA enabled) 2096 * [tlv] AppIE's (optional) 2097 */ 2098 m = ieee80211_getmgtframe(&frm, 2099 ic->ic_headroom + sizeof(struct ieee80211_frame), 2100 sizeof(uint16_t) 2101 + sizeof(uint16_t) 2102 + sizeof(uint16_t) 2103 + 2 + IEEE80211_RATE_SIZE 2104 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2105 + sizeof(struct ieee80211_ie_htcap) + 4 2106 + sizeof(struct ieee80211_ie_htinfo) + 4 2107 + sizeof(struct ieee80211_wme_param) 2108#ifdef IEEE80211_SUPPORT_SUPERG 2109 + sizeof(struct ieee80211_ath_ie) 2110#endif 2111 + (vap->iv_appie_assocresp != NULL ? 2112 vap->iv_appie_assocresp->ie_len : 0) 2113 ); 2114 if (m == NULL) 2115 senderr(ENOMEM, is_tx_nobuf); 2116 2117 capinfo = ieee80211_getcapinfo(vap, bss->ni_chan); 2118 *(uint16_t *)frm = htole16(capinfo); 2119 frm += 2; 2120 2121 *(uint16_t *)frm = htole16(arg); /* status */ 2122 frm += 2; 2123 2124 if (arg == IEEE80211_STATUS_SUCCESS) { 2125 *(uint16_t *)frm = htole16(ni->ni_associd); 2126 IEEE80211_NODE_STAT(ni, tx_assoc); 2127 } else 2128 IEEE80211_NODE_STAT(ni, tx_assoc_fail); 2129 frm += 2; 2130 2131 frm = ieee80211_add_rates(frm, &ni->ni_rates); 2132 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 2133 /* NB: respond according to what we received */ 2134 if ((ni->ni_flags & HTFLAGS) == IEEE80211_NODE_HT) { 2135 frm = ieee80211_add_htcap(frm, ni); 2136 frm = ieee80211_add_htinfo(frm, ni); 2137 } 2138 if ((vap->iv_flags & IEEE80211_F_WME) && 2139 ni->ni_ies.wme_ie != NULL) 2140 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 2141 if ((ni->ni_flags & HTFLAGS) == HTFLAGS) { 2142 frm = ieee80211_add_htcap_vendor(frm, ni); 2143 frm = ieee80211_add_htinfo_vendor(frm, ni); 2144 } 2145#ifdef IEEE80211_SUPPORT_SUPERG 2146 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS)) 2147 frm = ieee80211_add_ath(frm, 2148 IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS), 2149 ((vap->iv_flags & IEEE80211_F_WPA) == 0 && 2150 ni->ni_authmode != IEEE80211_AUTH_8021X) ? 2151 vap->iv_def_txkey : IEEE80211_KEYIX_NONE); 2152#endif /* IEEE80211_SUPPORT_SUPERG */ 2153 if (vap->iv_appie_assocresp != NULL) 2154 frm = add_appie(frm, vap->iv_appie_assocresp); 2155 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2156 break; 2157 2158 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2159 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 2160 "send station disassociate (reason %d)", arg); 2161 m = ieee80211_getmgtframe(&frm, 2162 ic->ic_headroom + sizeof(struct ieee80211_frame), 2163 sizeof(uint16_t)); 2164 if (m == NULL) 2165 senderr(ENOMEM, is_tx_nobuf); 2166 *(uint16_t *)frm = htole16(arg); /* reason */ 2167 m->m_pkthdr.len = m->m_len = sizeof(uint16_t); 2168 2169 IEEE80211_NODE_STAT(ni, tx_disassoc); 2170 IEEE80211_NODE_STAT_SET(ni, tx_disassoc_code, arg); 2171 break; 2172 2173 default: 2174 IEEE80211_NOTE(vap, IEEE80211_MSG_ANY, ni, 2175 "invalid mgmt frame type %u", type); 2176 senderr(EINVAL, is_tx_unknownmgt); 2177 /* NOTREACHED */ 2178 } 2179 2180 /* NB: force non-ProbeResp frames to the highest queue */ 2181 params.ibp_pri = WME_AC_VO; 2182 params.ibp_rate0 = bss->ni_txparms->mgmtrate; 2183 /* NB: we know all frames are unicast */ 2184 params.ibp_try0 = bss->ni_txparms->maxretry; 2185 params.ibp_power = bss->ni_txpower; 2186 return ieee80211_mgmt_output(ni, m, type, ¶ms); 2187bad: 2188 ieee80211_free_node(ni); 2189 return ret; 2190#undef senderr 2191#undef HTFLAGS 2192} 2193 2194/* 2195 * Return an mbuf with a probe response frame in it. 2196 * Space is left to prepend and 802.11 header at the 2197 * front but it's left to the caller to fill in. 2198 */ 2199struct mbuf * 2200ieee80211_alloc_proberesp(struct ieee80211_node *bss, int legacy) 2201{ 2202 struct ieee80211vap *vap = bss->ni_vap; 2203 struct ieee80211com *ic = bss->ni_ic; 2204 const struct ieee80211_rateset *rs; 2205 struct mbuf *m; 2206 uint16_t capinfo; 2207 uint8_t *frm; 2208 2209 /* 2210 * probe response frame format 2211 * [8] time stamp 2212 * [2] beacon interval 2213 * [2] cabability