1/*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2001 Atsushi Onoe 5 * Copyright (c) 2002-2009 Sam Leffler, Errno Consulting 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29#include <sys/cdefs.h> 30__FBSDID("$FreeBSD$"); 31 32#include "opt_inet.h" 33#include "opt_inet6.h" 34#include "opt_wlan.h" 35 36#include <sys/param.h> 37#include <sys/systm.h> 38#include <sys/kernel.h> 39#include <sys/malloc.h> 40#include <sys/mbuf.h> 41#include <sys/endian.h> 42 43#include <sys/socket.h> 44 45#include <net/bpf.h> 46#include <net/ethernet.h> 47#include <net/if.h> 48#include <net/if_var.h> 49#include <net/if_llc.h> 50#include <net/if_media.h> 51#include <net/if_vlan_var.h> 52 53#include <net80211/ieee80211_var.h> 54#include <net80211/ieee80211_regdomain.h> 55#ifdef IEEE80211_SUPPORT_SUPERG 56#include <net80211/ieee80211_superg.h> 57#endif 58#ifdef IEEE80211_SUPPORT_TDMA 59#include <net80211/ieee80211_tdma.h> 60#endif 61#include <net80211/ieee80211_wds.h> 62#include <net80211/ieee80211_mesh.h> 63#include <net80211/ieee80211_vht.h> 64 65#if defined(INET) || defined(INET6) 66#include <netinet/in.h> 67#endif 68 69#ifdef INET 70#include <netinet/if_ether.h> 71#include <netinet/in_systm.h> 72#include <netinet/ip.h> 73#endif 74#ifdef INET6 75#include <netinet/ip6.h> 76#endif 77 78#include <security/mac/mac_framework.h> 79 80#define ETHER_HEADER_COPY(dst, src) \ 81 memcpy(dst, src, sizeof(struct ether_header)) 82 83static int ieee80211_fragment(struct ieee80211vap *, struct mbuf *, 84 u_int hdrsize, u_int ciphdrsize, u_int mtu); 85static void ieee80211_tx_mgt_cb(struct ieee80211_node *, void *, int); 86 87#ifdef IEEE80211_DEBUG 88/* 89 * Decide if an outbound management frame should be 90 * printed when debugging is enabled. This filters some 91 * of the less interesting frames that come frequently 92 * (e.g. beacons). 93 */ 94static __inline int 95doprint(struct ieee80211vap *vap, int subtype) 96{ 97 switch (subtype) { 98 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 99 return (vap->iv_opmode == IEEE80211_M_IBSS); 100 } 101 return 1; 102} 103#endif 104 105/* 106 * Transmit a frame to the given destination on the given VAP. 107 * 108 * It's up to the caller to figure out the details of who this 109 * is going to and resolving the node. 110 * 111 * This routine takes care of queuing it for power save, 112 * A-MPDU state stuff, fast-frames state stuff, encapsulation 113 * if required, then passing it up to the driver layer. 114 * 115 * This routine (for now) consumes the mbuf and frees the node 116 * reference; it ideally will return a TX status which reflects 117 * whether the mbuf was consumed or not, so the caller can 118 * free the mbuf (if appropriate) and the node reference (again, 119 * if appropriate.) 120 */ 121int 122ieee80211_vap_pkt_send_dest(struct ieee80211vap *vap, struct mbuf *m, 123 struct ieee80211_node *ni) 124{ 125 struct ieee80211com *ic = vap->iv_ic; 126 struct ifnet *ifp = vap->iv_ifp; 127 int mcast; 128 int do_ampdu = 0; 129 int do_amsdu = 0; 130 int do_ampdu_amsdu = 0; 131 int no_ampdu = 1; /* Will be set to 0 if ampdu is active */ 132 int do_ff = 0; 133 134 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 135 (m->m_flags & M_PWR_SAV) == 0) { 136 /* 137 * Station in power save mode; pass the frame 138 * to the 802.11 layer and continue. We'll get 139 * the frame back when the time is right. 140 * XXX lose WDS vap linkage? 141 */ 142 if (ieee80211_pwrsave(ni, m) != 0) 143 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 144 ieee80211_free_node(ni); 145 146 /* 147 * We queued it fine, so tell the upper layer 148 * that we consumed it. 149 */ 150 return (0); 151 } 152 /* calculate priority so drivers can find the tx queue */ 153 if (ieee80211_classify(ni, m)) { 154 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT, 155 ni->ni_macaddr, NULL, 156 "%s", "classification failure"); 157 vap->iv_stats.is_tx_classify++; 158 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 159 m_freem(m); 160 ieee80211_free_node(ni); 161 162 /* XXX better status? */ 163 return (0); 164 } 165 /* 166 * Stash the node pointer. Note that we do this after 167 * any call to ieee80211_dwds_mcast because that code 168 * uses any existing value for rcvif to identify the 169 * interface it (might have been) received on. 170 */ 171 MPASS((m->m_pkthdr.csum_flags & CSUM_SND_TAG) == 0); 172 m->m_pkthdr.rcvif = (void *)ni; 173 mcast = (m->m_flags & (M_MCAST | M_BCAST)) ? 1: 0; 174 175 BPF_MTAP(ifp, m); /* 802.3 tx */ 176 177 /* 178 * Figure out if we can do A-MPDU, A-MSDU or FF. 179 * 180 * A-MPDU depends upon vap/node config. 181 * A-MSDU depends upon vap/node config. 182 * FF depends upon vap config, IE and whether 183 * it's 11abg (and not 11n/11ac/etc.) 184 * 185 * Note that these flags indiciate whether we can do 186 * it at all, rather than the situation (eg traffic type.) 187 */ 188 do_ampdu = ((ni->ni_flags & IEEE80211_NODE_AMPDU_TX) && 189 (vap->iv_flags_ht & IEEE80211_FHT_AMPDU_TX)); 190 do_amsdu = ((ni->ni_flags & IEEE80211_NODE_AMSDU_TX) && 191 (vap->iv_flags_ht & IEEE80211_FHT_AMSDU_TX)); 192 do_ff = 193 ((ni->ni_flags & IEEE80211_NODE_HT) == 0) && 194 ((ni->ni_flags & IEEE80211_NODE_VHT) == 0) && 195 (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF)); 196 197 /* 198 * Check if A-MPDU tx aggregation is setup or if we 199 * should try to enable it. The sta must be associated 200 * with HT and A-MPDU enabled for use. When the policy 201 * routine decides we should enable A-MPDU we issue an 202 * ADDBA request and wait for a reply. The frame being 203 * encapsulated will go out w/o using A-MPDU, or possibly 204 * it might be collected by the driver and held/retransmit. 205 * The default ic_ampdu_enable routine handles staggering 206 * ADDBA requests in case the receiver NAK's us or we are 207 * otherwise unable to establish a BA stream. 208 * 209 * Don't treat group-addressed frames as candidates for aggregation; 210 * net80211 doesn't support 802.11aa-2012 and so group addressed 211 * frames will always have sequence numbers allocated from the NON_QOS 212 * TID. 213 */ 214 if (do_ampdu) { 215 if ((m->m_flags & M_EAPOL) == 0 && (! mcast)) { 216 int tid = WME_AC_TO_TID(M_WME_GETAC(m)); 217 struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[tid]; 218 219 ieee80211_txampdu_count_packet(tap); 220 if (IEEE80211_AMPDU_RUNNING(tap)) { 221 /* 222 * Operational, mark frame for aggregation. 223 * 224 * XXX do tx aggregation here 225 */ 226 m->m_flags |= M_AMPDU_MPDU; 227 } else if (!IEEE80211_AMPDU_REQUESTED(tap) && 228 ic->ic_ampdu_enable(ni, tap)) { 229 /* 230 * Not negotiated yet, request service. 231 */ 232 ieee80211_ampdu_request(ni, tap); 233 /* XXX hold frame for reply? */ 234 } 235 /* 236 * Now update the no-ampdu flag. A-MPDU may have been 237 * started or administratively disabled above; so now we 238 * know whether we're running yet or not. 239 * 240 * This will let us know whether we should be doing A-MSDU 241 * at this point. We only do A-MSDU if we're either not 242 * doing A-MPDU, or A-MPDU is NACKed, or A-MPDU + A-MSDU 243 * is available. 244 * 245 * Whilst here, update the amsdu-ampdu flag. The above may 246 * have also set or cleared the amsdu-in-ampdu txa_flags 247 * combination so we can correctly do A-MPDU + A-MSDU. 248 */ 249 no_ampdu = (! IEEE80211_AMPDU_RUNNING(tap) 250 || (IEEE80211_AMPDU_NACKED(tap))); 251 do_ampdu_amsdu = IEEE80211_AMPDU_RUNNING_AMSDU(tap); 252 } 253 } 254 255#ifdef IEEE80211_SUPPORT_SUPERG 256 /* 257 * Check for AMSDU/FF; queue for aggregation 258 * 259 * Note: we don't bother trying to do fast frames or 260 * A-MSDU encapsulation for 802.3 drivers. Now, we 261 * likely could do it for FF (because it's a magic 262 * atheros tunnel LLC type) but I don't think we're going 263 * to really need to. For A-MSDU we'd have to set the 264 * A-MSDU QoS bit in the wifi header, so we just plain 265 * can't do it. 266 */ 267 if (__predict_true((vap->iv_caps & IEEE80211_C_8023ENCAP) == 0)) { 268 if ((! mcast) && 269 (do_ampdu_amsdu || (no_ampdu && do_amsdu)) && 270 ieee80211_amsdu_tx_ok(ni)) { 271 m = ieee80211_amsdu_check(ni, m); 272 if (m == NULL) { 273 /* NB: any ni ref held on stageq */ 274 IEEE80211_DPRINTF(vap, IEEE80211_MSG_SUPERG, 275 "%s: amsdu_check queued frame\n", 276 __func__); 277 return (0); 278 } 279 } else if ((! mcast) && do_ff) { 280 m = ieee80211_ff_check(ni, m); 281 if (m == NULL) { 282 /* NB: any ni ref held on stageq */ 283 IEEE80211_DPRINTF(vap, IEEE80211_MSG_SUPERG, 284 "%s: ff_check queued frame\n", 285 __func__); 286 return (0); 287 } 288 } 289 } 290#endif /* IEEE80211_SUPPORT_SUPERG */ 291 292 /* 293 * Grab the TX lock - serialise the TX process from this 294 * point (where TX state is being checked/modified) 295 * through to driver queue. 296 */ 297 IEEE80211_TX_LOCK(ic); 298 299 /* 300 * XXX make the encap and transmit code a separate function 301 * so things like the FF (and later A-MSDU) path can just call 302 * it for flushed frames. 303 */ 304 if (__predict_true((vap->iv_caps & IEEE80211_C_8023ENCAP) == 0)) { 305 /* 306 * Encapsulate the packet in prep for transmission. 307 */ 308 m = ieee80211_encap(vap, ni, m); 309 if (m == NULL) { 310 /* NB: stat+msg handled in ieee80211_encap */ 311 IEEE80211_TX_UNLOCK(ic); 312 ieee80211_free_node(ni); 313 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 314 return (ENOBUFS); 315 } 316 } 317 (void) ieee80211_parent_xmitpkt(ic, m); 318 319 /* 320 * Unlock at this point - no need to hold it across 321 * ieee80211_free_node() (ie, the comlock) 322 */ 323 IEEE80211_TX_UNLOCK(ic); 324 ic->ic_lastdata = ticks; 325 326 return (0); 327} 328 329/* 330 * Send the given mbuf through the given vap. 331 * 332 * This consumes the mbuf regardless of whether the transmit 333 * was successful or not. 334 * 335 * This does none of the initial checks that ieee80211_start() 336 * does (eg CAC timeout, interface wakeup) - the caller must 337 * do this first. 338 */ 339static int 340ieee80211_start_pkt(struct ieee80211vap *vap, struct mbuf *m) 341{ 342#define IS_DWDS(vap) \ 343 (vap->iv_opmode == IEEE80211_M_WDS && \ 344 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY) == 0) 345 struct ieee80211com *ic = vap->iv_ic; 346 struct ifnet *ifp = vap->iv_ifp; 347 struct ieee80211_node *ni; 348 struct ether_header *eh; 349 350 /* 351 * Cancel any background scan. 352 */ 353 if (ic->ic_flags & IEEE80211_F_SCAN) 354 ieee80211_cancel_anyscan(vap); 355 /* 356 * Find the node for the destination so we can do 357 * things like power save and fast frames aggregation. 358 * 359 * NB: past this point various code assumes the first 360 * mbuf has the 802.3 header present (and contiguous). 361 */ 362 ni = NULL; 363 if (m->m_len < sizeof(struct ether_header) && 364 (m = m_pullup(m, sizeof(struct ether_header))) == NULL) { 365 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 366 "discard frame, %s\n", "m_pullup failed"); 367 vap->iv_stats.is_tx_nobuf++; /* XXX */ 368 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 369 return (ENOBUFS); 370 } 371 eh = mtod(m, struct ether_header *); 372 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 373 if (IS_DWDS(vap)) { 374 /* 375 * Only unicast frames from the above go out 376 * DWDS vaps; multicast frames are handled by 377 * dispatching the frame as it comes through 378 * the AP vap (see below). 379 */ 380 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_WDS, 381 eh->ether_dhost, "mcast", "%s", "on DWDS"); 382 vap->iv_stats.is_dwds_mcast++; 383 m_freem(m); 384 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 385 /* XXX better status? */ 386 return (ENOBUFS); 387 } 388 if (vap->iv_opmode == IEEE80211_M_HOSTAP) { 389 /* 390 * Spam DWDS vap's w/ multicast traffic. 391 */ 392 /* XXX only if dwds in use? */ 393 ieee80211_dwds_mcast(vap, m); 394 } 395 } 396#ifdef IEEE80211_SUPPORT_MESH 397 if (vap->iv_opmode != IEEE80211_M_MBSS) { 398#endif 399 ni = ieee80211_find_txnode(vap, eh->ether_dhost); 400 if (ni == NULL) { 401 /* NB: ieee80211_find_txnode does stat+msg */ 402 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 403 m_freem(m); 404 /* XXX better status? */ 405 return (ENOBUFS); 406 } 407 if (ni->ni_associd == 0 && 408 (ni->ni_flags & IEEE80211_NODE_ASSOCID)) { 409 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT, 410 eh->ether_dhost, NULL, 411 "sta not associated (type 0x%04x)", 412 htons(eh->ether_type)); 413 vap->iv_stats.is_tx_notassoc++; 414 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 415 m_freem(m); 416 ieee80211_free_node(ni); 417 /* XXX better status? */ 418 return (ENOBUFS); 419 } 420#ifdef IEEE80211_SUPPORT_MESH 421 } else { 422 if (!IEEE80211_ADDR_EQ(eh->ether_shost, vap->iv_myaddr)) { 423 /* 424 * Proxy station only if configured. 425 */ 426 if (!ieee80211_mesh_isproxyena(vap)) { 427 IEEE80211_DISCARD_MAC(vap, 428 IEEE80211_MSG_OUTPUT | 429 IEEE80211_MSG_MESH, 430 eh->ether_dhost, NULL, 431 "%s", "proxy not enabled"); 432 vap->iv_stats.is_mesh_notproxy++; 433 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 434 m_freem(m); 435 /* XXX better status? */ 436 return (ENOBUFS); 437 } 438 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 439 "forward frame from DS SA(%6D), DA(%6D)\n", 440 eh->ether_shost, ":", 441 eh->ether_dhost, ":"); 442 ieee80211_mesh_proxy_check(vap, eh->ether_shost); 443 } 444 ni = ieee80211_mesh_discover(vap, eh->ether_dhost, m); 445 if (ni == NULL) { 446 /* 447 * NB: ieee80211_mesh_discover holds/disposes 448 * frame (e.g. queueing on path discovery). 449 */ 450 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 451 /* XXX better status? */ 452 return (ENOBUFS); 453 } 454 } 455#endif 456 457 /* 458 * We've resolved the sender, so attempt to transmit it. 459 */ 460 461 if (vap->iv_state == IEEE80211_S_SLEEP) { 462 /* 463 * In power save; queue frame and then wakeup device 464 * for transmit. 465 */ 466 ic->ic_lastdata = ticks; 467 if (ieee80211_pwrsave(ni, m) != 0) 468 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 469 ieee80211_free_node(ni); 470 ieee80211_new_state(vap, IEEE80211_S_RUN, 0); 471 return (0); 472 } 473 474 if (ieee80211_vap_pkt_send_dest(vap, m, ni) != 0) 475 return (ENOBUFS); 476 return (0); 477#undef IS_DWDS 478} 479 480/* 481 * Start method for vap's. All packets from the stack come 482 * through here. We handle common processing of the packets 483 * before dispatching them to the underlying device. 484 * 485 * if_transmit() requires that the mbuf be consumed by this call 486 * regardless of the return condition. 487 */ 488int 489ieee80211_vap_transmit(struct ifnet *ifp, struct mbuf *m) 490{ 491 struct ieee80211vap *vap = ifp->if_softc; 492 struct ieee80211com *ic = vap->iv_ic; 493 494 /* 495 * No data frames go out unless we're running. 496 * Note in particular this covers CAC and CSA 497 * states (though maybe we should check muting 498 * for CSA). 499 */ 500 if (vap->iv_state != IEEE80211_S_RUN && 501 vap->iv_state != IEEE80211_S_SLEEP) { 502 IEEE80211_LOCK(ic); 503 /* re-check under the com lock to avoid races */ 504 if (vap->iv_state != IEEE80211_S_RUN && 505 vap->iv_state != IEEE80211_S_SLEEP) { 506 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 507 "%s: ignore queue, in %s state\n", 508 __func__, ieee80211_state_name[vap->iv_state]); 509 vap->iv_stats.is_tx_badstate++; 510 IEEE80211_UNLOCK(ic); 511 ifp->if_drv_flags |= IFF_DRV_OACTIVE; 512 m_freem(m); 513 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 514 return (ENETDOWN); 515 } 516 IEEE80211_UNLOCK(ic); 517 } 518 519 /* 520 * Sanitize mbuf flags for net80211 use. We cannot 521 * clear M_PWR_SAV or M_MORE_DATA because these may 522 * be set for frames that are re-submitted from the 523 * power save queue. 524 * 525 * NB: This must be done before ieee80211_classify as 526 * it marks EAPOL in frames with M_EAPOL. 527 */ 528 m->m_flags &= ~(M_80211_TX - M_PWR_SAV - M_MORE_DATA); 529 530 /* 531 * Bump to the packet transmission path. 532 * The mbuf will be consumed here. 533 */ 534 return (ieee80211_start_pkt(vap, m)); 535} 536 537void 538ieee80211_vap_qflush(struct ifnet *ifp) 539{ 540 541 /* Empty for now */ 542} 543 544/* 545 * 802.11 raw output routine. 546 * 547 * XXX TODO: this (and other send routines) should correctly 548 * XXX keep the pwr mgmt bit set if it decides to call into the 549 * XXX driver to send a frame whilst the state is SLEEP. 550 * 551 * Otherwise the peer may decide that we're awake and flood us 552 * with traffic we are still too asleep to receive! 