sys/net80211/ieee80211_output.c

116742Ssam/*-
116904Ssam * Copyright (c) 2001 Atsushi Onoe
186904Ssam * Copyright (c) 2002-2009 Sam Leffler, Errno Consulting
116742Ssam * All rights reserved.
116742Ssam *
116742Ssam * Redistribution and use in source and binary forms, with or without
116742Ssam * modification, are permitted provided that the following conditions
116742Ssam * are met:
116742Ssam * 1. Redistributions of source code must retain the above copyright
116904Ssam *    notice, this list of conditions and the following disclaimer.
116904Ssam * 2. Redistributions in binary form must reproduce the above copyright
116904Ssam *    notice, this list of conditions and the following disclaimer in the
116904Ssam *    documentation and/or other materials provided with the distribution.
116742Ssam *
116904Ssam * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
116904Ssam * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
116904Ssam * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
116904Ssam * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
116904Ssam * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
116904Ssam * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
116904Ssam * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
116904Ssam * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
116904Ssam * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
116904Ssam * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
116742Ssam */
116742Ssam
116742Ssam#include <sys/cdefs.h>
116742Ssam__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_output.c 193655 2009-06-07 22:00:22Z sam $");
116742Ssam
116742Ssam#include "opt_inet.h"
178354Ssam#include "opt_wlan.h"
116742Ssam
116742Ssam#include <sys/param.h>
116742Ssam#include <sys/systm.h>
116742Ssam#include <sys/mbuf.h>
116742Ssam#include <sys/kernel.h>
116742Ssam#include <sys/endian.h>
116742Ssam
138568Ssam#include <sys/socket.h>
116742Ssam
138568Ssam#include <net/bpf.h>
138568Ssam#include <net/ethernet.h>
116742Ssam#include <net/if.h>
138568Ssam#include <net/if_llc.h>
116742Ssam#include <net/if_media.h>
138568Ssam#include <net/if_vlan_var.h>
116742Ssam
116742Ssam#include <net80211/ieee80211_var.h>
170530Ssam#include <net80211/ieee80211_regdomain.h>
190391Ssam#ifdef IEEE80211_SUPPORT_SUPERG
190391Ssam#include <net80211/ieee80211_superg.h>
190391Ssam#endif
186904Ssam#ifdef IEEE80211_SUPPORT_TDMA
186904Ssam#include <net80211/ieee80211_tdma.h>
186904Ssam#endif
178354Ssam#include <net80211/ieee80211_wds.h>
116742Ssam
116742Ssam#ifdef INET
116742Ssam#include <netinet/in.h>
116742Ssam#include <netinet/if_ether.h>
138568Ssam#include <netinet/in_systm.h>
138568Ssam#include <netinet/ip.h>
116742Ssam#endif
116742Ssam
193504Srwatson#include <security/mac/mac_framework.h>
193504Srwatson
170530Ssam#define	ETHER_HEADER_COPY(dst, src) \
170530Ssam	memcpy(dst, src, sizeof(struct ether_header))
170530Ssam
178354Ssamstatic int ieee80211_fragment(struct ieee80211vap *, struct mbuf *,
170530Ssam	u_int hdrsize, u_int ciphdrsize, u_int mtu);
170530Ssamstatic	void ieee80211_tx_mgt_cb(struct ieee80211_node *, void *, int);
170530Ssam
138568Ssam#ifdef IEEE80211_DEBUG
119150Ssam/*
138568Ssam * Decide if an outbound management frame should be
138568Ssam * printed when debugging is enabled.  This filters some
138568Ssam * of the less interesting frames that come frequently
138568Ssam * (e.g. beacons).
138568Ssam */
138568Ssamstatic __inline int
178354Ssamdoprint(struct ieee80211vap *vap, int subtype)
138568Ssam{
138568Ssam	switch (subtype) {
138568Ssam	case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
178354Ssam		return (vap->iv_opmode == IEEE80211_M_IBSS);
138568Ssam	}
138568Ssam	return 1;
138568Ssam}
138568Ssam#endif
138568Ssam
138568Ssam/*
178354Ssam * Start method for vap's.  All packets from the stack come
178354Ssam * through here.  We handle common processing of the packets
178354Ssam * before dispatching them to the underlying device.
178354Ssam */
178354Ssamvoid
178354Ssamieee80211_start(struct ifnet *ifp)
178354Ssam{
178354Ssam#define	IS_DWDS(vap) \
178354Ssam	(vap->iv_opmode == IEEE80211_M_WDS && \
178354Ssam	 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY) == 0)
178354Ssam	struct ieee80211vap *vap = ifp->if_softc;
178354Ssam	struct ieee80211com *ic = vap->iv_ic;
178354Ssam	struct ifnet *parent = ic->ic_ifp;
178354Ssam	struct ieee80211_node *ni;
178354Ssam	struct mbuf *m;
178354Ssam	struct ether_header *eh;
178354Ssam	int error;
178354Ssam
178354Ssam	/* NB: parent must be up and running */
178354Ssam	if (!IFNET_IS_UP_RUNNING(parent)) {
178354Ssam		IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
178354Ssam		    "%s: ignore queue, parent %s not up+running\n",
178354Ssam		    __func__, parent->if_xname);
178354Ssam		/* XXX stat */
178354Ssam		return;
178354Ssam	}
178354Ssam	if (vap->iv_state == IEEE80211_S_SLEEP) {
178354Ssam		/*
178354Ssam		 * In power save, wakeup device for transmit.
178354Ssam		 */
178354Ssam		ieee80211_new_state(vap, IEEE80211_S_RUN, 0);
178354Ssam		return;
178354Ssam	}
178354Ssam	/*
178354Ssam	 * No data frames go out unless we're running.
178354Ssam	 * Note in particular this covers CAC and CSA
178354Ssam	 * states (though maybe we should check muting
178354Ssam	 * for CSA).
178354Ssam	 */
178354Ssam	if (vap->iv_state != IEEE80211_S_RUN) {
178354Ssam		IEEE80211_LOCK(ic);
178354Ssam		/* re-check under the com lock to avoid races */
178354Ssam		if (vap->iv_state != IEEE80211_S_RUN) {
178354Ssam			IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
178354Ssam			    "%s: ignore queue, in %s state\n",
178354Ssam			    __func__, ieee80211_state_name[vap->iv_state]);
178354Ssam			vap->iv_stats.is_tx_badstate++;
178354Ssam			ifp->if_drv_flags |= IFF_DRV_OACTIVE;
178354Ssam			IEEE80211_UNLOCK(ic);
178354Ssam			return;
178354Ssam		}
178354Ssam		IEEE80211_UNLOCK(ic);
178354Ssam	}
178354Ssam	for (;;) {
178354Ssam		IFQ_DEQUEUE(&ifp->if_snd, m);
178354Ssam		if (m == NULL)
178354Ssam			break;
178354Ssam		/*
178354Ssam		 * Sanitize mbuf flags for net80211 use.  We cannot
178354Ssam		 * clear M_PWR_SAV because this may be set for frames
178354Ssam		 * that are re-submitted from the power save queue.
178354Ssam		 *
178354Ssam		 * NB: This must be done before ieee80211_classify as
178354Ssam		 *     it marks EAPOL in frames with M_EAPOL.
178354Ssam		 */
178354Ssam		m->m_flags &= ~(M_80211_TX - M_PWR_SAV);
178354Ssam		/*
178354Ssam		 * Cancel any background scan.
178354Ssam		 */
178354Ssam		if (ic->ic_flags & IEEE80211_F_SCAN)
178354Ssam			ieee80211_cancel_anyscan(vap);
178354Ssam		/*
178354Ssam		 * Find the node for the destination so we can do
178354Ssam		 * things like power save and fast frames aggregation.
178354Ssam		 *
178354Ssam		 * NB: past this point various code assumes the first
178354Ssam		 *     mbuf has the 802.3 header present (and contiguous).
178354Ssam		 */
178354Ssam		ni = NULL;
178354Ssam		if (m->m_len < sizeof(struct ether_header) &&
178354Ssam		   (m = m_pullup(m, sizeof(struct ether_header))) == NULL) {
178354Ssam			IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
178354Ssam			    "discard frame, %s\n", "m_pullup failed");
178354Ssam			vap->iv_stats.is_tx_nobuf++;	/* XXX */
178354Ssam			ifp->if_oerrors++;
178354Ssam			continue;
178354Ssam		}
178354Ssam		eh = mtod(m, struct ether_header *);
178354Ssam		if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
178354Ssam			if (IS_DWDS(vap)) {
178354Ssam				/*
178354Ssam				 * Only unicast frames from the above go out
178354Ssam				 * DWDS vaps; multicast frames are handled by
178354Ssam				 * dispatching the frame as it comes through
178354Ssam				 * the AP vap (see below).
178354Ssam				 */
178354Ssam				IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_WDS,
178354Ssam				    eh->ether_dhost, "mcast", "%s", "on DWDS");
178354Ssam				vap->iv_stats.is_dwds_mcast++;
178354Ssam				m_freem(m);
178354Ssam				continue;
178354Ssam			}
178354Ssam			if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
178354Ssam				/*
178354Ssam				 * Spam DWDS vap's w/ multicast traffic.
178354Ssam				 */
178354Ssam				/* XXX only if dwds in use? */
178354Ssam				ieee80211_dwds_mcast(vap, m);
178354Ssam			}
178354Ssam		}
178354Ssam		ni = ieee80211_find_txnode(vap, eh->ether_dhost);
178354Ssam		if (ni == NULL) {
178354Ssam			/* NB: ieee80211_find_txnode does stat+msg */
178354Ssam			ifp->if_oerrors++;
178354Ssam			m_freem(m);
178354Ssam			continue;
178354Ssam		}
184271Ssam		if (ni->ni_associd == 0 &&
186099Ssam		    (ni->ni_flags & IEEE80211_NODE_ASSOCID)) {
184271Ssam			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT,
184271Ssam			    eh->ether_dhost, NULL,
184271Ssam			    "sta not associated (type 0x%04x)",
184271Ssam			    htons(eh->ether_type));
184271Ssam			vap->iv_stats.is_tx_notassoc++;
184271Ssam			ifp->if_oerrors++;
184271Ssam			m_freem(m);
184271Ssam			ieee80211_free_node(ni);
184271Ssam			continue;
178354Ssam		}
190579Ssam
178354Ssam		if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) &&
178354Ssam		    (m->m_flags & M_PWR_SAV) == 0) {
178354Ssam			/*
178354Ssam			 * Station in power save mode; pass the frame
178354Ssam			 * to the 802.11 layer and continue.  We'll get
178354Ssam			 * the frame back when the time is right.
178354Ssam			 * XXX lose WDS vap linkage?
178354Ssam			 */
184288Ssam			(void) ieee80211_pwrsave(ni, m);
178354Ssam			ieee80211_free_node(ni);
178354Ssam			continue;
178354Ssam		}
178354Ssam		/* calculate priority so drivers can find the tx queue */
178354Ssam		if (ieee80211_classify(ni, m)) {
178354Ssam			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT,
178354Ssam			    eh->ether_dhost, NULL,
178354Ssam			    "%s", "classification failure");
178354Ssam			vap->iv_stats.is_tx_classify++;
178354Ssam			ifp->if_oerrors++;
178354Ssam			m_freem(m);
178354Ssam			ieee80211_free_node(ni);
178354Ssam			continue;
178354Ssam		}
191550Ssam		/*
191550Ssam		 * Stash the node pointer.  Note that we do this after
191550Ssam		 * any call to ieee80211_dwds_mcast because that code
191550Ssam		 * uses any existing value for rcvif to identify the
191550Ssam		 * interface it (might have been) received on.
191550Ssam		 */
191550Ssam		m->m_pkthdr.rcvif = (void *)ni;
178354Ssam
190579Ssam		BPF_MTAP(ifp, m);		/* 802.3 tx */
190579Ssam
191553Ssam		/*
191553Ssam		 * Check if A-MPDU tx aggregation is setup or if we
191553Ssam		 * should try to enable it.  The sta must be associated
191553Ssam		 * with HT and A-MPDU enabled for use.  When the policy
191553Ssam		 * routine decides we should enable A-MPDU we issue an
191553Ssam		 * ADDBA request and wait for a reply.  The frame being
191553Ssam		 * encapsulated will go out w/o using A-MPDU, or possibly
191553Ssam		 * it might be collected by the driver and held/retransmit.
191553Ssam		 * The default ic_ampdu_enable routine handles staggering
191553Ssam		 * ADDBA requests in case the receiver NAK's us or we are
191553Ssam		 * otherwise unable to establish a BA stream.
191553Ssam		 */
191553Ssam		if ((ni->ni_flags & IEEE80211_NODE_AMPDU_TX) &&
193655Ssam		    (vap->iv_flags_ht & IEEE80211_FHT_AMPDU_TX) &&
191553Ssam		    (m->m_flags & M_EAPOL) == 0) {
191553Ssam			const int ac = M_WME_GETAC(m);
191553Ssam			struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[ac];
191553Ssam
191553Ssam			ieee80211_txampdu_count_packet(tap);
191553Ssam			if (IEEE80211_AMPDU_RUNNING(tap)) {
191553Ssam				/*
191553Ssam				 * Operational, mark frame for aggregation.
191553Ssam				 *
191553Ssam				 * XXX do tx aggregation here
191553Ssam				 */
191553Ssam				m->m_flags |= M_AMPDU_MPDU;
191553Ssam			} else if (!IEEE80211_AMPDU_REQUESTED(tap) &&
191553Ssam			    ic->ic_ampdu_enable(ni, tap)) {
191553Ssam				/*
191553Ssam				 * Not negotiated yet, request service.
191553Ssam				 */
191553Ssam				ieee80211_ampdu_request(ni, tap);
191553Ssam				/* XXX hold frame for reply? */
191553Ssam			}
191553Ssam		}
190579Ssam#ifdef IEEE80211_SUPPORT_SUPERG
191553Ssam		else if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF)) {
190579Ssam			m = ieee80211_ff_check(ni, m);
190579Ssam			if (m == NULL) {
190579Ssam				/* NB: any ni ref held on stageq */
190579Ssam				continue;
190579Ssam			}
190579Ssam		}
190579Ssam#endif /* IEEE80211_SUPPORT_SUPERG */
190850Ssam		if (__predict_true((vap->iv_caps & IEEE80211_C_8023ENCAP) == 0)) {
190850Ssam			/*
190850Ssam			 * Encapsulate the packet in prep for transmission.
190850Ssam			 */
190850Ssam			m = ieee80211_encap(vap, ni, m);
190850Ssam			if (m == NULL) {
190850Ssam				/* NB: stat+msg handled in ieee80211_encap */
190850Ssam				ieee80211_free_node(ni);
190850Ssam				continue;
190850Ssam			}
190579Ssam		}
178354Ssam
186658Ssam		error = parent->if_transmit(parent, m);
178354Ssam		if (error != 0) {
178354Ssam			/* NB: IFQ_HANDOFF reclaims mbuf */
178354Ssam			ieee80211_free_node(ni);
178354Ssam		} else {
178354Ssam			ifp->if_opackets++;
178354Ssam		}
178354Ssam		ic->ic_lastdata = ticks;
178354Ssam	}
178354Ssam#undef IS_DWDS
178354Ssam}
178354Ssam
178354Ssam/*
178354Ssam * 802.11 output routine. This is (currently) used only to
178354Ssam * connect bpf write calls to the 802.11 layer for injecting
191538Ssam * raw 802.11 frames.
178354Ssam */
178354Ssamint
178354Ssamieee80211_output(struct ifnet *ifp, struct mbuf *m,
191148Skmacy	struct sockaddr *dst, struct route *ro)
178354Ssam{
178354Ssam#define senderr(e) do { error = (e); goto bad;} while (0)
178354Ssam	struct ieee80211_node *ni = NULL;
178354Ssam	struct ieee80211vap *vap;
178354Ssam	struct ieee80211_frame *wh;
178354Ssam	int error;
178354Ssam
178354Ssam	if (ifp->if_drv_flags & IFF_DRV_OACTIVE) {
178354Ssam		/*
178354Ssam		 * Short-circuit requests if the vap is marked OACTIVE
178354Ssam		 * as this is used when tearing down state to indicate
178354Ssam		 * the vap may be gone.  This can also happen because a
178354Ssam		 * packet came down through ieee80211_start before the
178354Ssam		 * vap entered RUN state in which case it's also ok to
178354Ssam		 * just drop the frame.  This should not be necessary
178354Ssam		 * but callers of if_output don't check OACTIVE.
178354Ssam		 */
178354Ssam		senderr(ENETDOWN);
178354Ssam	}
178354Ssam	vap = ifp->if_softc;
178354Ssam	/*
178354Ssam	 * Hand to the 802.3 code if not tagged as
178354Ssam	 * a raw 802.11 frame.
178354Ssam	 */
178354Ssam	if (dst->sa_family != AF_IEEE80211)
191148Skmacy		return vap->iv_output(ifp, m, dst, ro);
178354Ssam#ifdef MAC
193504Srwatson	error = mac_ifnet_check_transmit(ifp, m);
178354Ssam	if (error)
178354Ssam		senderr(error);
178354Ssam#endif
178354Ssam	if (ifp->if_flags & IFF_MONITOR)
178354Ssam		senderr(ENETDOWN);
178354Ssam	if (!IFNET_IS_UP_RUNNING(ifp))
178354Ssam		senderr(ENETDOWN);
178354Ssam	if (vap->iv_state == IEEE80211_S_CAC) {
178354Ssam		IEEE80211_DPRINTF(vap,
178354Ssam		    IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH,
178354Ssam		    "block %s frame in CAC state\n", "raw data");
178354Ssam		vap->iv_stats.is_tx_badstate++;
178354Ssam		senderr(EIO);		/* XXX */
178354Ssam	}
178354Ssam	/* XXX bypass bridge, pfil, carp, etc. */
178354Ssam
178354Ssam	if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_ack))
178354Ssam		senderr(EIO);	/* XXX */
178354Ssam	wh = mtod(m, struct ieee80211_frame *);
178354Ssam	if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
178354Ssam	    IEEE80211_FC0_VERSION_0)
178354Ssam		senderr(EIO);	/* XXX */
178354Ssam
178354Ssam	/* locate destination node */
178354Ssam	switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
178354Ssam	case IEEE80211_FC1_DIR_NODS:
178354Ssam	case IEEE80211_FC1_DIR_FROMDS:
178354Ssam		ni = ieee80211_find_txnode(vap, wh->i_addr1);
178354Ssam		break;
178354Ssam	case IEEE80211_FC1_DIR_TODS:
178354Ssam	case IEEE80211_FC1_DIR_DSTODS:
178354Ssam		if (m->m_pkthdr.len < sizeof(struct ieee80211_frame))
178354Ssam			senderr(EIO);	/* XXX */
178354Ssam		ni = ieee80211_find_txnode(vap, wh->i_addr3);
178354Ssam		break;
178354Ssam	default:
178354Ssam		senderr(EIO);	/* XXX */
178354Ssam	}
178354Ssam	if (ni == NULL) {
178354Ssam		/*
178354Ssam		 * Permit packets w/ bpf params through regardless
178354Ssam		 * (see below about sa_len).