information 2214 * [tlv] ssid 2215 * [tlv] supported rates 2216 * [tlv] parameter set (FH/DS) 2217 * [tlv] parameter set (IBSS) 2218 * [tlv] country (optional) 2219 * [3] power control (optional) 2220 * [5] channel switch announcement (CSA) (optional) 2221 * [tlv] extended rate phy (ERP) 2222 * [tlv] extended supported rates 2223 * [tlv] RSN (optional) 2224 * [tlv] HT capabilities 2225 * [tlv] HT information 2226 * [tlv] WPA (optional) 2227 * [tlv] WME (optional) 2228 * [tlv] Vendor OUI HT capabilities (optional) 2229 * [tlv] Vendor OUI HT information (optional) 2230 * [tlv] Atheros capabilities 2231 * [tlv] AppIE's (optional) 2232 * [tlv] Mesh ID (MBSS) 2233 * [tlv] Mesh Conf (MBSS) 2234 */ 2235 m = ieee80211_getmgtframe(&frm, 2236 ic->ic_headroom + sizeof(struct ieee80211_frame), 2237 8 2238 + sizeof(uint16_t) 2239 + sizeof(uint16_t) 2240 + 2 + IEEE80211_NWID_LEN 2241 + 2 + IEEE80211_RATE_SIZE 2242 + 7 /* max(7,3) */ 2243 + IEEE80211_COUNTRY_MAX_SIZE 2244 + 3 2245 + sizeof(struct ieee80211_csa_ie) 2246 + 3 2247 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2248 + sizeof(struct ieee80211_ie_wpa) 2249 + sizeof(struct ieee80211_ie_htcap) 2250 + sizeof(struct ieee80211_ie_htinfo) 2251 + sizeof(struct ieee80211_ie_wpa) 2252 + sizeof(struct ieee80211_wme_param) 2253 + 4 + sizeof(struct ieee80211_ie_htcap) 2254 + 4 + sizeof(struct ieee80211_ie_htinfo) 2255#ifdef IEEE80211_SUPPORT_SUPERG 2256 + sizeof(struct ieee80211_ath_ie) 2257#endif 2258#ifdef IEEE80211_SUPPORT_MESH 2259 + 2 + IEEE80211_MESHID_LEN 2260 + sizeof(struct ieee80211_meshconf_ie) 2261#endif 2262 + (vap->iv_appie_proberesp != NULL ? 2263 vap->iv_appie_proberesp->ie_len : 0) 2264 ); 2265 if (m == NULL) { 2266 vap->iv_stats.is_tx_nobuf++; 2267 return NULL; 2268 } 2269 2270 memset(frm, 0, 8); /* timestamp should be filled later */ 2271 frm += 8; 2272 *(uint16_t *)frm = htole16(bss->ni_intval); 2273 frm += 2; 2274 capinfo = ieee80211_getcapinfo(vap, bss->ni_chan); 2275 *(uint16_t *)frm = htole16(capinfo); 2276 frm += 2; 2277 2278 frm = ieee80211_add_ssid(frm, bss->ni_essid, bss->ni_esslen); 2279 rs = ieee80211_get_suprates(ic, bss->ni_chan); 2280 frm = ieee80211_add_rates(frm, rs); 2281 2282 if (IEEE80211_IS_CHAN_FHSS(bss->ni_chan)) { 2283 *frm++ = IEEE80211_ELEMID_FHPARMS; 2284 *frm++ = 5; 2285 *frm++ = bss->ni_fhdwell & 0x00ff; 2286 *frm++ = (bss->ni_fhdwell >> 8) & 0x00ff; 2287 *frm++ = IEEE80211_FH_CHANSET( 2288 ieee80211_chan2ieee(ic, bss->ni_chan)); 2289 *frm++ = IEEE80211_FH_CHANPAT( 2290 ieee80211_chan2ieee(ic, bss->ni_chan)); 2291 *frm++ = bss->ni_fhindex; 2292 } else { 2293 *frm++ = IEEE80211_ELEMID_DSPARMS; 2294 *frm++ = 1; 2295 *frm++ = ieee80211_chan2ieee(ic, bss->ni_chan); 2296 } 2297 2298 if (vap->iv_opmode == IEEE80211_M_IBSS) { 2299 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 2300 *frm++ = 2; 2301 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 2302 } 2303 if ((vap->iv_flags & IEEE80211_F_DOTH) || 2304 (vap->iv_flags_ext & IEEE80211_FEXT_DOTD)) 2305 frm = ieee80211_add_countryie(frm, ic); 2306 if (vap->iv_flags & IEEE80211_F_DOTH) { 2307 if (IEEE80211_IS_CHAN_5GHZ(bss->ni_chan)) 2308 frm = ieee80211_add_powerconstraint(frm, vap); 2309 if (ic->ic_flags & IEEE80211_F_CSAPENDING) 2310 frm = ieee80211_add_csa(frm, vap); 2311 } 2312 if (IEEE80211_IS_CHAN_ANYG(bss->ni_chan)) 2313 frm = ieee80211_add_erp(frm, ic); 2314 frm = ieee80211_add_xrates(frm, rs); 2315 if (vap->iv_flags & IEEE80211_F_WPA2) { 2316 if (vap->iv_rsn_ie != NULL) 2317 frm = add_ie(frm, vap->iv_rsn_ie); 2318 /* XXX else complain? */ 2319 } 2320 /* 2321 * NB: legacy 11b clients do not get certain ie's. 2322 * The caller identifies such clients by passing 2323 * a token in legacy to us. Could expand this to be 2324 * any legacy client for stuff like HT ie's. 2325 */ 2326 if (IEEE80211_IS_CHAN_HT(bss->ni_chan) && 2327 legacy != IEEE80211_SEND_LEGACY_11B) { 2328 frm = ieee80211_add_htcap(frm, bss); 2329 frm = ieee80211_add_htinfo(frm, bss); 2330 } 2331 if (vap->iv_flags & IEEE80211_F_WPA1) { 2332 if (vap->iv_wpa_ie != NULL) 2333 frm = add_ie(frm, vap->iv_wpa_ie); 2334 /* XXX else complain? */ 2335 } 2336 if (vap->iv_flags & IEEE80211_F_WME) 2337 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 2338 if (IEEE80211_IS_CHAN_HT(bss->ni_chan) && 2339 (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) && 2340 legacy != IEEE80211_SEND_LEGACY_11B) { 2341 frm = ieee80211_add_htcap_vendor(frm, bss); 2342 frm = ieee80211_add_htinfo_vendor(frm, bss); 2343 } 2344#ifdef IEEE80211_SUPPORT_SUPERG 2345 if ((vap->iv_flags & IEEE80211_F_ATHEROS) && 2346 legacy != IEEE80211_SEND_LEGACY_11B) 2347 frm = ieee80211_add_athcaps(frm, bss); 2348#endif 2349 if (vap->iv_appie_proberesp != NULL) 2350 frm = add_appie(frm, vap->iv_appie_proberesp); 2351#ifdef IEEE80211_SUPPORT_MESH 2352 if (vap->iv_opmode == IEEE80211_M_MBSS) { 2353 frm = ieee80211_add_meshid(frm, vap); 2354 frm = ieee80211_add_meshconf(frm, vap); 2355 } 2356#endif 2357 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2358 2359 return m; 2360} 2361 2362/* 2363 * Send a probe response frame to the specified mac address. 2364 * This does not go through the normal mgt frame api so we 2365 * can specify the destination address and re-use the bss node 2366 * for the sta reference. 2367 */ 2368int 2369ieee80211_send_proberesp(struct ieee80211vap *vap, 2370 const uint8_t da[IEEE80211_ADDR_LEN], int legacy) 2371{ 2372 struct ieee80211_node *bss = vap->iv_bss; 2373 struct ieee80211com *ic = vap->iv_ic; 2374 struct ieee80211_frame *wh; 2375 struct mbuf *m; 2376 2377 if (vap->iv_state == IEEE80211_S_CAC) { 2378 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, bss, 2379 "block %s frame in CAC state", "probe response"); 2380 vap->iv_stats.is_tx_badstate++; 2381 return EIO; /* XXX */ 2382 } 2383 2384 /* 2385 * Hold a reference on the node so it doesn't go away until after 2386 * the xmit is complete all the way in the driver. On error we 2387 * will remove our reference. 2388 */ 2389 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 2390 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 2391 __func__, __LINE__, bss, ether_sprintf(bss->ni_macaddr), 2392 ieee80211_node_refcnt(bss)+1); 2393 ieee80211_ref_node(bss); 2394 2395 m = ieee80211_alloc_proberesp(bss, legacy); 2396 if (m == NULL) { 2397 ieee80211_free_node(bss); 2398 return ENOMEM; 2399 } 2400 2401 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 2402 KASSERT(m != NULL, ("no room for header")); 2403 2404 wh = mtod(m, struct ieee80211_frame *); 2405 ieee80211_send_setup(bss, m, 2406 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP, 2407 IEEE80211_NONQOS_TID, vap->iv_myaddr, da, bss->ni_bssid); 2408 /* XXX power management? */ 2409 m->m_flags |= M_ENCAP; /* mark encapsulated */ 2410 2411 M_WME_SETAC(m, WME_AC_BE); 2412 2413 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 2414 "send probe resp on channel %u to %s%s\n", 2415 ieee80211_chan2ieee(ic, ic->ic_curchan), ether_sprintf(da), 2416 legacy ? " <legacy>" : ""); 2417 IEEE80211_NODE_STAT(bss, tx_mgmt); 2418 2419 return ic->ic_raw_xmit(bss, m, NULL); 2420} 2421 2422/* 2423 * Allocate and build a RTS (Request To Send) control frame. 2424 */ 2425struct mbuf * 2426ieee80211_alloc_rts(struct ieee80211com *ic, 2427 const uint8_t ra[IEEE80211_ADDR_LEN], 2428 const uint8_t ta[IEEE80211_ADDR_LEN], 2429 uint16_t dur) 2430{ 2431 struct ieee80211_frame_rts *rts; 2432 struct mbuf *m; 2433 2434 /* XXX honor ic_headroom */ 2435 m = m_gethdr(M_DONTWAIT, MT_DATA); 2436 if (m != NULL) { 2437 rts = mtod(m, struct ieee80211_frame_rts *); 2438 rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | 2439 IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_RTS; 2440 rts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2441 *(u_int16_t *)rts->i_dur = htole16(dur); 2442 IEEE80211_ADDR_COPY(rts->i_ra, ra); 2443 IEEE80211_ADDR_COPY(rts->i_ta, ta); 2444 2445 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts); 2446 } 2447 return m; 2448} 2449 2450/* 2451 * Allocate and build a CTS (Clear To Send) control frame. 