553 */ 554int 555ieee80211_raw_output(struct ieee80211vap *vap, struct ieee80211_node *ni, 556 struct mbuf *m, const struct ieee80211_bpf_params *params) 557{ 558 struct ieee80211com *ic = vap->iv_ic; 559 int error; 560 561 /* 562 * Set node - the caller has taken a reference, so ensure 563 * that the mbuf has the same node value that 564 * it would if it were going via the normal path. 565 */ 566 MPASS((m->m_pkthdr.csum_flags & CSUM_SND_TAG) == 0); 567 m->m_pkthdr.rcvif = (void *)ni; 568 569 /* 570 * Attempt to add bpf transmit parameters. 571 * 572 * For now it's ok to fail; the raw_xmit api still takes 573 * them as an option. 574 * 575 * Later on when ic_raw_xmit() has params removed, 576 * they'll have to be added - so fail the transmit if 577 * they can't be. 578 */ 579 if (params) 580 (void) ieee80211_add_xmit_params(m, params); 581 582 error = ic->ic_raw_xmit(ni, m, params); 583 if (error) { 584 if_inc_counter(vap->iv_ifp, IFCOUNTER_OERRORS, 1); 585 ieee80211_free_node(ni); 586 } 587 return (error); 588} 589 590static int 591ieee80211_validate_frame(struct mbuf *m, 592 const struct ieee80211_bpf_params *params) 593{ 594 struct ieee80211_frame *wh; 595 int type; 596 597 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_ack)) 598 return (EINVAL); 599 600 wh = mtod(m, struct ieee80211_frame *); 601 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 602 IEEE80211_FC0_VERSION_0) 603 return (EINVAL); 604 605 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; 606 if (type != IEEE80211_FC0_TYPE_DATA) { 607 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != 608 IEEE80211_FC1_DIR_NODS) 609 return (EINVAL); 610 611 if (type != IEEE80211_FC0_TYPE_MGT && 612 (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) != 0) 613 return (EINVAL); 614 615 /* XXX skip other field checks? */ 616 } 617 618 if ((params && (params->ibp_flags & IEEE80211_BPF_CRYPTO) != 0) || 619 (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) != 0) { 620 int subtype; 621 622 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 623 624 /* 625 * See IEEE Std 802.11-2012, 626 * 8.2.4.1.9 'Protected Frame field' 627 */ 628 /* XXX no support for robust management frames yet. */ 629 if (!(type == IEEE80211_FC0_TYPE_DATA || 630 (type == IEEE80211_FC0_TYPE_MGT && 631 subtype == IEEE80211_FC0_SUBTYPE_AUTH))) 632 return (EINVAL); 633 634 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 635 } 636 637 if (m->m_pkthdr.len < ieee80211_anyhdrsize(wh)) 638 return (EINVAL); 639 640 return (0); 641} 642 643static int 644ieee80211_validate_rate(struct ieee80211_node *ni, uint8_t rate) 645{ 646 struct ieee80211com *ic = ni->ni_ic; 647 648 if (IEEE80211_IS_HT_RATE(rate)) { 649 if ((ic->ic_htcaps & IEEE80211_HTC_HT) == 0) 650 return (EINVAL); 651 652 rate = IEEE80211_RV(rate); 653 if (rate <= 31) { 654 if (rate > ic->ic_txstream * 8 - 1) 655 return (EINVAL); 656 657 return (0); 658 } 659 660 if (rate == 32) { 661 if ((ic->ic_htcaps & IEEE80211_HTC_TXMCS32) == 0) 662 return (EINVAL); 663 664 return (0); 665 } 666 667 if ((ic->ic_htcaps & IEEE80211_HTC_TXUNEQUAL) == 0) 668 return (EINVAL); 669 670 switch (ic->ic_txstream) { 671 case 0: 672 case 1: 673 return (EINVAL); 674 case 2: 675 if (rate > 38) 676 return (EINVAL); 677 678 return (0); 679 case 3: 680 if (rate > 52) 681 return (EINVAL); 682 683 return (0); 684 case 4: 685 default: 686 if (rate > 76) 687 return (EINVAL); 688 689 return (0); 690 } 691 } 692 693 if (!ieee80211_isratevalid(ic->ic_rt, rate)) 694 return (EINVAL); 695 696 return (0); 697} 698 699static int 700ieee80211_sanitize_rates(struct ieee80211_node *ni, struct mbuf *m, 701 const struct ieee80211_bpf_params *params) 702{ 703 int error; 704 705 if (!params) 706 return (0); /* nothing to do */ 707 708 /* NB: most drivers assume that ibp_rate0 is set (!= 0). */ 709 if (params->ibp_rate0 != 0) { 710 error = ieee80211_validate_rate(ni, params->ibp_rate0); 711 if (error != 0) 712 return (error); 713 } else { 714 /* XXX pre-setup some default (e.g., mgmt / mcast) rate */ 715 /* XXX __DECONST? */ 716 (void) m; 717 } 718 719 if (params->ibp_rate1 != 0 && 720 (error = ieee80211_validate_rate(ni, params->ibp_rate1)) != 0) 721 return (error); 722 723 if (params->ibp_rate2 != 0 && 724 (error = ieee80211_validate_rate(ni, params->ibp_rate2)) != 0) 725 return (error); 726 727 if (params->ibp_rate3 != 0 && 728 (error = ieee80211_validate_rate(ni, params->ibp_rate3)) != 0) 729 return (error); 730 731 return (0); 732} 733 734/* 735 * 802.11 output routine. This is (currently) used only to 736 * connect bpf write calls to the 802.11 layer for injecting 737 * raw 802.11 frames. 738 */ 739int 740ieee80211_output(struct ifnet *ifp, struct mbuf *m, 741 const struct sockaddr *dst, struct route *ro) 742{ 743#define senderr(e) do { error = (e); goto bad;} while (0) 744 const struct ieee80211_bpf_params *params = NULL; 745 struct ieee80211_node *ni = NULL; 746 struct ieee80211vap *vap; 747 struct ieee80211_frame *wh; 748 struct ieee80211com *ic = NULL; 749 int error; 750 int ret; 751 752 if (ifp->if_drv_flags & IFF_DRV_OACTIVE) { 753 /* 754 * Short-circuit requests if the vap is marked OACTIVE 755 * as this can happen because a packet came down through 756 * ieee80211_start before the vap entered RUN state in 757 * which case it's ok to just drop the frame. This 758 * should not be necessary but callers of if_output don't 759 * check OACTIVE. 760 */ 761 senderr(ENETDOWN); 762 } 763 vap = ifp->if_softc; 764 ic = vap->iv_ic; 765 /* 766 * Hand to the 802.3 code if not tagged as 767 * a raw 802.11 frame. 768 */ 769 if (dst->sa_family != AF_IEEE80211) 770 return vap->iv_output(ifp, m, dst, ro); 771#ifdef MAC 772 error = mac_ifnet_check_transmit(ifp, m); 773 if (error) 774 senderr(error); 775#endif 776 if (ifp->if_flags & IFF_MONITOR) 777 senderr(ENETDOWN); 778 if (!IFNET_IS_UP_RUNNING(ifp)) 779 senderr(ENETDOWN); 780 if (vap->iv_state == IEEE80211_S_CAC) { 781 IEEE80211_DPRINTF(vap, 782 IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 783 "block %s frame in CAC state\n", "raw data"); 784 vap->iv_stats.is_tx_badstate++; 785 senderr(EIO); /* XXX */ 786 } else if (vap->iv_state == IEEE80211_S_SCAN) 787 senderr(EIO); 788 /* XXX bypass bridge, pfil, carp, etc. */ 789 790 /* 791 * NB: DLT_IEEE802_11_RADIO identifies the parameters are 792 * present by setting the sa_len field of the sockaddr (yes, 793 * this is a hack). 794 * NB: we assume sa_data is suitably aligned to cast. 795 */ 796 if (dst->sa_len != 0) 797 params = (const struct ieee80211_bpf_params *)dst->sa_data; 798 799 error = ieee80211_validate_frame(m, params); 800 if (error != 0) 801 senderr(error); 802 803 wh = mtod(m, struct ieee80211_frame *); 804 805 /* locate destination node */ 806 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 807 case IEEE80211_FC1_DIR_NODS: 808 case IEEE80211_FC1_DIR_FROMDS: 809 ni = ieee80211_find_txnode(vap, wh->i_addr1); 810 break; 811 case IEEE80211_FC1_DIR_TODS: 812 case IEEE80211_FC1_DIR_DSTODS: 813 ni = ieee80211_find_txnode(vap, wh->i_addr3); 814 break; 815 default: 816 senderr(EDOOFUS); 817 } 818 if (ni == NULL) { 819 /* 820 * Permit packets w/ bpf params through regardless 821 * (see below about sa_len). 822 */ 823 if (dst->sa_len == 0) 824 senderr(EHOSTUNREACH); 825 ni = ieee80211_ref_node(vap->iv_bss); 826 } 827 828 /* 829 * Sanitize mbuf for net80211 flags leaked from above. 830 * 831 * NB: This must be done before ieee80211_classify as 832 * it marks EAPOL in frames with M_EAPOL. 833 */ 834 m->m_flags &= ~M_80211_TX; 835 m->m_flags |= M_ENCAP; /* mark encapsulated */ 836 837 if (IEEE80211_IS_DATA(wh)) { 838 /* calculate priority so drivers can find the tx queue */ 839 if (ieee80211_classify(ni, m)) 840 senderr(EIO); /* XXX */ 841 842 /* NB: ieee80211_encap does not include 802.11 header */ 843 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, 844 m->m_pkthdr.len - ieee80211_hdrsize(wh)); 845 } else 846 M_WME_SETAC(m, WME_AC_BE); 847 848 error = ieee80211_sanitize_rates(ni, m, params); 849 if (error != 0) 850 senderr(error); 851 852 IEEE80211_NODE_STAT(ni, tx_data); 853 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 854 IEEE80211_NODE_STAT(ni, tx_mcast); 855 m->m_flags |= M_MCAST; 856 } else 857 IEEE80211_NODE_STAT(ni, tx_ucast); 858 859 IEEE80211_TX_LOCK(ic); 860 ret = ieee80211_raw_output(vap, ni, m, params); 861 IEEE80211_TX_UNLOCK(ic); 862 return (ret); 863bad: 864 if (m != NULL) 865 m_freem(m); 866 if (ni != NULL) 867 ieee80211_free_node(ni); 868 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 869 return error; 870#undef senderr 871} 872 873/* 874 * Set the direction field and address fields of an outgoing 875 * frame. Note this should be called early on in constructing 876 * a frame as it sets i_fc[1]; other bits can then be or'd in. 877 */ 878void 879ieee80211_send_setup( 880 struct ieee80211_node *ni, 881 struct mbuf *m, 882 int type, int tid, 883 const uint8_t sa[IEEE80211_ADDR_LEN], 884 const uint8_t da[IEEE80211_ADDR_LEN], 885 const uint8_t bssid[IEEE80211_ADDR_LEN]) 886{ 887#define WH4(wh) ((struct ieee80211_frame_addr4 *)wh) 888 struct ieee80211vap *vap = ni->ni_vap; 889 struct ieee80211_tx_ampdu *tap; 890 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 891 ieee80211_seq seqno; 892 893 IEEE80211_TX_LOCK_ASSERT(ni->ni_ic); 894 895 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | type; 896 if ((type & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_DATA) { 897 switch (vap->iv_opmode) { 898 case IEEE80211_M_STA: 899 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 900 IEEE80211_ADDR_COPY(wh->i_addr1, bssid); 901 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 902 IEEE80211_ADDR_COPY(wh->i_addr3, da); 903 break; 904 case IEEE80211_M_IBSS: 905 case IEEE80211_M_AHDEMO: 906 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 907 IEEE80211_ADDR_COPY(wh->i_addr1, da); 908 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 909 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 910 break; 911 case IEEE80211_M_HOSTAP: 912 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 913 IEEE80211_ADDR_COPY(wh->i_addr1, da); 914 IEEE80211_ADDR_COPY(wh->i_addr2, bssid); 915 IEEE80211_ADDR_COPY(wh->i_addr3, sa); 916 break; 917 case IEEE80211_M_WDS: 918 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 919 IEEE80211_ADDR_COPY(wh->i_addr1, da); 920 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 921 IEEE80211_ADDR_COPY(wh->i_addr3, da); 922 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa); 923 break; 924 case IEEE80211_M_MBSS: 925#ifdef IEEE80211_SUPPORT_MESH 926 if (IEEE80211_IS_MULTICAST(da)) { 927 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 928 /* XXX next hop */ 929 IEEE80211_ADDR_COPY(wh->i_addr1, da); 930 IEEE80211_ADDR_COPY(wh->i_addr2, 931 vap->iv_myaddr); 932 } else { 933 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 934 IEEE80211_ADDR_COPY(wh->i_addr1, da); 935 IEEE80211_ADDR_COPY(wh->i_addr2, 936 vap->iv_myaddr); 937 IEEE80211_ADDR_COPY(wh->i_addr3, da); 938 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa); 939 } 940#endif 941 break; 942 case IEEE80211_M_MONITOR: /* NB: to quiet compiler */ 943 break; 944 } 945 } else { 946 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 947 IEEE80211_ADDR_COPY(wh->i_addr1, da); 948 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 949#ifdef IEEE80211_SUPPORT_MESH 950 if (vap->iv_opmode == IEEE80211_M_MBSS) 951 IEEE80211_ADDR_COPY(wh->i_addr3, sa); 952 else 953#endif 954 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 955 } 956 *(uint16_t *)&wh->i_dur[0] = 0; 957 958 /* 959 * XXX TODO: this is what the TX lock is for. 960 * Here we're incrementing sequence numbers, and they 961 * need to be in lock-step with what the driver is doing 962 * both in TX ordering and crypto encap (IV increment.) 963 * 964 * If the driver does seqno itself, then we can skip 965 * assigning sequence numbers here, and we can avoid 966 * requiring the TX lock. 967 */ 968 tap = &ni->ni_tx_ampdu[tid]; 969 if (tid != IEEE80211_NONQOS_TID && IEEE80211_AMPDU_RUNNING(tap)) { 970 m->m_flags |= M_AMPDU_MPDU; 971 972 /* NB: zero out i_seq field (for s/w encryption etc) */ 973 *(uint16_t *)&wh->i_seq[0] = 0; 974 } else { 975 if (IEEE80211_HAS_SEQ(type & IEEE80211_FC0_TYPE_MASK, 976 type & IEEE80211_FC0_SUBTYPE_MASK)) 977 /* 978 * 802.11-2012 9.3.2.10 - QoS multicast frames 979 * come out of a different seqno space. 980 */ 981 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 982 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++; 983 } else { 984 seqno = ni->ni_txseqs[tid]++; 985 } 986 else 987 seqno = 0; 988 989 *(uint16_t *)&wh->i_seq[0] = 990 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 991 M_SEQNO_SET(m, seqno); 992 } 993 994 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) 995 m->m_flags |= M_MCAST; 996#undef WH4 997} 998 999/* 1000 * Send a management frame to the specified node. The node pointer 1001 * must have a reference as the pointer will be passed to the driver 1002 * and potentially held for a long time. If the frame is successfully 1003 * dispatched to the driver, then it is responsible for freeing the 1004 * reference (and potentially free'ing up any associated storage); 1005 * otherwise deal with reclaiming any reference (on error). 1006 */ 1007int 1008ieee80211_mgmt_output(struct ieee80211_node *ni, struct mbuf *m, int type, 1009 struct ieee80211_bpf_params *params) 1010{ 1011 struct ieee80211vap *vap = ni->ni_vap; 1012 struct ieee80211com *ic = ni->ni_ic; 1013 struct ieee80211_frame *wh; 1014 int ret; 1015 1016 KASSERT(ni != NULL, ("null node")); 1017 1018 if (vap->iv_state == IEEE80211_S_CAC) { 1019 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 1020 ni, "block %s frame in CAC state", 1021 ieee80211_mgt_subtype_name(type)); 1022 vap->iv_stats.is_tx_badstate++; 1023 ieee80211_free_node(ni); 1024 m_freem(m); 1025 return EIO; /* XXX */ 1026 } 1027 1028 M_PREPEND(m, sizeof(struct ieee80211_frame), M_NOWAIT); 1029 if (m == NULL) { 1030 ieee80211_free_node(ni); 1031 return ENOMEM; 1032 } 1033 1034 IEEE80211_TX_LOCK(ic); 1035 1036 wh = mtod(m, struct ieee80211_frame *); 1037 ieee80211_send_setup(ni, m, 1038 IEEE80211_FC0_TYPE_MGT | type, IEEE80211_NONQOS_TID, 1039 vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 1040 if (params->ibp_flags & IEEE80211_BPF_CRYPTO) { 1041 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr1, 1042 "encrypting frame (%s)", __func__); 1043 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 1044 } 1045 m->m_flags |= M_ENCAP; /* mark encapsulated */ 1046 1047 KASSERT(type != IEEE80211_FC0_SUBTYPE_PROBE_RESP, ("probe response?")); 1048 M_WME_SETAC(m, params->ibp_pri); 1049 1050#ifdef IEEE80211_DEBUG 1051 /* avoid printing too many frames */ 1052 if ((ieee80211_msg_debug(vap) && doprint(vap, type)) || 1053 ieee80211_msg_dumppkts(vap)) { 1054 printf("[%s] send %s on channel %u\n", 1055 ether_sprintf(wh->i_addr1), 1056 ieee80211_mgt_subtype_name(type), 1057 ieee80211_chan2ieee(ic, ic->ic_curchan)); 1058 } 1059#endif 1060 IEEE80211_NODE_STAT(ni, tx_mgmt); 1061 1062 ret = ieee80211_raw_output(vap, ni, m, params); 1063 IEEE80211_TX_UNLOCK(ic); 1064 return (ret); 1065} 1066 1067static void 1068ieee80211_nulldata_transmitted(struct ieee80211_node *ni, void *arg, 1069 int status) 1070{ 1071 struct ieee80211vap *vap = ni->ni_vap; 1072 1073 wakeup(vap); 1074} 1075 1076/* 1077 * Send a null data frame to the specified node. If the station 1078 * is setup for QoS then a QoS Null Data frame is constructed. 1079 * If this is a WDS station then a 4-address frame is constructed. 