178354Ssam		 */
178354Ssam		if (dst->sa_len == 0)
178354Ssam			senderr(EHOSTUNREACH);
178354Ssam		ni = ieee80211_ref_node(vap->iv_bss);
178354Ssam	}
178354Ssam
178354Ssam	/*
178354Ssam	 * Sanitize mbuf for net80211 flags leaked from above.
178354Ssam	 *
178354Ssam	 * NB: This must be done before ieee80211_classify as
178354Ssam	 *     it marks EAPOL in frames with M_EAPOL.
178354Ssam	 */
178354Ssam	m->m_flags &= ~M_80211_TX;
178354Ssam
178354Ssam	/* calculate priority so drivers can find the tx queue */
178354Ssam	/* XXX assumes an 802.3 frame */
178354Ssam	if (ieee80211_classify(ni, m))
178354Ssam		senderr(EIO);		/* XXX */
178354Ssam
191536Ssam	IEEE80211_NODE_STAT(ni, tx_data);
191536Ssam	if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
191536Ssam		IEEE80211_NODE_STAT(ni, tx_mcast);
191536Ssam		m->m_flags |= M_MCAST;
191536Ssam	} else
191536Ssam		IEEE80211_NODE_STAT(ni, tx_ucast);
191536Ssam	/* NB: ieee80211_encap does not include 802.11 header */
191536Ssam	IEEE80211_NODE_STAT_ADD(ni, tx_bytes, m->m_pkthdr.len);
191536Ssam
178354Ssam	/*
178354Ssam	 * NB: DLT_IEEE802_11_RADIO identifies the parameters are
178354Ssam	 * present by setting the sa_len field of the sockaddr (yes,
178354Ssam	 * this is a hack).
178354Ssam	 * NB: we assume sa_data is suitably aligned to cast.
178354Ssam	 */
178354Ssam	return vap->iv_ic->ic_raw_xmit(ni, m,
178354Ssam	    (const struct ieee80211_bpf_params *)(dst->sa_len ?
178354Ssam		dst->sa_data : NULL));
178354Ssambad:
178354Ssam	if (m != NULL)
178354Ssam		m_freem(m);
178354Ssam	if (ni != NULL)
178354Ssam		ieee80211_free_node(ni);
178354Ssam	return error;
178354Ssam#undef senderr
178354Ssam}
178354Ssam
178354Ssam/*
148314Ssam * Set the direction field and address fields of an outgoing
184285Ssam * frame.  Note this should be called early on in constructing
184285Ssam * a frame as it sets i_fc[1]; other bits can then be or'd in.
148314Ssam */
148314Ssamstatic void
178354Ssamieee80211_send_setup(
148314Ssam	struct ieee80211_node *ni,
191544Ssam	struct mbuf *m,
184282Ssam	int type, int tid,
170530Ssam	const uint8_t sa[IEEE80211_ADDR_LEN],
170530Ssam	const uint8_t da[IEEE80211_ADDR_LEN],
170530Ssam	const uint8_t bssid[IEEE80211_ADDR_LEN])
148314Ssam{
148314Ssam#define	WH4(wh)	((struct ieee80211_frame_addr4 *)wh)
191544Ssam	struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
191544Ssam	ieee80211_seq seqno;
148314Ssam
148314Ssam	wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | type;
148314Ssam	if ((type & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_DATA) {
178354Ssam		struct ieee80211vap *vap = ni->ni_vap;
178354Ssam
178354Ssam		switch (vap->iv_opmode) {
148314Ssam		case IEEE80211_M_STA:
148314Ssam			wh->i_fc[1] = IEEE80211_FC1_DIR_TODS;
148314Ssam			IEEE80211_ADDR_COPY(wh->i_addr1, bssid);
148314Ssam			IEEE80211_ADDR_COPY(wh->i_addr2, sa);
148314Ssam			IEEE80211_ADDR_COPY(wh->i_addr3, da);
148314Ssam			break;
148314Ssam		case IEEE80211_M_IBSS:
148314Ssam		case IEEE80211_M_AHDEMO:
148314Ssam			wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
148314Ssam			IEEE80211_ADDR_COPY(wh->i_addr1, da);
148314Ssam			IEEE80211_ADDR_COPY(wh->i_addr2, sa);
148314Ssam			IEEE80211_ADDR_COPY(wh->i_addr3, bssid);
148314Ssam			break;
148314Ssam		case IEEE80211_M_HOSTAP:
148314Ssam			wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS;
148314Ssam			IEEE80211_ADDR_COPY(wh->i_addr1, da);
148314Ssam			IEEE80211_ADDR_COPY(wh->i_addr2, bssid);
148314Ssam			IEEE80211_ADDR_COPY(wh->i_addr3, sa);
148314Ssam			break;
170530Ssam		case IEEE80211_M_WDS:
170530Ssam			wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS;
178354Ssam			IEEE80211_ADDR_COPY(wh->i_addr1, da);
178354Ssam			IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr);
170530Ssam			IEEE80211_ADDR_COPY(wh->i_addr3, da);
170530Ssam			IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa);
170530Ssam			break;
148314Ssam		case IEEE80211_M_MONITOR:	/* NB: to quiet compiler */
148314Ssam			break;
148314Ssam		}
148314Ssam	} else {
148314Ssam		wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
148314Ssam		IEEE80211_ADDR_COPY(wh->i_addr1, da);
148314Ssam		IEEE80211_ADDR_COPY(wh->i_addr2, sa);
148314Ssam		IEEE80211_ADDR_COPY(wh->i_addr3, bssid);
148314Ssam	}
170530Ssam	*(uint16_t *)&wh->i_dur[0] = 0;
191544Ssam
191544Ssam	seqno = ni->ni_txseqs[tid]++;
191544Ssam	*(uint16_t *)&wh->i_seq[0] = htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT);
191571Ssam	M_SEQNO_SET(m, seqno);
191544Ssam
191544Ssam	if (IEEE80211_IS_MULTICAST(wh->i_addr1))
191544Ssam		m->m_flags |= M_MCAST;
148314Ssam#undef WH4
148314Ssam}
148314Ssam
148314Ssam/*
119150Ssam * Send a management frame to the specified node.  The node pointer
119150Ssam * must have a reference as the pointer will be passed to the driver
119150Ssam * and potentially held for a long time.  If the frame is successfully
119150Ssam * dispatched to the driver, then it is responsible for freeing the
178354Ssam * reference (and potentially free'ing up any associated storage);
178354Ssam * otherwise deal with reclaiming any reference (on error).
119150Ssam */
170530Ssamint
184282Ssamieee80211_mgmt_output(struct ieee80211_node *ni, struct mbuf *m, int type,
184282Ssam	struct ieee80211_bpf_params *params)
116742Ssam{
178354Ssam	struct ieee80211vap *vap = ni->ni_vap;
178354Ssam	struct ieee80211com *ic = ni->ni_ic;
116742Ssam	struct ieee80211_frame *wh;
116742Ssam
119150Ssam	KASSERT(ni != NULL, ("null node"));
116742Ssam
178354Ssam	if (vap->iv_state == IEEE80211_S_CAC) {
178354Ssam		IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH,
178354Ssam		    ni, "block %s frame in CAC state",
178354Ssam			ieee80211_mgt_subtype_name[
178354Ssam			    (type & IEEE80211_FC0_SUBTYPE_MASK) >>
178354Ssam				IEEE80211_FC0_SUBTYPE_SHIFT]);
178354Ssam		vap->iv_stats.is_tx_badstate++;
178354Ssam		ieee80211_free_node(ni);
178354Ssam		m_freem(m);
178354Ssam		return EIO;		/* XXX */
178354Ssam	}
178354Ssam
116742Ssam	M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT);
178354Ssam	if (m == NULL) {
178354Ssam		ieee80211_free_node(ni);
116742Ssam		return ENOMEM;
178354Ssam	}
119150Ssam
116742Ssam	wh = mtod(m, struct ieee80211_frame *);
191544Ssam	ieee80211_send_setup(ni, m,
184282Ssam	     IEEE80211_FC0_TYPE_MGT | type, IEEE80211_NONQOS_TID,
184282Ssam	     vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid);
184282Ssam	if (params->ibp_flags & IEEE80211_BPF_CRYPTO) {
178354Ssam		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr1,
178354Ssam		    "encrypting frame (%s)", __func__);
138568Ssam		wh->i_fc[1] |= IEEE80211_FC1_WEP;
138568Ssam	}
184286Ssam	m->m_flags |= M_ENCAP;		/* mark encapsulated */
184282Ssam
184282Ssam	KASSERT(type != IEEE80211_FC0_SUBTYPE_PROBE_RESP, ("probe response?"));
184282Ssam	M_WME_SETAC(m, params->ibp_pri);
184282Ssam
116742Ssam#ifdef IEEE80211_DEBUG
138568Ssam	/* avoid printing too many frames */
178354Ssam	if ((ieee80211_msg_debug(vap) && doprint(vap, type)) ||
178354Ssam	    ieee80211_msg_dumppkts(vap)) {
138568Ssam		printf("[%s] send %s on channel %u\n",
138568Ssam		    ether_sprintf(wh->i_addr1),
138568Ssam		    ieee80211_mgt_subtype_name[
138568Ssam			(type & IEEE80211_FC0_SUBTYPE_MASK) >>
138568Ssam				IEEE80211_FC0_SUBTYPE_SHIFT],
148936Ssam		    ieee80211_chan2ieee(ic, ic->ic_curchan));
138568Ssam	}
116742Ssam#endif
138568Ssam	IEEE80211_NODE_STAT(ni, tx_mgmt);
170530Ssam
184282Ssam	return ic->ic_raw_xmit(ni, m, params);
116742Ssam}
116742Ssam
119150Ssam/*
184283Ssam * Send a null data frame to the specified node.  If the station
184283Ssam * is setup for QoS then a QoS Null Data frame is constructed.
184283Ssam * If this is a WDS station then a 4-address frame is constructed.
148582Ssam *
148582Ssam * NB: the caller is assumed to have setup a node reference
148582Ssam *     for use; this is necessary to deal with a race condition
178354Ssam *     when probing for inactive stations.  Like ieee80211_mgmt_output
178354Ssam *     we must cleanup any node reference on error;  however we
178354Ssam *     can safely just unref it as we know it will never be the
178354Ssam *     last reference to the node.
119150Ssam */
138568Ssamint
148301Ssamieee80211_send_nulldata(struct ieee80211_node *ni)
138568Ssam{
178354Ssam	struct ieee80211vap *vap = ni->ni_vap;
148301Ssam	struct ieee80211com *ic = ni->ni_ic;
138568Ssam	struct mbuf *m;
138568Ssam	struct ieee80211_frame *wh;
184283Ssam	int hdrlen;
184283Ssam	uint8_t *frm;
138568Ssam
178354Ssam	if (vap->iv_state == IEEE80211_S_CAC) {
178354Ssam		IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH,
178354Ssam		    ni, "block %s frame in CAC state", "null data");
178354Ssam		ieee80211_unref_node(&ni);
178354Ssam		vap->iv_stats.is_tx_badstate++;
178354Ssam		return EIO;		/* XXX */
178354Ssam	}
178354Ssam
184283Ssam	if (ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT))
184283Ssam		hdrlen = sizeof(struct ieee80211_qosframe);
184283Ssam	else
184283Ssam		hdrlen = sizeof(struct ieee80211_frame);
184283Ssam	/* NB: only WDS vap's get 4-address frames */
184283Ssam	if (vap->iv_opmode == IEEE80211_M_WDS)
184283Ssam		hdrlen += IEEE80211_ADDR_LEN;
184283Ssam	if (ic->ic_flags & IEEE80211_F_DATAPAD)
184283Ssam		hdrlen = roundup(hdrlen, sizeof(uint32_t));
184283Ssam
184283Ssam	m = ieee80211_getmgtframe(&frm, ic->ic_headroom + hdrlen, 0);
138568Ssam	if (m == NULL) {
138568Ssam		/* XXX debug msg */
170530Ssam		ieee80211_unref_node(&ni);
178354Ssam		vap->iv_stats.is_tx_nobuf++;
138568Ssam		return ENOMEM;
138568Ssam	}
184283Ssam	KASSERT(M_LEADINGSPACE(m) >= hdrlen,
184283Ssam	    ("leading space %zd", M_LEADINGSPACE(m)));
184283Ssam	M_PREPEND(m, hdrlen, M_DONTWAIT);
184283Ssam	if (m == NULL) {
184283Ssam		/* NB: cannot happen */
184283Ssam		ieee80211_free_node(ni);
184283Ssam		return ENOMEM;
184283Ssam	}
138568Ssam
184283Ssam	wh = mtod(m, struct ieee80211_frame *);		/* NB: a little lie */
184283Ssam	if (ni->ni_flags & IEEE80211_NODE_QOS) {
184283Ssam		const int tid = WME_AC_TO_TID(WME_AC_BE);
184283Ssam		uint8_t *qos;
184283Ssam
191544Ssam		ieee80211_send_setup(ni, m,
184283Ssam		    IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_QOS_NULL,
184283Ssam		    tid, vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid);
184283Ssam
184283Ssam		if (vap->iv_opmode == IEEE80211_M_WDS)
184283Ssam			qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos;
184283Ssam		else
184283Ssam			qos = ((struct ieee80211_qosframe *) wh)->i_qos;
184283Ssam		qos[0] = tid & IEEE80211_QOS_TID;
184283Ssam		if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[WME_AC_BE].wmep_noackPolicy)
184283Ssam			qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK;
184283Ssam		qos[1] = 0;
184283Ssam	} else {
191544Ssam		ieee80211_send_setup(ni, m,
184283Ssam		    IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_NODATA,
184283Ssam		    IEEE80211_NONQOS_TID,
184283Ssam		    vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid);
184283Ssam	}
178354Ssam	if (vap->iv_opmode != IEEE80211_M_WDS) {
178354Ssam		/* NB: power management bit is never sent by an AP */
178354Ssam		if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) &&
178354Ssam		    vap->iv_opmode != IEEE80211_M_HOSTAP)
178354Ssam			wh->i_fc[1] |= IEEE80211_FC1_PWR_MGT;
178354Ssam	}
184283Ssam	m->m_len = m->m_pkthdr.len = hdrlen;
184286Ssam	m->m_flags |= M_ENCAP;		/* mark encapsulated */
184283Ssam
172231Ssam	M_WME_SETAC(m, WME_AC_BE);
138568Ssam
138568Ssam	IEEE80211_NODE_STAT(ni, tx_data);
138568Ssam
178354Ssam	IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, ni,
184283Ssam	    "send %snull data frame on channel %u, pwr mgt %s",
184283Ssam	    ni->ni_flags & IEEE80211_NODE_QOS ? "QoS " : "",
148936Ssam	    ieee80211_chan2ieee(ic, ic->ic_curchan),
148314Ssam	    wh->i_fc[1] & IEEE80211_FC1_PWR_MGT ? "ena" : "dis");
148314Ssam
178354Ssam	return ic->ic_raw_xmit(ni, m, NULL);
138568Ssam}
138568Ssam
138568Ssam/*
138568Ssam * Assign priority to a frame based on any vlan tag assigned
138568Ssam * to the station and/or any Diffserv setting in an IP header.
138568Ssam * Finally, if an ACM policy is setup (in station mode) it's
138568Ssam * applied.
138568Ssam */
138568Ssamint
178354Ssamieee80211_classify(struct ieee80211_node *ni, struct mbuf *m)
138568Ssam{
178354Ssam	const struct ether_header *eh = mtod(m, struct ether_header *);
138568Ssam	int v_wme_ac, d_wme_ac, ac;
138568Ssam
178354Ssam	/*
178354Ssam	 * Always promote PAE/EAPOL frames to high priority.
178354Ssam	 */
178354Ssam	if (eh->ether_type == htons(ETHERTYPE_PAE)) {
178354Ssam		/* NB: mark so others don't need to check header */
178354Ssam		m->m_flags |= M_EAPOL;
178354Ssam		ac = WME_AC_VO;
178354Ssam		goto done;
178354Ssam	}
178354Ssam	/*
178354Ssam	 * Non-qos traffic goes to BE.
178354Ssam	 */
138568Ssam	if ((ni->ni_flags & IEEE80211_NODE_QOS) == 0) {
138568Ssam		ac = WME_AC_BE;
138568Ssam		goto done;
138568Ssam	}
138568Ssam
138568Ssam	/*
138568Ssam	 * If node has a vlan tag then all traffic
138568Ssam	 * to it must have a matching tag.
138568Ssam	 */
138568Ssam	v_wme_ac = 0;
138568Ssam	if (ni->ni_vlan != 0) {
162375Sandre		 if ((m->m_flags & M_VLANTAG) == 0) {
138568Ssam			IEEE80211_NODE_STAT(ni, tx_novlantag);
138568Ssam			return 1;
138568Ssam		}
162375Sandre		if (EVL_VLANOFTAG(m->m_pkthdr.ether_vtag) !=
138568Ssam		    EVL_VLANOFTAG(ni->ni_vlan)) {
138568Ssam			IEEE80211_NODE_STAT(ni, tx_vlanmismatch);
138568Ssam			return 1;
138568Ssam		}
138568Ssam		/* map vlan priority to AC */
173867Ssam		v_wme_ac = TID_TO_WME_AC(EVL_PRIOFTAG(ni->ni_vlan));
138568Ssam	}
138568Ssam
138568Ssam#ifdef INET
138568Ssam	if (eh->ether_type == htons(ETHERTYPE_IP)) {
173867Ssam		uint8_t tos;
138568Ssam		/*
173867Ssam		 * IP frame, map the DSCP bits from the TOS field.