2452 */ 2453struct mbuf * 2454ieee80211_alloc_cts(struct ieee80211com *ic, 2455 const uint8_t ra[IEEE80211_ADDR_LEN], uint16_t dur) 2456{ 2457 struct ieee80211_frame_cts *cts; 2458 struct mbuf *m; 2459 2460 /* XXX honor ic_headroom */ 2461 m = m_gethdr(M_DONTWAIT, MT_DATA); 2462 if (m != NULL) { 2463 cts = mtod(m, struct ieee80211_frame_cts *); 2464 cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | 2465 IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_CTS; 2466 cts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2467 *(u_int16_t *)cts->i_dur = htole16(dur); 2468 IEEE80211_ADDR_COPY(cts->i_ra, ra); 2469 2470 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts); 2471 } 2472 return m; 2473} 2474 2475static void 2476ieee80211_tx_mgt_timeout(void *arg) 2477{ 2478 struct ieee80211_node *ni = arg; 2479 struct ieee80211vap *vap = ni->ni_vap; 2480 2481 if (vap->iv_state != IEEE80211_S_INIT && 2482 (vap->iv_ic->ic_flags & IEEE80211_F_SCAN) == 0) { 2483 /* 2484 * NB: it's safe to specify a timeout as the reason here; 2485 * it'll only be used in the right state. 2486 */ 2487 ieee80211_new_state(vap, IEEE80211_S_SCAN, 2488 IEEE80211_SCAN_FAIL_TIMEOUT); 2489 } 2490} 2491 2492static void 2493ieee80211_tx_mgt_cb(struct ieee80211_node *ni, void *arg, int status) 2494{ 2495 struct ieee80211vap *vap = ni->ni_vap; 2496 enum ieee80211_state ostate = (enum ieee80211_state) arg; 2497 2498 /* 2499 * Frame transmit completed; arrange timer callback. If 2500 * transmit was successfuly we wait for response. Otherwise 2501 * we arrange an immediate callback instead of doing the 2502 * callback directly since we don't know what state the driver 2503 * is in (e.g. what locks it is holding). This work should 2504 * not be too time-critical and not happen too often so the 2505 * added overhead is acceptable. 2506 * 2507 * XXX what happens if !acked but response shows up before callback? 2508 */ 2509 if (vap->iv_state == ostate) 2510 callout_reset(&vap->iv_mgtsend, 2511 status == 0 ? IEEE80211_TRANS_WAIT*hz : 0, 2512 ieee80211_tx_mgt_timeout, ni); 2513} 2514 2515static void 2516ieee80211_beacon_construct(struct mbuf *m, uint8_t *frm, 2517 struct ieee80211_beacon_offsets *bo, struct ieee80211_node *ni) 2518{ 2519 struct ieee80211vap *vap = ni->ni_vap; 2520 struct ieee80211com *ic = ni->ni_ic; 2521 struct ieee80211_rateset *rs = &ni->ni_rates; 2522 uint16_t capinfo; 2523 2524 /* 2525 * beacon frame format 2526 * [8] time stamp 2527 * [2] beacon interval 2528 * [2] cabability information 2529 * [tlv] ssid 2530 * [tlv] supported rates 2531 * [3] parameter set (DS) 2532 * [8] CF parameter set (optional) 2533 * [tlv] parameter set (IBSS/TIM) 2534 * [tlv] country (optional) 2535 * [3] power control (optional) 2536 * [5] channel switch announcement (CSA) (optional) 2537 * [tlv] extended rate phy (ERP) 2538 * [tlv] extended supported rates 2539 * [tlv] RSN parameters 2540 * [tlv] HT capabilities 2541 * [tlv] HT information 2542 * XXX Vendor-specific OIDs (e.g. Atheros) 2543 * [tlv] WPA parameters 2544 * [tlv] WME parameters 2545 * [tlv] Vendor OUI HT capabilities (optional) 2546 * [tlv] Vendor OUI HT information (optional) 2547 * [tlv] Atheros capabilities (optional) 2548 * [tlv] TDMA parameters (optional) 2549 * [tlv] Mesh ID (MBSS) 2550 * [tlv] Mesh Conf (MBSS) 2551 * [tlv] application data (optional) 2552 */ 2553 2554 memset(bo, 0, sizeof(*bo)); 2555 2556 memset(frm, 0, 8); /* XXX timestamp is set by hardware/driver */ 2557 frm += 8; 2558 *(uint16_t *)frm = htole16(ni->ni_intval); 2559 frm += 2; 2560 capinfo = ieee80211_getcapinfo(vap, ni->ni_chan); 2561 bo->bo_caps = (uint16_t *)frm; 2562 *(uint16_t *)frm = htole16(capinfo); 2563 frm += 2; 2564 *frm++ = IEEE80211_ELEMID_SSID; 2565 if ((vap->iv_flags & IEEE80211_F_HIDESSID) == 0) { 2566 *frm++ = ni->ni_esslen; 2567 memcpy(frm, ni->ni_essid, ni->ni_esslen); 2568 frm += ni->ni_esslen; 2569 } else 2570 *frm++ = 0; 2571 frm = ieee80211_add_rates(frm, rs); 2572 if (!IEEE80211_IS_CHAN_FHSS(ni->ni_chan)) { 2573 *frm++ = IEEE80211_ELEMID_DSPARMS; 2574 *frm++ = 1; 2575 *frm++ = ieee80211_chan2ieee(ic, ni->ni_chan); 2576 } 2577 if (ic->ic_flags & IEEE80211_F_PCF) { 2578 bo->bo_cfp = frm; 2579 frm = ieee80211_add_cfparms(frm, ic); 2580 } 2581 bo->bo_tim = frm; 2582 if (vap->iv_opmode == IEEE80211_M_IBSS) { 2583 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 2584 *frm++ = 2; 2585 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 2586 bo->bo_tim_len = 0; 2587 } else if (vap->iv_opmode == IEEE80211_M_HOSTAP || 2588 vap->iv_opmode == IEEE80211_M_MBSS) { 2589 /* TIM IE is the same for Mesh and Hostap */ 2590 struct ieee80211_tim_ie *tie = (struct ieee80211_tim_ie *) frm; 2591 2592 tie->tim_ie = IEEE80211_ELEMID_TIM; 2593 tie->tim_len = 4; /* length */ 2594 tie->tim_count = 0; /* DTIM count */ 2595 tie->tim_period = vap->iv_dtim_period; /* DTIM period */ 2596 tie->tim_bitctl = 0; /* bitmap control */ 2597 tie->tim_bitmap[0] = 0; /* Partial Virtual Bitmap */ 2598 frm += sizeof(struct ieee80211_tim_ie); 2599 bo->bo_tim_len = 1; 2600 } 2601 bo->bo_tim_trailer = frm; 2602 if ((vap->iv_flags & IEEE80211_F_DOTH) || 2603 (vap->iv_flags_ext & IEEE80211_FEXT_DOTD)) 2604 frm = ieee80211_add_countryie(frm, ic); 2605 if (vap->iv_flags & IEEE80211_F_DOTH) { 2606 if (IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) 2607 frm = ieee80211_add_powerconstraint(frm, vap); 2608 bo->bo_csa = frm; 2609 if (ic->ic_flags & IEEE80211_F_CSAPENDING) 2610 frm = ieee80211_add_csa(frm, vap); 2611 } else 2612 bo->bo_csa = frm; 2613 if (IEEE80211_IS_CHAN_ANYG(ni->ni_chan)) { 2614 bo->bo_erp = frm; 2615 frm = ieee80211_add_erp(frm, ic); 2616 } 2617 frm = ieee80211_add_xrates(frm, rs); 2618 if (vap->iv_flags & IEEE80211_F_WPA2) { 2619 if (vap->iv_rsn_ie != NULL) 2620 frm = add_ie(frm, vap->iv_rsn_ie); 2621 /* XXX else complain */ 2622 } 2623 if (IEEE80211_IS_CHAN_HT(ni->ni_chan)) { 2624 frm = ieee80211_add_htcap(frm, ni); 2625 bo->bo_htinfo = frm; 2626 frm = ieee80211_add_htinfo(frm, ni); 2627 } 2628 if (vap->iv_flags & IEEE80211_F_WPA1) { 2629 if (vap->iv_wpa_ie != NULL) 2630 frm = add_ie(frm, vap->iv_wpa_ie); 2631 /* XXX else complain */ 2632 } 2633 if (vap->iv_flags & IEEE80211_F_WME) { 2634 bo->bo_wme = frm; 2635 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 2636 } 2637 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && 2638 (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT)) { 2639 frm = ieee80211_add_htcap_vendor(frm, ni); 2640 frm = ieee80211_add_htinfo_vendor(frm, ni); 2641 } 2642#ifdef IEEE80211_SUPPORT_SUPERG 2643 if (vap->iv_flags & IEEE80211_F_ATHEROS) { 2644 bo->bo_ath = frm; 2645 frm = ieee80211_add_athcaps(frm, ni); 2646 } 2647#endif 2648#ifdef IEEE80211_SUPPORT_TDMA 2649 if (vap->iv_caps & IEEE80211_C_TDMA) { 2650 bo->bo_tdma = frm; 2651 frm = ieee80211_add_tdma(frm, vap); 2652 } 2653#endif 2654 if (vap->iv_appie_beacon != NULL) { 2655 bo->bo_appie = frm; 2656 bo->bo_appie_len = vap->iv_appie_beacon->ie_len; 2657 frm = add_appie(frm, vap->iv_appie_beacon); 2658 } 2659#ifdef IEEE80211_SUPPORT_MESH 2660 if (vap->iv_opmode == IEEE80211_M_MBSS) { 2661 frm = ieee80211_add_meshid(frm, vap); 2662 bo->bo_meshconf = frm; 2663 frm = ieee80211_add_meshconf(frm, vap); 2664 } 2665#endif 2666 bo->bo_tim_trailer_len = frm - bo->bo_tim_trailer; 2667 bo->bo_csa_trailer_len = frm - bo->bo_csa; 2668 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2669} 2670 2671/* 2672 * Allocate a beacon frame and fillin the appropriate bits. 2673 */ 2674struct mbuf * 2675ieee80211_beacon_alloc(struct ieee80211_node *ni, 2676 struct ieee80211_beacon_offsets *bo) 2677{ 2678 struct ieee80211vap *vap = ni->ni_vap; 2679 struct ieee80211com *ic = ni->ni_ic; 2680 struct ifnet *ifp = vap->iv_ifp; 2681 struct ieee80211_frame *wh; 2682 struct mbuf *m; 2683 int pktlen; 2684 uint8_t *frm; 2685 2686 /* 2687 * beacon frame format 2688 * [8] time