1080 * 1081 * NB: the caller is assumed to have setup a node reference 1082 * for use; this is necessary to deal with a race condition 1083 * when probing for inactive stations. Like ieee80211_mgmt_output 1084 * we must cleanup any node reference on error; however we 1085 * can safely just unref it as we know it will never be the 1086 * last reference to the node. 1087 */ 1088int 1089ieee80211_send_nulldata(struct ieee80211_node *ni) 1090{ 1091 struct ieee80211vap *vap = ni->ni_vap; 1092 struct ieee80211com *ic = ni->ni_ic; 1093 struct mbuf *m; 1094 struct ieee80211_frame *wh; 1095 int hdrlen; 1096 uint8_t *frm; 1097 int ret; 1098 1099 if (vap->iv_state == IEEE80211_S_CAC) { 1100 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 1101 ni, "block %s frame in CAC state", "null data"); 1102 ieee80211_unref_node(&ni); 1103 vap->iv_stats.is_tx_badstate++; 1104 return EIO; /* XXX */ 1105 } 1106 1107 if (ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT)) 1108 hdrlen = sizeof(struct ieee80211_qosframe); 1109 else 1110 hdrlen = sizeof(struct ieee80211_frame); 1111 /* NB: only WDS vap's get 4-address frames */ 1112 if (vap->iv_opmode == IEEE80211_M_WDS) 1113 hdrlen += IEEE80211_ADDR_LEN; 1114 if (ic->ic_flags & IEEE80211_F_DATAPAD) 1115 hdrlen = roundup(hdrlen, sizeof(uint32_t)); 1116 1117 m = ieee80211_getmgtframe(&frm, ic->ic_headroom + hdrlen, 0); 1118 if (m == NULL) { 1119 /* XXX debug msg */ 1120 ieee80211_unref_node(&ni); 1121 vap->iv_stats.is_tx_nobuf++; 1122 return ENOMEM; 1123 } 1124 KASSERT(M_LEADINGSPACE(m) >= hdrlen, 1125 ("leading space %zd", M_LEADINGSPACE(m))); 1126 M_PREPEND(m, hdrlen, M_NOWAIT); 1127 if (m == NULL) { 1128 /* NB: cannot happen */ 1129 ieee80211_free_node(ni); 1130 return ENOMEM; 1131 } 1132 1133 IEEE80211_TX_LOCK(ic); 1134 1135 wh = mtod(m, struct ieee80211_frame *); /* NB: a little lie */ 1136 if (ni->ni_flags & IEEE80211_NODE_QOS) { 1137 const int tid = WME_AC_TO_TID(WME_AC_BE); 1138 uint8_t *qos; 1139 1140 ieee80211_send_setup(ni, m, 1141 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_QOS_NULL, 1142 tid, vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 1143 1144 if (vap->iv_opmode == IEEE80211_M_WDS) 1145 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1146 else 1147 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1148 qos[0] = tid & IEEE80211_QOS_TID; 1149 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[WME_AC_BE].wmep_noackPolicy) 1150 qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK; 1151 qos[1] = 0; 1152 } else { 1153 ieee80211_send_setup(ni, m, 1154 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_NODATA, 1155 IEEE80211_NONQOS_TID, 1156 vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 1157 } 1158 if (vap->iv_opmode != IEEE80211_M_WDS) { 1159 /* NB: power management bit is never sent by an AP */ 1160 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 1161 vap->iv_opmode != IEEE80211_M_HOSTAP) 1162 wh->i_fc[1] |= IEEE80211_FC1_PWR_MGT; 1163 } 1164 if ((ic->ic_flags & IEEE80211_F_SCAN) && 1165 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)) { 1166 ieee80211_add_callback(m, ieee80211_nulldata_transmitted, 1167 NULL); 1168 } 1169 m->m_len = m->m_pkthdr.len = hdrlen; 1170 m->m_flags |= M_ENCAP; /* mark encapsulated */ 1171 1172 M_WME_SETAC(m, WME_AC_BE); 1173 1174 IEEE80211_NODE_STAT(ni, tx_data); 1175 1176 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, ni, 1177 "send %snull data frame on channel %u, pwr mgt %s", 1178 ni->ni_flags & IEEE80211_NODE_QOS ? "QoS " : "", 1179 ieee80211_chan2ieee(ic, ic->ic_curchan), 1180 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT ? "ena" : "dis"); 1181 1182 ret = ieee80211_raw_output(vap, ni, m, NULL); 1183 IEEE80211_TX_UNLOCK(ic); 1184 return (ret); 1185} 1186 1187/* 1188 * Assign priority to a frame based on any vlan tag assigned 1189 * to the station and/or any Diffserv setting in an IP header. 1190 * Finally, if an ACM policy is setup (in station mode) it's 1191 * applied. 1192 */ 1193int 1194ieee80211_classify(struct ieee80211_node *ni, struct mbuf *m) 1195{ 1196 const struct ether_header *eh = NULL; 1197 uint16_t ether_type; 1198 int v_wme_ac, d_wme_ac, ac; 1199 1200 if (__predict_false(m->m_flags & M_ENCAP)) { 1201 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 1202 struct llc *llc; 1203 int hdrlen, subtype; 1204 1205 subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; 1206 if (subtype & IEEE80211_FC0_SUBTYPE_NODATA) { 1207 ac = WME_AC_BE; 1208 goto done; 1209 } 1210 1211 hdrlen = ieee80211_hdrsize(wh); 1212 if (m->m_pkthdr.len < hdrlen + sizeof(*llc)) 1213 return 1; 1214 1215 llc = (struct llc *)mtodo(m, hdrlen); 1216 if (llc->llc_dsap != LLC_SNAP_LSAP || 1217 llc->llc_ssap != LLC_SNAP_LSAP || 1218 llc->llc_control != LLC_UI || 1219 llc->llc_snap.org_code[0] != 0 || 1220 llc->llc_snap.org_code[1] != 0 || 1221 llc->llc_snap.org_code[2] != 0) 1222 return 1; 1223 1224 ether_type = llc->llc_snap.ether_type; 1225 } else { 1226 eh = mtod(m, struct ether_header *); 1227 ether_type = eh->ether_type; 1228 } 1229 1230 /* 1231 * Always promote PAE/EAPOL frames to high priority. 1232 */ 1233 if (ether_type == htons(ETHERTYPE_PAE)) { 1234 /* NB: mark so others don't need to check header */ 1235 m->m_flags |= M_EAPOL; 1236 ac = WME_AC_VO; 1237 goto done; 1238 } 1239 /* 1240 * Non-qos traffic goes to BE. 1241 */ 1242 if ((ni->ni_flags & IEEE80211_NODE_QOS) == 0) { 1243 ac = WME_AC_BE; 1244 goto done; 1245 } 1246 1247 /* 1248 * If node has a vlan tag then all traffic 1249 * to it must have a matching tag. 1250 */ 1251 v_wme_ac = 0; 1252 if (ni->ni_vlan != 0) { 1253 if ((m->m_flags & M_VLANTAG) == 0) { 1254 IEEE80211_NODE_STAT(ni, tx_novlantag); 1255 return 1; 1256 } 1257 if (EVL_VLANOFTAG(m->m_pkthdr.ether_vtag) != 1258 EVL_VLANOFTAG(ni->ni_vlan)) { 1259 IEEE80211_NODE_STAT(ni, tx_vlanmismatch); 1260 return 1; 1261 } 1262 /* map vlan priority to AC */ 1263 v_wme_ac = TID_TO_WME_AC(EVL_PRIOFTAG(ni->ni_vlan)); 1264 } 1265 1266 /* XXX m_copydata may be too slow for fast path */ 1267#ifdef INET 1268 if (eh && eh->ether_type == htons(ETHERTYPE_IP)) { 1269 uint8_t tos; 1270 /* 1271 * IP frame, map the DSCP bits from the TOS field. 1272 */ 1273 /* NB: ip header may not be in first mbuf */ 1274 m_copydata(m, sizeof(struct ether_header) + 1275 offsetof(struct ip, ip_tos), sizeof(tos), &tos); 1276 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */ 1277 d_wme_ac = TID_TO_WME_AC(tos); 1278 } else { 1279#endif /* INET */ 1280#ifdef INET6 1281 if (eh && eh->ether_type == htons(ETHERTYPE_IPV6)) { 1282 uint32_t flow; 1283 uint8_t tos; 1284 /* 1285 * IPv6 frame, map the DSCP bits from the traffic class field. 1286 */ 1287 m_copydata(m, sizeof(struct ether_header) + 1288 offsetof(struct ip6_hdr, ip6_flow), sizeof(flow), 1289 (caddr_t) &flow); 1290 tos = (uint8_t)(ntohl(flow) >> 20); 1291 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */ 1292 d_wme_ac = TID_TO_WME_AC(tos); 1293 } else { 1294#endif /* INET6 */ 1295 d_wme_ac = WME_AC_BE; 1296#ifdef INET6 1297 } 1298#endif 1299#ifdef INET 1300 } 1301#endif 1302 /* 1303 * Use highest priority AC. 1304 */ 1305 if (v_wme_ac > d_wme_ac) 1306 ac = v_wme_ac; 1307 else 1308 ac = d_wme_ac; 1309 1310 /* 1311 * Apply ACM policy. 1312 */ 1313 if (ni->ni_vap->iv_opmode == IEEE80211_M_STA) { 1314 static const int acmap[4] = { 1315 WME_AC_BK, /* WME_AC_BE */ 1316 WME_AC_BK, /* WME_AC_BK */ 1317 WME_AC_BE, /* WME_AC_VI */ 1318 WME_AC_VI, /* WME_AC_VO */ 1319 }; 1320 struct ieee80211com *ic = ni->ni_ic; 1321 1322 while (ac != WME_AC_BK && 1323 ic->ic_wme.wme_wmeBssChanParams.cap_wmeParams[ac].wmep_acm) 1324 ac = acmap[ac]; 1325 } 1326done: 1327 M_WME_SETAC(m, ac); 1328 return 0; 1329} 1330 1331/* 1332 * Insure there is sufficient contiguous space to encapsulate the 1333 * 802.11 data frame. If room isn't already there, arrange for it. 1334 * Drivers and cipher modules assume we have done the necessary work 1335 * and fail rudely if they don't find the space they need. 1336 */ 1337struct mbuf * 1338ieee80211_mbuf_adjust(struct ieee80211vap *vap, int hdrsize, 1339 struct ieee80211_key *key, struct mbuf *m) 1340{ 1341#define TO_BE_RECLAIMED (sizeof(struct ether_header) - sizeof(struct llc)) 1342 int needed_space = vap->iv_ic->ic_headroom + hdrsize; 1343 1344 if (key != NULL) { 1345 /* XXX belongs in crypto code? */ 1346 needed_space += key->wk_cipher->ic_header; 1347 /* XXX frags */ 1348 /* 1349 * When crypto is being done in the host we must insure 1350 * the data are writable for the cipher routines; clone 1351 * a writable mbuf chain. 1352 * XXX handle SWMIC specially 1353 */ 1354 if (key->wk_flags & (IEEE80211_KEY_SWENCRYPT|IEEE80211_KEY_SWENMIC)) { 1355 m = m_unshare(m, M_NOWAIT); 1356 if (m == NULL) { 1357 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 1358 "%s: cannot get writable mbuf\n", __func__); 1359 vap->iv_stats.is_tx_nobuf++; /* XXX new stat */ 1360 return NULL; 1361 } 1362 } 1363 } 1364 /* 1365 * We know we are called just before stripping an Ethernet 1366 * header and prepending an LLC header. This means we know 1367 * there will be 1368 * sizeof(struct ether_header) - sizeof(struct llc) 1369 * bytes recovered to which we need additional space for the 1370 * 802.11 header and any crypto header. 1371 */ 1372 /* XXX check trailing space and copy instead? */ 1373 if (M_LEADINGSPACE(m) < needed_space - TO_BE_RECLAIMED) { 1374 struct mbuf *n = m_gethdr(M_NOWAIT, m->m_type); 1375 if (n == NULL) { 1376 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 1377 "%s: cannot expand storage\n", __func__); 1378 vap->iv_stats.is_tx_nobuf++; 1379 m_freem(m); 1380 return NULL; 1381 } 1382 KASSERT(needed_space <= MHLEN, 1383 ("not enough room, need %u got %d\n", needed_space, MHLEN)); 1384 /* 1385 * Setup new mbuf to have leading space to prepend the 1386 * 802.11 header and any crypto header bits that are 1387 * required (the latter are added when the driver calls 1388 * back to ieee80211_crypto_encap to do crypto encapsulation). 1389 */ 1390 /* NB: must be first 'cuz it clobbers m_data */ 1391 m_move_pkthdr(n, m); 1392 n->m_len = 0; /* NB: m_gethdr does not set */ 1393 n->m_data += needed_space; 1394 /* 1395 * Pull up Ethernet header to create the expected layout. 1396 * We could use m_pullup but that's overkill (i.e. we don't 1397 * need the actual data) and it cannot fail so do it inline 1398 * for speed. 1399 */ 1400 /* NB: struct ether_header is known to be contiguous */ 1401 n->m_len += sizeof(struct ether_header); 1402 m->m_len -= sizeof(struct ether_header); 1403 m->m_data += sizeof(struct ether_header); 1404 /* 1405 * Replace the head of the chain. 1406 */ 1407 n->m_next = m; 1408 m = n; 1409 } 1410 return m; 1411#undef TO_BE_RECLAIMED 1412} 1413 1414/* 1415 * Return the transmit key to use in sending a unicast frame. 1416 * If a unicast key is set we use that. When no unicast key is set 1417 * we fall back to the default transmit key. 1418 */ 1419static __inline struct ieee80211_key * 1420ieee80211_crypto_getucastkey(struct ieee80211vap *vap, 1421 struct ieee80211_node *ni) 1422{ 1423 if (IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)) { 1424 if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE || 1425 IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey])) 1426 return NULL; 1427 return &vap->iv_nw_keys[vap->iv_def_txkey]; 1428 } else { 1429 return &ni->ni_ucastkey; 1430 } 1431} 1432 1433/* 1434 * Return the transmit key to use in sending a multicast frame. 1435 * Multicast traffic always uses the group key which is installed as 1436 * the default tx key. 1437 */ 1438static __inline struct ieee80211_key * 1439ieee80211_crypto_getmcastkey(struct ieee80211vap *vap, 1440 struct ieee80211_node *ni) 1441{ 1442 if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE || 1443 IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey])) 1444 return NULL; 1445 return &vap->iv_nw_keys[vap->iv_def_txkey]; 1446} 1447 1448/* 1449 * Encapsulate an outbound data frame. The mbuf chain is updated. 1450 * If an error is encountered NULL is returned. The caller is required 1451 * to provide a node reference and pullup the ethernet header in the 1452 * first mbuf. 1453 * 1454 * NB: Packet is assumed to be processed by ieee80211_classify which 1455 * marked EAPOL frames w/ M_EAPOL. 1456 */ 1457struct mbuf * 1458ieee80211_encap(struct ieee80211vap *vap, struct ieee80211_node *ni, 1459 struct mbuf *m) 1460{ 1461#define WH4(wh) ((struct ieee80211_frame_addr4 *)(wh)) 1462#define MC01(mc) ((struct ieee80211_meshcntl_ae01 *)mc) 1463 struct ieee80211com *ic = ni->ni_ic; 1464#ifdef IEEE80211_SUPPORT_MESH 1465 struct ieee80211_mesh_state *ms = vap->iv_mesh; 1466 struct ieee80211_meshcntl_ae10 *mc; 1467 struct ieee80211_mesh_route *rt = NULL; 1468 int dir = -1; 1469#endif 1470 struct ether_header eh; 1471 struct ieee80211_frame *wh; 1472 struct ieee80211_key *key; 1473 struct llc *llc; 1474 int hdrsize, hdrspace, datalen, addqos, txfrag, is4addr, is_mcast; 1475 ieee80211_seq seqno; 1476 int meshhdrsize, meshae; 1477 uint8_t *qos; 1478 int is_amsdu = 0; 1479 1480 IEEE80211_TX_LOCK_ASSERT(ic); 1481 1482 is_mcast = !! (m->m_flags & (M_MCAST | M_BCAST)); 1483 1484 /* 1485 * Copy existing Ethernet header to a safe place. The 1486 * rest of the code assumes it's ok to strip it when 1487 * reorganizing state for the final encapsulation. 1488 */ 1489 KASSERT(m->m_len >= sizeof(eh), ("no ethernet header!")); 1490 ETHER_HEADER_COPY(&eh, mtod(m, caddr_t)); 1491 1492 /* 1493 * Insure space for additional headers. First identify 1494 * transmit key to use in calculating any buffer adjustments 1495 * required. This is also used below to do privacy 1496 * encapsulation work. Then calculate the 802.11 header 1497 * size and any padding required by the driver. 1498 * 1499 * Note key may be NULL if we fall back to the default 1500 * transmit key and that is not set. In that case the 1501 * buffer may not be expanded as needed by the cipher 1502 * routines, but they will/should discard it. 1503 */ 1504 if (vap->iv_flags & IEEE80211_F_PRIVACY) { 1505 if (vap->iv_opmode == IEEE80211_M_STA || 1506 !IEEE80211_IS_MULTICAST(eh.ether_dhost) || 1507 (vap->iv_opmode == IEEE80211_M_WDS && 1508 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY))) { 1509 key = ieee80211_crypto_getucastkey(vap, ni); 1510 } else if ((vap->iv_opmode == IEEE80211_M_WDS) && 1511 (! (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY))) { 1512 /* 1513 * Use ucastkey for DWDS transmit nodes, multicast 1514 * or otherwise. 1515 * 1516 * This is required to ensure that multicast frames 1517 * from a DWDS AP to a DWDS STA is encrypted with 1518 * a key that can actually work. 1519 * 1520 * There's no default key for multicast traffic 1521 * on a DWDS WDS VAP node (note NOT the DWDS enabled 1522 * AP VAP, the dynamically created per-STA WDS node) 1523 * so encap fails and transmit fails. 1524 */ 1525 key = ieee80211_crypto_getucastkey(vap, ni); 1526 } else { 1527 key = ieee80211_crypto_getmcastkey(vap, ni); 1528 } 1529 if (key == NULL && (m->m_flags & M_EAPOL) == 0) { 1530 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 1531 eh.ether_dhost, 1532 "no default transmit key (%s) deftxkey %u", 1533 __func__, vap->iv_def_txkey); 1534 vap->iv_stats.is_tx_nodefkey++; 1535 goto bad; 1536 } 1537 } else 1538 key = NULL; 1539 /* 1540 * XXX Some ap's don't handle QoS-encapsulated EAPOL 1541 * frames so suppress use. This may be an issue if other 1542 * ap's require all data frames to be QoS-encapsulated 1543 * once negotiated in which case we'll need to make this 1544 * configurable. 1545 * 1546 * Don't send multicast QoS frames. 1547 * Technically multicast frames can be QoS if all stations in the 1548 * BSS are also QoS. 1549 * 1550 * NB: mesh data frames are QoS, including multicast frames. 1551 */ 1552 addqos = 1553 (((is_mcast == 0) && (ni->ni_flags & 1554 (IEEE80211_NODE_QOS|IEEE80211_NODE_HT))) || 1555 (vap->iv_opmode == IEEE80211_M_MBSS)) && 1556 (m->m_flags & M_EAPOL) == 0; 1557 1558 if (addqos) 1559 hdrsize = sizeof(struct ieee80211_qosframe); 1560 else 1561 hdrsize = sizeof(struct ieee80211_frame); 1562#ifdef IEEE80211_SUPPORT_MESH 1563 if (vap->iv_opmode == IEEE80211_M_MBSS) { 1564 /* 1565 * Mesh data frames are encapsulated according to the 1566 * rules of Section 11B.8.5 (p.139 of D3.0 spec). 1567 * o Group Addressed data (aka multicast) originating 1568 * at the local sta are sent w/ 3-address format and 1569 * address extension mode 00 1570 * o Individually Addressed data (aka unicast) originating 1571 * at the local sta are sent w/ 4-address format and 1572 * address extension mode 00 1573 * o Group Addressed data forwarded from a non-mesh sta are 1574 * sent w/ 3-address format and address extension mode 01 1575 * o Individually Address data from another sta are sent 1576 * w/ 4-address format and address extension mode 10 1577 */ 1578 is4addr = 0; /* NB: don't use, disable */ 1579 if (!IEEE80211_IS_MULTICAST(eh.ether_dhost)) { 1580 rt = ieee80211_mesh_rt_find(vap, eh.ether_dhost); 1581 KASSERT(rt != NULL, ("route is NULL")); 1582 dir = IEEE80211_FC1_DIR_DSTODS; 1583 hdrsize += IEEE80211_ADDR_LEN; 1584 if (rt->rt_flags & IEEE80211_MESHRT_FLAGS_PROXY) { 1585 if (IEEE80211_ADDR_EQ(rt->rt_mesh_gate, 1586 vap->iv_myaddr)) { 1587 IEEE80211_NOTE_MAC(vap, 1588 IEEE80211_MSG_MESH, 1589 eh.ether_dhost, 1590 "%s", "trying to send to ourself"); 1591 goto bad; 1592 } 1593 meshae = IEEE80211_MESH_AE_10; 1594 meshhdrsize = 1595 sizeof(struct ieee80211_meshcntl_ae10); 1596 } else { 1597 meshae = IEEE80211_MESH_AE_00; 1598 meshhdrsize = 1599 sizeof(struct ieee80211_meshcntl); 1600 } 1601 } else { 1602 dir = IEEE80211_FC1_DIR_FROMDS; 1603 if (!IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr)) { 1604 /* proxy group */ 1605 meshae = IEEE80211_MESH_AE_01; 1606 meshhdrsize = 1607 sizeof(struct ieee80211_meshcntl_ae01); 1608 } else { 1609 /* group */ 1610 meshae = IEEE80211_MESH_AE_00; 1611 meshhdrsize = sizeof(struct ieee80211_meshcntl); 1612 } 1613 } 1614 } else { 1615#endif 1616 /* 1617 * 4-address frames need to be generated for: 1618 * o packets sent through a WDS vap (IEEE80211_M_WDS) 1619 * o packets sent through a vap marked for relaying 1620 * (e.g. a station operating with dynamic WDS) 1621 */ 1622 is4addr = vap->iv_opmode == IEEE80211_M_WDS || 1623 ((vap->iv_flags_ext & IEEE80211_FEXT_4ADDR) && 1624 !IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr)); 1625 if (is4addr) 1626 hdrsize += IEEE80211_ADDR_LEN; 1627 meshhdrsize = meshae = 0; 1628#ifdef IEEE80211_SUPPORT_MESH 1629 } 1630#endif 1631 /* 1632 * Honor driver DATAPAD requirement. 