138568Ssam		 */
173867Ssam		/* XXX m_copydata may be too slow for fast path */
173867Ssam		/* NB: ip header may not be in first mbuf */
173867Ssam		m_copydata(m, sizeof(struct ether_header) +
173867Ssam		    offsetof(struct ip, ip_tos), sizeof(tos), &tos);
173867Ssam		tos >>= 5;		/* NB: ECN + low 3 bits of DSCP */
173867Ssam		d_wme_ac = TID_TO_WME_AC(tos);
138568Ssam	} else {
138568Ssam#endif /* INET */
138568Ssam		d_wme_ac = WME_AC_BE;
138568Ssam#ifdef INET
138568Ssam	}
138568Ssam#endif
138568Ssam	/*
138568Ssam	 * Use highest priority AC.
138568Ssam	 */
138568Ssam	if (v_wme_ac > d_wme_ac)
138568Ssam		ac = v_wme_ac;
138568Ssam	else
138568Ssam		ac = d_wme_ac;
138568Ssam
138568Ssam	/*
138568Ssam	 * Apply ACM policy.
138568Ssam	 */
178354Ssam	if (ni->ni_vap->iv_opmode == IEEE80211_M_STA) {
138568Ssam		static const int acmap[4] = {
138568Ssam			WME_AC_BK,	/* WME_AC_BE */
138568Ssam			WME_AC_BK,	/* WME_AC_BK */
138568Ssam			WME_AC_BE,	/* WME_AC_VI */
138568Ssam			WME_AC_VI,	/* WME_AC_VO */
138568Ssam		};
178354Ssam		struct ieee80211com *ic = ni->ni_ic;
178354Ssam
138568Ssam		while (ac != WME_AC_BK &&
138568Ssam		    ic->ic_wme.wme_wmeBssChanParams.cap_wmeParams[ac].wmep_acm)
138568Ssam			ac = acmap[ac];
138568Ssam	}
138568Ssamdone:
138568Ssam	M_WME_SETAC(m, ac);
138568Ssam	return 0;
138568Ssam}
138568Ssam
138568Ssam/*
139527Ssam * Insure there is sufficient contiguous space to encapsulate the
139527Ssam * 802.11 data frame.  If room isn't already there, arrange for it.
139527Ssam * Drivers and cipher modules assume we have done the necessary work
139527Ssam * and fail rudely if they don't find the space they need.
139527Ssam */
190391Ssamstruct mbuf *
178354Ssamieee80211_mbuf_adjust(struct ieee80211vap *vap, int hdrsize,
139527Ssam	struct ieee80211_key *key, struct mbuf *m)
139527Ssam{
164805Ssam#define	TO_BE_RECLAIMED	(sizeof(struct ether_header) - sizeof(struct llc))
178354Ssam	int needed_space = vap->iv_ic->ic_headroom + hdrsize;
139527Ssam
139527Ssam	if (key != NULL) {
139527Ssam		/* XXX belongs in crypto code? */
139527Ssam		needed_space += key->wk_cipher->ic_header;
139527Ssam		/* XXX frags */
156758Ssam		/*
156758Ssam		 * When crypto is being done in the host we must insure
156758Ssam		 * the data are writable for the cipher routines; clone
156758Ssam		 * a writable mbuf chain.
156758Ssam		 * XXX handle SWMIC specially
156758Ssam		 */
179394Ssam		if (key->wk_flags & (IEEE80211_KEY_SWENCRYPT|IEEE80211_KEY_SWENMIC)) {
156758Ssam			m = m_unshare(m, M_NOWAIT);
156758Ssam			if (m == NULL) {
178354Ssam				IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
156758Ssam				    "%s: cannot get writable mbuf\n", __func__);
178354Ssam				vap->iv_stats.is_tx_nobuf++; /* XXX new stat */
156758Ssam				return NULL;
156758Ssam			}
156758Ssam		}
139527Ssam	}
139527Ssam	/*
139527Ssam	 * We know we are called just before stripping an Ethernet
139527Ssam	 * header and prepending an LLC header.  This means we know
139527Ssam	 * there will be
164805Ssam	 *	sizeof(struct ether_header) - sizeof(struct llc)
139527Ssam	 * bytes recovered to which we need additional space for the
139527Ssam	 * 802.11 header and any crypto header.
139527Ssam	 */
139527Ssam	/* XXX check trailing space and copy instead? */
139527Ssam	if (M_LEADINGSPACE(m) < needed_space - TO_BE_RECLAIMED) {
139527Ssam		struct mbuf *n = m_gethdr(M_NOWAIT, m->m_type);
139527Ssam		if (n == NULL) {
178354Ssam			IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
139527Ssam			    "%s: cannot expand storage\n", __func__);
178354Ssam			vap->iv_stats.is_tx_nobuf++;
139527Ssam			m_freem(m);
139527Ssam			return NULL;
139527Ssam		}
139527Ssam		KASSERT(needed_space <= MHLEN,
139527Ssam		    ("not enough room, need %u got %zu\n", needed_space, MHLEN));
139527Ssam		/*
139527Ssam		 * Setup new mbuf to have leading space to prepend the
139527Ssam		 * 802.11 header and any crypto header bits that are
139527Ssam		 * required (the latter are added when the driver calls
139527Ssam		 * back to ieee80211_crypto_encap to do crypto encapsulation).
139527Ssam		 */
139527Ssam		/* NB: must be first 'cuz it clobbers m_data */
139527Ssam		m_move_pkthdr(n, m);
139527Ssam		n->m_len = 0;			/* NB: m_gethdr does not set */
139527Ssam		n->m_data += needed_space;
139527Ssam		/*
139527Ssam		 * Pull up Ethernet header to create the expected layout.
139527Ssam		 * We could use m_pullup but that's overkill (i.e. we don't
139527Ssam		 * need the actual data) and it cannot fail so do it inline
139527Ssam		 * for speed.
139527Ssam		 */
139527Ssam		/* NB: struct ether_header is known to be contiguous */
139527Ssam		n->m_len += sizeof(struct ether_header);
139527Ssam		m->m_len -= sizeof(struct ether_header);
139527Ssam		m->m_data += sizeof(struct ether_header);
139527Ssam		/*
139527Ssam		 * Replace the head of the chain.
139527Ssam		 */
139527Ssam		n->m_next = m;
139527Ssam		m = n;
139527Ssam	}
139527Ssam	return m;
139527Ssam#undef TO_BE_RECLAIMED
139527Ssam}
139527Ssam
139527Ssam/*
139527Ssam * Return the transmit key to use in sending a unicast frame.
139527Ssam * If a unicast key is set we use that.  When no unicast key is set
139527Ssam * we fall back to the default transmit key.
138568Ssam */
138568Ssamstatic __inline struct ieee80211_key *
178354Ssamieee80211_crypto_getucastkey(struct ieee80211vap *vap,
178354Ssam	struct ieee80211_node *ni)
138568Ssam{
167432Ssam	if (IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)) {
178354Ssam		if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE ||
178354Ssam		    IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey]))
138568Ssam			return NULL;
178354Ssam		return &vap->iv_nw_keys[vap->iv_def_txkey];
138568Ssam	} else {
138568Ssam		return &ni->ni_ucastkey;
138568Ssam	}
138568Ssam}
138568Ssam
138568Ssam/*
139527Ssam * Return the transmit key to use in sending a multicast frame.
139527Ssam * Multicast traffic always uses the group key which is installed as
139527Ssam * the default tx key.
139527Ssam */
139527Ssamstatic __inline struct ieee80211_key *
178354Ssamieee80211_crypto_getmcastkey(struct ieee80211vap *vap,
178354Ssam	struct ieee80211_node *ni)
139527Ssam{
178354Ssam	if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE ||
178354Ssam	    IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey]))
139527Ssam		return NULL;
178354Ssam	return &vap->iv_nw_keys[vap->iv_def_txkey];
139527Ssam}
139527Ssam
139527Ssam/*
138568Ssam * Encapsulate an outbound data frame.  The mbuf chain is updated.
138568Ssam * If an error is encountered NULL is returned.  The caller is required
138568Ssam * to provide a node reference and pullup the ethernet header in the
138568Ssam * first mbuf.
178354Ssam *
178354Ssam * NB: Packet is assumed to be processed by ieee80211_classify which
178354Ssam *     marked EAPOL frames w/ M_EAPOL.
138568Ssam */
116742Ssamstruct mbuf *
190579Ssamieee80211_encap(struct ieee80211vap *vap, struct ieee80211_node *ni,
190579Ssam    struct mbuf *m)
116742Ssam{
178354Ssam#define	WH4(wh)	((struct ieee80211_frame_addr4 *)(wh))
178354Ssam	struct ieee80211com *ic = ni->ni_ic;
116742Ssam	struct ether_header eh;
116742Ssam	struct ieee80211_frame *wh;
138568Ssam	struct ieee80211_key *key;
116742Ssam	struct llc *llc;
190391Ssam	int hdrsize, hdrspace, datalen, addqos, txfrag, is4addr;
191544Ssam	ieee80211_seq seqno;
116742Ssam
170530Ssam	/*
170530Ssam	 * Copy existing Ethernet header to a safe place.  The
170530Ssam	 * rest of the code assumes it's ok to strip it when
170530Ssam	 * reorganizing state for the final encapsulation.
170530Ssam	 */
138568Ssam	KASSERT(m->m_len >= sizeof(eh), ("no ethernet header!"));
178354Ssam	ETHER_HEADER_COPY(&eh, mtod(m, caddr_t));
116742Ssam
138568Ssam	/*
138568Ssam	 * Insure space for additional headers.  First identify
138568Ssam	 * transmit key to use in calculating any buffer adjustments
138568Ssam	 * required.  This is also used below to do privacy
138568Ssam	 * encapsulation work.  Then calculate the 802.11 header
138568Ssam	 * size and any padding required by the driver.
138568Ssam	 *
138568Ssam	 * Note key may be NULL if we fall back to the default
138568Ssam	 * transmit key and that is not set.  In that case the
138568Ssam	 * buffer may not be expanded as needed by the cipher
138568Ssam	 * routines, but they will/should discard it.
138568Ssam	 */
178354Ssam	if (vap->iv_flags & IEEE80211_F_PRIVACY) {
178354Ssam		if (vap->iv_opmode == IEEE80211_M_STA ||
178354Ssam		    !IEEE80211_IS_MULTICAST(eh.ether_dhost) ||
178354Ssam		    (vap->iv_opmode == IEEE80211_M_WDS &&
178354Ssam		     (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY)))
178354Ssam			key = ieee80211_crypto_getucastkey(vap, ni);
139527Ssam		else
178354Ssam			key = ieee80211_crypto_getmcastkey(vap, ni);
178354Ssam		if (key == NULL && (m->m_flags & M_EAPOL) == 0) {
178354Ssam			IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO,
178354Ssam			    eh.ether_dhost,
178354Ssam			    "no default transmit key (%s) deftxkey %u",
178354Ssam			    __func__, vap->iv_def_txkey);
178354Ssam			vap->iv_stats.is_tx_nodefkey++;
171950Ssam			goto bad;
138568Ssam		}
138568Ssam	} else
138568Ssam		key = NULL;
139527Ssam	/*
139527Ssam	 * XXX Some ap's don't handle QoS-encapsulated EAPOL
139527Ssam	 * frames so suppress use.  This may be an issue if other
139527Ssam	 * ap's require all data frames to be QoS-encapsulated
139527Ssam	 * once negotiated in which case we'll need to make this
139527Ssam	 * configurable.
139527Ssam	 */
170530Ssam	addqos = (ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT)) &&
178354Ssam		 (m->m_flags & M_EAPOL) == 0;
139527Ssam	if (addqos)
138568Ssam		hdrsize = sizeof(struct ieee80211_qosframe);
138568Ssam	else
138568Ssam		hdrsize = sizeof(struct ieee80211_frame);
178354Ssam	/*
178354Ssam	 * 4-address frames need to be generated for:
190672Ssam	 * o packets sent through a WDS vap (IEEE80211_M_WDS)
191555Ssam	 * o packets sent through a vap marked for relaying
191555Ssam	 *   (e.g. a station operating with dynamic WDS)
178354Ssam	 */
190672Ssam	is4addr = vap->iv_opmode == IEEE80211_M_WDS ||
191555Ssam	    ((vap->iv_flags_ext & IEEE80211_FEXT_4ADDR) &&
178354Ssam	     !IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr));
178354Ssam	if (is4addr)
178354Ssam		hdrsize += IEEE80211_ADDR_LEN;
178354Ssam	/*
178354Ssam	 * Honor driver DATAPAD requirement.
178354Ssam	 */
138568Ssam	if (ic->ic_flags & IEEE80211_F_DATAPAD)
178354Ssam		hdrspace = roundup(hdrsize, sizeof(uint32_t));
178354Ssam	else
178354Ssam		hdrspace = hdrsize;
170530Ssam
190391Ssam	if (__predict_true((m->m_flags & M_FF) == 0)) {
170530Ssam		/*
170530Ssam		 * Normal frame.
170530Ssam		 */
178354Ssam		m = ieee80211_mbuf_adjust(vap, hdrspace, key, m);
170530Ssam		if (m == NULL) {
170530Ssam			/* NB: ieee80211_mbuf_adjust handles msgs+statistics */
170530Ssam			goto bad;
170530Ssam		}
170530Ssam		/* NB: this could be optimized 'cuz of ieee80211_mbuf_adjust */
170530Ssam		m_adj(m, sizeof(struct ether_header) - sizeof(struct llc));
170530Ssam		llc = mtod(m, struct llc *);
170530Ssam		llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP;
170530Ssam		llc->llc_control = LLC_UI;
170530Ssam		llc->llc_snap.org_code[0] = 0;
170530Ssam		llc->llc_snap.org_code[1] = 0;
170530Ssam		llc->llc_snap.org_code[2] = 0;
170530Ssam		llc->llc_snap.ether_type = eh.ether_type;
190391Ssam	} else {
190391Ssam#ifdef IEEE80211_SUPPORT_SUPERG
190579Ssam		/*
190579Ssam		 * Aggregated frame.
190579Ssam		 */
190391Ssam		m = ieee80211_ff_encap(vap, m, hdrspace, key);
190391Ssam		if (m == NULL)
190391Ssam#endif
190391Ssam			goto bad;
127772Ssam	}
138568Ssam	datalen = m->m_pkthdr.len;		/* NB: w/o 802.11 header */
138568Ssam
178354Ssam	M_PREPEND(m, hdrspace, M_DONTWAIT);
121180Ssam	if (m == NULL) {
178354Ssam		vap->iv_stats.is_tx_nobuf++;
119150Ssam		goto bad;
121180Ssam	}
116742Ssam	wh = mtod(m, struct ieee80211_frame *);
116742Ssam	wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA;
170530Ssam	*(uint16_t *)wh->i_dur = 0;
178354Ssam	if (is4addr) {
178354Ssam		wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS;
178354Ssam		IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr);
178354Ssam		IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr);
178354Ssam		IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost);
178354Ssam		IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, eh.ether_shost);
178354Ssam	} else switch (vap->iv_opmode) {
116742Ssam	case IEEE80211_M_STA:
116742Ssam		wh->i_fc[1] = IEEE80211_FC1_DIR_TODS;
116742Ssam		IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid);
116742Ssam		IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost);
116742Ssam		IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost);
116742Ssam		break;
116742Ssam	case IEEE80211_M_IBSS:
116742Ssam	case IEEE80211_M_AHDEMO:
116742Ssam		wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
116742Ssam		IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost);
116742Ssam		IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost);
140636Ssam		/*
178354Ssam		 * NB: always use the bssid from iv_bss as the
140636Ssam		 *     neighbor's may be stale after an ibss merge
140636Ssam		 */
178354Ssam		IEEE80211_ADDR_COPY(wh->i_addr3, vap->iv_bss->ni_bssid);
116742Ssam		break;
116742Ssam	case IEEE80211_M_HOSTAP:
116742Ssam		wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS;
116742Ssam		IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost);
116742Ssam		IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid);
116742Ssam		IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost);
116742Ssam		break;
117817Ssam	case IEEE80211_M_MONITOR:
178354Ssam	case IEEE80211_M_WDS:		/* NB: is4addr should always be true */
119150Ssam		goto bad;
116742Ssam	}
190678Ssam	if (m->m_flags & M_MORE_DATA)
147789Ssam		wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA;
139527Ssam	if (addqos) {
178354Ssam		uint8_t *qos;
138568Ssam		int ac, tid;
138568Ssam
178354Ssam		if (is4addr) {
178354Ssam			qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos;
178354Ssam		} else
178354Ssam			qos = ((struct ieee80211_qosframe *) wh)->i_qos;
138568Ssam		ac = M_WME_GETAC(m);
138568Ssam		/* map from access class/queue to 11e header priorty value */
138568Ssam		tid = WME_AC_TO_TID(ac);
178354Ssam		qos[0] = tid & IEEE80211_QOS_TID;
138568Ssam		if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[ac].wmep_noackPolicy)
178354Ssam			qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK;
178354Ssam		qos[1] = 0;
178354Ssam		wh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS;
138568Ssam
183247Ssam		if ((m->m_flags & M_AMPDU_MPDU) == 0) {
183247Ssam			/*
183247Ssam			 * NB: don't assign a sequence # to potential
183247Ssam			 * aggregates; we expect this happens at the
183247Ssam			 * point the frame comes off any aggregation q
183247Ssam			 * as otherwise we may introduce holes in the
183247Ssam			 * BA sequence space and/or make window accouting
183247Ssam			 * more difficult.
183247Ssam			 *
183247Ssam			 * XXX may want to control this with a driver
183247Ssam			 * capability; this may also change when we pull
183247Ssam			 * aggregation up into net80211
183247Ssam			 */
191544Ssam			seqno = ni->ni_txseqs[tid]++;
183247Ssam			*(uint16_t *)wh->i_seq =
191544Ssam			    htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT);
191571Ssam			M_SEQNO_SET(m, seqno);
183247Ssam		}
138568Ssam	} else {
191544Ssam		seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++;
170530Ssam		*(uint16_t *)wh->i_seq =
191544Ssam		    htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT);
191571Ssam		M_SEQNO_SET(m, seqno);
138568Ssam	}
191571Ssam
170530Ssam	/* check if xmit fragmentation is required */
178354Ssam	txfrag = (m->m_pkthdr.len > vap->iv_fragthreshold &&
170530Ssam	    !IEEE80211_IS_MULTICAST(wh->i_addr1) &&
178354Ssam	    (vap->iv_caps & IEEE80211_C_TXFRAG) &&
191545Ssam	    (m->m_flags & (M_FF | M_AMPDU_MPDU)) == 0);
139527Ssam	if (key != NULL) {
139527Ssam		/*
139527Ssam		 * IEEE 802.1X: send EAPOL frames always in the clear.
139527Ssam		 * WPA/WPA2: encrypt EAPOL keys when pairwise keys are set.