stamp 2689 * [2] beacon interval 2690 * [2] cabability information 2691 * [tlv] ssid 2692 * [tlv] supported rates 2693 * [3] parameter set (DS) 2694 * [8] CF parameter set (optional) 2695 * [tlv] parameter set (IBSS/TIM) 2696 * [tlv] country (optional) 2697 * [3] power control (optional) 2698 * [5] channel switch announcement (CSA) (optional) 2699 * [tlv] extended rate phy (ERP) 2700 * [tlv] extended supported rates 2701 * [tlv] RSN parameters 2702 * [tlv] HT capabilities 2703 * [tlv] HT information 2704 * [tlv] Vendor OUI HT capabilities (optional) 2705 * [tlv] Vendor OUI HT information (optional) 2706 * XXX Vendor-specific OIDs (e.g. Atheros) 2707 * [tlv] WPA parameters 2708 * [tlv] WME parameters 2709 * [tlv] TDMA parameters (optional) 2710 * [tlv] Mesh ID (MBSS) 2711 * [tlv] Mesh Conf (MBSS) 2712 * [tlv] application data (optional) 2713 * NB: we allocate the max space required for the TIM bitmap. 2714 * XXX how big is this? 2715 */ 2716 pktlen = 8 /* time stamp */ 2717 + sizeof(uint16_t) /* beacon interval */ 2718 + sizeof(uint16_t) /* capabilities */ 2719 + 2 + ni->ni_esslen /* ssid */ 2720 + 2 + IEEE80211_RATE_SIZE /* supported rates */ 2721 + 2 + 1 /* DS parameters */ 2722 + 2 + 6 /* CF parameters */ 2723 + 2 + 4 + vap->iv_tim_len /* DTIM/IBSSPARMS */ 2724 + IEEE80211_COUNTRY_MAX_SIZE /* country */ 2725 + 2 + 1 /* power control */ 2726 + sizeof(struct ieee80211_csa_ie) /* CSA */ 2727 + 2 + 1 /* ERP */ 2728 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2729 + (vap->iv_caps & IEEE80211_C_WPA ? /* WPA 1+2 */ 2730 2*sizeof(struct ieee80211_ie_wpa) : 0) 2731 /* XXX conditional? */ 2732 + 4+2*sizeof(struct ieee80211_ie_htcap)/* HT caps */ 2733 + 4+2*sizeof(struct ieee80211_ie_htinfo)/* HT info */ 2734 + (vap->iv_caps & IEEE80211_C_WME ? /* WME */ 2735 sizeof(struct ieee80211_wme_param) : 0) 2736#ifdef IEEE80211_SUPPORT_SUPERG 2737 + sizeof(struct ieee80211_ath_ie) /* ATH */ 2738#endif 2739#ifdef IEEE80211_SUPPORT_TDMA 2740 + (vap->iv_caps & IEEE80211_C_TDMA ? /* TDMA */ 2741 sizeof(struct ieee80211_tdma_param) : 0) 2742#endif 2743#ifdef IEEE80211_SUPPORT_MESH 2744 + 2 + ni->ni_meshidlen 2745 + sizeof(struct ieee80211_meshconf_ie) 2746#endif 2747 + IEEE80211_MAX_APPIE 2748 ; 2749 m = ieee80211_getmgtframe(&frm, 2750 ic->ic_headroom + sizeof(struct ieee80211_frame), pktlen); 2751 if (m == NULL) { 2752 IEEE80211_DPRINTF(vap, IEEE80211_MSG_ANY, 2753 "%s: cannot get buf; size %u\n", __func__, pktlen); 2754 vap->iv_stats.is_tx_nobuf++; 2755 return NULL; 2756 } 2757 ieee80211_beacon_construct(m, frm, bo, ni); 2758 2759 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 2760 KASSERT(m != NULL, ("no space for 802.11 header?")); 2761 wh = mtod(m, struct ieee80211_frame *); 2762 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | 2763 IEEE80211_FC0_SUBTYPE_BEACON; 2764 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2765 *(uint16_t *)wh->i_dur = 0; 2766 IEEE80211_ADDR_COPY(wh->i_addr1, ifp->if_broadcastaddr); 2767 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 2768 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 2769 *(uint16_t *)wh->i_seq = 0; 2770 2771 return m; 2772} 2773 2774/* 2775 * Update the dynamic parts of a beacon frame based on the current state. 2776 */ 2777int 2778ieee80211_beacon_update(struct ieee80211_node *ni, 2779 struct ieee80211_beacon_offsets *bo, struct mbuf *m, int mcast) 2780{ 2781 struct ieee80211vap *vap = ni->ni_vap; 2782 struct ieee80211com *ic = ni->ni_ic; 2783 int len_changed = 0; 2784 uint16_t capinfo; 2785 2786 IEEE80211_LOCK(ic); 2787 /* 2788 * Handle 11h channel change when we've reached the count. 2789 * We must recalculate the beacon frame contents to account 2790 * for the new channel. Note we do this only for the first 2791 * vap that reaches this point; subsequent vaps just update 2792 * their beacon state to reflect the recalculated channel. 