1633 */ 1634 if (ic->ic_flags & IEEE80211_F_DATAPAD) 1635 hdrspace = roundup(hdrsize, sizeof(uint32_t)); 1636 else 1637 hdrspace = hdrsize; 1638 1639 if (__predict_true((m->m_flags & M_FF) == 0)) { 1640 /* 1641 * Normal frame. 1642 */ 1643 m = ieee80211_mbuf_adjust(vap, hdrspace + meshhdrsize, key, m); 1644 if (m == NULL) { 1645 /* NB: ieee80211_mbuf_adjust handles msgs+statistics */ 1646 goto bad; 1647 } 1648 /* NB: this could be optimized 'cuz of ieee80211_mbuf_adjust */ 1649 m_adj(m, sizeof(struct ether_header) - sizeof(struct llc)); 1650 llc = mtod(m, struct llc *); 1651 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 1652 llc->llc_control = LLC_UI; 1653 llc->llc_snap.org_code[0] = 0; 1654 llc->llc_snap.org_code[1] = 0; 1655 llc->llc_snap.org_code[2] = 0; 1656 llc->llc_snap.ether_type = eh.ether_type; 1657 } else { 1658#ifdef IEEE80211_SUPPORT_SUPERG 1659 /* 1660 * Aggregated frame. Check if it's for AMSDU or FF. 1661 * 1662 * XXX TODO: IEEE80211_NODE_AMSDU* isn't implemented 1663 * anywhere for some reason. But, since 11n requires 1664 * AMSDU RX, we can just assume "11n" == "AMSDU". 1665 */ 1666 IEEE80211_DPRINTF(vap, IEEE80211_MSG_SUPERG, "%s: called; M_FF\n", __func__); 1667 if (ieee80211_amsdu_tx_ok(ni)) { 1668 m = ieee80211_amsdu_encap(vap, m, hdrspace + meshhdrsize, key); 1669 is_amsdu = 1; 1670 } else { 1671 m = ieee80211_ff_encap(vap, m, hdrspace + meshhdrsize, key); 1672 } 1673 if (m == NULL) 1674#endif 1675 goto bad; 1676 } 1677 datalen = m->m_pkthdr.len; /* NB: w/o 802.11 header */ 1678 1679 M_PREPEND(m, hdrspace + meshhdrsize, M_NOWAIT); 1680 if (m == NULL) { 1681 vap->iv_stats.is_tx_nobuf++; 1682 goto bad; 1683 } 1684 wh = mtod(m, struct ieee80211_frame *); 1685 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA; 1686 *(uint16_t *)wh->i_dur = 0; 1687 qos = NULL; /* NB: quiet compiler */ 1688 if (is4addr) { 1689 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 1690 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1691 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1692 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1693 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, eh.ether_shost); 1694 } else switch (vap->iv_opmode) { 1695 case IEEE80211_M_STA: 1696 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 1697 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid); 1698 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 1699 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1700 break; 1701 case IEEE80211_M_IBSS: 1702 case IEEE80211_M_AHDEMO: 1703 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1704 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1705 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 1706 /* 1707 * NB: always use the bssid from iv_bss as the 1708 * neighbor's may be stale after an ibss merge 1709 */ 1710 IEEE80211_ADDR_COPY(wh->i_addr3, vap->iv_bss->ni_bssid); 1711 break; 1712 case IEEE80211_M_HOSTAP: 1713 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1714 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1715 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid); 1716 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 1717 break; 1718#ifdef IEEE80211_SUPPORT_MESH 1719 case IEEE80211_M_MBSS: 1720 /* NB: offset by hdrspace to deal with DATAPAD */ 1721 mc = (struct ieee80211_meshcntl_ae10 *) 1722 (mtod(m, uint8_t *) + hdrspace); 1723 wh->i_fc[1] = dir; 1724 switch (meshae) { 1725 case IEEE80211_MESH_AE_00: /* no proxy */ 1726 mc->mc_flags = 0; 1727 if (dir == IEEE80211_FC1_DIR_DSTODS) { /* ucast */ 1728 IEEE80211_ADDR_COPY(wh->i_addr1, 1729 ni->ni_macaddr); 1730 IEEE80211_ADDR_COPY(wh->i_addr2, 1731 vap->iv_myaddr); 1732 IEEE80211_ADDR_COPY(wh->i_addr3, 1733 eh.ether_dhost); 1734 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, 1735 eh.ether_shost); 1736 qos =((struct ieee80211_qosframe_addr4 *) 1737 wh)->i_qos; 1738 } else if (dir == IEEE80211_FC1_DIR_FROMDS) { 1739 /* mcast */ 1740 IEEE80211_ADDR_COPY(wh->i_addr1, 1741 eh.ether_dhost); 1742 IEEE80211_ADDR_COPY(wh->i_addr2, 1743 vap->iv_myaddr); 1744 IEEE80211_ADDR_COPY(wh->i_addr3, 1745 eh.ether_shost); 1746 qos = ((struct ieee80211_qosframe *) 1747 wh)->i_qos; 1748 } 1749 break; 1750 case IEEE80211_MESH_AE_01: /* mcast, proxy */ 1751 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1752 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1753 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1754 IEEE80211_ADDR_COPY(wh->i_addr3, vap->iv_myaddr); 1755 mc->mc_flags = 1; 1756 IEEE80211_ADDR_COPY(MC01(mc)->mc_addr4, 1757 eh.ether_shost); 1758 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1759 break; 1760 case IEEE80211_MESH_AE_10: /* ucast, proxy */ 1761 KASSERT(rt != NULL, ("route is NULL")); 1762 IEEE80211_ADDR_COPY(wh->i_addr1, rt->rt_nexthop); 1763 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1764 IEEE80211_ADDR_COPY(wh->i_addr3, rt->rt_mesh_gate); 1765 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, vap->iv_myaddr); 1766 mc->mc_flags = IEEE80211_MESH_AE_10; 1767 IEEE80211_ADDR_COPY(mc->mc_addr5, eh.ether_dhost); 1768 IEEE80211_ADDR_COPY(mc->mc_addr6, eh.ether_shost); 1769 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1770 break; 1771 default: 1772 KASSERT(0, ("meshae %d", meshae)); 1773 break; 1774 } 1775 mc->mc_ttl = ms->ms_ttl; 1776 ms->ms_seq++; 1777 le32enc(mc->mc_seq, ms->ms_seq); 1778 break; 1779#endif 1780 case IEEE80211_M_WDS: /* NB: is4addr should always be true */ 1781 default: 1782 goto bad; 1783 } 1784 if (m->m_flags & M_MORE_DATA) 1785 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 1786 if (addqos) { 1787 int ac, tid; 1788 1789 if (is4addr) { 1790 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1791 /* NB: mesh case handled earlier */ 1792 } else if (vap->iv_opmode != IEEE80211_M_MBSS) 1793 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1794 ac = M_WME_GETAC(m); 1795 /* map from access class/queue to 11e header priorty value */ 1796 tid = WME_AC_TO_TID(ac); 1797 qos[0] = tid & IEEE80211_QOS_TID; 1798 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[ac].wmep_noackPolicy) 1799 qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK; 1800#ifdef IEEE80211_SUPPORT_MESH 1801 if (vap->iv_opmode == IEEE80211_M_MBSS) 1802 qos[1] = IEEE80211_QOS_MC; 1803 else 1804#endif 1805 qos[1] = 0; 1806 wh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS; 1807 1808 /* 1809 * If this is an A-MSDU then ensure we set the 1810 * relevant field. 1811 */ 1812 if (is_amsdu) 1813 qos[0] |= IEEE80211_QOS_AMSDU; 1814 1815 /* 1816 * XXX TODO TX lock is needed for atomic updates of sequence 1817 * numbers. If the driver does it, then don't do it here; 1818 * and we don't need the TX lock held. 1819 */ 1820 if ((m->m_flags & M_AMPDU_MPDU) == 0) { 1821 /* 1822 * 802.11-2012 9.3.2.10 - 1823 * 1824 * If this is a multicast frame then we need 1825 * to ensure that the sequence number comes from 1826 * a separate seqno space and not the TID space. 1827 * 1828 * Otherwise multicast frames may actually cause 1829 * holes in the TX blockack window space and 1830 * upset various things. 1831 */ 1832 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) 1833 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++; 1834 else 1835 seqno = ni->ni_txseqs[tid]++; 1836 1837 /* 1838 * NB: don't assign a sequence # to potential 1839 * aggregates; we expect this happens at the 1840 * point the frame comes off any aggregation q 1841 * as otherwise we may introduce holes in the 1842 * BA sequence space and/or make window accouting 1843 * more difficult. 1844 * 1845 * XXX may want to control this with a driver 1846 * capability; this may also change when we pull 1847 * aggregation up into net80211 1848 */ 1849 *(uint16_t *)wh->i_seq = 1850 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 1851 M_SEQNO_SET(m, seqno); 1852 } else { 1853 /* NB: zero out i_seq field (for s/w encryption etc) */ 1854 *(uint16_t *)wh->i_seq = 0; 1855 } 1856 } else { 1857 /* 1858 * XXX TODO TX lock is needed for atomic updates of sequence 1859 * numbers. If the driver does it, then don't do it here; 1860 * and we don't need the TX lock held. 1861 */ 1862 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++; 1863 *(uint16_t *)wh->i_seq = 1864 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 1865 M_SEQNO_SET(m, seqno); 1866 1867 /* 1868 * XXX TODO: we shouldn't allow EAPOL, etc that would 1869 * be forced to be non-QoS traffic to be A-MSDU encapsulated. 1870 */ 1871 if (is_amsdu) 1872 printf("%s: XXX ERROR: is_amsdu set; not QoS!\n", 1873 __func__); 1874 } 1875 1876 /* 1877 * Check if xmit fragmentation is required. 1878 * 1879 * If the hardware does fragmentation offload, then don't bother 1880 * doing it here. 1881 */ 1882 if (IEEE80211_CONF_FRAG_OFFLOAD(ic)) 1883 txfrag = 0; 1884 else 1885 txfrag = (m->m_pkthdr.len > vap->iv_fragthreshold && 1886 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 1887 (vap->iv_caps & IEEE80211_C_TXFRAG) && 1888 (m->m_flags & (M_FF | M_AMPDU_MPDU)) == 0); 1889 1890 if (key != NULL) { 1891 /* 1892 * IEEE 802.1X: send EAPOL frames always in the clear. 1893 * WPA/WPA2: encrypt EAPOL keys when pairwise keys are set. 1894 */ 1895 if ((m->m_flags & M_EAPOL) == 0 || 1896 ((vap->iv_flags & IEEE80211_F_WPA) && 1897 (vap->iv_opmode == IEEE80211_M_STA ? 1898 !IEEE80211_KEY_UNDEFINED(key) : 1899 !IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)))) { 1900 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 1901 if (!ieee80211_crypto_enmic(vap, key, m, txfrag)) { 1902 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_OUTPUT, 1903 eh.ether_dhost, 1904 "%s", "enmic failed, discard frame"); 1905 vap->iv_stats.is_crypto_enmicfail++; 1906 goto bad; 1907 } 1908 } 1909 } 1910 if (txfrag && !ieee80211_fragment(vap, m, hdrsize, 1911 key != NULL ? key->wk_cipher->ic_header : 0, vap->iv_fragthreshold)) 1912 goto bad; 1913 1914 m->m_flags |= M_ENCAP; /* mark encapsulated */ 1915 1916 IEEE80211_NODE_STAT(ni, tx_data); 1917 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 1918 IEEE80211_NODE_STAT(ni, tx_mcast); 1919 m->m_flags |= M_MCAST; 1920 } else 1921 IEEE80211_NODE_STAT(ni, tx_ucast); 1922 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, datalen); 1923 1924 return m; 1925bad: 1926 if (m != NULL) 1927 m_freem(m); 1928 return NULL; 1929#undef WH4 1930#undef MC01 1931} 1932 1933void 1934ieee80211_free_mbuf(struct mbuf *m) 1935{ 1936 struct mbuf *next; 1937 1938 if (m == NULL) 1939 return; 1940 1941 do { 1942 next = m->m_nextpkt; 1943 m->m_nextpkt = NULL; 1944 m_freem(m); 1945 } while ((m = next) != NULL); 1946} 1947 1948/* 1949 * Fragment the frame according to the specified mtu. 1950 * The size of the 802.11 header (w/o padding) is provided 1951 * so we don't need to recalculate it. We create a new 1952 * mbuf for each fragment and chain it through m_nextpkt; 1953 * we might be able to optimize this by reusing the original 1954 * packet's mbufs but that is significantly more complicated. 1955 */ 1956static int 1957ieee80211_fragment(struct ieee80211vap *vap, struct mbuf *m0, 1958 u_int hdrsize, u_int ciphdrsize, u_int mtu) 1959{ 1960 struct ieee80211com *ic = vap->iv_ic; 1961 struct ieee80211_frame *wh, *whf; 1962 struct mbuf *m, *prev; 1963 u_int totalhdrsize, fragno, fragsize, off, remainder, payload; 1964 u_int hdrspace; 1965 1966 KASSERT(m0->m_nextpkt == NULL, ("mbuf already chained?")); 1967 KASSERT(m0->m_pkthdr.len > mtu, 1968 ("pktlen %u mtu %u", m0->m_pkthdr.len, mtu)); 1969 1970 /* 1971 * Honor driver DATAPAD requirement. 1972 */ 1973 if (ic->ic_flags & IEEE80211_F_DATAPAD) 1974 hdrspace = roundup(hdrsize, sizeof(uint32_t)); 1975 else 1976 hdrspace = hdrsize; 1977 1978 wh = mtod(m0, struct ieee80211_frame *); 1979 /* NB: mark the first frag; it will be propagated below */ 1980 wh->i_fc[1] |= IEEE80211_FC1_MORE_FRAG; 1981 totalhdrsize = hdrspace + ciphdrsize; 1982 fragno = 1; 1983 off = mtu - ciphdrsize; 1984 remainder = m0->m_pkthdr.len - off; 1985 prev = m0; 1986 do { 1987 fragsize = MIN(totalhdrsize + remainder, mtu); 1988 m = m_get2(fragsize, M_NOWAIT, MT_DATA, M_PKTHDR); 1989 if (m == NULL) 1990 goto bad; 1991 /* leave room to prepend any cipher header */ 1992 m_align(m, fragsize - ciphdrsize); 1993 1994 /* 1995 * Form the header in the fragment. Note that since 1996 * we mark the first fragment with the MORE_FRAG bit 1997 * it automatically is propagated to each fragment; we 1998 * need only clear it on the last fragment (done below). 1999 * NB: frag 1+ dont have Mesh Control field present. 2000 */ 2001 whf = mtod(m, struct ieee80211_frame *); 2002 memcpy(whf, wh, hdrsize); 2003#ifdef IEEE80211_SUPPORT_MESH 2004 if (vap->iv_opmode == IEEE80211_M_MBSS) 2005 ieee80211_getqos(wh)[1] &= ~IEEE80211_QOS_MC; 2006#endif 2007 *(uint16_t *)&whf->i_seq[0] |= htole16( 2008 (fragno & IEEE80211_SEQ_FRAG_MASK) << 2009 IEEE80211_SEQ_FRAG_SHIFT); 2010 fragno++; 2011 2012 payload = fragsize - totalhdrsize; 2013 /* NB: destination is known to be contiguous */ 2014 2015 m_copydata(m0, off, payload, mtod(m, uint8_t *) + hdrspace); 2016 m->m_len = hdrspace + payload; 2017 m->m_pkthdr.len = hdrspace + payload; 2018 m->m_flags |= M_FRAG; 2019 2020 /* chain up the fragment */ 2021 prev->m_nextpkt = m; 2022 prev = m; 2023 2024 /* deduct fragment just formed */ 2025 remainder -= payload; 2026 off += payload; 2027 } while (remainder != 0); 2028 2029 /* set the last fragment */ 2030 m->m_flags |= M_LASTFRAG; 2031 whf->i_fc[1] &= ~IEEE80211_FC1_MORE_FRAG; 2032 2033 /* strip first mbuf now that everything has been copied */ 2034 m_adj(m0, -(m0->m_pkthdr.len - (mtu - ciphdrsize))); 2035 m0->m_flags |= M_FIRSTFRAG | M_FRAG; 2036 2037 vap->iv_stats.is_tx_fragframes++; 2038 vap->iv_stats.is_tx_frags += fragno-1; 2039 2040 return 1; 2041bad: 2042 /* reclaim fragments but leave original frame for caller to free */ 2043 ieee80211_free_mbuf(m0->m_nextpkt); 2044 m0->m_nextpkt = NULL; 2045 return 0; 2046} 2047 2048/* 2049 * Add a supported rates element id to a frame. 2050 */ 2051uint8_t * 2052ieee80211_add_rates(uint8_t *frm, const struct ieee80211_rateset *rs) 2053{ 2054 int nrates; 2055 2056 *frm++ = IEEE80211_ELEMID_RATES; 2057 nrates = rs->rs_nrates; 2058 if (nrates > IEEE80211_RATE_SIZE) 2059 nrates = IEEE80211_RATE_SIZE; 2060 *frm++ = nrates; 2061 memcpy(frm, rs->rs_rates, nrates); 2062 return frm + nrates; 2063} 2064 2065/* 2066 * Add an extended supported rates element id to a frame. 2067 */ 2068uint8_t * 2069ieee80211_add_xrates(uint8_t *frm, const struct ieee80211_rateset *rs) 2070{ 2071 /* 2072 * Add an extended supported rates element if operating in 11g mode. 2073 */ 2074 if (rs->rs_nrates > IEEE80211_RATE_SIZE) { 2075 int nrates = rs->rs_nrates - IEEE80211_RATE_SIZE; 2076 *frm++ = IEEE80211_ELEMID_XRATES; 2077 *frm++ = nrates; 2078 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates); 2079 frm += nrates; 2080 } 2081 return frm; 2082} 2083 2084/* 2085 * Add an ssid element to a frame. 2086 */ 2087uint8_t * 2088ieee80211_add_ssid(uint8_t *frm, const uint8_t *ssid, u_int len) 2089{ 2090 *frm++ = IEEE80211_ELEMID_SSID; 2091 *frm++ = len; 2092 memcpy(frm, ssid, len); 2093 return frm + len; 2094} 2095 2096/* 2097 * Add an erp element to a frame. 2098 */ 2099static uint8_t * 2100ieee80211_add_erp(uint8_t *frm, struct ieee80211vap *vap) 2101{ 2102 struct ieee80211com *ic = vap->iv_ic; 2103 uint8_t erp; 2104 2105 *frm++ = IEEE80211_ELEMID_ERP; 2106 *frm++ = 1; 2107 erp = 0; 2108 2109 /* 2110 * TODO: This uses the global flags for now because 2111 * the per-VAP flags are fine for per-VAP, but don't 2112 * take into account which VAPs share the same channel 2113 * and which are on different channels. 