139527Ssam		 */
178354Ssam		if ((m->m_flags & M_EAPOL) == 0 ||
178354Ssam		    ((vap->iv_flags & IEEE80211_F_WPA) &&
178354Ssam		     (vap->iv_opmode == IEEE80211_M_STA ?
167432Ssam		      !IEEE80211_KEY_UNDEFINED(key) :
167432Ssam		      !IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)))) {
139527Ssam			wh->i_fc[1] |= IEEE80211_FC1_WEP;
178354Ssam			if (!ieee80211_crypto_enmic(vap, key, m, txfrag)) {
178354Ssam				IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_OUTPUT,
178354Ssam				    eh.ether_dhost,
178354Ssam				    "%s", "enmic failed, discard frame");
178354Ssam				vap->iv_stats.is_crypto_enmicfail++;
139527Ssam				goto bad;
139527Ssam			}
139527Ssam		}
139527Ssam	}
178354Ssam	if (txfrag && !ieee80211_fragment(vap, m, hdrsize,
178354Ssam	    key != NULL ? key->wk_cipher->ic_header : 0, vap->iv_fragthreshold))
170530Ssam		goto bad;
138568Ssam
184286Ssam	m->m_flags |= M_ENCAP;		/* mark encapsulated */
184286Ssam
138568Ssam	IEEE80211_NODE_STAT(ni, tx_data);
191544Ssam	if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
161144Ssam		IEEE80211_NODE_STAT(ni, tx_mcast);
191544Ssam		m->m_flags |= M_MCAST;
191544Ssam	} else
161144Ssam		IEEE80211_NODE_STAT(ni, tx_ucast);
138568Ssam	IEEE80211_NODE_STAT_ADD(ni, tx_bytes, datalen);
138568Ssam
116742Ssam	return m;
119150Ssambad:
119150Ssam	if (m != NULL)
119150Ssam		m_freem(m);
119150Ssam	return NULL;
178354Ssam#undef WH4
116742Ssam}
116742Ssam
116742Ssam/*
170530Ssam * Fragment the frame according to the specified mtu.
170530Ssam * The size of the 802.11 header (w/o padding) is provided
170530Ssam * so we don't need to recalculate it.  We create a new
170530Ssam * mbuf for each fragment and chain it through m_nextpkt;
170530Ssam * we might be able to optimize this by reusing the original
170530Ssam * packet's mbufs but that is significantly more complicated.
170530Ssam */
170530Ssamstatic int
178354Ssamieee80211_fragment(struct ieee80211vap *vap, struct mbuf *m0,
170530Ssam	u_int hdrsize, u_int ciphdrsize, u_int mtu)
170530Ssam{
170530Ssam	struct ieee80211_frame *wh, *whf;
170530Ssam	struct mbuf *m, *prev, *next;
170530Ssam	u_int totalhdrsize, fragno, fragsize, off, remainder, payload;
170530Ssam
170530Ssam	KASSERT(m0->m_nextpkt == NULL, ("mbuf already chained?"));
170530Ssam	KASSERT(m0->m_pkthdr.len > mtu,
170530Ssam		("pktlen %u mtu %u", m0->m_pkthdr.len, mtu));
170530Ssam
170530Ssam	wh = mtod(m0, struct ieee80211_frame *);
170530Ssam	/* NB: mark the first frag; it will be propagated below */
170530Ssam	wh->i_fc[1] |= IEEE80211_FC1_MORE_FRAG;
170530Ssam	totalhdrsize = hdrsize + ciphdrsize;
170530Ssam	fragno = 1;
170530Ssam	off = mtu - ciphdrsize;
170530Ssam	remainder = m0->m_pkthdr.len - off;
170530Ssam	prev = m0;
170530Ssam	do {
170530Ssam		fragsize = totalhdrsize + remainder;
170530Ssam		if (fragsize > mtu)
170530Ssam			fragsize = mtu;
178354Ssam		/* XXX fragsize can be >2048! */
170530Ssam		KASSERT(fragsize < MCLBYTES,
170530Ssam			("fragment size %u too big!", fragsize));
170530Ssam		if (fragsize > MHLEN)
170530Ssam			m = m_getcl(M_DONTWAIT, MT_DATA, M_PKTHDR);
170530Ssam		else
170530Ssam			m = m_gethdr(M_DONTWAIT, MT_DATA);
170530Ssam		if (m == NULL)
170530Ssam			goto bad;
170530Ssam		/* leave room to prepend any cipher header */
170530Ssam		m_align(m, fragsize - ciphdrsize);
170530Ssam
170530Ssam		/*
170530Ssam		 * Form the header in the fragment.  Note that since
170530Ssam		 * we mark the first fragment with the MORE_FRAG bit
170530Ssam		 * it automatically is propagated to each fragment; we
170530Ssam		 * need only clear it on the last fragment (done below).
170530Ssam		 */
170530Ssam		whf = mtod(m, struct ieee80211_frame *);
170530Ssam		memcpy(whf, wh, hdrsize);
170530Ssam		*(uint16_t *)&whf->i_seq[0] |= htole16(
170530Ssam			(fragno & IEEE80211_SEQ_FRAG_MASK) <<
170530Ssam				IEEE80211_SEQ_FRAG_SHIFT);
170530Ssam		fragno++;
170530Ssam
170530Ssam		payload = fragsize - totalhdrsize;
170530Ssam		/* NB: destination is known to be contiguous */
170530Ssam		m_copydata(m0, off, payload, mtod(m, uint8_t *) + hdrsize);
170530Ssam		m->m_len = hdrsize + payload;
170530Ssam		m->m_pkthdr.len = hdrsize + payload;
170530Ssam		m->m_flags |= M_FRAG;
170530Ssam
170530Ssam		/* chain up the fragment */
170530Ssam		prev->m_nextpkt = m;
170530Ssam		prev = m;
170530Ssam
170530Ssam		/* deduct fragment just formed */
170530Ssam		remainder -= payload;
170530Ssam		off += payload;
170530Ssam	} while (remainder != 0);
188380Sweongyo
188380Sweongyo	/* set the last fragment */
188380Sweongyo	m->m_flags |= M_LASTFRAG;
170530Ssam	whf->i_fc[1] &= ~IEEE80211_FC1_MORE_FRAG;
170530Ssam
170530Ssam	/* strip first mbuf now that everything has been copied */
170530Ssam	m_adj(m0, -(m0->m_pkthdr.len - (mtu - ciphdrsize)));
170530Ssam	m0->m_flags |= M_FIRSTFRAG | M_FRAG;
170530Ssam
178354Ssam	vap->iv_stats.is_tx_fragframes++;
178354Ssam	vap->iv_stats.is_tx_frags += fragno-1;
170530Ssam
170530Ssam	return 1;
170530Ssambad:
170530Ssam	/* reclaim fragments but leave original frame for caller to free */
170530Ssam	for (m = m0->m_nextpkt; m != NULL; m = next) {
170530Ssam		next = m->m_nextpkt;
170530Ssam		m->m_nextpkt = NULL;		/* XXX paranoid */
170530Ssam		m_freem(m);
170530Ssam	}
170530Ssam	m0->m_nextpkt = NULL;
170530Ssam	return 0;
170530Ssam}
170530Ssam
170530Ssam/*
116742Ssam * Add a supported rates element id to a frame.
116742Ssam */
170530Ssamstatic uint8_t *
170530Ssamieee80211_add_rates(uint8_t *frm, const struct ieee80211_rateset *rs)
116742Ssam{
116742Ssam	int nrates;
116742Ssam
116742Ssam	*frm++ = IEEE80211_ELEMID_RATES;
116742Ssam	nrates = rs->rs_nrates;
116742Ssam	if (nrates > IEEE80211_RATE_SIZE)
116742Ssam		nrates = IEEE80211_RATE_SIZE;
116742Ssam	*frm++ = nrates;
116742Ssam	memcpy(frm, rs->rs_rates, nrates);
116742Ssam	return frm + nrates;
116742Ssam}
116742Ssam
116742Ssam/*
116742Ssam * Add an extended supported rates element id to a frame.
116742Ssam */
170530Ssamstatic uint8_t *
170530Ssamieee80211_add_xrates(uint8_t *frm, const struct ieee80211_rateset *rs)
116742Ssam{
116742Ssam	/*
116742Ssam	 * Add an extended supported rates element if operating in 11g mode.
116742Ssam	 */
116742Ssam	if (rs->rs_nrates > IEEE80211_RATE_SIZE) {
116742Ssam		int nrates = rs->rs_nrates - IEEE80211_RATE_SIZE;
116742Ssam		*frm++ = IEEE80211_ELEMID_XRATES;
116742Ssam		*frm++ = nrates;
116742Ssam		memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates);
116742Ssam		frm += nrates;
116742Ssam	}
116742Ssam	return frm;
116742Ssam}
116742Ssam
116742Ssam/*
178354Ssam * Add an ssid element to a frame.
116742Ssam */
170530Ssamstatic uint8_t *
170530Ssamieee80211_add_ssid(uint8_t *frm, const uint8_t *ssid, u_int len)
116742Ssam{
116742Ssam	*frm++ = IEEE80211_ELEMID_SSID;
116742Ssam	*frm++ = len;
116742Ssam	memcpy(frm, ssid, len);
116742Ssam	return frm + len;
116742Ssam}
116742Ssam
138568Ssam/*
138568Ssam * Add an erp element to a frame.
138568Ssam */
170530Ssamstatic uint8_t *
170530Ssamieee80211_add_erp(uint8_t *frm, struct ieee80211com *ic)
116742Ssam{
170530Ssam	uint8_t erp;
116742Ssam
138568Ssam	*frm++ = IEEE80211_ELEMID_ERP;
138568Ssam	*frm++ = 1;
138568Ssam	erp = 0;
138568Ssam	if (ic->ic_nonerpsta != 0)
138568Ssam		erp |= IEEE80211_ERP_NON_ERP_PRESENT;
138568Ssam	if (ic->ic_flags & IEEE80211_F_USEPROT)
138568Ssam		erp |= IEEE80211_ERP_USE_PROTECTION;
138568Ssam	if (ic->ic_flags & IEEE80211_F_USEBARKER)
138568Ssam		erp |= IEEE80211_ERP_LONG_PREAMBLE;
138568Ssam	*frm++ = erp;
138568Ssam	return frm;
138568Ssam}
138568Ssam
178354Ssam/*
178354Ssam * Add a CFParams element to a frame.
178354Ssam */
170530Ssamstatic uint8_t *
178354Ssamieee80211_add_cfparms(uint8_t *frm, struct ieee80211com *ic)
138568Ssam{
138568Ssam#define	ADDSHORT(frm, v) do {			\
138568Ssam	frm[0] = (v) & 0xff;			\
138568Ssam	frm[1] = (v) >> 8;			\
138568Ssam	frm += 2;				\
138568Ssam} while (0)
178354Ssam	*frm++ = IEEE80211_ELEMID_CFPARMS;
178354Ssam	*frm++ = 6;
178354Ssam	*frm++ = 0;		/* CFP count */
178354Ssam	*frm++ = 2;		/* CFP period */
178354Ssam	ADDSHORT(frm, 0);	/* CFP MaxDuration (TU) */
178354Ssam	ADDSHORT(frm, 0);	/* CFP CurRemaining (TU) */
138568Ssam	return frm;
138568Ssam#undef ADDSHORT
116742Ssam}
116742Ssam
178354Ssamstatic __inline uint8_t *
178354Ssamadd_appie(uint8_t *frm, const struct ieee80211_appie *ie)
138568Ssam{
178354Ssam	memcpy(frm, ie->ie_data, ie->ie_len);
178354Ssam	return frm + ie->ie_len;
138568Ssam}
138568Ssam
178354Ssamstatic __inline uint8_t *
178354Ssamadd_ie(uint8_t *frm, const uint8_t *ie)
138568Ssam{
178354Ssam	memcpy(frm, ie, 2 + ie[1]);
178354Ssam	return frm + 2 + ie[1];
138568Ssam}
138568Ssam
138568Ssam#define	WME_OUI_BYTES		0x00, 0x50, 0xf2
138568Ssam/*
138568Ssam * Add a WME information element to a frame.
138568Ssam */
170530Ssamstatic uint8_t *
170530Ssamieee80211_add_wme_info(uint8_t *frm, struct ieee80211_wme_state *wme)
138568Ssam{
138568Ssam	static const struct ieee80211_wme_info info = {
138568Ssam		.wme_id		= IEEE80211_ELEMID_VENDOR,
138568Ssam		.wme_len	= sizeof(struct ieee80211_wme_info) - 2,
138568Ssam		.wme_oui	= { WME_OUI_BYTES },
138568Ssam		.wme_type	= WME_OUI_TYPE,
138568Ssam		.wme_subtype	= WME_INFO_OUI_SUBTYPE,
138568Ssam		.wme_version	= WME_VERSION,
138568Ssam		.wme_info	= 0,
138568Ssam	};
138568Ssam	memcpy(frm, &info, sizeof(info));
138568Ssam	return frm + sizeof(info);
138568Ssam}
138568Ssam
138568Ssam/*
138568Ssam * Add a WME parameters element to a frame.
138568Ssam */
170530Ssamstatic uint8_t *
170530Ssamieee80211_add_wme_param(uint8_t *frm, struct ieee80211_wme_state *wme)
138568Ssam{
138568Ssam#define	SM(_v, _f)	(((_v) << _f##_S) & _f)
138568Ssam#define	ADDSHORT(frm, v) do {			\
138568Ssam	frm[0] = (v) & 0xff;			\
138568Ssam	frm[1] = (v) >> 8;			\
138568Ssam	frm += 2;				\
138568Ssam} while (0)
138568Ssam	/* NB: this works 'cuz a param has an info at the front */
138568Ssam	static const struct ieee80211_wme_info param = {
138568Ssam		.wme_id		= IEEE80211_ELEMID_VENDOR,
138568Ssam		.wme_len	= sizeof(struct ieee80211_wme_param) - 2,
138568Ssam		.wme_oui	= { WME_OUI_BYTES },
138568Ssam		.wme_type	= WME_OUI_TYPE,
138568Ssam		.wme_subtype	= WME_PARAM_OUI_SUBTYPE,
138568Ssam		.wme_version	= WME_VERSION,
138568Ssam	};
138568Ssam	int i;
138568Ssam
138568Ssam	memcpy(frm, &param, sizeof(param));
138568Ssam	frm += __offsetof(struct ieee80211_wme_info, wme_info);
138568Ssam	*frm++ = wme->wme_bssChanParams.cap_info;	/* AC info */
138568Ssam	*frm++ = 0;					/* reserved field */
138568Ssam	for (i = 0; i < WME_NUM_AC; i++) {
138568Ssam		const struct wmeParams *ac =
138568Ssam		       &wme->wme_bssChanParams.cap_wmeParams[i];
138568Ssam		*frm++ = SM(i, WME_PARAM_ACI)
138568Ssam		       | SM(ac->wmep_acm, WME_PARAM_ACM)
138568Ssam		       | SM(ac->wmep_aifsn, WME_PARAM_AIFSN)
138568Ssam		       ;
138568Ssam		*frm++ = SM(ac->wmep_logcwmax, WME_PARAM_LOGCWMAX)
138568Ssam		       | SM(ac->wmep_logcwmin, WME_PARAM_LOGCWMIN)
138568Ssam		       ;
138568Ssam		ADDSHORT(frm, ac->wmep_txopLimit);
138568Ssam	}
138568Ssam	return frm;
138568Ssam#undef SM
138568Ssam#undef ADDSHORT
138568Ssam}
138568Ssam#undef WME_OUI_BYTES
138568Ssam
138568Ssam/*
178354Ssam * Add an 11h Power Constraint element to a frame.
178354Ssam */
178354Ssamstatic uint8_t *
178354Ssamieee80211_add_powerconstraint(uint8_t *frm, struct ieee80211vap *vap)
178354Ssam{
178354Ssam	const struct ieee80211_channel *c = vap->iv_bss->ni_chan;
178354Ssam	/* XXX per-vap tx power limit? */
178354Ssam	int8_t limit = vap->iv_ic->ic_txpowlimit / 2;
178354Ssam
178354Ssam	frm[0] = IEEE80211_ELEMID_PWRCNSTR;
178354Ssam	frm[1] = 1;
178354Ssam	frm[2] = c->ic_maxregpower > limit ?  c->ic_maxregpower - limit : 0;
178354Ssam	return frm + 3;
178354Ssam}
178354Ssam
178354Ssam/*
178354Ssam * Add an 11h Power Capability element to a frame.
178354Ssam */
178354Ssamstatic uint8_t *
178354Ssamieee80211_add_powercapability(uint8_t *frm, const struct ieee80211_channel *c)
178354Ssam{
178354Ssam	frm[0] = IEEE80211_ELEMID_PWRCAP;
178354Ssam	frm[1] = 2;
178354Ssam	frm[2] = c->ic_minpower;
178354Ssam	frm[3] = c->ic_maxpower;
178354Ssam	return frm + 4;
178354Ssam}
178354Ssam
178354Ssam/*
178354Ssam * Add an 11h Supported Channels element to a frame.
178354Ssam */
178354Ssamstatic uint8_t *
178354Ssamieee80211_add_supportedchannels(uint8_t *frm, struct ieee80211com *ic)
178354Ssam{
178354Ssam	static const int ielen = 26;
178354Ssam
178354Ssam	frm[0] = IEEE80211_ELEMID_SUPPCHAN;
178354Ssam	frm[1] = ielen;
178354Ssam	/* XXX not correct */
178354Ssam	memcpy(frm+2, ic->ic_chan_avail, ielen);
178354Ssam	return frm + 2 + ielen;
178354Ssam}
178354Ssam
178354Ssam/*
178354Ssam * Add an 11h Channel Switch Announcement element to a frame.
178354Ssam * Note that we use the per-vap CSA count to adjust the global
178354Ssam * counter so we can use this routine to form probe response
178354Ssam * frames and get the current count.
178354Ssam */
178354Ssamstatic uint8_t *
178354Ssamieee80211_add_csa(uint8_t *frm, struct ieee80211vap *vap)
178354Ssam{
178354Ssam	struct ieee80211com *ic = vap->iv_ic;
178354Ssam	struct ieee80211_csa_ie *csa = (struct ieee80211_csa_ie *) frm;
178354Ssam
193439Ssam	csa->csa_ie = IEEE80211_ELEMID_CSA;
178354Ssam	csa->csa_len = 3;
178354Ssam	csa->csa_mode = 1;		/* XXX force quiet on channel */
178354Ssam	csa->csa_newchan = ieee80211_chan2ieee(ic, ic->ic_csa_newchan);
178354Ssam	csa->csa_count = ic->ic_csa_count - vap->iv_csa_count;
178354Ssam	return frm + sizeof(*csa);
178354Ssam}
178354Ssam
178354Ssam/*
178354Ssam * Add an 11h country information element to a frame.