2793 */ 2794 if (isset(bo->bo_flags, IEEE80211_BEACON_CSA) && 2795 vap->iv_csa_count == ic->ic_csa_count) { 2796 vap->iv_csa_count = 0; 2797 /* 2798 * Effect channel change before reconstructing the beacon 2799 * frame contents as many places reference ni_chan. 2800 */ 2801 if (ic->ic_csa_newchan != NULL) 2802 ieee80211_csa_completeswitch(ic); 2803 /* 2804 * NB: ieee80211_beacon_construct clears all pending 2805 * updates in bo_flags so we don't need to explicitly 2806 * clear IEEE80211_BEACON_CSA. 2807 */ 2808 ieee80211_beacon_construct(m, 2809 mtod(m, uint8_t*) + sizeof(struct ieee80211_frame), bo, ni); 2810 2811 /* XXX do WME aggressive mode processing? */ 2812 IEEE80211_UNLOCK(ic); 2813 return 1; /* just assume length changed */ 2814 } 2815 2816 /* XXX faster to recalculate entirely or just changes? */ 2817 capinfo = ieee80211_getcapinfo(vap, ni->ni_chan); 2818 *bo->bo_caps = htole16(capinfo); 2819 2820 if (vap->iv_flags & IEEE80211_F_WME) { 2821 struct ieee80211_wme_state *wme = &ic->ic_wme; 2822 2823 /* 2824 * Check for agressive mode change. When there is 2825 * significant high priority traffic in the BSS 2826 * throttle back BE traffic by using conservative 2827 * parameters. Otherwise BE uses agressive params 2828 * to optimize performance of legacy/non-QoS traffic. 2829 */ 2830 if (wme->wme_flags & WME_F_AGGRMODE) { 2831 if (wme->wme_hipri_traffic > 2832 wme->wme_hipri_switch_thresh) { 2833 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME, 2834 "%s: traffic %u, disable aggressive mode\n", 2835 __func__, wme->wme_hipri_traffic); 2836 wme->wme_flags &= ~WME_F_AGGRMODE; 2837 ieee80211_wme_updateparams_locked(vap); 2838 wme->wme_hipri_traffic = 2839 wme->wme_hipri_switch_hysteresis; 2840 } else 2841 wme->wme_hipri_traffic = 0; 2842 } else { 2843 if (wme->wme_hipri_traffic <= 2844 wme->wme_hipri_switch_thresh) { 2845 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME, 2846 "%s: traffic %u, enable aggressive mode\n", 2847 __func__, wme->wme_hipri_traffic); 2848 wme->wme_flags |= WME_F_AGGRMODE; 2849 ieee80211_wme_updateparams_locked(vap); 2850 wme->wme_hipri_traffic = 0; 2851 } else 2852 wme->wme_hipri_traffic = 2853 wme->wme_hipri_switch_hysteresis; 2854 } 2855 if (isset(bo->bo_flags, IEEE80211_BEACON_WME)) { 2856 (void) ieee80211_add_wme_param(bo->bo_wme, wme); 2857 clrbit(bo->bo_flags, IEEE80211_BEACON_WME); 2858 } 2859 } 2860 2861 if (isset(bo->bo_flags, IEEE80211_BEACON_HTINFO)) { 2862 ieee80211_ht_update_beacon(vap, bo); 2863 clrbit(bo->bo_flags, IEEE80211_BEACON_HTINFO); 2864 } 2865#ifdef IEEE80211_SUPPORT_TDMA 2866 if (vap->iv_caps & IEEE80211_C_TDMA) { 2867 /* 2868 * NB: the beacon is potentially updated every TBTT. 2869 */ 2870 ieee80211_tdma_update_beacon(vap, bo); 2871 } 2872#endif 2873#ifdef IEEE80211_SUPPORT_MESH 2874 if (vap->iv_opmode == IEEE80211_M_MBSS) 2875 ieee80211_mesh_update_beacon(vap, bo); 2876#endif 2877 2878 if (vap->iv_opmode == IEEE80211_M_HOSTAP || 2879 vap->iv_opmode == IEEE80211_M_MBSS) { /* NB: no IBSS support*/ 2880 struct ieee80211_tim_ie *tie = 2881 (struct ieee80211_tim_ie *) bo->bo_tim; 2882 if (isset(bo->bo_flags, IEEE80211_BEACON_TIM)) { 2883 u_int timlen, timoff, i; 2884 /* 2885 * ATIM/DTIM needs updating. If it fits in the 2886 * current space allocated then just copy in the 2887 * new bits. Otherwise we need to move any trailing 2888 * data to make room. Note that we know there is 2889 * contiguous space because ieee80211_beacon_allocate 2890 * insures there is space in the mbuf to write a 2891 * maximal-size virtual bitmap (based on iv_max_aid). 2892 */ 2893 /* 2894 * Calculate the bitmap size and offset, copy any 2895 * trailer out of the way, and then copy in the 2896 * new bitmap and update the information element. 