2114 * 2115 * ERP and HT/VHT protection mode is a function of 2116 * how many stations are on a channel, not specifically 2117 * the VAP or global. But, until we grow that status, 2118 * the global flag will have to do. 2119 */ 2120 if (ic->ic_flags_ext & IEEE80211_FEXT_NONERP_PR) 2121 erp |= IEEE80211_ERP_NON_ERP_PRESENT; 2122 2123 /* 2124 * TODO: same as above; these should be based not 2125 * on the vap or ic flags, but instead on a combination 2126 * of per-VAP and channels. 2127 */ 2128 if (ic->ic_flags & IEEE80211_F_USEPROT) 2129 erp |= IEEE80211_ERP_USE_PROTECTION; 2130 if (ic->ic_flags & IEEE80211_F_USEBARKER) 2131 erp |= IEEE80211_ERP_LONG_PREAMBLE; 2132 *frm++ = erp; 2133 return frm; 2134} 2135 2136/* 2137 * Add a CFParams element to a frame. 2138 */ 2139static uint8_t * 2140ieee80211_add_cfparms(uint8_t *frm, struct ieee80211com *ic) 2141{ 2142#define ADDSHORT(frm, v) do { \ 2143 le16enc(frm, v); \ 2144 frm += 2; \ 2145} while (0) 2146 *frm++ = IEEE80211_ELEMID_CFPARMS; 2147 *frm++ = 6; 2148 *frm++ = 0; /* CFP count */ 2149 *frm++ = 2; /* CFP period */ 2150 ADDSHORT(frm, 0); /* CFP MaxDuration (TU) */ 2151 ADDSHORT(frm, 0); /* CFP CurRemaining (TU) */ 2152 return frm; 2153#undef ADDSHORT 2154} 2155 2156static __inline uint8_t * 2157add_appie(uint8_t *frm, const struct ieee80211_appie *ie) 2158{ 2159 memcpy(frm, ie->ie_data, ie->ie_len); 2160 return frm + ie->ie_len; 2161} 2162 2163static __inline uint8_t * 2164add_ie(uint8_t *frm, const uint8_t *ie) 2165{ 2166 memcpy(frm, ie, 2 + ie[1]); 2167 return frm + 2 + ie[1]; 2168} 2169 2170#define WME_OUI_BYTES 0x00, 0x50, 0xf2 2171/* 2172 * Add a WME information element to a frame. 2173 */ 2174uint8_t * 2175ieee80211_add_wme_info(uint8_t *frm, struct ieee80211_wme_state *wme, 2176 struct ieee80211_node *ni) 2177{ 2178 static const uint8_t oui[4] = { WME_OUI_BYTES, WME_OUI_TYPE }; 2179 struct ieee80211vap *vap = ni->ni_vap; 2180 2181 *frm++ = IEEE80211_ELEMID_VENDOR; 2182 *frm++ = sizeof(struct ieee80211_wme_info) - 2; 2183 memcpy(frm, oui, sizeof(oui)); 2184 frm += sizeof(oui); 2185 *frm++ = WME_INFO_OUI_SUBTYPE; 2186 *frm++ = WME_VERSION; 2187 2188 /* QoS info field depends upon operating mode */ 2189 switch (vap->iv_opmode) { 2190 case IEEE80211_M_HOSTAP: 2191 *frm = wme->wme_bssChanParams.cap_info; 2192 if (vap->iv_flags_ext & IEEE80211_FEXT_UAPSD) 2193 *frm |= WME_CAPINFO_UAPSD_EN; 2194 frm++; 2195 break; 2196 case IEEE80211_M_STA: 2197 /* 2198 * NB: UAPSD drivers must set this up in their 2199 * VAP creation method. 2200 */ 2201 *frm++ = vap->iv_uapsdinfo; 2202 break; 2203 default: 2204 *frm++ = 0; 2205 break; 2206 } 2207 2208 return frm; 2209} 2210 2211/* 2212 * Add a WME parameters element to a frame. 2213 */ 2214static uint8_t * 2215ieee80211_add_wme_param(uint8_t *frm, struct ieee80211_wme_state *wme, 2216 int uapsd_enable) 2217{ 2218#define ADDSHORT(frm, v) do { \ 2219 le16enc(frm, v); \ 2220 frm += 2; \ 2221} while (0) 2222 /* NB: this works 'cuz a param has an info at the front */ 2223 static const struct ieee80211_wme_info param = { 2224 .wme_id = IEEE80211_ELEMID_VENDOR, 2225 .wme_len = sizeof(struct ieee80211_wme_param) - 2, 2226 .wme_oui = { WME_OUI_BYTES }, 2227 .wme_type = WME_OUI_TYPE, 2228 .wme_subtype = WME_PARAM_OUI_SUBTYPE, 2229 .wme_version = WME_VERSION, 2230 }; 2231 int i; 2232 2233 memcpy(frm, ¶m, sizeof(param)); 2234 frm += __offsetof(struct ieee80211_wme_info, wme_info); 2235 *frm = wme->wme_bssChanParams.cap_info; /* AC info */ 2236 if (uapsd_enable) 2237 *frm |= WME_CAPINFO_UAPSD_EN; 2238 frm++; 2239 *frm++ = 0; /* reserved field */ 2240 /* XXX TODO - U-APSD bits - SP, flags below */ 2241 for (i = 0; i < WME_NUM_AC; i++) { 2242 const struct wmeParams *ac = 2243 &wme->wme_bssChanParams.cap_wmeParams[i]; 2244 *frm++ = _IEEE80211_SHIFTMASK(i, WME_PARAM_ACI) 2245 | _IEEE80211_SHIFTMASK(ac->wmep_acm, WME_PARAM_ACM) 2246 | _IEEE80211_SHIFTMASK(ac->wmep_aifsn, WME_PARAM_AIFSN) 2247 ; 2248 *frm++ = _IEEE80211_SHIFTMASK(ac->wmep_logcwmax, 2249 WME_PARAM_LOGCWMAX) 2250 | _IEEE80211_SHIFTMASK(ac->wmep_logcwmin, 2251 WME_PARAM_LOGCWMIN) 2252 ; 2253 ADDSHORT(frm, ac->wmep_txopLimit); 2254 } 2255 return frm; 2256#undef ADDSHORT 2257} 2258#undef WME_OUI_BYTES 2259 2260/* 2261 * Add an 11h Power Constraint element to a frame. 2262 */ 2263static uint8_t * 2264ieee80211_add_powerconstraint(uint8_t *frm, struct ieee80211vap *vap) 2265{ 2266 const struct ieee80211_channel *c = vap->iv_bss->ni_chan; 2267 /* XXX per-vap tx power limit? */ 2268 int8_t limit = vap->iv_ic->ic_txpowlimit / 2; 2269 2270 frm[0] = IEEE80211_ELEMID_PWRCNSTR; 2271 frm[1] = 1; 2272 frm[2] = c->ic_maxregpower > limit ? c->ic_maxregpower - limit : 0; 2273 return frm + 3; 2274} 2275 2276/* 2277 * Add an 11h Power Capability element to a frame. 2278 */ 2279static uint8_t * 2280ieee80211_add_powercapability(uint8_t *frm, const struct ieee80211_channel *c) 2281{ 2282 frm[0] = IEEE80211_ELEMID_PWRCAP; 2283 frm[1] = 2; 2284 frm[2] = c->ic_minpower; 2285 frm[3] = c->ic_maxpower; 2286 return frm + 4; 2287} 2288 2289/* 2290 * Add an 11h Supported Channels element to a frame. 2291 */ 2292static uint8_t * 2293ieee80211_add_supportedchannels(uint8_t *frm, struct ieee80211com *ic) 2294{ 2295 static const int ielen = 26; 2296 2297 frm[0] = IEEE80211_ELEMID_SUPPCHAN; 2298 frm[1] = ielen; 2299 /* XXX not correct */ 2300 memcpy(frm+2, ic->ic_chan_avail, ielen); 2301 return frm + 2 + ielen; 2302} 2303 2304/* 2305 * Add an 11h Quiet time element to a frame. 2306 */ 2307static uint8_t * 2308ieee80211_add_quiet(uint8_t *frm, struct ieee80211vap *vap, int update) 2309{ 2310 struct ieee80211_quiet_ie *quiet = (struct ieee80211_quiet_ie *) frm; 2311 2312 quiet->quiet_ie = IEEE80211_ELEMID_QUIET; 2313 quiet->len = 6; 2314 2315 /* 2316 * Only update every beacon interval - otherwise probe responses 2317 * would update the quiet count value. 2318 */ 2319 if (update) { 2320 if (vap->iv_quiet_count_value == 1) 2321 vap->iv_quiet_count_value = vap->iv_quiet_count; 2322 else if (vap->iv_quiet_count_value > 1) 2323 vap->iv_quiet_count_value--; 2324 } 2325 2326 if (vap->iv_quiet_count_value == 0) { 2327 /* value 0 is reserved as per 802.11h standerd */ 2328 vap->iv_quiet_count_value = 1; 2329 } 2330 2331 quiet->tbttcount = vap->iv_quiet_count_value; 2332 quiet->period = vap->iv_quiet_period; 2333 quiet->duration = htole16(vap->iv_quiet_duration); 2334 quiet->offset = htole16(vap->iv_quiet_offset); 2335 return frm + sizeof(*quiet); 2336} 2337 2338/* 2339 * Add an 11h Channel Switch Announcement element to a frame. 2340 * Note that we use the per-vap CSA count to adjust the global 2341 * counter so we can use this routine to form probe response 2342 * frames and get the current count. 2343 */ 2344static uint8_t * 2345ieee80211_add_csa(uint8_t *frm, struct ieee80211vap *vap) 2346{ 2347 struct ieee80211com *ic = vap->iv_ic; 2348 struct ieee80211_csa_ie *csa = (struct ieee80211_csa_ie *) frm; 2349 2350 csa->csa_ie = IEEE80211_ELEMID_CSA; 2351 csa->csa_len = 3; 2352 csa->csa_mode = 1; /* XXX force quiet on channel */ 2353 csa->csa_newchan = ieee80211_chan2ieee(ic, ic->ic_csa_newchan); 2354 csa->csa_count = ic->ic_csa_count - vap->iv_csa_count; 2355 return frm + sizeof(*csa); 2356} 2357 2358/* 2359 * Add an 11h country information element to a frame. 2360 */ 2361static uint8_t * 2362ieee80211_add_countryie(uint8_t *frm, struct ieee80211com *ic) 2363{ 2364 2365 if (ic->ic_countryie == NULL || 2366 ic->ic_countryie_chan != ic->ic_bsschan) { 2367 /* 2368 * Handle lazy construction of ie. This is done on 2369 * first use and after a channel change that requires 2370 * re-calculation. 2371 */ 2372 if (ic->ic_countryie != NULL) 2373 IEEE80211_FREE(ic->ic_countryie, M_80211_NODE_IE); 2374 ic->ic_countryie = ieee80211_alloc_countryie(ic); 2375 if (ic->ic_countryie == NULL) 2376 return frm; 2377 ic->ic_countryie_chan = ic->ic_bsschan; 2378 } 2379 return add_appie(frm, ic->ic_countryie); 2380} 2381 2382uint8_t * 2383ieee80211_add_wpa(uint8_t *frm, const struct ieee80211vap *vap) 2384{ 2385 if (vap->iv_flags & IEEE80211_F_WPA1 && vap->iv_wpa_ie != NULL) 2386 return (add_ie(frm, vap->iv_wpa_ie)); 2387 else { 2388 /* XXX else complain? */ 2389 return (frm); 2390 } 2391} 2392 2393uint8_t * 2394ieee80211_add_rsn(uint8_t *frm, const struct ieee80211vap *vap) 2395{ 2396 if (vap->iv_flags & IEEE80211_F_WPA2 && vap->iv_rsn_ie != NULL) 2397 return (add_ie(frm, vap->iv_rsn_ie)); 2398 else { 2399 /* XXX else complain? */ 2400 return (frm); 2401 } 2402} 2403 2404uint8_t * 2405ieee80211_add_qos(uint8_t *frm, const struct ieee80211_node *ni) 2406{ 2407 if (ni->ni_flags & IEEE80211_NODE_QOS) { 2408 *frm++ = IEEE80211_ELEMID_QOS; 2409 *frm++ = 1; 2410 *frm++ = 0; 2411 } 2412 2413 return (frm); 2414} 2415 2416/* 2417 * Send a probe request frame with the specified ssid 2418 * and any optional information element data. 2419 */ 2420int 2421ieee80211_send_probereq(struct ieee80211_node *ni, 2422 const uint8_t sa[IEEE80211_ADDR_LEN], 2423 const uint8_t da[IEEE80211_ADDR_LEN], 2424 const uint8_t bssid[IEEE80211_ADDR_LEN], 2425 const uint8_t *ssid, size_t ssidlen) 2426{ 2427 struct ieee80211vap *vap = ni->ni_vap; 2428 struct ieee80211com *ic = ni->ni_ic; 2429 struct ieee80211_node *bss; 2430 const struct ieee80211_txparam *tp; 2431 struct ieee80211_bpf_params params; 2432 const struct ieee80211_rateset *rs; 2433 struct mbuf *m; 2434 uint8_t *frm; 2435 int ret; 2436 2437 bss = ieee80211_ref_node(vap->iv_bss); 2438 2439 if (vap->iv_state == IEEE80211_S_CAC) { 2440 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, ni, 2441 "block %s frame in CAC state", "probe request"); 2442 vap->iv_stats.is_tx_badstate++; 2443 ieee80211_free_node(bss); 2444 return EIO; /* XXX */ 2445 } 2446 2447 /* 2448 * Hold a reference on the node so it doesn't go away until after 2449 * the xmit is complete all the way in the driver. On error we 2450 * will remove our reference. 2451 */ 2452 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 2453 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 2454 __func__, __LINE__, 2455 ni, ether_sprintf(ni->ni_macaddr), 2456 ieee80211_node_refcnt(ni)+1); 2457 ieee80211_ref_node(ni); 2458 2459 /* 2460 * prreq frame format 2461 * [tlv] ssid 2462 * [tlv] supported rates 2463 * [tlv] RSN (optional) 2464 * [tlv] extended supported rates 2465 * [tlv] HT cap (optional) 2466 * [tlv] VHT cap (optional) 2467 * [tlv] WPA (optional) 2468 * [tlv] user-specified ie's 2469 */ 2470 m = ieee80211_getmgtframe(&frm, 2471 ic->ic_headroom + sizeof(struct ieee80211_frame), 2472 2 + IEEE80211_NWID_LEN 2473 + 2 + IEEE80211_RATE_SIZE 2474 + sizeof(struct ieee80211_ie_htcap) 2475 + sizeof(struct ieee80211_ie_vhtcap) 2476 + sizeof(struct ieee80211_ie_htinfo) /* XXX not needed? */ 2477 + sizeof(struct ieee80211_ie_wpa) 2478 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2479 + sizeof(struct ieee80211_ie_wpa) 2480 + (vap->iv_appie_probereq != NULL ? 2481 vap->iv_appie_probereq->ie_len : 0) 2482 ); 2483 if (m == NULL) { 2484 vap->iv_stats.is_tx_nobuf++; 2485 ieee80211_free_node(ni); 2486 ieee80211_free_node(bss); 2487 return ENOMEM; 2488 } 2489 2490 frm = ieee80211_add_ssid(frm, ssid, ssidlen); 2491 rs = ieee80211_get_suprates(ic, ic->ic_curchan); 2492 frm = ieee80211_add_rates(frm, rs); 2493 frm = ieee80211_add_rsn(frm, vap); 2494 frm = ieee80211_add_xrates(frm, rs); 2495 2496 /* 2497 * Note: we can't use bss; we don't have one yet. 2498 * 2499 * So, we should announce our capabilities 2500 * in this channel mode (2g/5g), not the 2501 * channel details itself. 2502 */ 2503 if ((vap->iv_opmode == IEEE80211_M_IBSS) && 2504 (vap->iv_flags_ht & IEEE80211_FHT_HT)) { 2505 struct ieee80211_channel *c; 2506 2507 /* 2508 * Get the HT channel that we should try upgrading to. 2509 * If we can do 40MHz then this'll upgrade it appropriately. 2510 */ 2511 c = ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 2512 vap->iv_flags_ht); 2513 frm = ieee80211_add_htcap_ch(frm, vap, c); 2514 } 2515 2516 /* 2517 * XXX TODO: need to figure out what/how to update the 2518 * VHT channel. 2519 */ 2520#if 0 2521 (vap->iv_flags_vht & IEEE80211_FVHT_VHT) { 2522 struct ieee80211_channel *c; 2523 2524 c = ieee80211_ht_adjust_channel(ic, ic->ic_curchan, 2525 vap->iv_flags_ht); 2526 c = ieee80211_vht_adjust_channel(ic, c, vap->iv_flags_vht); 2527 frm = ieee80211_add_vhtcap_ch(frm, vap, c); 2528 } 2529#endif 2530 2531 frm = ieee80211_add_wpa(frm, vap); 2532 if (vap->iv_appie_probereq != NULL) 2533 frm = add_appie(frm, vap->iv_appie_probereq); 2534 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2535 2536 KASSERT(M_LEADINGSPACE(m) >= sizeof(struct ieee80211_frame), 2537 ("leading space %zd", M_LEADINGSPACE(m))); 2538 M_PREPEND(m, sizeof(struct ieee80211_frame), M_NOWAIT); 2539 if (m == NULL) { 2540 /* NB: cannot happen */ 2541 ieee80211_free_node(ni); 2542 ieee80211_free_node(bss); 2543 return ENOMEM; 2544 } 2545 2546 IEEE80211_TX_LOCK(ic); 2547 ieee80211_send_setup(ni, m, 2548 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_REQ, 2549 IEEE80211_NONQOS_TID, sa, da, bssid); 2550 /* XXX power management? */ 2551 m->m_flags |= M_ENCAP; /* mark encapsulated */ 2552 2553 M_WME_SETAC(m, WME_AC_BE); 2554 2555 IEEE80211_NODE_STAT(ni, tx_probereq); 2556 IEEE80211_NODE_STAT(ni, tx_mgmt); 2557 2558 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 2559 "send probe req on channel %u bssid %s sa %6D da %6D ssid \"%.*s\"\n", 2560 ieee80211_chan2ieee(ic, ic->ic_curchan), 2561 ether_sprintf(bssid), 2562 sa, ":", 2563 da, ":", 2564 ssidlen, ssid); 2565 2566 memset(¶ms, 0, sizeof(params)); 2567 params.ibp_pri = M_WME_GETAC(m); 2568 tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)]; 2569 params.ibp_rate0 = tp->mgmtrate; 2570 if (IEEE80211_IS_MULTICAST(da)) { 2571 params.ibp_flags |= IEEE80211_BPF_NOACK; 2572 params.ibp_try0 = 1; 2573 } else 2574 params.ibp_try0 = tp->maxretry; 2575 params.ibp_power = ni->ni_txpower; 2576 ret = ieee80211_raw_output(vap, ni, m, ¶ms); 2577 IEEE80211_TX_UNLOCK(ic); 2578 ieee80211_free_node(bss); 2579 return (ret); 2580} 2581 2582/* 2583 * Calculate capability information for mgt frames. 2584 */ 2585uint16_t 2586ieee80211_getcapinfo(struct ieee80211vap *vap, struct ieee80211_channel *chan) 2587{ 2588 uint16_t capinfo; 2589 2590 KASSERT(vap->iv_opmode != IEEE80211_M_STA, ("station mode")); 2591 2592 if (vap->iv_opmode == IEEE80211_M_HOSTAP) 2593 capinfo = IEEE80211_CAPINFO_ESS; 2594 else if (vap->iv_opmode == IEEE80211_M_IBSS) 2595 capinfo = IEEE80211_CAPINFO_IBSS; 2596 else 2597 capinfo = 0; 2598 if (vap->iv_flags & IEEE80211_F_PRIVACY) 2599 capinfo |= IEEE80211_CAPINFO_PRIVACY; 2600 if ((vap->iv_flags & IEEE80211_F_SHPREAMBLE) && 2601 IEEE80211_IS_CHAN_2GHZ(chan)) 2602 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 2603 if (vap->iv_flags & IEEE80211_F_SHSLOT) 2604 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 2605 if (IEEE80211_IS_CHAN_5GHZ(chan) && (vap->iv_flags & IEEE80211_F_DOTH)) 2606 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT; 2607 return capinfo; 2608} 2609 2610/* 2611 * Send a management frame. The node is for the destination (or ic_bss 2612 * when in station mode). Nodes other than ic_bss have their reference 2613 * count bumped to reflect our use for an indeterminant time. 2614 */ 2615int 2616ieee80211_send_mgmt(struct ieee80211_node *ni, int type, int arg) 2617{ 2618#define HTFLAGS (IEEE80211_NODE_HT | IEEE80211_NODE_HTCOMPAT) 2619#define senderr(_x, _v) do { vap->iv_stats._v++; ret = _x; goto bad; } while (0) 2620 struct ieee80211vap *vap = ni->ni_vap; 2621 struct ieee80211com *ic = ni->ni_ic; 2622 struct ieee80211_node *bss = vap->iv_bss; 2623 struct ieee80211_bpf_params params; 2624 struct mbuf *m; 2625 uint8_t *frm; 2626 uint16_t capinfo; 2627 int has_challenge, is_shared_key, ret, status; 2628 2629 KASSERT(ni != NULL, ("null node")); 2630 2631 /* 2632 * Hold a reference on the node so it doesn't go away until after 2633 * the xmit is complete all the way in the driver. On error we 2634 * will remove our reference. 2635 */ 2636 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 2637 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 2638 __func__, __LINE__, 2639 ni, ether_sprintf(ni->ni_macaddr), 2640 ieee80211_node_refcnt(ni)+1); 2641 ieee80211_ref_node(ni); 2642 2643 memset(¶ms, 0, sizeof(params)); 2644 switch (type) { 2645 case IEEE80211_FC0_SUBTYPE_AUTH: 2646 status = arg >> 16; 2647 arg &= 0xffff; 2648 has_challenge = ((arg == IEEE80211_AUTH_SHARED_CHALLENGE || 2649 arg == IEEE80211_AUTH_SHARED_RESPONSE) && 2650 ni->ni_challenge != NULL); 2651 2652 /* 2653 * Deduce whether we're doing open authentication or 2654 * shared key authentication. We do the latter if 2655 * we're in the middle of a shared key authentication 2656 * handshake or if we're initiating an authentication 2657 * request and configured to use shared key. 2658 */ 2659 is_shared_key = has_challenge || 2660 arg >= IEEE80211_AUTH_SHARED_RESPONSE || 2661 (arg == IEEE80211_AUTH_SHARED_REQUEST && 2662 bss->ni_authmode == IEEE80211_AUTH_SHARED); 2663 2664 m = ieee80211_getmgtframe(&frm, 2665 ic->ic_headroom + sizeof(struct ieee80211_frame), 2666 3 * sizeof(uint16_t) 2667 + (has_challenge && status == IEEE80211_STATUS_SUCCESS ? 