178354Ssam */
178354Ssamstatic uint8_t *
178354Ssamieee80211_add_countryie(uint8_t *frm, struct ieee80211com *ic)
178354Ssam{
178354Ssam
178354Ssam	if (ic->ic_countryie == NULL ||
178354Ssam	    ic->ic_countryie_chan != ic->ic_bsschan) {
178354Ssam		/*
178354Ssam		 * Handle lazy construction of ie.  This is done on
178354Ssam		 * first use and after a channel change that requires
178354Ssam		 * re-calculation.
178354Ssam		 */
178354Ssam		if (ic->ic_countryie != NULL)
178354Ssam			free(ic->ic_countryie, M_80211_NODE_IE);
178354Ssam		ic->ic_countryie = ieee80211_alloc_countryie(ic);
178354Ssam		if (ic->ic_countryie == NULL)
178354Ssam			return frm;
178354Ssam		ic->ic_countryie_chan = ic->ic_bsschan;
178354Ssam	}
178354Ssam	return add_appie(frm, ic->ic_countryie);
178354Ssam}
178354Ssam
178354Ssam/*
148315Ssam * Send a probe request frame with the specified ssid
148315Ssam * and any optional information element data.
148315Ssam */
148315Ssamint
148315Ssamieee80211_send_probereq(struct ieee80211_node *ni,
170530Ssam	const uint8_t sa[IEEE80211_ADDR_LEN],
170530Ssam	const uint8_t da[IEEE80211_ADDR_LEN],
170530Ssam	const uint8_t bssid[IEEE80211_ADDR_LEN],
178354Ssam	const uint8_t *ssid, size_t ssidlen)
148315Ssam{
178354Ssam	struct ieee80211vap *vap = ni->ni_vap;
148315Ssam	struct ieee80211com *ic = ni->ni_ic;
184284Ssam	const struct ieee80211_txparam *tp;
184284Ssam	struct ieee80211_bpf_params params;
148315Ssam	struct ieee80211_frame *wh;
165569Ssam	const struct ieee80211_rateset *rs;
148315Ssam	struct mbuf *m;
170530Ssam	uint8_t *frm;
148315Ssam
178354Ssam	if (vap->iv_state == IEEE80211_S_CAC) {
178354Ssam		IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, ni,
178354Ssam		    "block %s frame in CAC state", "probe request");
178354Ssam		vap->iv_stats.is_tx_badstate++;
178354Ssam		return EIO;		/* XXX */
178354Ssam	}
178354Ssam
148315Ssam	/*
148315Ssam	 * Hold a reference on the node so it doesn't go away until after
148315Ssam	 * the xmit is complete all the way in the driver.  On error we
148315Ssam	 * will remove our reference.
148315Ssam	 */
178354Ssam	IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE,
148315Ssam		"ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n",
148315Ssam		__func__, __LINE__,
148315Ssam		ni, ether_sprintf(ni->ni_macaddr),
148315Ssam		ieee80211_node_refcnt(ni)+1);
148315Ssam	ieee80211_ref_node(ni);
148315Ssam
148315Ssam	/*
148315Ssam	 * prreq frame format
148315Ssam	 *	[tlv] ssid
148315Ssam	 *	[tlv] supported rates
178354Ssam	 *	[tlv] RSN (optional)
148315Ssam	 *	[tlv] extended supported rates
178354Ssam	 *	[tlv] WPA (optional)
148315Ssam	 *	[tlv] user-specified ie's
148315Ssam	 */
148315Ssam	m = ieee80211_getmgtframe(&frm,
170530Ssam		 ic->ic_headroom + sizeof(struct ieee80211_frame),
178354Ssam	       	 2 + IEEE80211_NWID_LEN
148315Ssam	       + 2 + IEEE80211_RATE_SIZE
178354Ssam	       + sizeof(struct ieee80211_ie_wpa)
148315Ssam	       + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
178354Ssam	       + sizeof(struct ieee80211_ie_wpa)
178354Ssam	       + (vap->iv_appie_probereq != NULL ?
178354Ssam		   vap->iv_appie_probereq->ie_len : 0)
148315Ssam	);
148315Ssam	if (m == NULL) {
178354Ssam		vap->iv_stats.is_tx_nobuf++;
148315Ssam		ieee80211_free_node(ni);
148315Ssam		return ENOMEM;
148315Ssam	}
148315Ssam
148315Ssam	frm = ieee80211_add_ssid(frm, ssid, ssidlen);
165569Ssam	rs = ieee80211_get_suprates(ic, ic->ic_curchan);
165569Ssam	frm = ieee80211_add_rates(frm, rs);
178354Ssam	if (vap->iv_flags & IEEE80211_F_WPA2) {
178354Ssam		if (vap->iv_rsn_ie != NULL)
178354Ssam			frm = add_ie(frm, vap->iv_rsn_ie);
178354Ssam		/* XXX else complain? */
178354Ssam	}
165569Ssam	frm = ieee80211_add_xrates(frm, rs);
178354Ssam	if (vap->iv_flags & IEEE80211_F_WPA1) {
178354Ssam		if (vap->iv_wpa_ie != NULL)
178354Ssam			frm = add_ie(frm, vap->iv_wpa_ie);
178354Ssam		/* XXX else complain? */
148315Ssam	}
178354Ssam	if (vap->iv_appie_probereq != NULL)
178354Ssam		frm = add_appie(frm, vap->iv_appie_probereq);
170530Ssam	m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
148315Ssam
184284Ssam	KASSERT(M_LEADINGSPACE(m) >= sizeof(struct ieee80211_frame),
184284Ssam	    ("leading space %zd", M_LEADINGSPACE(m)));
148315Ssam	M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT);
184284Ssam	if (m == NULL) {
184284Ssam		/* NB: cannot happen */
184284Ssam		ieee80211_free_node(ni);
148315Ssam		return ENOMEM;
184284Ssam	}
148315Ssam
148315Ssam	wh = mtod(m, struct ieee80211_frame *);
191544Ssam	ieee80211_send_setup(ni, m,
184282Ssam	     IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_REQ,
184282Ssam	     IEEE80211_NONQOS_TID, sa, da, bssid);
148315Ssam	/* XXX power management? */
184286Ssam	m->m_flags |= M_ENCAP;		/* mark encapsulated */
148315Ssam
178354Ssam	M_WME_SETAC(m, WME_AC_BE);
178354Ssam
148315Ssam	IEEE80211_NODE_STAT(ni, tx_probereq);
148315Ssam	IEEE80211_NODE_STAT(ni, tx_mgmt);
148315Ssam
178354Ssam	IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS,
178354Ssam	    "send probe req on channel %u bssid %s ssid \"%.*s\"\n",
178354Ssam	    ieee80211_chan2ieee(ic, ic->ic_curchan), ether_sprintf(bssid),
178354Ssam	    ssidlen, ssid);
148315Ssam
184284Ssam	memset(&params, 0, sizeof(params));
184284Ssam	params.ibp_pri = M_WME_GETAC(m);
184284Ssam	tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
184284Ssam	params.ibp_rate0 = tp->mgmtrate;
184284Ssam	if (IEEE80211_IS_MULTICAST(da)) {
184284Ssam		params.ibp_flags |= IEEE80211_BPF_NOACK;
184284Ssam		params.ibp_try0 = 1;
184284Ssam	} else
184284Ssam		params.ibp_try0 = tp->maxretry;
184284Ssam	params.ibp_power = ni->ni_txpower;
184284Ssam	return ic->ic_raw_xmit(ni, m, &params);
148315Ssam}
148315Ssam
148315Ssam/*
155999Ssam * Calculate capability information for mgt frames.
155999Ssam */
170530Ssamstatic uint16_t
178354Ssamgetcapinfo(struct ieee80211vap *vap, struct ieee80211_channel *chan)
155999Ssam{
178354Ssam	struct ieee80211com *ic = vap->iv_ic;
170530Ssam	uint16_t capinfo;
155999Ssam
178354Ssam	KASSERT(vap->iv_opmode != IEEE80211_M_STA, ("station mode"));
155999Ssam
178354Ssam	if (vap->iv_opmode == IEEE80211_M_HOSTAP)
155999Ssam		capinfo = IEEE80211_CAPINFO_ESS;
178354Ssam	else if (vap->iv_opmode == IEEE80211_M_IBSS)
155999Ssam		capinfo = IEEE80211_CAPINFO_IBSS;
155999Ssam	else
155999Ssam		capinfo = 0;
178354Ssam	if (vap->iv_flags & IEEE80211_F_PRIVACY)
155999Ssam		capinfo |= IEEE80211_CAPINFO_PRIVACY;
155999Ssam	if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
155999Ssam	    IEEE80211_IS_CHAN_2GHZ(chan))
155999Ssam		capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
155999Ssam	if (ic->ic_flags & IEEE80211_F_SHSLOT)
155999Ssam		capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
178354Ssam	if (IEEE80211_IS_CHAN_5GHZ(chan) && (vap->iv_flags & IEEE80211_F_DOTH))
178354Ssam		capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT;
155999Ssam	return capinfo;
155999Ssam}
155999Ssam
155999Ssam/*
119150Ssam * Send a management frame.  The node is for the destination (or ic_bss
119150Ssam * when in station mode).  Nodes other than ic_bss have their reference
119150Ssam * count bumped to reflect our use for an indeterminant time.
119150Ssam */
116742Ssamint
178354Ssamieee80211_send_mgmt(struct ieee80211_node *ni, int type, int arg)
116742Ssam{
173273Ssam#define	HTFLAGS (IEEE80211_NODE_HT | IEEE80211_NODE_HTCOMPAT)
178354Ssam#define	senderr(_x, _v)	do { vap->iv_stats._v++; ret = _x; goto bad; } while (0)
178354Ssam	struct ieee80211vap *vap = ni->ni_vap;
178354Ssam	struct ieee80211com *ic = ni->ni_ic;
178354Ssam	struct ieee80211_node *bss = vap->iv_bss;
184282Ssam	struct ieee80211_bpf_params params;
116742Ssam	struct mbuf *m;
170530Ssam	uint8_t *frm;
170530Ssam	uint16_t capinfo;
170530Ssam	int has_challenge, is_shared_key, ret, status;
116742Ssam
119150Ssam	KASSERT(ni != NULL, ("null node"));
119150Ssam
119150Ssam	/*
119150Ssam	 * Hold a reference on the node so it doesn't go away until after
119150Ssam	 * the xmit is complete all the way in the driver.  On error we
119150Ssam	 * will remove our reference.
119150Ssam	 */
178354Ssam	IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE,
140766Ssam		"ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n",
138568Ssam		__func__, __LINE__,
140766Ssam		ni, ether_sprintf(ni->ni_macaddr),
140766Ssam		ieee80211_node_refcnt(ni)+1);
138568Ssam	ieee80211_ref_node(ni);
138568Ssam
184282Ssam	memset(&params, 0, sizeof(params));
116742Ssam	switch (type) {
116742Ssam
116742Ssam	case IEEE80211_FC0_SUBTYPE_AUTH:
138568Ssam		status = arg >> 16;
138568Ssam		arg &= 0xffff;
138568Ssam		has_challenge = ((arg == IEEE80211_AUTH_SHARED_CHALLENGE ||
138568Ssam		    arg == IEEE80211_AUTH_SHARED_RESPONSE) &&
138568Ssam		    ni->ni_challenge != NULL);
138568Ssam
138568Ssam		/*
138568Ssam		 * Deduce whether we're doing open authentication or
138568Ssam		 * shared key authentication.  We do the latter if
138568Ssam		 * we're in the middle of a shared key authentication
138568Ssam		 * handshake or if we're initiating an authentication
138568Ssam		 * request and configured to use shared key.
138568Ssam		 */
138568Ssam		is_shared_key = has_challenge ||
138568Ssam		     arg >= IEEE80211_AUTH_SHARED_RESPONSE ||
138568Ssam		     (arg == IEEE80211_AUTH_SHARED_REQUEST &&
178354Ssam		      bss->ni_authmode == IEEE80211_AUTH_SHARED);
138568Ssam
138568Ssam		m = ieee80211_getmgtframe(&frm,
184282Ssam			  ic->ic_headroom + sizeof(struct ieee80211_frame),
170530Ssam			  3 * sizeof(uint16_t)
138568Ssam			+ (has_challenge && status == IEEE80211_STATUS_SUCCESS ?
170530Ssam				sizeof(uint16_t)+IEEE80211_CHALLENGE_LEN : 0)
138568Ssam		);
116742Ssam		if (m == NULL)
138568Ssam			senderr(ENOMEM, is_tx_nobuf);
138568Ssam
170530Ssam		((uint16_t *)frm)[0] =
138568Ssam		    (is_shared_key) ? htole16(IEEE80211_AUTH_ALG_SHARED)
138568Ssam		                    : htole16(IEEE80211_AUTH_ALG_OPEN);
170530Ssam		((uint16_t *)frm)[1] = htole16(arg);	/* sequence number */
170530Ssam		((uint16_t *)frm)[2] = htole16(status);/* status */
138568Ssam
138568Ssam		if (has_challenge && status == IEEE80211_STATUS_SUCCESS) {
170530Ssam			((uint16_t *)frm)[3] =
138568Ssam			    htole16((IEEE80211_CHALLENGE_LEN << 8) |
138568Ssam			    IEEE80211_ELEMID_CHALLENGE);
170530Ssam			memcpy(&((uint16_t *)frm)[4], ni->ni_challenge,
138568Ssam			    IEEE80211_CHALLENGE_LEN);
138568Ssam			m->m_pkthdr.len = m->m_len =
170530Ssam				4 * sizeof(uint16_t) + IEEE80211_CHALLENGE_LEN;
138568Ssam			if (arg == IEEE80211_AUTH_SHARED_RESPONSE) {
178354Ssam				IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
178354Ssam				    "request encrypt frame (%s)", __func__);
184282Ssam				/* mark frame for encryption */
184282Ssam				params.ibp_flags |= IEEE80211_BPF_CRYPTO;
138568Ssam			}
138568Ssam		} else
170530Ssam			m->m_pkthdr.len = m->m_len = 3 * sizeof(uint16_t);
138568Ssam
138568Ssam		/* XXX not right for shared key */
138568Ssam		if (status == IEEE80211_STATUS_SUCCESS)
138568Ssam			IEEE80211_NODE_STAT(ni, tx_auth);
138568Ssam		else
138568Ssam			IEEE80211_NODE_STAT(ni, tx_auth_fail);
138568Ssam
178354Ssam		if (vap->iv_opmode == IEEE80211_M_STA)
170530Ssam			ieee80211_add_callback(m, ieee80211_tx_mgt_cb,
178354Ssam				(void *) vap->iv_state);
116742Ssam		break;
116742Ssam
116742Ssam	case IEEE80211_FC0_SUBTYPE_DEAUTH:
178354Ssam		IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
178354Ssam		    "send station deauthenticate (reason %d)", arg);
170530Ssam		m = ieee80211_getmgtframe(&frm,
170530Ssam			ic->ic_headroom + sizeof(struct ieee80211_frame),
170530Ssam			sizeof(uint16_t));
116742Ssam		if (m == NULL)
138568Ssam			senderr(ENOMEM, is_tx_nobuf);
170530Ssam		*(uint16_t *)frm = htole16(arg);	/* reason */
170530Ssam		m->m_pkthdr.len = m->m_len = sizeof(uint16_t);
138568Ssam
138568Ssam		IEEE80211_NODE_STAT(ni, tx_deauth);
138568Ssam		IEEE80211_NODE_STAT_SET(ni, tx_deauth_code, arg);
138568Ssam
148302Ssam		ieee80211_node_unauthorize(ni);		/* port closed */
116742Ssam		break;
116742Ssam
116742Ssam	case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
116742Ssam	case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
116742Ssam		/*
116742Ssam		 * asreq frame format
116742Ssam		 *	[2] capability information
116742Ssam		 *	[2] listen interval
116742Ssam		 *	[6*] current AP address (reassoc only)
116742Ssam		 *	[tlv] ssid
116742Ssam		 *	[tlv] supported rates
116742Ssam		 *	[tlv] extended supported rates
178354Ssam		 *	[4] power capability (optional)
178354Ssam		 *	[28] supported channels (optional)
170530Ssam		 *	[tlv] HT capabilities
178354Ssam		 *	[tlv] WME (optional)
170530Ssam		 *	[tlv] Vendor OUI HT capabilities (optional)
170530Ssam		 *	[tlv] Atheros capabilities (if negotiated)
178354Ssam		 *	[tlv] AppIE's (optional)
116742Ssam		 */
138568Ssam		m = ieee80211_getmgtframe(&frm,
170530Ssam			 ic->ic_headroom + sizeof(struct ieee80211_frame),
170530Ssam			 sizeof(uint16_t)
170530Ssam		       + sizeof(uint16_t)
116742Ssam		       + IEEE80211_ADDR_LEN
138568Ssam		       + 2 + IEEE80211_NWID_LEN
116742Ssam		       + 2 + IEEE80211_RATE_SIZE
138568Ssam		       + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
178354Ssam		       + 4
178354Ssam		       + 2 + 26
138568Ssam		       + sizeof(struct ieee80211_wme_info)
178354Ssam		       + sizeof(struct ieee80211_ie_htcap)
178354Ssam		       + 4 + sizeof(struct ieee80211_ie_htcap)
190391Ssam#ifdef IEEE80211_SUPPORT_SUPERG
170530Ssam		       + sizeof(struct ieee80211_ath_ie)
190391Ssam#endif
178354Ssam		       + (vap->iv_appie_wpa != NULL ?
178354Ssam				vap->iv_appie_wpa->ie_len : 0)
178354Ssam		       + (vap->iv_appie_assocreq != NULL ?
178354Ssam				vap->iv_appie_assocreq->ie_len : 0)
138568Ssam		);
116742Ssam		if (m == NULL)
138568Ssam			senderr(ENOMEM, is_tx_nobuf);
116742Ssam
178354Ssam		KASSERT(vap->iv_opmode == IEEE80211_M_STA,
178354Ssam		    ("wrong mode %u", vap->iv_opmode));
155999Ssam		capinfo = IEEE80211_CAPINFO_ESS;
178354Ssam		if (vap->iv_flags & IEEE80211_F_PRIVACY)
116742Ssam			capinfo |= IEEE80211_CAPINFO_PRIVACY;
120070Ssam		/*
120070Ssam		 * NB: Some 11a AP's reject the request when
120070Ssam		 *     short premable is set.