2897 * Note that the tim bitmap must contain at least 2898 * one byte and any offset must be even. 2899 */ 2900 if (vap->iv_ps_pending != 0) { 2901 timoff = 128; /* impossibly large */ 2902 for (i = 0; i < vap->iv_tim_len; i++) 2903 if (vap->iv_tim_bitmap[i]) { 2904 timoff = i &~ 1; 2905 break; 2906 } 2907 KASSERT(timoff != 128, ("tim bitmap empty!")); 2908 for (i = vap->iv_tim_len-1; i >= timoff; i--) 2909 if (vap->iv_tim_bitmap[i]) 2910 break; 2911 timlen = 1 + (i - timoff); 2912 } else { 2913 timoff = 0; 2914 timlen = 1; 2915 } 2916 if (timlen != bo->bo_tim_len) { 2917 /* copy up/down trailer */ 2918 int adjust = tie->tim_bitmap+timlen 2919 - bo->bo_tim_trailer; 2920 ovbcopy(bo->bo_tim_trailer, 2921 bo->bo_tim_trailer+adjust, 2922 bo->bo_tim_trailer_len); 2923 bo->bo_tim_trailer += adjust; 2924 bo->bo_erp += adjust; 2925 bo->bo_htinfo += adjust; 2926#ifdef IEEE80211_SUPPORT_SUPERG 2927 bo->bo_ath += adjust; 2928#endif 2929#ifdef IEEE80211_SUPPORT_TDMA 2930 bo->bo_tdma += adjust; 2931#endif 2932#ifdef IEEE80211_SUPPORT_MESH 2933 bo->bo_meshconf += adjust; 2934#endif 2935 bo->bo_appie += adjust; 2936 bo->bo_wme += adjust; 2937 bo->bo_csa += adjust; 2938 bo->bo_tim_len = timlen; 2939 2940 /* update information element */ 2941 tie->tim_len = 3 + timlen; 2942 tie->tim_bitctl = timoff; 2943 len_changed = 1; 2944 } 2945 memcpy(tie->tim_bitmap, vap->iv_tim_bitmap + timoff, 2946 bo->bo_tim_len); 2947 2948 clrbit(bo->bo_flags, IEEE80211_BEACON_TIM); 2949 2950 IEEE80211_DPRINTF(vap, IEEE80211_MSG_POWER, 2951 "%s: TIM updated, pending %u, off %u, len %u\n", 2952 __func__, vap->iv_ps_pending, timoff, timlen); 2953 } 2954 /* count down DTIM period */ 2955 if (tie->tim_count == 0) 2956 tie->tim_count = tie->tim_period - 1; 2957 else 2958 tie->tim_count--; 2959 /* update state for buffered multicast frames on DTIM */ 2960 if (mcast && tie->tim_count == 0) 2961 tie->tim_bitctl |= 1; 2962 else 2963 tie->tim_bitctl &= ~1; 2964 if (isset(bo->bo_flags, IEEE80211_BEACON_CSA)) { 2965 struct ieee80211_csa_ie *csa = 2966 (struct ieee80211_csa_ie *) bo->bo_csa; 2967 2968 /* 2969 * Insert or update CSA ie. If we're just starting 2970 * to count down to the channel switch then we need 2971 * to insert the CSA ie. Otherwise we just need to 2972 * drop the count. The actual change happens above 2973 * when the vap's count reaches the target count. 2974 */ 2975 if (vap->iv_csa_count == 0) { 2976 memmove(&csa[1], csa, bo->bo_csa_trailer_len); 2977 bo->bo_erp += sizeof(*csa); 2978 bo->bo_htinfo += sizeof(*csa); 2979 bo->bo_wme += sizeof(*csa); 2980#ifdef IEEE80211_SUPPORT_SUPERG 2981 bo->bo_ath += sizeof(*csa); 2982#endif 2983#ifdef IEEE80211_SUPPORT_TDMA 2984 bo->bo_tdma += sizeof(*csa); 2985#endif 2986#ifdef IEEE80211_SUPPORT_MESH 2987 bo->bo_meshconf += sizeof(*csa); 2988#endif 2989 bo->bo_appie += sizeof(*csa); 2990 bo->bo_csa_trailer_len += sizeof(*csa); 2991 bo->bo_tim_trailer_len += sizeof(*csa); 2992 m->m_len += sizeof(*csa); 2993 m->m_pkthdr.len += sizeof(*csa); 2994 2995 ieee80211_add_csa(bo->bo_csa, vap); 2996 } else 2997 csa->csa_count--; 2998 vap->iv_csa_count++; 2999 /* NB: don't clear IEEE80211_BEACON_CSA */ 3000 } 3001 if (isset(bo->bo_flags, IEEE80211_BEACON_ERP)) { 3002 /* 3003 * ERP element needs updating. 3004 */ 3005 (void) ieee80211_add_erp(bo->bo_erp, ic); 3006 clrbit(bo->bo_flags, IEEE80211_BEACON_ERP); 3007 } 3008#ifdef IEEE80211_SUPPORT_SUPERG 3009 if (isset(bo->bo_flags, IEEE80211_BEACON_ATH)) { 3010 ieee80211_add_athcaps(bo->bo_ath, ni); 3011 clrbit(bo->bo_flags, IEEE80211_BEACON_ATH); 3012 } 3013#endif 3014 } 3015 if (isset(bo->bo_flags, IEEE80211_BEACON_APPIE)) { 3016 const struct ieee80211_appie *aie = vap->iv_appie_beacon; 3017 int aielen; 3018 uint8_t *frm; 3019 3020 aielen = 0; 3021 if (aie != NULL) 3022 aielen += aie->ie_len; 3023 if (aielen != bo->bo_appie_len) { 3024 /* copy up/down trailer */ 3025 int adjust = aielen - bo->bo_appie_len; 3026 ovbcopy(bo->bo_tim_trailer, bo->bo_tim_trailer+adjust, 3027 bo->bo_tim_trailer_len); 3028 bo->bo_tim_trailer += adjust; 3029 bo->bo_appie += adjust; 3030 bo->bo_appie_len = aielen; 3031 3032 len_changed = 1; 3033 } 3034 frm = bo->bo_appie; 3035 if (aie != NULL) 3036 frm = add_appie(frm, aie); 3037 clrbit(bo->bo_flags, IEEE80211_BEACON_APPIE); 3038 } 3039 IEEE80211_UNLOCK(ic); 3040 3041 return len_changed; 3042} 3043