2668 sizeof(uint16_t)+IEEE80211_CHALLENGE_LEN : 0) 2669 ); 2670 if (m == NULL) 2671 senderr(ENOMEM, is_tx_nobuf); 2672 2673 ((uint16_t *)frm)[0] = 2674 (is_shared_key) ? htole16(IEEE80211_AUTH_ALG_SHARED) 2675 : htole16(IEEE80211_AUTH_ALG_OPEN); 2676 ((uint16_t *)frm)[1] = htole16(arg); /* sequence number */ 2677 ((uint16_t *)frm)[2] = htole16(status);/* status */ 2678 2679 if (has_challenge && status == IEEE80211_STATUS_SUCCESS) { 2680 ((uint16_t *)frm)[3] = 2681 htole16((IEEE80211_CHALLENGE_LEN << 8) | 2682 IEEE80211_ELEMID_CHALLENGE); 2683 memcpy(&((uint16_t *)frm)[4], ni->ni_challenge, 2684 IEEE80211_CHALLENGE_LEN); 2685 m->m_pkthdr.len = m->m_len = 2686 4 * sizeof(uint16_t) + IEEE80211_CHALLENGE_LEN; 2687 if (arg == IEEE80211_AUTH_SHARED_RESPONSE) { 2688 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2689 "request encrypt frame (%s)", __func__); 2690 /* mark frame for encryption */ 2691 params.ibp_flags |= IEEE80211_BPF_CRYPTO; 2692 } 2693 } else 2694 m->m_pkthdr.len = m->m_len = 3 * sizeof(uint16_t); 2695 2696 /* XXX not right for shared key */ 2697 if (status == IEEE80211_STATUS_SUCCESS) 2698 IEEE80211_NODE_STAT(ni, tx_auth); 2699 else 2700 IEEE80211_NODE_STAT(ni, tx_auth_fail); 2701 2702 if (vap->iv_opmode == IEEE80211_M_STA) 2703 ieee80211_add_callback(m, ieee80211_tx_mgt_cb, 2704 (void *) vap->iv_state); 2705 break; 2706 2707 case IEEE80211_FC0_SUBTYPE_DEAUTH: 2708 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 2709 "send station deauthenticate (reason: %d (%s))", arg, 2710 ieee80211_reason_to_string(arg)); 2711 m = ieee80211_getmgtframe(&frm, 2712 ic->ic_headroom + sizeof(struct ieee80211_frame), 2713 sizeof(uint16_t)); 2714 if (m == NULL) 2715 senderr(ENOMEM, is_tx_nobuf); 2716 *(uint16_t *)frm = htole16(arg); /* reason */ 2717 m->m_pkthdr.len = m->m_len = sizeof(uint16_t); 2718 2719 IEEE80211_NODE_STAT(ni, tx_deauth); 2720 IEEE80211_NODE_STAT_SET(ni, tx_deauth_code, arg); 2721 2722 ieee80211_node_unauthorize(ni); /* port closed */ 2723 break; 2724 2725 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 2726 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 2727 /* 2728 * asreq frame format 2729 * [2] capability information 2730 * [2] listen interval 2731 * [6*] current AP address (reassoc only) 2732 * [tlv] ssid 2733 * [tlv] supported rates 2734 * [tlv] extended supported rates 2735 * [4] power capability (optional) 2736 * [28] supported channels (optional) 2737 * [tlv] HT capabilities 2738 * [tlv] VHT capabilities 2739 * [tlv] WME (optional) 2740 * [tlv] Vendor OUI HT capabilities (optional) 2741 * [tlv] Atheros capabilities (if negotiated) 2742 * [tlv] AppIE's (optional) 2743 */ 2744 m = ieee80211_getmgtframe(&frm, 2745 ic->ic_headroom + sizeof(struct ieee80211_frame), 2746 sizeof(uint16_t) 2747 + sizeof(uint16_t) 2748 + IEEE80211_ADDR_LEN 2749 + 2 + IEEE80211_NWID_LEN 2750 + 2 + IEEE80211_RATE_SIZE 2751 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2752 + 4 2753 + 2 + 26 2754 + sizeof(struct ieee80211_wme_info) 2755 + sizeof(struct ieee80211_ie_htcap) 2756 + sizeof(struct ieee80211_ie_vhtcap) 2757 + 4 + sizeof(struct ieee80211_ie_htcap) 2758#ifdef IEEE80211_SUPPORT_SUPERG 2759 + sizeof(struct ieee80211_ath_ie) 2760#endif 2761 + (vap->iv_appie_wpa != NULL ? 2762 vap->iv_appie_wpa->ie_len : 0) 2763 + (vap->iv_appie_assocreq != NULL ? 2764 vap->iv_appie_assocreq->ie_len : 0) 2765 ); 2766 if (m == NULL) 2767 senderr(ENOMEM, is_tx_nobuf); 2768 2769 KASSERT(vap->iv_opmode == IEEE80211_M_STA, 2770 ("wrong mode %u", vap->iv_opmode)); 2771 capinfo = IEEE80211_CAPINFO_ESS; 2772 if (vap->iv_flags & IEEE80211_F_PRIVACY) 2773 capinfo |= IEEE80211_CAPINFO_PRIVACY; 2774 /* 2775 * NB: Some 11a AP's reject the request when 2776 * short preamble is set. 2777 */ 2778 if ((vap->iv_flags & IEEE80211_F_SHPREAMBLE) && 2779 IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan)) 2780 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 2781 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 2782 (ic->ic_caps & IEEE80211_C_SHSLOT)) 2783 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 2784 if ((ni->ni_capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) && 2785 (vap->iv_flags & IEEE80211_F_DOTH)) 2786 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT; 2787 *(uint16_t *)frm = htole16(capinfo); 2788 frm += 2; 2789 2790 KASSERT(bss->ni_intval != 0, ("beacon interval is zero!")); 2791 *(uint16_t *)frm = htole16(howmany(ic->ic_lintval, 2792 bss->ni_intval)); 2793 frm += 2; 2794 2795 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2796 IEEE80211_ADDR_COPY(frm, bss->ni_bssid); 2797 frm += IEEE80211_ADDR_LEN; 2798 } 2799 2800 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 2801 frm = ieee80211_add_rates(frm, &ni->ni_rates); 2802 frm = ieee80211_add_rsn(frm, vap); 2803 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 2804 if (capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) { 2805 frm = ieee80211_add_powercapability(frm, 2806 ic->ic_curchan); 2807 frm = ieee80211_add_supportedchannels(frm, ic); 2808 } 2809 2810 /* 2811 * Check the channel - we may be using an 11n NIC with an 2812 * 11n capable station, but we're configured to be an 11b 2813 * channel. 2814 */ 2815 if ((vap->iv_flags_ht & IEEE80211_FHT_HT) && 2816 IEEE80211_IS_CHAN_HT(ni->ni_chan) && 2817 ni->ni_ies.htcap_ie != NULL && 2818 ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_HTCAP) { 2819 frm = ieee80211_add_htcap(frm, ni); 2820 } 2821 2822 if ((vap->iv_flags_vht & IEEE80211_FVHT_VHT) && 2823 IEEE80211_IS_CHAN_VHT(ni->ni_chan) && 2824 ni->ni_ies.vhtcap_ie != NULL && 2825 ni->ni_ies.vhtcap_ie[0] == IEEE80211_ELEMID_VHT_CAP) { 2826 frm = ieee80211_add_vhtcap(frm, ni); 2827 } 2828 2829 frm = ieee80211_add_wpa(frm, vap); 2830 if ((ic->ic_flags & IEEE80211_F_WME) && 2831 ni->ni_ies.wme_ie != NULL) 2832 frm = ieee80211_add_wme_info(frm, &ic->ic_wme, ni); 2833 2834 /* 2835 * Same deal - only send HT info if we're on an 11n 2836 * capable channel. 2837 */ 2838 if ((vap->iv_flags_ht & IEEE80211_FHT_HT) && 2839 IEEE80211_IS_CHAN_HT(ni->ni_chan) && 2840 ni->ni_ies.htcap_ie != NULL && 2841 ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_VENDOR) { 2842 frm = ieee80211_add_htcap_vendor(frm, ni); 2843 } 2844#ifdef IEEE80211_SUPPORT_SUPERG 2845 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS)) { 2846 frm = ieee80211_add_ath(frm, 2847 IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS), 2848 ((vap->iv_flags & IEEE80211_F_WPA) == 0 && 2849 ni->ni_authmode != IEEE80211_AUTH_8021X) ? 2850 vap->iv_def_txkey : IEEE80211_KEYIX_NONE); 2851 } 2852#endif /* IEEE80211_SUPPORT_SUPERG */ 2853 if (vap->iv_appie_assocreq != NULL) 2854 frm = add_appie(frm, vap->iv_appie_assocreq); 2855 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2856 2857 ieee80211_add_callback(m, ieee80211_tx_mgt_cb, 2858 (void *) vap->iv_state); 2859 break; 2860 2861 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2862 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2863 /* 2864 * asresp frame format 2865 * [2] capability information 2866 * [2] status 2867 * [2] association ID 2868 * [tlv] supported rates 2869 * [tlv] extended supported rates 2870 * [tlv] HT capabilities (standard, if STA enabled) 2871 * [tlv] HT information (standard, if STA enabled) 2872 * [tlv] VHT capabilities (standard, if STA enabled) 2873 * [tlv] VHT information (standard, if STA enabled) 2874 * [tlv] WME (if configured and STA enabled) 2875 * [tlv] HT capabilities (vendor OUI, if STA enabled) 2876 * [tlv] HT information (vendor OUI, if STA enabled) 2877 * [tlv] Atheros capabilities (if STA enabled) 2878 * [tlv] AppIE's (optional) 2879 */ 2880 m = ieee80211_getmgtframe(&frm, 2881 ic->ic_headroom + sizeof(struct ieee80211_frame), 2882 sizeof(uint16_t) 2883 + sizeof(uint16_t) 2884 + sizeof(uint16_t) 2885 + 2 + IEEE80211_RATE_SIZE 2886 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2887 + sizeof(struct ieee80211_ie_htcap) + 4 2888 + sizeof(struct ieee80211_ie_htinfo) + 4 2889 + sizeof(struct ieee80211_ie_vhtcap) 2890 + sizeof(struct ieee80211_ie_vht_operation) 2891 + sizeof(struct ieee80211_wme_param) 2892#ifdef IEEE80211_SUPPORT_SUPERG 2893 + sizeof(struct ieee80211_ath_ie) 2894#endif 2895 + (vap->iv_appie_assocresp != NULL ? 2896 vap->iv_appie_assocresp->ie_len : 0) 2897 ); 2898 if (m == NULL) 2899 senderr(ENOMEM, is_tx_nobuf); 2900 2901 capinfo = ieee80211_getcapinfo(vap, bss->ni_chan); 2902 *(uint16_t *)frm = htole16(capinfo); 2903 frm += 2; 2904 2905 *(uint16_t *)frm = htole16(arg); /* status */ 2906 frm += 2; 2907 2908 if (arg == IEEE80211_STATUS_SUCCESS) { 2909 *(uint16_t *)frm = htole16(ni->ni_associd); 2910 IEEE80211_NODE_STAT(ni, tx_assoc); 2911 } else 2912 IEEE80211_NODE_STAT(ni, tx_assoc_fail); 2913 frm += 2; 2914 2915 frm = ieee80211_add_rates(frm, &ni->ni_rates); 2916 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 2917 /* NB: respond according to what we received */ 2918 if ((ni->ni_flags & HTFLAGS) == IEEE80211_NODE_HT) { 2919 frm = ieee80211_add_htcap(frm, ni); 2920 frm = ieee80211_add_htinfo(frm, ni); 2921 } 2922 if ((vap->iv_flags & IEEE80211_F_WME) && 2923 ni->ni_ies.wme_ie != NULL) 2924 frm = ieee80211_add_wme_param(frm, &ic->ic_wme, 2925 !! (vap->iv_flags_ext & IEEE80211_FEXT_UAPSD)); 2926 if ((ni->ni_flags & HTFLAGS) == HTFLAGS) { 2927 frm = ieee80211_add_htcap_vendor(frm, ni); 2928 frm = ieee80211_add_htinfo_vendor(frm, ni); 2929 } 2930 if (ni->ni_flags & IEEE80211_NODE_VHT) { 2931 frm = ieee80211_add_vhtcap(frm, ni); 2932 frm = ieee80211_add_vhtinfo(frm, ni); 2933 } 2934#ifdef IEEE80211_SUPPORT_SUPERG 2935 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS)) 2936 frm = ieee80211_add_ath(frm, 2937 IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS), 2938 ((vap->iv_flags & IEEE80211_F_WPA) == 0 && 2939 ni->ni_authmode != IEEE80211_AUTH_8021X) ? 2940 vap->iv_def_txkey : IEEE80211_KEYIX_NONE); 2941#endif /* IEEE80211_SUPPORT_SUPERG */ 2942 if (vap->iv_appie_assocresp != NULL) 2943 frm = add_appie(frm, vap->iv_appie_assocresp); 2944 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2945 break; 2946 2947 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2948 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 2949 "send station disassociate (reason: %d (%s))", arg, 2950 ieee80211_reason_to_string(arg)); 2951 m = ieee80211_getmgtframe(&frm, 2952 ic->ic_headroom + sizeof(struct ieee80211_frame), 2953 sizeof(uint16_t)); 2954 if (m == NULL) 2955 senderr(ENOMEM, is_tx_nobuf); 2956 *(uint16_t *)frm = htole16(arg); /* reason */ 2957 m->m_pkthdr.len = m->m_len = sizeof(uint16_t); 2958 2959 IEEE80211_NODE_STAT(ni, tx_disassoc); 2960 IEEE80211_NODE_STAT_SET(ni, tx_disassoc_code, arg); 2961 break; 2962 2963 default: 2964 IEEE80211_NOTE(vap, IEEE80211_MSG_ANY, ni, 2965 "invalid mgmt frame type %u", type); 2966 senderr(EINVAL, is_tx_unknownmgt); 2967 /* NOTREACHED */ 2968 } 2969 2970 /* NB: force non-ProbeResp frames to the highest queue */ 2971 params.ibp_pri = WME_AC_VO; 2972 params.ibp_rate0 = bss->ni_txparms->mgmtrate; 2973 /* NB: we know all frames are unicast */ 2974 params.ibp_try0 = bss->ni_txparms->maxretry; 2975 params.ibp_power = bss->ni_txpower; 2976 return ieee80211_mgmt_output(ni, m, type, ¶ms); 2977bad: 2978 ieee80211_free_node(ni); 2979 return ret; 2980#undef senderr 2981#undef HTFLAGS 2982} 2983 2984/* 2985 * Return an mbuf with a probe response frame in it. 2986 * Space is left to prepend and 802.11 header at the 2987 * front but it's left to the caller to fill in. 2988 */ 2989struct mbuf * 2990ieee80211_alloc_proberesp(struct ieee80211_node *bss, int legacy) 2991{ 2992 struct ieee80211vap *vap = bss->ni_vap; 2993 struct ieee80211com *ic = bss->ni_ic; 2994 const struct ieee80211_rateset *rs; 2995 struct mbuf *m; 2996 uint16_t capinfo; 2997 uint8_t *frm; 2998 2999 /* 3000 * probe response frame format 3001 * [8] time stamp 3002 * [2] beacon interval 3003 * [2] cabability information 3004 * [tlv] ssid 3005 * [tlv] supported rates 3006 * [tlv] parameter set (FH/DS) 3007 * [tlv] parameter set (IBSS) 3008 * [tlv] country (optional) 3009 * [3] power control (optional) 3010 * [5] channel switch announcement (CSA) (optional) 3011 * [tlv] extended rate phy (ERP) 3012 * [tlv] extended supported rates 3013 * [tlv] RSN (optional) 3014 * [tlv] HT capabilities 3015 * [tlv] HT information 3016 * [tlv] VHT capabilities 3017 * [tlv] VHT information 3018 * [tlv] WPA (optional) 3019 * [tlv] WME (optional) 3020 * [tlv] Vendor OUI HT capabilities (optional) 3021 * [tlv] Vendor OUI HT information (optional) 3022 * [tlv] Atheros capabilities 3023 * [tlv] AppIE's (optional) 3024 * [tlv] Mesh ID (MBSS) 3025 * [tlv] Mesh Conf (MBSS) 3026 */ 3027 m = ieee80211_getmgtframe(&frm, 3028 ic->ic_headroom + sizeof(struct ieee80211_frame), 3029 8 3030 + sizeof(uint16_t) 3031 + sizeof(uint16_t) 3032 + 2 + IEEE80211_NWID_LEN 3033 + 2 + IEEE80211_RATE_SIZE 3034 + 7 /* max(7,3) */ 3035 + IEEE80211_COUNTRY_MAX_SIZE 3036 + 3 3037 + sizeof(struct ieee80211_csa_ie) 3038 + sizeof(struct ieee80211_quiet_ie) 3039 + 3 3040 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 3041 + sizeof(struct ieee80211_ie_wpa) 3042 + sizeof(struct ieee80211_ie_htcap) 3043 + sizeof(struct ieee80211_ie_htinfo) 3044 + sizeof(struct ieee80211_ie_wpa) 3045 + sizeof(struct ieee80211_wme_param) 3046 + 4 + sizeof(struct ieee80211_ie_htcap) 3047 + 4 + sizeof(struct ieee80211_ie_htinfo) 3048 + sizeof(struct ieee80211_ie_vhtcap) 3049 + sizeof(struct ieee80211_ie_vht_operation) 3050#ifdef IEEE80211_SUPPORT_SUPERG 3051 + sizeof(struct ieee80211_ath_ie) 3052#endif 3053#ifdef IEEE80211_SUPPORT_MESH 3054 + 2 + IEEE80211_MESHID_LEN 3055 + sizeof(struct ieee80211_meshconf_ie) 3056#endif 3057 + (vap->iv_appie_proberesp != NULL ? 3058 vap->iv_appie_proberesp->ie_len : 0) 3059 ); 3060 if (m == NULL) { 3061 vap->iv_stats.is_tx_nobuf++; 3062 return NULL; 3063 } 3064 3065 memset(frm, 0, 8); /* timestamp should be filled later */ 3066 frm += 8; 3067 *(uint16_t *)frm = htole16(bss->ni_intval); 3068 frm += 2; 3069 capinfo = ieee80211_getcapinfo(vap, bss->ni_chan); 3070 *(uint16_t *)frm = htole16(capinfo); 3071 frm += 2; 3072 3073 frm = ieee80211_add_ssid(frm, bss->ni_essid, bss->ni_esslen); 3074 rs = ieee80211_get_suprates(ic, bss->ni_chan); 3075 frm = ieee80211_add_rates(frm, rs); 3076 3077 if (IEEE80211_IS_CHAN_FHSS(bss->ni_chan)) { 3078 *frm++ = IEEE80211_ELEMID_FHPARMS; 3079 *frm++ = 5; 3080 *frm++ = bss->ni_fhdwell & 0x00ff; 3081 *frm++ = (bss->ni_fhdwell >> 8) & 0x00ff; 3082 *frm++ = IEEE80211_FH_CHANSET( 3083 ieee80211_chan2ieee(ic, bss->ni_chan)); 3084 *frm++ = IEEE80211_FH_CHANPAT( 3085 ieee80211_chan2ieee(ic, bss->ni_chan)); 3086 *frm++ = bss->ni_fhindex; 3087 } else { 3088 *frm++ = IEEE80211_ELEMID_DSPARMS; 3089 *frm++ = 1; 3090 *frm++ = ieee80211_chan2ieee(ic, bss->ni_chan); 3091 } 3092 3093 if (vap->iv_opmode == IEEE80211_M_IBSS) { 3094 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 3095 *frm++ = 2; 3096 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 3097 } 3098 if ((vap->iv_flags & IEEE80211_F_DOTH) || 3099 (vap->iv_flags_ext & IEEE80211_FEXT_DOTD)) 3100 frm = ieee80211_add_countryie(frm, ic); 3101 if (vap->iv_flags & IEEE80211_F_DOTH) { 3102 if (IEEE80211_IS_CHAN_5GHZ(bss->ni_chan)) 3103 frm = ieee80211_add_powerconstraint(frm, vap); 3104 if (ic->ic_flags & IEEE80211_F_CSAPENDING) 3105 frm = ieee80211_add_csa(frm, vap); 3106 } 3107 if (vap->iv_flags & IEEE80211_F_DOTH) { 3108 if (IEEE80211_IS_CHAN_DFS(ic->ic_bsschan) && 3109 (vap->iv_flags_ext & IEEE80211_FEXT_DFS)) { 3110 if (vap->iv_quiet) 3111 frm = ieee80211_add_quiet(frm, vap, 0); 3112 } 3113 } 3114 if (IEEE80211_IS_CHAN_ANYG(bss->ni_chan)) 3115 frm = ieee80211_add_erp(frm, vap); 3116 frm = ieee80211_add_xrates(frm, rs); 3117 frm = ieee80211_add_rsn(frm, vap); 3118 /* 3119 * NB: legacy 11b clients do not get certain ie's. 3120 * The caller identifies such clients by passing 3121 * a token in legacy to us. Could expand this to be 3122 * any legacy client for stuff like HT ie's. 3123 */ 3124 if (IEEE80211_IS_CHAN_HT(bss->ni_chan) && 3125 legacy != IEEE80211_SEND_LEGACY_11B) { 3126 frm = ieee80211_add_htcap(frm, bss); 3127 frm = ieee80211_add_htinfo(frm, bss); 3128 } 3129 if (IEEE80211_IS_CHAN_VHT(bss->ni_chan) && 3130 legacy != IEEE80211_SEND_LEGACY_11B) { 3131 frm = ieee80211_add_vhtcap(frm, bss); 3132 frm = ieee80211_add_vhtinfo(frm, bss); 3133 } 3134 frm = ieee80211_add_wpa(frm, vap); 3135 if (vap->iv_flags & IEEE80211_F_WME) 3136 frm = ieee80211_add_wme_param(frm, &ic->ic_wme, 3137 !! (vap->iv_flags_ext & IEEE80211_FEXT_UAPSD)); 3138 if (IEEE80211_IS_CHAN_HT(bss->ni_chan) && 3139 (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) && 3140 legacy != IEEE80211_SEND_LEGACY_11B) { 3141 frm = ieee80211_add_htcap_vendor(frm, bss); 3142 frm = ieee80211_add_htinfo_vendor(frm, bss); 3143 } 3144#ifdef IEEE80211_SUPPORT_SUPERG 3145 if ((vap->iv_flags & IEEE80211_F_ATHEROS) && 3146 legacy != IEEE80211_SEND_LEGACY_11B) 3147 frm = ieee80211_add_athcaps(frm, bss); 3148#endif 3149 if (vap->iv_appie_proberesp != NULL) 3150 frm = add_appie(frm, vap->iv_appie_proberesp); 3151#ifdef IEEE80211_SUPPORT_MESH 3152 if (vap->iv_opmode == IEEE80211_M_MBSS) { 3153 frm = ieee80211_add_meshid(frm, vap); 3154 frm = ieee80211_add_meshconf(frm, vap); 3155 } 3156#endif 3157 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 3158 3159 return m; 3160} 3161 3162/* 3163 * Send a probe response frame to the specified mac address. 