120070Ssam		 */
120070Ssam		if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
148936Ssam		    IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan))
116742Ssam			capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
170530Ssam		if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
138568Ssam		    (ic->ic_caps & IEEE80211_C_SHSLOT))
116742Ssam			capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
173273Ssam		if ((ni->ni_capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) &&
178354Ssam		    (vap->iv_flags & IEEE80211_F_DOTH))
173273Ssam			capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT;
170530Ssam		*(uint16_t *)frm = htole16(capinfo);
116742Ssam		frm += 2;
116742Ssam
178354Ssam		KASSERT(bss->ni_intval != 0, ("beacon interval is zero!"));
170530Ssam		*(uint16_t *)frm = htole16(howmany(ic->ic_lintval,
178354Ssam						    bss->ni_intval));
116742Ssam		frm += 2;
116742Ssam
116742Ssam		if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
178354Ssam			IEEE80211_ADDR_COPY(frm, bss->ni_bssid);
116742Ssam			frm += IEEE80211_ADDR_LEN;
116742Ssam		}
116742Ssam
116742Ssam		frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen);
116742Ssam		frm = ieee80211_add_rates(frm, &ni->ni_rates);
178354Ssam		if (vap->iv_flags & IEEE80211_F_WPA2) {
178354Ssam			if (vap->iv_rsn_ie != NULL)
178354Ssam				frm = add_ie(frm, vap->iv_rsn_ie);
178354Ssam			/* XXX else complain? */
178354Ssam		}
116742Ssam		frm = ieee80211_add_xrates(frm, &ni->ni_rates);
178354Ssam		if (capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) {
178354Ssam			frm = ieee80211_add_powercapability(frm,
178354Ssam			    ic->ic_curchan);
178354Ssam			frm = ieee80211_add_supportedchannels(frm, ic);
178354Ssam		}
193655Ssam		if ((vap->iv_flags_ht & IEEE80211_FHT_HT) &&
178354Ssam		    ni->ni_ies.htcap_ie != NULL &&
178354Ssam		    ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_HTCAP)
173273Ssam			frm = ieee80211_add_htcap(frm, ni);
178354Ssam		if (vap->iv_flags & IEEE80211_F_WPA1) {
178354Ssam			if (vap->iv_wpa_ie != NULL)
178354Ssam				frm = add_ie(frm, vap->iv_wpa_ie);
178354Ssam			/* XXX else complain */
178354Ssam		}
178354Ssam		if ((ic->ic_flags & IEEE80211_F_WME) &&
178354Ssam		    ni->ni_ies.wme_ie != NULL)
138568Ssam			frm = ieee80211_add_wme_info(frm, &ic->ic_wme);
193655Ssam		if ((vap->iv_flags_ht & IEEE80211_FHT_HT) &&
178354Ssam		    ni->ni_ies.htcap_ie != NULL &&
178354Ssam		    ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_VENDOR)
173273Ssam			frm = ieee80211_add_htcap_vendor(frm, ni);
190391Ssam#ifdef IEEE80211_SUPPORT_SUPERG
190451Ssam		if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS)) {
190451Ssam			frm = ieee80211_add_ath(frm,
178354Ssam				IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS),
190451Ssam				((vap->iv_flags & IEEE80211_F_WPA) == 0 &&
190451Ssam				 ni->ni_authmode != IEEE80211_AUTH_8021X) ?
190451Ssam				vap->iv_def_txkey : IEEE80211_KEYIX_NONE);
190451Ssam		}
190391Ssam#endif /* IEEE80211_SUPPORT_SUPERG */
178354Ssam		if (vap->iv_appie_assocreq != NULL)
178354Ssam			frm = add_appie(frm, vap->iv_appie_assocreq);
170530Ssam		m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
116742Ssam
170530Ssam		ieee80211_add_callback(m, ieee80211_tx_mgt_cb,
178354Ssam			(void *) vap->iv_state);
116742Ssam		break;
116742Ssam
116742Ssam	case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
116742Ssam	case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
116742Ssam		/*
170530Ssam		 * asresp frame format
116742Ssam		 *	[2] capability information
116742Ssam		 *	[2] status
116742Ssam		 *	[2] association ID
116742Ssam		 *	[tlv] supported rates
116742Ssam		 *	[tlv] extended supported rates
178354Ssam		 *	[tlv] HT capabilities (standard, if STA enabled)
178354Ssam		 *	[tlv] HT information (standard, if STA enabled)
178354Ssam		 *	[tlv] WME (if configured and STA enabled)
178354Ssam		 *	[tlv] HT capabilities (vendor OUI, if STA enabled)
178354Ssam		 *	[tlv] HT information (vendor OUI, if STA enabled)
178354Ssam		 *	[tlv] Atheros capabilities (if STA enabled)
178354Ssam		 *	[tlv] AppIE's (optional)
116742Ssam		 */
138568Ssam		m = ieee80211_getmgtframe(&frm,
170530Ssam			 ic->ic_headroom + sizeof(struct ieee80211_frame),
170530Ssam			 sizeof(uint16_t)
170530Ssam		       + sizeof(uint16_t)
170530Ssam		       + sizeof(uint16_t)
116742Ssam		       + 2 + IEEE80211_RATE_SIZE
138568Ssam		       + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
170530Ssam		       + sizeof(struct ieee80211_ie_htcap) + 4
170530Ssam		       + sizeof(struct ieee80211_ie_htinfo) + 4
178354Ssam		       + sizeof(struct ieee80211_wme_param)
190391Ssam#ifdef IEEE80211_SUPPORT_SUPERG
170530Ssam		       + sizeof(struct ieee80211_ath_ie)
190391Ssam#endif
178354Ssam		       + (vap->iv_appie_assocresp != NULL ?
178354Ssam				vap->iv_appie_assocresp->ie_len : 0)
138568Ssam		);
116742Ssam		if (m == NULL)
138568Ssam			senderr(ENOMEM, is_tx_nobuf);
116742Ssam
178354Ssam		capinfo = getcapinfo(vap, bss->ni_chan);
170530Ssam		*(uint16_t *)frm = htole16(capinfo);
116742Ssam		frm += 2;
116742Ssam
170530Ssam		*(uint16_t *)frm = htole16(arg);	/* status */
116742Ssam		frm += 2;
116742Ssam
138568Ssam		if (arg == IEEE80211_STATUS_SUCCESS) {
170530Ssam			*(uint16_t *)frm = htole16(ni->ni_associd);
138568Ssam			IEEE80211_NODE_STAT(ni, tx_assoc);
138568Ssam		} else
138568Ssam			IEEE80211_NODE_STAT(ni, tx_assoc_fail);
116742Ssam		frm += 2;
116742Ssam
119150Ssam		frm = ieee80211_add_rates(frm, &ni->ni_rates);
119150Ssam		frm = ieee80211_add_xrates(frm, &ni->ni_rates);
173273Ssam		/* NB: respond according to what we received */
173273Ssam		if ((ni->ni_flags & HTFLAGS) == IEEE80211_NODE_HT) {
173273Ssam			frm = ieee80211_add_htcap(frm, ni);
173273Ssam			frm = ieee80211_add_htinfo(frm, ni);
173273Ssam		}
178354Ssam		if ((vap->iv_flags & IEEE80211_F_WME) &&
178354Ssam		    ni->ni_ies.wme_ie != NULL)
138568Ssam			frm = ieee80211_add_wme_param(frm, &ic->ic_wme);
173273Ssam		if ((ni->ni_flags & HTFLAGS) == HTFLAGS) {
173273Ssam			frm = ieee80211_add_htcap_vendor(frm, ni);
173273Ssam			frm = ieee80211_add_htinfo_vendor(frm, ni);
170530Ssam		}
190391Ssam#ifdef IEEE80211_SUPPORT_SUPERG
178354Ssam		if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS))
190451Ssam			frm = ieee80211_add_ath(frm,
178354Ssam				IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS),
190451Ssam				((vap->iv_flags & IEEE80211_F_WPA) == 0 &&
190451Ssam				 ni->ni_authmode != IEEE80211_AUTH_8021X) ?
190451Ssam				vap->iv_def_txkey : IEEE80211_KEYIX_NONE);
190391Ssam#endif /* IEEE80211_SUPPORT_SUPERG */
178354Ssam		if (vap->iv_appie_assocresp != NULL)
178354Ssam			frm = add_appie(frm, vap->iv_appie_assocresp);
170530Ssam		m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
116742Ssam		break;
116742Ssam
116742Ssam	case IEEE80211_FC0_SUBTYPE_DISASSOC:
178354Ssam		IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
178354Ssam		    "send station disassociate (reason %d)", arg);
170530Ssam		m = ieee80211_getmgtframe(&frm,
170530Ssam			ic->ic_headroom + sizeof(struct ieee80211_frame),
170530Ssam			sizeof(uint16_t));
116742Ssam		if (m == NULL)
138568Ssam			senderr(ENOMEM, is_tx_nobuf);
170530Ssam		*(uint16_t *)frm = htole16(arg);	/* reason */
170530Ssam		m->m_pkthdr.len = m->m_len = sizeof(uint16_t);
138568Ssam
138568Ssam		IEEE80211_NODE_STAT(ni, tx_disassoc);
138568Ssam		IEEE80211_NODE_STAT_SET(ni, tx_disassoc_code, arg);
116742Ssam		break;
116742Ssam
116742Ssam	default:
178354Ssam		IEEE80211_NOTE(vap, IEEE80211_MSG_ANY, ni,
178354Ssam		    "invalid mgmt frame type %u", type);
121180Ssam		senderr(EINVAL, is_tx_unknownmgt);
119150Ssam		/* NOTREACHED */
116742Ssam	}
170530Ssam
184282Ssam	/* NB: force non-ProbeResp frames to the highest queue */
184282Ssam	params.ibp_pri = WME_AC_VO;
184282Ssam	params.ibp_rate0 = bss->ni_txparms->mgmtrate;
184282Ssam	/* NB: we know all frames are unicast */
184282Ssam	params.ibp_try0 = bss->ni_txparms->maxretry;
184282Ssam	params.ibp_power = bss->ni_txpower;
184282Ssam	return ieee80211_mgmt_output(ni, m, type, &params);
119150Ssambad:
170530Ssam	ieee80211_free_node(ni);
116742Ssam	return ret;
119150Ssam#undef senderr
173273Ssam#undef HTFLAGS
116742Ssam}
138568Ssam
178354Ssam/*
178354Ssam * Return an mbuf with a probe response frame in it.
178354Ssam * Space is left to prepend and 802.11 header at the
178354Ssam * front but it's left to the caller to fill in.
178354Ssam */
178354Ssamstruct mbuf *
178354Ssamieee80211_alloc_proberesp(struct ieee80211_node *bss, int legacy)
178354Ssam{
178354Ssam	struct ieee80211vap *vap = bss->ni_vap;
178354Ssam	struct ieee80211com *ic = bss->ni_ic;
178354Ssam	const struct ieee80211_rateset *rs;
178354Ssam	struct mbuf *m;
178354Ssam	uint16_t capinfo;
178354Ssam	uint8_t *frm;
178354Ssam
178354Ssam	/*
178354Ssam	 * probe response frame format
178354Ssam	 *	[8] time stamp
178354Ssam	 *	[2] beacon interval
178354Ssam	 *	[2] cabability information
178354Ssam	 *	[tlv] ssid
178354Ssam	 *	[tlv] supported rates
178354Ssam	 *	[tlv] parameter set (FH/DS)
178354Ssam	 *	[tlv] parameter set (IBSS)
178354Ssam	 *	[tlv] country (optional)
178354Ssam	 *	[3] power control (optional)
178354Ssam	 *	[5] channel switch announcement (CSA) (optional)
178354Ssam	 *	[tlv] extended rate phy (ERP)
178354Ssam	 *	[tlv] extended supported rates
180351Ssam	 *	[tlv] RSN (optional)
178354Ssam	 *	[tlv] HT capabilities
178354Ssam	 *	[tlv] HT information
178354Ssam	 *	[tlv] WPA (optional)
178354Ssam	 *	[tlv] WME (optional)
178354Ssam	 *	[tlv] Vendor OUI HT capabilities (optional)
178354Ssam	 *	[tlv] Vendor OUI HT information (optional)
178354Ssam	 *	[tlv] Atheros capabilities
178354Ssam	 *	[tlv] AppIE's (optional)
178354Ssam	 */
178354Ssam	m = ieee80211_getmgtframe(&frm,
178354Ssam		 ic->ic_headroom + sizeof(struct ieee80211_frame),
178354Ssam		 8
178354Ssam	       + sizeof(uint16_t)
178354Ssam	       + sizeof(uint16_t)
178354Ssam	       + 2 + IEEE80211_NWID_LEN
178354Ssam	       + 2 + IEEE80211_RATE_SIZE
178354Ssam	       + 7	/* max(7,3) */
178354Ssam	       + IEEE80211_COUNTRY_MAX_SIZE
178354Ssam	       + 3
178354Ssam	       + sizeof(struct ieee80211_csa_ie)
178354Ssam	       + 3
178354Ssam	       + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
180351Ssam	       + sizeof(struct ieee80211_ie_wpa)
178354Ssam	       + sizeof(struct ieee80211_ie_htcap)
178354Ssam	       + sizeof(struct ieee80211_ie_htinfo)
178354Ssam	       + sizeof(struct ieee80211_ie_wpa)
178354Ssam	       + sizeof(struct ieee80211_wme_param)
178354Ssam	       + 4 + sizeof(struct ieee80211_ie_htcap)
178354Ssam	       + 4 + sizeof(struct ieee80211_ie_htinfo)
190391Ssam#ifdef IEEE80211_SUPPORT_SUPERG
178354Ssam	       + sizeof(struct ieee80211_ath_ie)
190391Ssam#endif
178354Ssam	       + (vap->iv_appie_proberesp != NULL ?
178354Ssam			vap->iv_appie_proberesp->ie_len : 0)
178354Ssam	);
178354Ssam	if (m == NULL) {
178354Ssam		vap->iv_stats.is_tx_nobuf++;
178354Ssam		return NULL;
178354Ssam	}
178354Ssam
178354Ssam	memset(frm, 0, 8);	/* timestamp should be filled later */
178354Ssam	frm += 8;
178354Ssam	*(uint16_t *)frm = htole16(bss->ni_intval);
178354Ssam	frm += 2;
178354Ssam	capinfo = getcapinfo(vap, bss->ni_chan);
178354Ssam	*(uint16_t *)frm = htole16(capinfo);
178354Ssam	frm += 2;
178354Ssam
178354Ssam	frm = ieee80211_add_ssid(frm, bss->ni_essid, bss->ni_esslen);
178354Ssam	rs = ieee80211_get_suprates(ic, bss->ni_chan);
178354Ssam	frm = ieee80211_add_rates(frm, rs);
178354Ssam
178354Ssam	if (IEEE80211_IS_CHAN_FHSS(bss->ni_chan)) {
178354Ssam		*frm++ = IEEE80211_ELEMID_FHPARMS;
178354Ssam		*frm++ = 5;
178354Ssam		*frm++ = bss->ni_fhdwell & 0x00ff;
178354Ssam		*frm++ = (bss->ni_fhdwell >> 8) & 0x00ff;
178354Ssam		*frm++ = IEEE80211_FH_CHANSET(
178354Ssam		    ieee80211_chan2ieee(ic, bss->ni_chan));
178354Ssam		*frm++ = IEEE80211_FH_CHANPAT(
178354Ssam		    ieee80211_chan2ieee(ic, bss->ni_chan));
178354Ssam		*frm++ = bss->ni_fhindex;
178354Ssam	} else {
178354Ssam		*frm++ = IEEE80211_ELEMID_DSPARMS;
178354Ssam		*frm++ = 1;
178354Ssam		*frm++ = ieee80211_chan2ieee(ic, bss->ni_chan);
178354Ssam	}
178354Ssam
178354Ssam	if (vap->iv_opmode == IEEE80211_M_IBSS) {
178354Ssam		*frm++ = IEEE80211_ELEMID_IBSSPARMS;
178354Ssam		*frm++ = 2;
178354Ssam		*frm++ = 0; *frm++ = 0;		/* TODO: ATIM window */
178354Ssam	}
178354Ssam	if ((vap->iv_flags & IEEE80211_F_DOTH) ||
178354Ssam	    (vap->iv_flags_ext & IEEE80211_FEXT_DOTD))
178354Ssam		frm = ieee80211_add_countryie(frm, ic);
178354Ssam	if (vap->iv_flags & IEEE80211_F_DOTH) {
178354Ssam		if (IEEE80211_IS_CHAN_5GHZ(bss->ni_chan))
178354Ssam			frm = ieee80211_add_powerconstraint(frm, vap);
178354Ssam		if (ic->ic_flags & IEEE80211_F_CSAPENDING)
178354Ssam			frm = ieee80211_add_csa(frm, vap);
178354Ssam	}
178354Ssam	if (IEEE80211_IS_CHAN_ANYG(bss->ni_chan))
178354Ssam		frm = ieee80211_add_erp(frm, ic);
178354Ssam	frm = ieee80211_add_xrates(frm, rs);
180351Ssam	if (vap->iv_flags & IEEE80211_F_WPA2) {
180351Ssam		if (vap->iv_rsn_ie != NULL)
180351Ssam			frm = add_ie(frm, vap->iv_rsn_ie);
180351Ssam		/* XXX else complain? */
180351Ssam	}
178354Ssam	/*
178354Ssam	 * NB: legacy 11b clients do not get certain ie's.
178354Ssam	 *     The caller identifies such clients by passing
178354Ssam	 *     a token in legacy to us.  Could expand this to be
178354Ssam	 *     any legacy client for stuff like HT ie's.