3164 * This does not go through the normal mgt frame api so we 3165 * can specify the destination address and re-use the bss node 3166 * for the sta reference. 3167 */ 3168int 3169ieee80211_send_proberesp(struct ieee80211vap *vap, 3170 const uint8_t da[IEEE80211_ADDR_LEN], int legacy) 3171{ 3172 struct ieee80211_node *bss = vap->iv_bss; 3173 struct ieee80211com *ic = vap->iv_ic; 3174 struct mbuf *m; 3175 int ret; 3176 3177 if (vap->iv_state == IEEE80211_S_CAC) { 3178 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, bss, 3179 "block %s frame in CAC state", "probe response"); 3180 vap->iv_stats.is_tx_badstate++; 3181 return EIO; /* XXX */ 3182 } 3183 3184 /* 3185 * Hold a reference on the node so it doesn't go away until after 3186 * the xmit is complete all the way in the driver. On error we 3187 * will remove our reference. 3188 */ 3189 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 3190 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 3191 __func__, __LINE__, bss, ether_sprintf(bss->ni_macaddr), 3192 ieee80211_node_refcnt(bss)+1); 3193 ieee80211_ref_node(bss); 3194 3195 m = ieee80211_alloc_proberesp(bss, legacy); 3196 if (m == NULL) { 3197 ieee80211_free_node(bss); 3198 return ENOMEM; 3199 } 3200 3201 M_PREPEND(m, sizeof(struct ieee80211_frame), M_NOWAIT); 3202 KASSERT(m != NULL, ("no room for header")); 3203 3204 IEEE80211_TX_LOCK(ic); 3205 ieee80211_send_setup(bss, m, 3206 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP, 3207 IEEE80211_NONQOS_TID, vap->iv_myaddr, da, bss->ni_bssid); 3208 /* XXX power management? */ 3209 m->m_flags |= M_ENCAP; /* mark encapsulated */ 3210 3211 M_WME_SETAC(m, WME_AC_BE); 3212 3213 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 3214 "send probe resp on channel %u to %s%s\n", 3215 ieee80211_chan2ieee(ic, ic->ic_curchan), ether_sprintf(da), 3216 legacy ? " <legacy>" : ""); 3217 IEEE80211_NODE_STAT(bss, tx_mgmt); 3218 3219 ret = ieee80211_raw_output(vap, bss, m, NULL); 3220 IEEE80211_TX_UNLOCK(ic); 3221 return (ret); 3222} 3223 3224/* 3225 * Allocate and build a RTS (Request To Send) control frame. 3226 */ 3227struct mbuf * 3228ieee80211_alloc_rts(struct ieee80211com *ic, 3229 const uint8_t ra[IEEE80211_ADDR_LEN], 3230 const uint8_t ta[IEEE80211_ADDR_LEN], 3231 uint16_t dur) 3232{ 3233 struct ieee80211_frame_rts *rts; 3234 struct mbuf *m; 3235 3236 /* XXX honor ic_headroom */ 3237 m = m_gethdr(M_NOWAIT, MT_DATA); 3238 if (m != NULL) { 3239 rts = mtod(m, struct ieee80211_frame_rts *); 3240 rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | 3241 IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_RTS; 3242 rts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 3243 *(u_int16_t *)rts->i_dur = htole16(dur); 3244 IEEE80211_ADDR_COPY(rts->i_ra, ra); 3245 IEEE80211_ADDR_COPY(rts->i_ta, ta); 3246 3247 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts); 3248 } 3249 return m; 3250} 3251 3252/* 3253 * Allocate and build a CTS (Clear To Send) control frame. 3254 */ 3255struct mbuf * 3256ieee80211_alloc_cts(struct ieee80211com *ic, 3257 const uint8_t ra[IEEE80211_ADDR_LEN], uint16_t dur) 3258{ 3259 struct ieee80211_frame_cts *cts; 3260 struct mbuf *m; 3261 3262 /* XXX honor ic_headroom */ 3263 m = m_gethdr(M_NOWAIT, MT_DATA); 3264 if (m != NULL) { 3265 cts = mtod(m, struct ieee80211_frame_cts *); 3266 cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | 3267 IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_CTS; 3268 cts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 3269 *(u_int16_t *)cts->i_dur = htole16(dur); 3270 IEEE80211_ADDR_COPY(cts->i_ra, ra); 3271 3272 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts); 3273 } 3274 return m; 3275} 3276 3277/* 3278 * Wrapper for CTS/RTS frame allocation. 3279 */ 3280struct mbuf * 3281ieee80211_alloc_prot(struct ieee80211_node *ni, const struct mbuf *m, 3282 uint8_t rate, int prot) 3283{ 3284 struct ieee80211com *ic = ni->ni_ic; 3285 struct ieee80211vap *vap = ni->ni_vap; 3286 const struct ieee80211_frame *wh; 3287 struct mbuf *mprot; 3288 uint16_t dur; 3289 int pktlen, isshort; 3290 3291 KASSERT(prot == IEEE80211_PROT_RTSCTS || 3292 prot == IEEE80211_PROT_CTSONLY, 3293 ("wrong protection type %d", prot)); 3294 3295 wh = mtod(m, const struct ieee80211_frame *); 3296 pktlen = m->m_pkthdr.len + IEEE80211_CRC_LEN; 3297 isshort = (vap->iv_flags & IEEE80211_F_SHPREAMBLE) != 0; 3298 dur = ieee80211_compute_duration(ic->ic_rt, pktlen, rate, isshort) 3299 + ieee80211_ack_duration(ic->ic_rt, rate, isshort); 3300 3301 if (prot == IEEE80211_PROT_RTSCTS) { 3302 /* NB: CTS is the same size as an ACK */ 3303 dur += ieee80211_ack_duration(ic->ic_rt, rate, isshort); 3304 mprot = ieee80211_alloc_rts(ic, wh->i_addr1, wh->i_addr2, dur); 3305 } else 3306 mprot = ieee80211_alloc_cts(ic, vap->iv_myaddr, dur); 3307 3308 return (mprot); 3309} 3310 3311static void 3312ieee80211_tx_mgt_timeout(void *arg) 3313{ 3314 struct ieee80211vap *vap = arg; 3315 3316 IEEE80211_LOCK(vap->iv_ic); 3317 if (vap->iv_state != IEEE80211_S_INIT && 3318 (vap->iv_ic->ic_flags & IEEE80211_F_SCAN) == 0) { 3319 /* 3320 * NB: it's safe to specify a timeout as the reason here; 3321 * it'll only be used in the right state. 3322 */ 3323 ieee80211_new_state_locked(vap, IEEE80211_S_SCAN, 3324 IEEE80211_SCAN_FAIL_TIMEOUT); 3325 } 3326 IEEE80211_UNLOCK(vap->iv_ic); 3327} 3328 3329/* 3330 * This is the callback set on net80211-sourced transmitted 3331 * authentication request frames. 3332 * 3333 * This does a couple of things: 3334 * 3335 * + If the frame transmitted was a success, it schedules a future 3336 * event which will transition the interface to scan. 3337 * If a state transition _then_ occurs before that event occurs, 3338 * said state transition will cancel this callout. 3339 * 3340 * + If the frame transmit was a failure, it immediately schedules 3341 * the transition back to scan. 3342 */ 3343static void 3344ieee80211_tx_mgt_cb(struct ieee80211_node *ni, void *arg, int status) 3345{ 3346 struct ieee80211vap *vap = ni->ni_vap; 3347 enum ieee80211_state ostate = (enum ieee80211_state)(uintptr_t)arg; 3348 3349 /* 3350 * Frame transmit completed; arrange timer callback. If 3351 * transmit was successfully we wait for response. Otherwise 3352 * we arrange an immediate callback instead of doing the 3353 * callback directly since we don't know what state the driver 3354 * is in (e.g. what locks it is holding). This work should 3355 * not be too time-critical and not happen too often so the 3356 * added overhead is acceptable. 3357 * 3358 * XXX what happens if !acked but response shows up before callback? 3359 */ 3360 if (vap->iv_state == ostate) { 3361 callout_reset(&vap->iv_mgtsend, 3362 status == 0 ? IEEE80211_TRANS_WAIT*hz : 0, 3363 ieee80211_tx_mgt_timeout, vap); 3364 } 3365} 3366 3367static void 3368ieee80211_beacon_construct(struct mbuf *m, uint8_t *frm, 3369 struct ieee80211_node *ni) 3370{ 3371 struct ieee80211vap *vap = ni->ni_vap; 3372 struct ieee80211_beacon_offsets *bo = &vap->iv_bcn_off; 3373 struct ieee80211com *ic = ni->ni_ic; 3374 struct ieee80211_rateset *rs = &ni->ni_rates; 3375 uint16_t capinfo; 3376 3377 /* 3378 * beacon frame format 3379 * 3380 * TODO: update to 802.11-2012; a lot of stuff has changed; 3381 * vendor extensions should be at the end, etc. 3382 * 3383 * [8] time stamp 3384 * [2] beacon interval 3385 * [2] cabability information 3386 * [tlv] ssid 3387 * [tlv] supported rates 3388 * [3] parameter set (DS) 3389 * [8] CF parameter set (optional) 3390 * [tlv] parameter set (IBSS/TIM) 3391 * [tlv] country (optional) 3392 * [3] power control (optional) 3393 * [5] channel switch announcement (CSA) (optional) 3394 * XXX TODO: Quiet 3395 * XXX TODO: IBSS DFS 3396 * XXX TODO: TPC report 3397 * [tlv] extended rate phy (ERP) 3398 * [tlv] extended supported rates 3399 * [tlv] RSN parameters 3400 * XXX TODO: BSSLOAD 3401 * (XXX EDCA parameter set, QoS capability?) 3402 * XXX TODO: AP channel report 3403 * 3404 * [tlv] HT capabilities 3405 * [tlv] HT information 3406 * XXX TODO: 20/40 BSS coexistence 3407 * Mesh: 3408 * XXX TODO: Meshid 3409 * XXX TODO: mesh config 3410 * XXX TODO: mesh awake window 3411 * XXX TODO: beacon timing (mesh, etc) 3412 * XXX TODO: MCCAOP Advertisement Overview 3413 * XXX TODO: MCCAOP Advertisement 3414 * XXX TODO: Mesh channel switch parameters 3415 * VHT: 3416 * XXX TODO: VHT capabilities 3417 * XXX TODO: VHT operation 3418 * XXX TODO: VHT transmit power envelope 3419 * XXX TODO: channel switch wrapper element 3420 * XXX TODO: extended BSS load element 3421 * 3422 * XXX Vendor-specific OIDs (e.g. Atheros) 3423 * [tlv] WPA parameters 3424 * [tlv] WME parameters 3425 * [tlv] Vendor OUI HT capabilities (optional) 3426 * [tlv] Vendor OUI HT information (optional) 3427 * [tlv] Atheros capabilities (optional) 3428 * [tlv] TDMA parameters (optional) 3429 * [tlv] Mesh ID (MBSS) 3430 * [tlv] Mesh Conf (MBSS) 3431 * [tlv] application data (optional) 3432 */ 3433 3434 memset(bo, 0, sizeof(*bo)); 3435 3436 memset(frm, 0, 8); /* XXX timestamp is set by hardware/driver */ 3437 frm += 8; 3438 *(uint16_t *)frm = htole16(ni->ni_intval); 3439 frm += 2; 3440 capinfo = ieee80211_getcapinfo(vap, ni->ni_chan); 3441 bo->bo_caps = (uint16_t *)frm; 3442 *(uint16_t *)frm = htole16(capinfo); 3443 frm += 2; 3444 *frm++ = IEEE80211_ELEMID_SSID; 3445 if ((vap->iv_flags & IEEE80211_F_HIDESSID) == 0) { 3446 *frm++ = ni->ni_esslen; 3447 memcpy(frm, ni->ni_essid, ni->ni_esslen); 3448 frm += ni->ni_esslen; 3449 } else 3450 *frm++ = 0; 3451 frm = ieee80211_add_rates(frm, rs); 3452 if (!IEEE80211_IS_CHAN_FHSS(ni->ni_chan)) { 3453 *frm++ = IEEE80211_ELEMID_DSPARMS; 3454 *frm++ = 1; 3455 *frm++ = ieee80211_chan2ieee(ic, ni->ni_chan); 3456 } 3457 if (ic->ic_flags & IEEE80211_F_PCF) { 3458 bo->bo_cfp = frm; 3459 frm = ieee80211_add_cfparms(frm, ic); 3460 } 3461 bo->bo_tim = frm; 3462 if (vap->iv_opmode == IEEE80211_M_IBSS) { 3463 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 3464 *frm++ = 2; 3465 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 3466 bo->bo_tim_len = 0; 3467 } else if (vap->iv_opmode == IEEE80211_M_HOSTAP || 3468 vap->iv_opmode == IEEE80211_M_MBSS) { 3469 /* TIM IE is the same for Mesh and Hostap */ 3470 struct ieee80211_tim_ie *tie = (struct ieee80211_tim_ie *) frm; 3471 3472 tie->tim_ie = IEEE80211_ELEMID_TIM; 3473 tie->tim_len = 4; /* length */ 3474 tie->tim_count = 0; /* DTIM count */ 3475 tie->tim_period = vap->iv_dtim_period; /* DTIM period */ 3476 tie->tim_bitctl = 0; /* bitmap control */ 3477 tie->tim_bitmap[0] = 0; /* Partial Virtual Bitmap */ 3478 frm += sizeof(struct ieee80211_tim_ie); 3479 bo->bo_tim_len = 1; 3480 } 3481 bo->bo_tim_trailer = frm; 3482 if ((vap->iv_flags & IEEE80211_F_DOTH) || 3483 (vap->iv_flags_ext & IEEE80211_FEXT_DOTD)) 3484 frm = ieee80211_add_countryie(frm, ic); 3485 if (vap->iv_flags & IEEE80211_F_DOTH) { 3486 if (IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) 3487 frm = ieee80211_add_powerconstraint(frm, vap); 3488 bo->bo_csa = frm; 3489 if (ic->ic_flags & IEEE80211_F_CSAPENDING) 3490 frm = ieee80211_add_csa(frm, vap); 3491 } else 3492 bo->bo_csa = frm; 3493 3494 bo->bo_quiet = NULL; 3495 if (vap->iv_flags & IEEE80211_F_DOTH) { 3496 if (IEEE80211_IS_CHAN_DFS(ic->ic_bsschan) && 3497 (vap->iv_flags_ext & IEEE80211_FEXT_DFS) && 3498 (vap->iv_quiet == 1)) { 3499 /* 3500 * We only insert the quiet IE offset if 3501 * the quiet IE is enabled. Otherwise don't 3502 * put it here or we'll just overwrite 3503 * some other beacon contents. 3504 */ 3505 if (vap->iv_quiet) { 3506 bo->bo_quiet = frm; 3507 frm = ieee80211_add_quiet(frm,vap, 0); 3508 } 3509 } 3510 } 3511 3512 if (IEEE80211_IS_CHAN_ANYG(ni->ni_chan)) { 3513 bo->bo_erp = frm; 3514 frm = ieee80211_add_erp(frm, vap); 3515 } 3516 frm = ieee80211_add_xrates(frm, rs); 3517 frm = ieee80211_add_rsn(frm, vap); 3518 if (IEEE80211_IS_CHAN_HT(ni->ni_chan)) { 3519 frm = ieee80211_add_htcap(frm, ni); 3520 bo->bo_htinfo = frm; 3521 frm = ieee80211_add_htinfo(frm, ni); 3522 } 3523 3524 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan)) { 3525 frm = ieee80211_add_vhtcap(frm, ni); 3526 bo->bo_vhtinfo = frm; 3527 frm = ieee80211_add_vhtinfo(frm, ni); 3528 /* Transmit power envelope */ 3529 /* Channel switch wrapper element */ 3530 /* Extended bss load element */ 3531 } 3532 3533 frm = ieee80211_add_wpa(frm, vap); 3534 if (vap->iv_flags & IEEE80211_F_WME) { 3535 bo->bo_wme = frm; 3536 frm = ieee80211_add_wme_param(frm, &ic->ic_wme, 3537 !! (vap->iv_flags_ext & IEEE80211_FEXT_UAPSD)); 3538 } 3539 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && 3540 (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT)) { 3541 frm = ieee80211_add_htcap_vendor(frm, ni); 3542 frm = ieee80211_add_htinfo_vendor(frm, ni); 3543 } 3544 3545#ifdef IEEE80211_SUPPORT_SUPERG 3546 if (vap->iv_flags & IEEE80211_F_ATHEROS) { 3547 bo->bo_ath = frm; 3548 frm = ieee80211_add_athcaps(frm, ni); 3549 } 3550#endif 3551#ifdef IEEE80211_SUPPORT_TDMA 3552 if (vap->iv_caps & IEEE80211_C_TDMA) { 3553 bo->bo_tdma = frm; 3554 frm = ieee80211_add_tdma(frm, vap); 3555 } 3556#endif 3557 if (vap->iv_appie_beacon != NULL) { 3558 bo->bo_appie = frm; 3559 bo->bo_appie_len = vap->iv_appie_beacon->ie_len; 3560 frm = add_appie(frm, vap->iv_appie_beacon); 3561 } 3562 3563 /* XXX TODO: move meshid/meshconf up to before vendor extensions? */ 3564#ifdef IEEE80211_SUPPORT_MESH 3565 if (vap->iv_opmode == IEEE80211_M_MBSS) { 3566 frm = ieee80211_add_meshid(frm, vap); 3567 bo->bo_meshconf = frm; 3568 frm = ieee80211_add_meshconf(frm, vap); 3569 } 3570#endif 3571 bo->bo_tim_trailer_len = frm - bo->bo_tim_trailer; 3572 bo->bo_csa_trailer_len = frm - bo->bo_csa; 3573 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 3574} 3575 3576/* 3577 * Allocate a beacon frame and fillin the appropriate bits. 3578 */ 3579struct mbuf * 3580ieee80211_beacon_alloc(struct ieee80211_node *ni) 3581{ 3582 struct ieee80211vap *vap = ni->ni_vap; 3583 struct ieee80211com *ic = ni->ni_ic; 3584 struct ifnet *ifp = vap->iv_ifp; 3585 struct ieee80211_frame *wh; 3586 struct mbuf *m; 3587 int pktlen; 3588 uint8_t *frm; 3589 3590 /* 3591 * Update the "We're putting the quiet IE in the beacon" state. 3592 */ 3593 if (vap->iv_quiet == 1) 3594 vap->iv_flags_ext |= IEEE80211_FEXT_QUIET_IE; 3595 else if (vap->iv_quiet == 0) 3596 vap->iv_flags_ext &= ~IEEE80211_FEXT_QUIET_IE; 3597 3598 /* 3599 * beacon frame format 3600 * 3601 * Note: This needs updating for 802.11-2012. 3602 * 3603 * [8] time stamp 3604 * [2] beacon interval 3605 * [2] cabability information 3606 * [tlv] ssid 3607 * [tlv] supported rates 3608 * [3] parameter set (DS) 3609 * [8] CF parameter set (optional) 3610 * [tlv] parameter set (IBSS/TIM) 3611 * [tlv] country (optional) 3612 * [3] power control (optional) 3613 * [5] channel switch announcement (CSA) (optional) 3614 * [tlv] extended rate phy (ERP) 3615 * [tlv] extended supported rates 3616 * [tlv] RSN parameters 3617 * [tlv] HT capabilities 3618 * [tlv] HT information 3619 * [tlv] VHT capabilities 3620 * [tlv] VHT operation 3621 * [tlv] Vendor OUI HT capabilities (optional) 3622 * [tlv] Vendor OUI HT information (optional) 3623 * XXX Vendor-specific OIDs (e.g. Atheros) 3624 * [tlv] WPA parameters 3625 * [tlv] WME parameters 3626 * [tlv] TDMA parameters (optional) 3627 * [tlv] Mesh ID (MBSS) 3628 * [tlv] Mesh Conf (MBSS) 3629 * [tlv] application data (optional) 3630 * NB: we allocate the max space required for the TIM bitmap. 3631 * XXX how big is this? 3632 */ 3633 pktlen = 8 /* time stamp */ 3634 + sizeof(uint16_t) /* beacon interval */ 3635 + sizeof(uint16_t) /* capabilities */ 3636 + 2 + ni->ni_esslen /* ssid */ 3637 + 2 + IEEE80211_RATE_SIZE /* supported rates */ 3638 + 2 + 1 /* DS parameters */ 3639 + 2 + 6 /* CF parameters */ 3640 + 2 + 4 + vap->iv_tim_len /* DTIM/IBSSPARMS */ 3641 + IEEE80211_COUNTRY_MAX_SIZE /* country */ 3642 + 2 + 1 /* power control */ 3643 + sizeof(struct ieee80211_csa_ie) /* CSA */ 3644 + sizeof(struct ieee80211_quiet_ie) /* Quiet */ 3645 + 2 + 1 /* ERP */ 3646 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 3647 + (vap->iv_caps & IEEE80211_C_WPA ? /* WPA 1+2 */ 3648 2*sizeof(struct ieee80211_ie_wpa) : 0) 3649 /* XXX conditional? */ 3650 + 4+2*sizeof(struct ieee80211_ie_htcap)/* HT caps */ 3651 + 4+2*sizeof(struct ieee80211_ie_htinfo)/* HT info */ 3652 + sizeof(struct ieee80211_ie_vhtcap)/* VHT caps */ 3653 + sizeof(struct ieee80211_ie_vht_operation)/* VHT info */ 3654 + (vap->iv_caps & IEEE80211_C_WME ? /* WME */ 3655 sizeof(struct ieee80211_wme_param) : 0) 3656#ifdef IEEE80211_SUPPORT_SUPERG 3657 + sizeof(struct ieee80211_ath_ie) /* ATH */ 3658#endif 3659#ifdef IEEE80211_SUPPORT_TDMA 3660 + (vap->iv_caps & IEEE80211_C_TDMA ? /* TDMA */ 3661 sizeof(struct ieee80211_tdma_param) : 0) 3662#endif 3663#ifdef IEEE80211_SUPPORT_MESH 3664 + 2 + ni->ni_meshidlen 3665 + sizeof(struct ieee80211_meshconf_ie) 3666#endif 3667 + IEEE80211_MAX_APPIE 3668 ; 3669 m = ieee80211_getmgtframe(&frm, 3670 ic->ic_headroom + sizeof(struct ieee80211_frame), pktlen); 3671 if (m == NULL) { 3672 IEEE80211_DPRINTF(vap, IEEE80211_MSG_ANY, 3673 "%s: cannot get buf; size %u\n", __func__, pktlen); 3674 vap->iv_stats.is_tx_nobuf++; 3675 return NULL; 3676 } 3677 ieee80211_beacon_construct(m, frm, ni); 3678 3679 M_PREPEND(m, sizeof(struct ieee80211_frame), M_NOWAIT); 3680 KASSERT(m != NULL, ("no space for 802.11 header?")); 3681 wh = mtod(m, struct ieee80211_frame *); 3682 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | 3683 IEEE80211_FC0_SUBTYPE_BEACON; 3684 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 3685 *(uint16_t *)wh->i_dur = 0; 3686 IEEE80211_ADDR_COPY(wh->i_addr1, ifp->if_broadcastaddr); 3687 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 3688 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 3689 *(uint16_t *)wh->i_seq = 0; 3690 3691 return m; 3692} 3693 3694/* 3695 * Update the dynamic parts of a beacon frame based on the current state. 3696 */ 3697int 3698ieee80211_beacon_update(struct ieee80211_node *ni, struct mbuf *m, int mcast) 3699{ 3700 struct ieee80211vap *vap = ni->ni_vap; 3701 struct ieee80211_beacon_offsets *bo = &vap->iv_bcn_off; 3702 struct ieee80211com *ic = ni->ni_ic; 3703 int len_changed = 0; 3704 uint16_t capinfo; 3705 struct ieee80211_frame *wh; 3706 ieee80211_seq seqno; 3707 3708 IEEE80211_LOCK(ic); 3709 /* 3710 * Handle 11h channel change when we've reached the count. 3711 * We must recalculate the beacon frame contents to account 3712 * for the new channel. Note we do this only for the first 3713 * vap that reaches this point; subsequent vaps just update 3714 * their beacon state to reflect the recalculated channel. 3715 */ 3716 if (isset(bo->bo_flags, IEEE80211_BEACON_CSA) && 3717 vap->iv_csa_count == ic->ic_csa_count) { 3718 vap->iv_csa_count = 0; 3719 /* 3720 * Effect channel change before reconstructing the beacon 3721 * frame contents as many places reference ni_chan. 3722 */ 3723 if (ic->ic_csa_newchan != NULL) 3724 ieee80211_csa_completeswitch(ic); 3725 /* 3726 * NB: ieee80211_beacon_construct clears all pending 3727 * updates in bo_flags so we don't need to explicitly 3728 * clear IEEE80211_BEACON_CSA. 3729 */ 3730 ieee80211_beacon_construct(m, 3731 mtod(m, uint8_t*) + sizeof(struct ieee80211_frame), ni); 3732 3733 /* XXX do WME aggressive mode processing? */ 3734 IEEE80211_UNLOCK(ic); 3735 return 1; /* just assume length changed */ 3736 } 3737 3738 /* 3739 * Handle the quiet time element being added and removed. 3740 * Again, for now we just cheat and reconstruct the whole 3741 * beacon - that way the gap is provided as appropriate. 3742 * 3743 * So, track whether we have already added the IE versus 3744 * whether we want to be adding the IE. 3745 */ 3746 if ((vap->iv_flags_ext & IEEE80211_FEXT_QUIET_IE) && 3747 (vap->iv_quiet == 0)) { 3748 /* 3749 * Quiet time beacon IE enabled, but it's disabled; 3750 * recalc 3751 */ 3752 vap->iv_flags_ext &= ~IEEE80211_FEXT_QUIET_IE; 3753 ieee80211_beacon_construct(m, 3754 mtod(m, uint8_t*) + sizeof(struct ieee80211_frame), ni); 3755 /* XXX do WME aggressive mode processing? */ 3756 IEEE80211_UNLOCK(ic); 3757 return 1; /* just assume length changed */ 3758 } 3759 3760 if (((vap->iv_flags_ext & IEEE80211_FEXT_QUIET_IE) == 0) && 3761 (vap->iv_quiet == 1)) { 3762 /* 3763 * Quiet time beacon IE disabled, but it's now enabled; 3764 * recalc 3765 */ 3766 vap->iv_flags_ext |= IEEE80211_FEXT_QUIET_IE; 3767 ieee80211_beacon_construct(m, 3768 mtod(m, uint8_t*) + sizeof(struct ieee80211_frame), ni); 3769 /* XXX do WME aggressive mode processing? */ 3770 IEEE80211_UNLOCK(ic); 3771 return 1; /* just assume length changed */ 3772 } 3773 3774 wh = mtod(m, struct ieee80211_frame *); 3775 3776 /* 3777 * XXX TODO Strictly speaking this should be incremented with the TX 3778 * lock held so as to serialise access to the non-qos TID sequence 3779 * number space. 3780 * 3781 * If the driver identifies it does its own TX seqno management then 3782 * we can skip this (and still not do the TX seqno.) 3783 */ 3784 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++; 3785 *(uint16_t *)&wh->i_seq[0] = 3786 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 3787 M_SEQNO_SET(m, seqno); 3788 3789 /* XXX faster to recalculate entirely or just changes? */ 3790 capinfo = ieee80211_getcapinfo(vap, ni->ni_chan); 3791 *bo->bo_caps = htole16(capinfo); 3792 3793 if (vap->iv_flags & IEEE80211_F_WME) { 3794 struct ieee80211_wme_state *wme = &ic->ic_wme; 3795 3796 /* 3797 * Check for aggressive mode change. When there is 3798 * significant high priority traffic in the BSS 3799 * throttle back BE traffic by using conservative 3800 * parameters. Otherwise BE uses aggressive params 3801 * to optimize performance of legacy/non-QoS traffic. 3802 */ 3803 if (wme->wme_flags & WME_F_AGGRMODE) { 3804 if (wme->wme_hipri_traffic > 3805 wme->wme_hipri_switch_thresh) { 3806 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME, 3807 "%s: traffic %u, disable aggressive mode\n", 3808 __func__, wme->wme_hipri_traffic); 3809 wme->wme_flags &= ~WME_F_AGGRMODE; 3810 ieee80211_wme_updateparams_locked(vap); 3811 wme->wme_hipri_traffic = 3812 wme->wme_hipri_switch_hysteresis; 3813 } else 3814 wme->wme_hipri_traffic = 0; 3815 } else { 3816 if (wme->wme_hipri_traffic <= 3817 wme->wme_hipri_switch_thresh) { 3818 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME, 3819 "%s: traffic %u, enable aggressive mode\n", 3820 __func__, wme->wme_hipri_traffic); 3821 wme->wme_flags |= WME_F_AGGRMODE; 3822 ieee80211_wme_updateparams_locked(vap); 3823 wme->wme_hipri_traffic = 0; 3824 } else 3825 wme->wme_hipri_traffic = 3826 wme->wme_hipri_switch_hysteresis; 3827 } 3828 if (isset(bo->bo_flags, IEEE80211_BEACON_WME)) { 3829 (void) ieee80211_add_wme_param(bo->bo_wme, wme, 3830 vap->iv_flags_ext & IEEE80211_FEXT_UAPSD); 3831 clrbit(bo->bo_flags, IEEE80211_BEACON_WME); 3832 } 3833 } 3834 3835 if (isset(bo->bo_flags, IEEE80211_BEACON_HTINFO)) { 3836 ieee80211_ht_update_beacon(vap, bo); 3837 clrbit(bo->bo_flags, IEEE80211_BEACON_HTINFO); 3838 } 3839#ifdef IEEE80211_SUPPORT_TDMA 3840 if (vap->iv_caps & IEEE80211_C_TDMA) { 3841 /* 3842 * NB: the beacon is potentially updated every TBTT. 3843 */ 3844 ieee80211_tdma_update_beacon(vap, bo); 3845 } 3846#endif 3847#ifdef IEEE80211_SUPPORT_MESH 3848 if (vap->iv_opmode == IEEE80211_M_MBSS) 3849 ieee80211_mesh_update_beacon(vap, bo); 3850#endif 3851 3852 if (vap->iv_opmode == IEEE80211_M_HOSTAP || 3853 vap->iv_opmode == IEEE80211_M_MBSS) { /* NB: no IBSS support*/ 3854 struct ieee80211_tim_ie *tie = 3855 (struct ieee80211_tim_ie *) bo->bo_tim; 3856 if (isset(bo->bo_flags, IEEE80211_BEACON_TIM)) { 3857 u_int timlen, timoff, i; 3858 /* 3859 * ATIM/DTIM needs updating. If it fits in the 3860 * current space allocated then just copy in the 3861 * new bits. Otherwise we need to move any trailing 3862 * data to make room. Note that we know there is 3863 * contiguous space because ieee80211_beacon_allocate 3864 * insures there is space in the mbuf to write a 3865 * maximal-size virtual bitmap (based on iv_max_aid). 3866 */ 3867 /* 3868 * Calculate the bitmap size and offset, copy any 3869 * trailer out of the way, and then copy in the 3870 * new bitmap and update the information element. 3871 * Note that the tim bitmap must contain at least 3872 * one byte and any offset must be even. 3873 */ 3874 if (vap->iv_ps_pending != 0) { 3875 timoff = 128; /* impossibly large */ 3876 for (i = 0; i < vap->iv_tim_len; i++) 3877 if (vap->iv_tim_bitmap[i]) { 3878 timoff = i &~ 1; 3879 break; 3880 } 3881 KASSERT(timoff != 128, ("tim bitmap empty!")); 3882 for (i = vap->iv_tim_len-1; i >= timoff; i--) 3883 if (vap->iv_tim_bitmap[i]) 3884 break; 3885 timlen = 1 + (i - timoff); 3886 } else { 3887 timoff = 0; 3888 timlen = 1; 3889 } 3890 3891 /* 3892 * TODO: validate this! 3893 */ 3894 if (timlen != bo->bo_tim_len) { 3895 /* copy up/down trailer */ 3896 int adjust = tie->tim_bitmap+timlen 3897 - bo->bo_tim_trailer; 3898 ovbcopy(bo->bo_tim_trailer, 3899 bo->bo_tim_trailer+adjust, 3900 bo->bo_tim_trailer_len); 3901 bo->bo_tim_trailer += adjust; 3902 bo->bo_erp += adjust; 3903 bo->bo_htinfo += adjust; 3904 bo->bo_vhtinfo += adjust; 3905#ifdef IEEE80211_SUPPORT_SUPERG 3906 bo->bo_ath += adjust; 3907#endif 3908#ifdef IEEE80211_SUPPORT_TDMA 3909 bo->bo_tdma += adjust; 3910#endif 3911#ifdef IEEE80211_SUPPORT_MESH 3912 bo->bo_meshconf += adjust; 3913#endif 3914 bo->bo_appie += adjust; 3915 bo->bo_wme += adjust; 3916 bo->bo_csa += adjust; 3917 bo->bo_quiet += adjust; 3918 bo->bo_tim_len = timlen; 3919 3920 /* update information element */ 3921 tie->tim_len = 3 + timlen; 3922 tie->tim_bitctl = timoff; 3923 len_changed = 1; 3924 } 3925 memcpy(tie->tim_bitmap, vap->iv_tim_bitmap + timoff, 3926 bo->bo_tim_len); 3927 3928 clrbit(bo->bo_flags, IEEE80211_BEACON_TIM); 3929 3930 IEEE80211_DPRINTF(vap, IEEE80211_MSG_POWER, 3931 "%s: TIM updated, pending %u, off %u, len %u\n", 3932 __func__, vap->iv_ps_pending, timoff, timlen); 3933 } 3934 /* count down DTIM period */ 3935 if (tie->tim_count == 0) 3936 tie->tim_count = tie->tim_period - 1; 3937 else 3938 tie->tim_count--; 3939 /* update state for buffered multicast frames on DTIM */ 3940 if (mcast && tie->tim_count == 0) 3941 tie->tim_bitctl |= 1; 3942 else 3943 tie->tim_bitctl &= ~1; 3944 if (isset(bo->bo_flags, IEEE80211_BEACON_CSA)) { 3945 struct ieee80211_csa_ie *csa = 3946 (struct ieee80211_csa_ie *) bo->bo_csa; 3947 3948 /* 3949 * Insert or update CSA ie. If we're just starting 3950 * to count down to the channel switch then we need 3951 * to insert the CSA ie. Otherwise we just need to 3952 * drop the count. The actual change happens above 3953 * when the vap's count reaches the target count. 3954 */ 3955 if (vap->iv_csa_count == 0) { 3956 memmove(&csa[1], csa, bo->bo_csa_trailer_len); 3957 bo->bo_erp += sizeof(*csa); 3958 bo->bo_htinfo += sizeof(*csa); 3959 bo->bo_vhtinfo += sizeof(*csa); 3960 bo->bo_wme += sizeof(*csa); 3961#ifdef IEEE80211_SUPPORT_SUPERG 3962 bo->bo_ath += sizeof(*csa); 3963#endif 3964#ifdef IEEE80211_SUPPORT_TDMA 3965 bo->bo_tdma += sizeof(*csa); 3966#endif 3967#ifdef IEEE80211_SUPPORT_MESH 3968 bo->bo_meshconf += sizeof(*csa); 3969#endif 3970 bo->bo_appie += sizeof(*csa); 3971 bo->bo_csa_trailer_len += sizeof(*csa); 3972 bo->bo_quiet += sizeof(*csa); 3973 bo->bo_tim_trailer_len += sizeof(*csa); 3974 m->m_len += sizeof(*csa); 3975 m->m_pkthdr.len += sizeof(*csa); 3976 3977 ieee80211_add_csa(bo->bo_csa, vap); 3978 } else 3979 csa->csa_count--; 3980 vap->iv_csa_count++; 3981 /* NB: don't clear IEEE80211_BEACON_CSA */ 3982 } 3983 3984 /* 3985 * Only add the quiet time IE if we've enabled it 3986 * as appropriate. 3987 */ 3988 if (IEEE80211_IS_CHAN_DFS(ic->ic_bsschan) && 3989 (vap->iv_flags_ext & IEEE80211_FEXT_DFS)) { 3990 if (vap->iv_quiet && 3991 (vap->iv_flags_ext & IEEE80211_FEXT_QUIET_IE)) { 3992 ieee80211_add_quiet(bo->bo_quiet, vap, 1); 3993 } 3994 } 3995 if (isset(bo->bo_flags, IEEE80211_BEACON_ERP)) { 3996 /* 3997 * ERP element needs updating. 3998 */ 3999 (void) ieee80211_add_erp(bo->bo_erp, vap); 4000 clrbit(bo->bo_flags, IEEE80211_BEACON_ERP); 4001 } 4002#ifdef IEEE80211_SUPPORT_SUPERG 4003 if (isset(bo->bo_flags, IEEE80211_BEACON_ATH)) { 4004 ieee80211_add_athcaps(bo->bo_ath, ni); 4005 clrbit(bo->bo_flags, IEEE80211_BEACON_ATH); 4006 } 4007#endif 4008 } 4009 if (isset(bo->bo_flags, IEEE80211_BEACON_APPIE)) { 4010 const struct ieee80211_appie *aie = vap->iv_appie_beacon; 4011 int aielen; 4012 uint8_t *frm; 4013 4014 aielen = 0; 4015 if (aie != NULL) 4016 aielen += aie->ie_len; 4017 if (aielen != bo->bo_appie_len) { 4018 /* copy up/down trailer */ 4019 int adjust = aielen - bo->bo_appie_len; 4020 ovbcopy(bo->bo_tim_trailer, bo->bo_tim_trailer+adjust, 4021 bo->bo_tim_trailer_len); 4022 bo->bo_tim_trailer += adjust; 4023 bo->bo_appie += adjust; 4024 bo->bo_appie_len = aielen; 4025 4026 len_changed = 1; 4027 } 4028 frm = bo->bo_appie; 4029 if (aie != NULL) 4030 frm = add_appie(frm, aie); 4031 clrbit(bo->bo_flags, IEEE80211_BEACON_APPIE); 4032 } 4033 IEEE80211_UNLOCK(ic); 4034 4035 return len_changed; 4036} 4037 4038/* 4039 * Do Ethernet-LLC encapsulation for each payload in a fast frame 4040 * tunnel encapsulation. The frame is assumed to have an Ethernet 4041 * header at the front that must be stripped before prepending the 4042 * LLC followed by the Ethernet header passed in (with an Ethernet 4043 * type that specifies the payload size). 4044 */ 4045struct mbuf * 4046ieee80211_ff_encap1(struct ieee80211vap *vap, struct mbuf *m, 4047 const struct ether_header *eh) 4048{ 4049 struct llc *llc; 4050 uint16_t payload; 4051 4052 /* XXX optimize by combining m_adj+M_PREPEND */ 4053 m_adj(m, sizeof(struct ether_header) - sizeof(struct llc)); 4054 llc = mtod(m, struct llc *); 4055 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 4056 llc->llc_control = LLC_UI; 4057 llc->llc_snap.org_code[0] = 0; 4058 llc->llc_snap.org_code[1] = 0; 4059 llc->llc_snap.org_code[2] = 0; 4060 llc->llc_snap.ether_type = eh->ether_type; 4061 payload = m->m_pkthdr.len; /* NB: w/o Ethernet header */ 4062 4063 M_PREPEND(m, sizeof(struct ether_header), M_NOWAIT); 4064 if (m == NULL) { /* XXX cannot happen */ 4065 IEEE80211_DPRINTF(vap, IEEE80211_MSG_SUPERG, 4066 "%s: no space for ether_header\n", __func__); 4067 vap->iv_stats.is_tx_nobuf++; 4068 return NULL; 4069 } 4070 ETHER_HEADER_COPY(mtod(m, void *), eh); 4071 mtod(m, struct ether_header *)->ether_type = htons(payload); 4072 return m; 4073} 4074 4075/* 4076 * Complete an mbuf transmission. 4077 * 4078 * For now, this simply processes a completed frame after the 4079 * driver has completed it's transmission and/or retransmission. 4080 * It assumes the frame is an 802.11 encapsulated frame. 4081 * 4082 * Later on it will grow to become the exit path for a given frame 4083 * from the driver and, depending upon how it's been encapsulated 4084 * and already transmitted, it may end up doing A-MPDU retransmission, 4085 * power save requeuing, etc. 4086 * 4087 * In order for the above to work, the driver entry point to this 4088 * must not hold any driver locks. Thus, the driver needs to delay 4089 * any actual mbuf completion until it can release said locks. 4090 * 4091 * This frees the mbuf and if the mbuf has a node reference, 4092 * the node reference will be freed. 4093 */ 4094void 4095ieee80211_tx_complete(struct ieee80211_node *ni, struct mbuf *m, int status) 4096{ 4097 4098 if (ni != NULL) { 4099 struct ifnet *ifp = ni->ni_vap->iv_ifp; 4100 4101 if (status == 0) { 4102 if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len); 4103 if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1); 4104 if (m->m_flags & M_MCAST) 4105 if_inc_counter(ifp, IFCOUNTER_OMCASTS, 1); 4106 } else 4107 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 4108 if (m->m_flags & M_TXCB) 4109 ieee80211_process_callback(ni, m, status); 4110 ieee80211_free_node(ni); 4111 } 4112 m_freem(m); 4113} 4114