178354Ssam	 */
178354Ssam	if (IEEE80211_IS_CHAN_HT(bss->ni_chan) &&
178354Ssam	    legacy != IEEE80211_SEND_LEGACY_11B) {
178354Ssam		frm = ieee80211_add_htcap(frm, bss);
178354Ssam		frm = ieee80211_add_htinfo(frm, bss);
178354Ssam	}
178354Ssam	if (vap->iv_flags & IEEE80211_F_WPA1) {
178354Ssam		if (vap->iv_wpa_ie != NULL)
178354Ssam			frm = add_ie(frm, vap->iv_wpa_ie);
178354Ssam		/* XXX else complain? */
178354Ssam	}
178354Ssam	if (vap->iv_flags & IEEE80211_F_WME)
178354Ssam		frm = ieee80211_add_wme_param(frm, &ic->ic_wme);
178354Ssam	if (IEEE80211_IS_CHAN_HT(bss->ni_chan) &&
193655Ssam	    (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) &&
178354Ssam	    legacy != IEEE80211_SEND_LEGACY_11B) {
178354Ssam		frm = ieee80211_add_htcap_vendor(frm, bss);
178354Ssam		frm = ieee80211_add_htinfo_vendor(frm, bss);
178354Ssam	}
190391Ssam#ifdef IEEE80211_SUPPORT_SUPERG
190451Ssam	if ((vap->iv_flags & IEEE80211_F_ATHEROS) &&
190451Ssam	    legacy != IEEE80211_SEND_LEGACY_11B)
190451Ssam		frm = ieee80211_add_athcaps(frm, bss);
190391Ssam#endif
178354Ssam	if (vap->iv_appie_proberesp != NULL)
178354Ssam		frm = add_appie(frm, vap->iv_appie_proberesp);
178354Ssam	m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
178354Ssam
178354Ssam	return m;
178354Ssam}
178354Ssam
178354Ssam/*
178354Ssam * Send a probe response frame to the specified mac address.
178354Ssam * This does not go through the normal mgt frame api so we
178354Ssam * can specify the destination address and re-use the bss node
178354Ssam * for the sta reference.
178354Ssam */
178354Ssamint
178354Ssamieee80211_send_proberesp(struct ieee80211vap *vap,
178354Ssam	const uint8_t da[IEEE80211_ADDR_LEN], int legacy)
178354Ssam{
178354Ssam	struct ieee80211_node *bss = vap->iv_bss;
178354Ssam	struct ieee80211com *ic = vap->iv_ic;
178354Ssam	struct ieee80211_frame *wh;
178354Ssam	struct mbuf *m;
178354Ssam
178354Ssam	if (vap->iv_state == IEEE80211_S_CAC) {
178354Ssam		IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, bss,
178354Ssam		    "block %s frame in CAC state", "probe response");
178354Ssam		vap->iv_stats.is_tx_badstate++;
178354Ssam		return EIO;		/* XXX */
178354Ssam	}
178354Ssam
178354Ssam	/*
178354Ssam	 * Hold a reference on the node so it doesn't go away until after
178354Ssam	 * the xmit is complete all the way in the driver.  On error we
178354Ssam	 * will remove our reference.
178354Ssam	 */
178354Ssam	IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE,
178354Ssam	    "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n",
178354Ssam	    __func__, __LINE__, bss, ether_sprintf(bss->ni_macaddr),
178354Ssam	    ieee80211_node_refcnt(bss)+1);
178354Ssam	ieee80211_ref_node(bss);
178354Ssam
178354Ssam	m = ieee80211_alloc_proberesp(bss, legacy);
178354Ssam	if (m == NULL) {
178354Ssam		ieee80211_free_node(bss);
178354Ssam		return ENOMEM;
178354Ssam	}
178354Ssam
178354Ssam	M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT);
178354Ssam	KASSERT(m != NULL, ("no room for header"));
178354Ssam
178354Ssam	wh = mtod(m, struct ieee80211_frame *);
191544Ssam	ieee80211_send_setup(bss, m,
184282Ssam	     IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP,
184282Ssam	     IEEE80211_NONQOS_TID, vap->iv_myaddr, da, bss->ni_bssid);
178354Ssam	/* XXX power management? */
184286Ssam	m->m_flags |= M_ENCAP;		/* mark encapsulated */
178354Ssam
178354Ssam	M_WME_SETAC(m, WME_AC_BE);
178354Ssam
178354Ssam	IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS,
178354Ssam	    "send probe resp on channel %u to %s%s\n",
178354Ssam	    ieee80211_chan2ieee(ic, ic->ic_curchan), ether_sprintf(da),
178354Ssam	    legacy ? " <legacy>" : "");
178354Ssam	IEEE80211_NODE_STAT(bss, tx_mgmt);
178354Ssam
178354Ssam	return ic->ic_raw_xmit(bss, m, NULL);
178354Ssam}
178354Ssam
178354Ssam/*
178354Ssam * Allocate and build a RTS (Request To Send) control frame.
178354Ssam */
178354Ssamstruct mbuf *
178354Ssamieee80211_alloc_rts(struct ieee80211com *ic,
178354Ssam	const uint8_t ra[IEEE80211_ADDR_LEN],
178354Ssam	const uint8_t ta[IEEE80211_ADDR_LEN],
178354Ssam	uint16_t dur)
178354Ssam{
178354Ssam	struct ieee80211_frame_rts *rts;
178354Ssam	struct mbuf *m;
178354Ssam
178354Ssam	/* XXX honor ic_headroom */
178354Ssam	m = m_gethdr(M_DONTWAIT, MT_DATA);
178354Ssam	if (m != NULL) {
178354Ssam		rts = mtod(m, struct ieee80211_frame_rts *);
178354Ssam		rts->i_fc[0] = IEEE80211_FC0_VERSION_0 |
178354Ssam			IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_RTS;
178354Ssam		rts->i_fc[1] = IEEE80211_FC1_DIR_NODS;
178354Ssam		*(u_int16_t *)rts->i_dur = htole16(dur);
178354Ssam		IEEE80211_ADDR_COPY(rts->i_ra, ra);
178354Ssam		IEEE80211_ADDR_COPY(rts->i_ta, ta);
178354Ssam
178354Ssam		m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts);
178354Ssam	}
178354Ssam	return m;
178354Ssam}
178354Ssam
178354Ssam/*
178354Ssam * Allocate and build a CTS (Clear To Send) control frame.
178354Ssam */
178354Ssamstruct mbuf *
178354Ssamieee80211_alloc_cts(struct ieee80211com *ic,
178354Ssam	const uint8_t ra[IEEE80211_ADDR_LEN], uint16_t dur)
178354Ssam{
178354Ssam	struct ieee80211_frame_cts *cts;
178354Ssam	struct mbuf *m;
178354Ssam
178354Ssam	/* XXX honor ic_headroom */
178354Ssam	m = m_gethdr(M_DONTWAIT, MT_DATA);
178354Ssam	if (m != NULL) {
178354Ssam		cts = mtod(m, struct ieee80211_frame_cts *);
178354Ssam		cts->i_fc[0] = IEEE80211_FC0_VERSION_0 |
178354Ssam			IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_CTS;
178354Ssam		cts->i_fc[1] = IEEE80211_FC1_DIR_NODS;
178354Ssam		*(u_int16_t *)cts->i_dur = htole16(dur);
178354Ssam		IEEE80211_ADDR_COPY(cts->i_ra, ra);
178354Ssam
178354Ssam		m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts);
178354Ssam	}
178354Ssam	return m;
178354Ssam}
178354Ssam
170530Ssamstatic void
170530Ssamieee80211_tx_mgt_timeout(void *arg)
170530Ssam{
170530Ssam	struct ieee80211_node *ni = arg;
178354Ssam	struct ieee80211vap *vap = ni->ni_vap;
170530Ssam
178354Ssam	if (vap->iv_state != IEEE80211_S_INIT &&
178354Ssam	    (vap->iv_ic->ic_flags & IEEE80211_F_SCAN) == 0) {
170530Ssam		/*
170530Ssam		 * NB: it's safe to specify a timeout as the reason here;
170530Ssam		 *     it'll only be used in the right state.
170530Ssam		 */
178354Ssam		ieee80211_new_state(vap, IEEE80211_S_SCAN,
170530Ssam			IEEE80211_SCAN_FAIL_TIMEOUT);
170530Ssam	}
170530Ssam}
170530Ssam
170530Ssamstatic void
170530Ssamieee80211_tx_mgt_cb(struct ieee80211_node *ni, void *arg, int status)
170530Ssam{
178354Ssam	struct ieee80211vap *vap = ni->ni_vap;
170530Ssam	enum ieee80211_state ostate = (enum ieee80211_state) arg;
170530Ssam
170530Ssam	/*
170530Ssam	 * Frame transmit completed; arrange timer callback.  If
170530Ssam	 * transmit was successfuly we wait for response.  Otherwise
170530Ssam	 * we arrange an immediate callback instead of doing the
170530Ssam	 * callback directly since we don't know what state the driver
170530Ssam	 * is in (e.g. what locks it is holding).  This work should
170530Ssam	 * not be too time-critical and not happen too often so the
170530Ssam	 * added overhead is acceptable.
170530Ssam	 *
170530Ssam	 * XXX what happens if !acked but response shows up before callback?
170530Ssam	 */
178354Ssam	if (vap->iv_state == ostate)
178354Ssam		callout_reset(&vap->iv_mgtsend,
170530Ssam			status == 0 ? IEEE80211_TRANS_WAIT*hz : 0,
170530Ssam			ieee80211_tx_mgt_timeout, ni);
170530Ssam}
170530Ssam
178354Ssamstatic void
178354Ssamieee80211_beacon_construct(struct mbuf *m, uint8_t *frm,
178354Ssam	struct ieee80211_beacon_offsets *bo, struct ieee80211_node *ni)
138568Ssam{
178354Ssam	struct ieee80211vap *vap = ni->ni_vap;
172211Ssam	struct ieee80211com *ic = ni->ni_ic;
178354Ssam	struct ieee80211_rateset *rs = &ni->ni_rates;
170530Ssam	uint16_t capinfo;
138568Ssam
138568Ssam	/*
138568Ssam	 * beacon frame format
138568Ssam	 *	[8] time stamp
138568Ssam	 *	[2] beacon interval
138568Ssam	 *	[2] cabability information
138568Ssam	 *	[tlv] ssid
138568Ssam	 *	[tlv] supported rates
138568Ssam	 *	[3] parameter set (DS)
178354Ssam	 *	[8] CF parameter set (optional)
138568Ssam	 *	[tlv] parameter set (IBSS/TIM)
178354Ssam	 *	[tlv] country (optional)
178354Ssam	 *	[3] power control (optional)
178354Ssam	 *	[5] channel switch announcement (CSA) (optional)
138568Ssam	 *	[tlv] extended rate phy (ERP)
138568Ssam	 *	[tlv] extended supported rates
180351Ssam	 *	[tlv] RSN parameters
170530Ssam	 *	[tlv] HT capabilities
170530Ssam	 *	[tlv] HT information
178354Ssam	 * XXX Vendor-specific OIDs (e.g. Atheros)
178354Ssam	 *	[tlv] WPA parameters
178354Ssam	 *	[tlv] WME parameters
170530Ssam	 *	[tlv] Vendor OUI HT capabilities (optional)
170530Ssam	 *	[tlv] Vendor OUI HT information (optional)
190451Ssam	 *	[tlv] Atheros capabilities (optional)
186904Ssam	 *	[tlv] TDMA parameters (optional)
178354Ssam	 *	[tlv] application data (optional)
138568Ssam	 */
138568Ssam
173273Ssam	memset(bo, 0, sizeof(*bo));
173273Ssam
138568Ssam	memset(frm, 0, 8);	/* XXX timestamp is set by hardware/driver */
138568Ssam	frm += 8;
170530Ssam	*(uint16_t *)frm = htole16(ni->ni_intval);
138568Ssam	frm += 2;
178354Ssam	capinfo = getcapinfo(vap, ni->ni_chan);
170530Ssam	bo->bo_caps = (uint16_t *)frm;
170530Ssam	*(uint16_t *)frm = htole16(capinfo);
138568Ssam	frm += 2;
138568Ssam	*frm++ = IEEE80211_ELEMID_SSID;
178354Ssam	if ((vap->iv_flags & IEEE80211_F_HIDESSID) == 0) {
138568Ssam		*frm++ = ni->ni_esslen;
138568Ssam		memcpy(frm, ni->ni_essid, ni->ni_esslen);
138568Ssam		frm += ni->ni_esslen;
138568Ssam	} else
138568Ssam		*frm++ = 0;
138568Ssam	frm = ieee80211_add_rates(frm, rs);
178354Ssam	if (!IEEE80211_IS_CHAN_FHSS(ni->ni_chan)) {
138568Ssam		*frm++ = IEEE80211_ELEMID_DSPARMS;
138568Ssam		*frm++ = 1;
178354Ssam		*frm++ = ieee80211_chan2ieee(ic, ni->ni_chan);
138568Ssam	}
178354Ssam	if (ic->ic_flags & IEEE80211_F_PCF) {
178354Ssam		bo->bo_cfp = frm;
178354Ssam		frm = ieee80211_add_cfparms(frm, ic);
178354Ssam	}
138568Ssam	bo->bo_tim = frm;
178354Ssam	if (vap->iv_opmode == IEEE80211_M_IBSS) {
138568Ssam		*frm++ = IEEE80211_ELEMID_IBSSPARMS;
138568Ssam		*frm++ = 2;
138568Ssam		*frm++ = 0; *frm++ = 0;		/* TODO: ATIM window */
138568Ssam		bo->bo_tim_len = 0;
178354Ssam	} else if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
138568Ssam		struct ieee80211_tim_ie *tie = (struct ieee80211_tim_ie *) frm;
138568Ssam
138568Ssam		tie->tim_ie = IEEE80211_ELEMID_TIM;
138568Ssam		tie->tim_len = 4;	/* length */
138568Ssam		tie->tim_count = 0;	/* DTIM count */
178354Ssam		tie->tim_period = vap->iv_dtim_period;	/* DTIM period */
138568Ssam		tie->tim_bitctl = 0;	/* bitmap control */
138568Ssam		tie->tim_bitmap[0] = 0;	/* Partial Virtual Bitmap */
138568Ssam		frm += sizeof(struct ieee80211_tim_ie);
138568Ssam		bo->bo_tim_len = 1;
138568Ssam	}
172211Ssam	bo->bo_tim_trailer = frm;
178354Ssam	if ((vap->iv_flags & IEEE80211_F_DOTH) ||
178354Ssam	    (vap->iv_flags_ext & IEEE80211_FEXT_DOTD))
178354Ssam		frm = ieee80211_add_countryie(frm, ic);
178354Ssam	if (vap->iv_flags & IEEE80211_F_DOTH) {
178354Ssam		if (IEEE80211_IS_CHAN_5GHZ(ni->ni_chan))
178354Ssam			frm = ieee80211_add_powerconstraint(frm, vap);
178354Ssam		bo->bo_csa = frm;
178354Ssam		if (ic->ic_flags & IEEE80211_F_CSAPENDING)
178354Ssam			frm = ieee80211_add_csa(frm, vap);
178354Ssam	} else
178354Ssam		bo->bo_csa = frm;
178354Ssam	if (IEEE80211_IS_CHAN_ANYG(ni->ni_chan)) {
153973Ssam		bo->bo_erp = frm;
138568Ssam		frm = ieee80211_add_erp(frm, ic);
173273Ssam	}
170530Ssam	frm = ieee80211_add_xrates(frm, rs);
180351Ssam	if (vap->iv_flags & IEEE80211_F_WPA2) {
180351Ssam		if (vap->iv_rsn_ie != NULL)
180351Ssam			frm = add_ie(frm, vap->iv_rsn_ie);
180351Ssam		/* XXX else complain */
180351Ssam	}
178354Ssam	if (IEEE80211_IS_CHAN_HT(ni->ni_chan)) {
170530Ssam		frm = ieee80211_add_htcap(frm, ni);
170530Ssam		bo->bo_htinfo = frm;
170530Ssam		frm = ieee80211_add_htinfo(frm, ni);
173273Ssam	}
178354Ssam	if (vap->iv_flags & IEEE80211_F_WPA1) {
178354Ssam		if (vap->iv_wpa_ie != NULL)
178354Ssam			frm = add_ie(frm, vap->iv_wpa_ie);
178354Ssam		/* XXX else complain */
178354Ssam	}
178354Ssam	if (vap->iv_flags & IEEE80211_F_WME) {
173273Ssam		bo->bo_wme = frm;
173273Ssam		frm = ieee80211_add_wme_param(frm, &ic->ic_wme);
173273Ssam	}
178354Ssam	if (IEEE80211_IS_CHAN_HT(ni->ni_chan) &&
193655Ssam	    (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT)) {
173273Ssam		frm = ieee80211_add_htcap_vendor(frm, ni);
173273Ssam		frm = ieee80211_add_htinfo_vendor(frm, ni);
173273Ssam	}
190451Ssam#ifdef IEEE80211_SUPPORT_SUPERG
190451Ssam	if (vap->iv_flags & IEEE80211_F_ATHEROS) {
190451Ssam		bo->bo_ath = frm;
190451Ssam		frm = ieee80211_add_athcaps(frm, ni);
190451Ssam	}
190451Ssam#endif
186904Ssam#ifdef IEEE80211_SUPPORT_TDMA
186904Ssam	if (vap->iv_caps & IEEE80211_C_TDMA) {
186904Ssam		bo->bo_tdma = frm;
186904Ssam		frm = ieee80211_add_tdma(frm, vap);
186904Ssam	}
186904Ssam#endif
178354Ssam	if (vap->iv_appie_beacon != NULL) {
178354Ssam		bo->bo_appie = frm;
178354Ssam		bo->bo_appie_len = vap->iv_appie_beacon->ie_len;
178354Ssam		frm = add_appie(frm, vap->iv_appie_beacon);
178354Ssam	}
172211Ssam	bo->bo_tim_trailer_len = frm - bo->bo_tim_trailer;
178354Ssam	bo->bo_csa_trailer_len = frm - bo->bo_csa;
170530Ssam	m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
178354Ssam}
138568Ssam
178354Ssam/*
178354Ssam * Allocate a beacon frame and fillin the appropriate bits.
178354Ssam */
178354Ssamstruct mbuf *
178354Ssamieee80211_beacon_alloc(struct ieee80211_node *ni,
178354Ssam	struct ieee80211_beacon_offsets *bo)
178354Ssam{
178354Ssam	struct ieee80211vap *vap = ni->ni_vap;
178354Ssam	struct ieee80211com *ic = ni->ni_ic;
178354Ssam	struct ifnet *ifp = vap->iv_ifp;
178354Ssam	struct ieee80211_frame *wh;
178354Ssam	struct mbuf *m;
178354Ssam	int pktlen;
178354Ssam	uint8_t *frm;
178354Ssam
178354Ssam	/*
178354Ssam	 * beacon frame format
178354Ssam	 *	[8] time stamp
178354Ssam	 *	[2] beacon interval
178354Ssam	 *	[2] cabability information
178354Ssam	 *	[tlv] ssid
178354Ssam	 *	[tlv] supported rates
178354Ssam	 *	[3] parameter set (DS)
178354Ssam	 *	[8] CF parameter set (optional)
178354Ssam	 *	[tlv] parameter set (IBSS/TIM)
178354Ssam	 *	[tlv] country (optional)
178354Ssam	 *	[3] power control (optional)
178354Ssam	 *	[5] channel switch announcement (CSA) (optional)
178354Ssam	 *	[tlv] extended rate phy (ERP)
178354Ssam	 *	[tlv] extended supported rates
178354Ssam	 *	[tlv] RSN parameters
178354Ssam	 *	[tlv] HT capabilities
178354Ssam	 *	[tlv] HT information
178354Ssam	 *	[tlv] Vendor OUI HT capabilities (optional)
178354Ssam	 *	[tlv] Vendor OUI HT information (optional)
178354Ssam	 * XXX Vendor-specific OIDs (e.g. Atheros)
178354Ssam	 *	[tlv] WPA parameters
178354Ssam	 *	[tlv] WME parameters
186904Ssam	 *	[tlv] TDMA parameters (optional)
178354Ssam	 *	[tlv] application data (optional)
178354Ssam	 * NB: we allocate the max space required for the TIM bitmap.
178354Ssam	 * XXX how big is this?
178354Ssam	 */
178354Ssam	pktlen =   8					/* time stamp */
178354Ssam		 + sizeof(uint16_t)			/* beacon interval */
178354Ssam		 + sizeof(uint16_t)			/* capabilities */
178354Ssam		 + 2 + ni->ni_esslen			/* ssid */
178354Ssam	         + 2 + IEEE80211_RATE_SIZE		/* supported rates */
178354Ssam	         + 2 + 1				/* DS parameters */
178354Ssam		 + 2 + 6				/* CF parameters */
178354Ssam		 + 2 + 4 + vap->iv_tim_len		/* DTIM/IBSSPARMS */
178354Ssam		 + IEEE80211_COUNTRY_MAX_SIZE		/* country */
178354Ssam		 + 2 + 1				/* power control */
178354Ssam	         + sizeof(struct ieee80211_csa_ie)	/* CSA */
178354Ssam		 + 2 + 1				/* ERP */
178354Ssam	         + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
178354Ssam		 + (vap->iv_caps & IEEE80211_C_WPA ?	/* WPA 1+2 */
178354Ssam			2*sizeof(struct ieee80211_ie_wpa) : 0)
178354Ssam		 /* XXX conditional? */
178354Ssam		 + 4+2*sizeof(struct ieee80211_ie_htcap)/* HT caps */
178354Ssam		 + 4+2*sizeof(struct ieee80211_ie_htinfo)/* HT info */
178354Ssam		 + (vap->iv_caps & IEEE80211_C_WME ?	/* WME */
178354Ssam			sizeof(struct ieee80211_wme_param) : 0)
190451Ssam#ifdef IEEE80211_SUPPORT_SUPERG
190451Ssam		 + sizeof(struct ieee80211_ath_ie)	/* ATH */
190451Ssam#endif
186904Ssam#ifdef IEEE80211_SUPPORT_TDMA
186904Ssam		 + (vap->iv_caps & IEEE80211_C_TDMA ?	/* TDMA */
186904Ssam			sizeof(struct ieee80211_tdma_param) : 0)
186904Ssam#endif
178354Ssam		 + IEEE80211_MAX_APPIE
178354Ssam		 ;
178354Ssam	m = ieee80211_getmgtframe(&frm,
178354Ssam		ic->ic_headroom + sizeof(struct ieee80211_frame), pktlen);
178354Ssam	if (m == NULL) {
178354Ssam		IEEE80211_DPRINTF(vap, IEEE80211_MSG_ANY,
178354Ssam			"%s: cannot get buf; size %u\n", __func__, pktlen);
178354Ssam		vap->iv_stats.is_tx_nobuf++;
178354Ssam		return NULL;
178354Ssam	}
178354Ssam	ieee80211_beacon_construct(m, frm, bo, ni);
178354Ssam
138568Ssam	M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT);
138568Ssam	KASSERT(m != NULL, ("no space for 802.11 header?"));
138568Ssam	wh = mtod(m, struct ieee80211_frame *);
138568Ssam	wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT |
138568Ssam	    IEEE80211_FC0_SUBTYPE_BEACON;
138568Ssam	wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
170530Ssam	*(uint16_t *)wh->i_dur = 0;
138568Ssam	IEEE80211_ADDR_COPY(wh->i_addr1, ifp->if_broadcastaddr);
178354Ssam	IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr);
138568Ssam	IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid);
170530Ssam	*(uint16_t *)wh->i_seq = 0;
138568Ssam
138568Ssam	return m;
138568Ssam}
138568Ssam
138568Ssam/*
138568Ssam * Update the dynamic parts of a beacon frame based on the current state.
138568Ssam */
138568Ssamint
172211Ssamieee80211_beacon_update(struct ieee80211_node *ni,
138568Ssam	struct ieee80211_beacon_offsets *bo, struct mbuf *m, int mcast)
138568Ssam{
178354Ssam	struct ieee80211vap *vap = ni->ni_vap;
172211Ssam	struct ieee80211com *ic = ni->ni_ic;
138568Ssam	int len_changed = 0;
170530Ssam	uint16_t capinfo;
138568Ssam
178354Ssam	IEEE80211_LOCK(ic);
178354Ssam	/*
178354Ssam	 * Handle 11h channel change when we've reached the count.
178354Ssam	 * We must recalculate the beacon frame contents to account
178354Ssam	 * for the new channel.  Note we do this only for the first
178354Ssam	 * vap that reaches this point; subsequent vaps just update
178354Ssam	 * their beacon state to reflect the recalculated channel.
178354Ssam	 */
178354Ssam	if (isset(bo->bo_flags, IEEE80211_BEACON_CSA) &&
178354Ssam	    vap->iv_csa_count == ic->ic_csa_count) {
178354Ssam		vap->iv_csa_count = 0;
178354Ssam		/*
178354Ssam		 * Effect channel change before reconstructing the beacon
178354Ssam		 * frame contents as many places reference ni_chan.
178354Ssam		 */
178354Ssam		if (ic->ic_csa_newchan != NULL)
178354Ssam			ieee80211_csa_completeswitch(ic);
178354Ssam		/*
178354Ssam		 * NB: ieee80211_beacon_construct clears all pending
178354Ssam		 * updates in bo_flags so we don't need to explicitly
178354Ssam		 * clear IEEE80211_BEACON_CSA.
178354Ssam		 */
178354Ssam		ieee80211_beacon_construct(m,
178354Ssam		    mtod(m, uint8_t*) + sizeof(struct ieee80211_frame), bo, ni);
178354Ssam
178354Ssam		/* XXX do WME aggressive mode processing? */
178354Ssam		IEEE80211_UNLOCK(ic);
178354Ssam		return 1;		/* just assume length changed */
178354Ssam	}
178354Ssam
138568Ssam	/* XXX faster to recalculate entirely or just changes? */
178354Ssam	capinfo = getcapinfo(vap, ni->ni_chan);
138568Ssam	*bo->bo_caps = htole16(capinfo);
138568Ssam
178354Ssam	if (vap->iv_flags & IEEE80211_F_WME) {
138568Ssam		struct ieee80211_wme_state *wme = &ic->ic_wme;
138568Ssam
138568Ssam		/*
138568Ssam		 * Check for agressive mode change.  When there is
138568Ssam		 * significant high priority traffic in the BSS
138568Ssam		 * throttle back BE traffic by using conservative
138568Ssam		 * parameters.  Otherwise BE uses agressive params
138568Ssam		 * to optimize performance of legacy/non-QoS traffic.
138568Ssam		 */
138568Ssam		if (wme->wme_flags & WME_F_AGGRMODE) {
138568Ssam			if (wme->wme_hipri_traffic >
138568Ssam			    wme->wme_hipri_switch_thresh) {
178354Ssam				IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME,
138568Ssam				    "%s: traffic %u, disable aggressive mode\n",
138568Ssam				    __func__, wme->wme_hipri_traffic);
138568Ssam				wme->wme_flags &= ~WME_F_AGGRMODE;
178354Ssam				ieee80211_wme_updateparams_locked(vap);
138568Ssam				wme->wme_hipri_traffic =
138568Ssam					wme->wme_hipri_switch_hysteresis;
138568Ssam			} else
138568Ssam				wme->wme_hipri_traffic = 0;
138568Ssam		} else {
138568Ssam			if (wme->wme_hipri_traffic <=
138568Ssam			    wme->wme_hipri_switch_thresh) {
178354Ssam				IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME,
138568Ssam				    "%s: traffic %u, enable aggressive mode\n",
138568Ssam				    __func__, wme->wme_hipri_traffic);
138568Ssam				wme->wme_flags |= WME_F_AGGRMODE;
178354Ssam				ieee80211_wme_updateparams_locked(vap);
138568Ssam				wme->wme_hipri_traffic = 0;
138568Ssam			} else
138568Ssam				wme->wme_hipri_traffic =
138568Ssam					wme->wme_hipri_switch_hysteresis;
138568Ssam		}
172211Ssam		if (isset(bo->bo_flags, IEEE80211_BEACON_WME)) {
138568Ssam			(void) ieee80211_add_wme_param(bo->bo_wme, wme);
172211Ssam			clrbit(bo->bo_flags, IEEE80211_BEACON_WME);
138568Ssam		}
138568Ssam	}
138568Ssam
178354Ssam	if (isset(bo->bo_flags,  IEEE80211_BEACON_HTINFO)) {
178354Ssam		ieee80211_ht_update_beacon(vap, bo);
172211Ssam		clrbit(bo->bo_flags, IEEE80211_BEACON_HTINFO);
170530Ssam	}
186904Ssam#ifdef IEEE80211_SUPPORT_TDMA
186904Ssam	if (vap->iv_caps & IEEE80211_C_TDMA) {
186904Ssam		/*
186904Ssam		 * NB: the beacon is potentially updated every TBTT.
186904Ssam		 */
186904Ssam		ieee80211_tdma_update_beacon(vap, bo);
186904Ssam	}
186904Ssam#endif
178354Ssam	if (vap->iv_opmode == IEEE80211_M_HOSTAP) {	/* NB: no IBSS support*/
138568Ssam		struct ieee80211_tim_ie *tie =
138568Ssam			(struct ieee80211_tim_ie *) bo->bo_tim;
172211Ssam		if (isset(bo->bo_flags, IEEE80211_BEACON_TIM)) {
138568Ssam			u_int timlen, timoff, i;
138568Ssam			/*
138568Ssam			 * ATIM/DTIM needs updating.  If it fits in the
138568Ssam			 * current space allocated then just copy in the
138568Ssam			 * new bits.  Otherwise we need to move any trailing
138568Ssam			 * data to make room.  Note that we know there is
138568Ssam			 * contiguous space because ieee80211_beacon_allocate
138568Ssam			 * insures there is space in the mbuf to write a
178354Ssam			 * maximal-size virtual bitmap (based on iv_max_aid).
138568Ssam			 */
138568Ssam			/*
138568Ssam			 * Calculate the bitmap size and offset, copy any
138568Ssam			 * trailer out of the way, and then copy in the
138568Ssam			 * new bitmap and update the information element.
138568Ssam			 * Note that the tim bitmap must contain at least
138568Ssam			 * one byte and any offset must be even.
138568Ssam			 */
178354Ssam			if (vap->iv_ps_pending != 0) {
138568Ssam				timoff = 128;		/* impossibly large */
178354Ssam				for (i = 0; i < vap->iv_tim_len; i++)
178354Ssam					if (vap->iv_tim_bitmap[i]) {
138568Ssam						timoff = i &~ 1;
138568Ssam						break;
138568Ssam					}
138568Ssam				KASSERT(timoff != 128, ("tim bitmap empty!"));
178354Ssam				for (i = vap->iv_tim_len-1; i >= timoff; i--)
178354Ssam					if (vap->iv_tim_bitmap[i])
138568Ssam						break;
138568Ssam				timlen = 1 + (i - timoff);
138568Ssam			} else {
138568Ssam				timoff = 0;
138568Ssam				timlen = 1;
138568Ssam			}
138568Ssam			if (timlen != bo->bo_tim_len) {
138568Ssam				/* copy up/down trailer */
153973Ssam				int adjust = tie->tim_bitmap+timlen
172211Ssam					   - bo->bo_tim_trailer;
172211Ssam				ovbcopy(bo->bo_tim_trailer,
172211Ssam				    bo->bo_tim_trailer+adjust,
172211Ssam				    bo->bo_tim_trailer_len);
172211Ssam				bo->bo_tim_trailer += adjust;
153973Ssam				bo->bo_erp += adjust;
170530Ssam				bo->bo_htinfo += adjust;
190451Ssam#ifdef IEEE80211_SUPERG_SUPPORT
190451Ssam				bo->bo_ath += adjust;
190451Ssam#endif
190448Ssam#ifdef IEEE80211_TDMA_SUPPORT
190448Ssam				bo->bo_tdma += adjust;
190448Ssam#endif
178354Ssam				bo->bo_appie += adjust;
178354Ssam				bo->bo_wme += adjust;
178354Ssam				bo->bo_csa += adjust;
138568Ssam				bo->bo_tim_len = timlen;
138568Ssam
138568Ssam				/* update information element */
138568Ssam				tie->tim_len = 3 + timlen;
138568Ssam				tie->tim_bitctl = timoff;
138568Ssam				len_changed = 1;
138568Ssam			}
178354Ssam			memcpy(tie->tim_bitmap, vap->iv_tim_bitmap + timoff,
138568Ssam				bo->bo_tim_len);
138568Ssam
172211Ssam			clrbit(bo->bo_flags, IEEE80211_BEACON_TIM);
138568Ssam
178354Ssam			IEEE80211_DPRINTF(vap, IEEE80211_MSG_POWER,
138568Ssam				"%s: TIM updated, pending %u, off %u, len %u\n",
178354Ssam				__func__, vap->iv_ps_pending, timoff, timlen);
138568Ssam		}
138568Ssam		/* count down DTIM period */
138568Ssam		if (tie->tim_count == 0)
138568Ssam			tie->tim_count = tie->tim_period - 1;
138568Ssam		else
138568Ssam			tie->tim_count--;
138568Ssam		/* update state for buffered multicast frames on DTIM */
153139Ssam		if (mcast && tie->tim_count == 0)
138568Ssam			tie->tim_bitctl |= 1;
138568Ssam		else
138568Ssam			tie->tim_bitctl &= ~1;
178354Ssam		if (isset(bo->bo_flags, IEEE80211_BEACON_CSA)) {
178354Ssam			struct ieee80211_csa_ie *csa =
178354Ssam			    (struct ieee80211_csa_ie *) bo->bo_csa;
178354Ssam
178354Ssam			/*
178354Ssam			 * Insert or update CSA ie.  If we're just starting
178354Ssam			 * to count down to the channel switch then we need
178354Ssam			 * to insert the CSA ie.  Otherwise we just need to
178354Ssam			 * drop the count.  The actual change happens above
178354Ssam			 * when the vap's count reaches the target count.
178354Ssam			 */
178354Ssam			if (vap->iv_csa_count == 0) {
178354Ssam				memmove(&csa[1], csa, bo->bo_csa_trailer_len);
178354Ssam				bo->bo_erp += sizeof(*csa);
190449Ssam				bo->bo_htinfo += sizeof(*csa);
178354Ssam				bo->bo_wme += sizeof(*csa);
190451Ssam#ifdef IEEE80211_SUPERG_SUPPORT
190451Ssam				bo->bo_ath += sizeof(*csa);
190451Ssam#endif
190448Ssam#ifdef IEEE80211_TDMA_SUPPORT
190448Ssam				bo->bo_tdma += sizeof(*csa);
190448Ssam#endif
178354Ssam				bo->bo_appie += sizeof(*csa);
178354Ssam				bo->bo_csa_trailer_len += sizeof(*csa);
178354Ssam				bo->bo_tim_trailer_len += sizeof(*csa);
178354Ssam				m->m_len += sizeof(*csa);
178354Ssam				m->m_pkthdr.len += sizeof(*csa);
178354Ssam
178354Ssam				ieee80211_add_csa(bo->bo_csa, vap);
178354Ssam			} else
178354Ssam				csa->csa_count--;
178354Ssam			vap->iv_csa_count++;
178354Ssam			/* NB: don't clear IEEE80211_BEACON_CSA */
178354Ssam		}
172211Ssam		if (isset(bo->bo_flags, IEEE80211_BEACON_ERP)) {
153973Ssam			/*
153973Ssam			 * ERP element needs updating.
153973Ssam			 */
153973Ssam			(void) ieee80211_add_erp(bo->bo_erp, ic);
172211Ssam			clrbit(bo->bo_flags, IEEE80211_BEACON_ERP);
153973Ssam		}
190451Ssam#ifdef IEEE80211_SUPPORT_SUPERG
190451Ssam		if (isset(bo->bo_flags,  IEEE80211_BEACON_ATH)) {
190451Ssam			ieee80211_add_athcaps(bo->bo_ath, ni);
190451Ssam			clrbit(bo->bo_flags, IEEE80211_BEACON_ATH);
190451Ssam		}
190451Ssam#endif
138568Ssam	}
178354Ssam	if (isset(bo->bo_flags, IEEE80211_BEACON_APPIE)) {
178354Ssam		const struct ieee80211_appie *aie = vap->iv_appie_beacon;
178354Ssam		int aielen;
178354Ssam		uint8_t *frm;
138568Ssam
178354Ssam		aielen = 0;
178354Ssam		if (aie != NULL)
178354Ssam			aielen += aie->ie_len;
178354Ssam		if (aielen != bo->bo_appie_len) {
178354Ssam			/* copy up/down trailer */
178354Ssam			int adjust = aielen - bo->bo_appie_len;
178354Ssam			ovbcopy(bo->bo_tim_trailer, bo->bo_tim_trailer+adjust,
178354Ssam				bo->bo_tim_trailer_len);
178354Ssam			bo->bo_tim_trailer += adjust;
178354Ssam			bo->bo_appie += adjust;
178354Ssam			bo->bo_appie_len = aielen;
178354Ssam
178354Ssam			len_changed = 1;
178354Ssam		}
178354Ssam		frm = bo->bo_appie;
178354Ssam		if (aie != NULL)
178354Ssam			frm  = add_appie(frm, aie);
178354Ssam		clrbit(bo->bo_flags, IEEE80211_BEACON_APPIE);
178354Ssam	}
178354Ssam	IEEE80211_UNLOCK(ic);
178354Ssam
138568Ssam	return len_changed;
138568Ssam}